FASTCash: New Campaign of Lazarus Group

Delaware, USA – October 4, 2018 — US-CERT, the US Department of Homeland Security, the US Department of the Treasury and the FBI have published a joint report on a new scheme for stealing money from ATMs. One of the divisions of the infamous Lazarus group uses FASTCash tactics in attacks on banks worldwide. The attackers open zero balance account in a targeted bank, and then remotely compromise the bank’s Switch application server, which is used to validate user data when transferring money. After hacking, the attackers install malware that intercepts requests for transactions related to the group’s payment cards and confirms their authenticity. With the help of the FASTCash tactics, the group managed to steal tens of millions of dollars, as ATMs gave the requested sums without notifying the bank about the transaction.

Also, researchers from FireEye revealed their investigation on the activities of this division of the Lazarus group, which they called APT38. This group has been active since 2014 and during this time has conducted attacks on at least 16 organizations in 11 countries, although the actual figure may be significantly higher. The attackers conduct internal reconnaissance and try to gain access to the SWIFT payment system, after which they transfer money to the controlled accounts. For 4 years, APT38 tried to steal more than $1 billion, and they managed to successfully withdraw more than a hundred million dollars.

One of the vectors of the Lazarus group attack is the compromise of web servers with vulnerable frameworks installed. To detect attacks on your publicly accessible web resources, you can use Web Application Security Framework, which acts as an early warning system for critical business applications: https://my.socprime.com/en/integrations/web-application-security-framework-hpe-arcsight