Delaware, USA – December 7, 2018 – At least eight banks in Eastern Europe became the victims of the new type of attack in the past two years, the total damage from the attacks is estimated in the tens of millions of dollars. In a recent publication, researchers from Kaspersky Lab shared the results of their investigations. In all DarkVishnya attacks, attackers conducted physically connection to banks’ network using netbooks or cheap notebooks, Raspberry Pi boards or a Bash Bunny (hardware tool for carrying out USB attacks). The attackers visited targeted bank under a seemingly legitimate pretext (for example, under the guise of couriers) and connected the device to the organization’s local network. For remote communication with the device, they used a built-in or USB-powered GPRS / 3G / LTE wireless modules. When they gained access to the network, they scanned the digital premises in search of public shared folders, web servers and any other open resources. This information was used to find the way to servers and workstations used for making payments, and than the attackers conducted a brute-force attack or intercepted traffic to steal the necessary credentials to gain access to the assets. For further distribution over the network, a set of various trojans and remote access tools were used. To avoid whitelisting technologies and domain policies during DarkVishnya attacks, cybercriminals used fileless attacks and PowerShell. If these methods didn’t work out, they leveraged impacket and winexesvc.exe or psexec.exe.
Devices used in these attacks may remain undetected until the transfer of funds and the start of an investigation. To automatically discover and categorize all assets into service categories, you can use Asset Identification Framework rule pack from Threat Detection Marketplace. Also, you can use Brute Force Detection to uncover any attempts of password guessing targeted at your sensitive workstations.