Delaware, USA – October 16, 2017 – Researchers from Trend Micro report an attack on financial institutions in several former Soviet Republics. Adversaries leveraged a business process compromise attack to steal approximately 40 million dollars. In this case, adversaries exploited the overdraft limit on payment cards: they sent emails to banks’ customers with a proposal to sign up for bank accounts with payment cards, and then the data on these cards was redirected to cybercriminals located in European Union countries.
Hackers first conducted phishing campaigns against bank employees to install a TROJ_MBRWIPE.B backdoor on systems inside the perimeter. This was necessary, among other things, to steal VPN credentials, connect to a third-party payment processing company’s network, and infect its systems with various malware to gain access to the payment card management infrastructure.
Business process compromise attacks cause significant damage to financial institutions each year. They differ in sophistication and in the thoroughness of planning at all phases of the attack, and therefore they are very difficult to detect or prevent. In the described case, attackers used stolen VPN credentials, the use of which is almost impossible to monitor carefully in large organizations. To automate monitoring of security events related to VPN access, you can download content from Use Case Cloud. VPN Security Monitor for ArcSight and QRadar provides all the necessary information to detect abuse of the VPN protocol.