Anti-virus pro forma
Tuesday, January 17, 2017
Regular Anti-virus Times readers must have already noticed that most of our anti-malware security recommendations are quite simple:
- Keep your anti-virus up to date;
- Don't work under accounts with elevated privileges;
- Install security updates;
- Don’t mindlessly click on links;
- Back up important information.
There are no secrets here; our advice is obvious and logical. Why then is the media so full of news stories about hacker attacks and data leaks? It’s because either our recommendations are no good and hackers can easily circumvent them or they don’t provide a sufficient level of security; anyone who wants a high level of protection is going to have to pay more money.
Furthermore, attackers may get help from inside.
The initial infection occurred because the anti-virus on an employee's PC was either disabled or was using outdated virus definitions, allowing malware from a phishing email containing documents.exe to be launched.
Please note that the anti-virus software had detected the malicious attachments as well as the attackers' activities in the compromised systems—long before any money was stolen. Among all the other things detected was suspicious behaviour on the part of the legitimate program Ammyy Admin. In some cases infection was prevented by the anti-virus software.
https://www.ptsecurity.com/upload/ptru/analytics/Cobalt-Snatch-rus.pdf
documents.exe! Who would be foolish enough to open a file like this?!
The anti-virus had the signature for this malware for quite a while, but it was disabled! On machines where it was up and running, there was no need to use behaviour analysis of any kind—the machines were never infected.
But that's not the end of it. There’s more.
The investigation showed that several employees had launched the files attached to the phishing emails at different times.
That is, no restrictions were in place that could have prevented users from launching or using certain programs.
To find and download various utilities (such as Mimikatz), criminals accessed legitimate sites, such as popular search engines, via the infected hosts.
Apart from the fact that employee machines weren't disconnected from the Internet, staff members also fell for a trick of the criminals who used the infected machines to find the software they needed to continue the attack. Devious hackers who use command prompt, without looking at the screen, and receive the machines' response exclusively by ear… Indeed, who can possibly stop them?
The absence of network segmentation and excessive privileges for user accounts (the compromised user account was listed as a local administrator on all the machines in the network) were the key factors that contributed to the rapid development of the attack vector. The criminals were able to continue the attack easily because they didn't have to resort to additional exploits to elevate their privileges or look for ways to seize control.
They used sendspace.com to download additional files.
An analysis of the software’s security logs confirmed that the compromised computers were engaged in network activities, including connecting to ATMs with RAdmin. The administrators of the attacked bank’s network routinely use this software to remotely control network nodes including the bank’s ATMs.
The ATMs weren't connected to a separate network and apparently were also accessible from the Internet, and security experts failed to notice that strangers were trying to break in.
By the way, if you're using Dr.Web and start RAdmin (or any other remote administration software), the anti-virus will warn you that a potentially dangerous program is being launched.
The outcome:
- The PCs of key employees and critical network infrastructure servers, including the terminal server and domain controller, were compromised. In addition, the criminals got hold of virtually all employee passwords, including administrator accounts, so they were able to navigate through the network freely.
- As a result, the equivalent of 36,742 USD was stolen from six ATMs over the course of one night.
- To get cash from the ATMs, they used drops (individuals who were hired for the operation). One of the drops, a Republic of Moldova national, was caught red-handed by law enforcement agencies while he was withdrawing the cash.
The Anti-virus Times recommends
Many people are so confident in their abilities that they see no reason to use anti-virus software or they disable it regularly because it seemingly affects system performance; and, at the same time, they continue to use an account with administrative privileges. Sooner or later a day of reckoning comes.
And it’s not the recommendations that cause problems, but people who believe that using an anti-virus is a mere formality.
Tell us what you think
To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.
Comments
Неуёмный Обыватель
05:12:05 2018-08-24
vasvet
09:17:07 2018-07-02