Bad actors have been targeting payment systems in an ATM cash-out scheme dubbed “FASTCash.”
The Department of Homeland Security (DHS), the Department of the Treasury (Treasury), and the Federal Bureau of Investigation (FBI) have issued a joint technical alert with details about identified malware and other indicators of compromise used by the North Korean government in the FASTCash scheme.
The malicious actors have been using the FASTCash tactics since early 2016 to target banks in Africa and Asia. The U.S. Government also have not confirmed that any U.S. institutions have been affected by FASTCash incidents at the time of the report.
The North Korean government malicious cyber activity is referred to as HIDDEN COBRA, according to the U.S. Government.
“FBI has high confidence that HIDDEN COBRA actors are using the IOCs listed in this report to maintain a presence on victims’ networks to enable network exploitation. DHS, FBI, and Treasury are distributing these IOCs to enable network defense and reduce exposure to North Korean government malicious cyber activity,” as stated in the alert.
FASTCash activity
“FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. The U.S. Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation,” DHS and FBI warned.
Tens of millions of dollars were stolen by the HIDDEN COBRA actors, to include one incident in 2017 and another one in 2018. The actors enabled cash to be simultaneously withdrawn from ATMs in 23 countries in one incident and over 30 different countries in the more recent incident this year.
The HIDDEN COBRA actors have also used their knowledge of International Standards Organization (ISO) 8583, the standard for financial transaction messaging, to target and exploit systems.
The bad actors “most likely deployed ISO 8583 libraries on the targeted switch application servers. Malicious threat actors use these libraries to help interpret financial request messages and properly construct fraudulent financial response messages,” according to the report.
Malware samples
10 malware samples related to FASTCash activity were produced in a malware analysis report.
Four of the malware samples are malicious apps that use a file encryption tool called Themida. This malware “unpacks a payload that is loaded directly into the memory of the compromised system” when executed on Windows systems.
The malware then modifies the Windows Firewall to allow incoming connections and then installs a proxy server application. The malware also can “exfiltrate data, install and run secondary payloads, and provide proxy capabilities on a compromised system.”
Other samples include command line utilities, log files and apps used to exfiltrate data as well as “interact with financial systems and perform transactions,” according to the malware report.
Recommended mitigations
The report also provides some good guidance to help protect payment systems, such as:
- Require Chip and Personal Identification Number Cryptogram Validation
- Isolate Payment System Infrastructure
- Logically Segregate Operating Environments
- Encrypt Data in Transit
- Monitor for Anomalous Behavior as Part of Layered Security.
Read the report for many more details on these and more security safeguards that organizations should deploy to help protect payment systems from future attacks.