{"id":3637,"date":"2015-02-19T17:51:04","date_gmt":"2015-02-19T17:51:04","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3637"},"modified":"2020-02-27T03:53:35","modified_gmt":"2020-02-26T16:53:35","slug":"the-equation-carbanak-desert-falcons-security-analyst-summit-summary","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/the-equation-carbanak-desert-falcons-security-analyst-summit-summary\/3637\/","title":{"rendered":"The Equation, Carbanak, Desert Falcons: Security Analyst Summit summary"},"content":{"rendered":"

On February 16th and 17th in Cancun, Mexico, the Fourth annual Kaspersky Security Analyst Summit took place. That\u2019s an extremely important event for Kaspersky Lab, where we share our researches and invite to speak our colleagues from other companies from security industry.<\/p>\n

#TheEquationAPT, #Carbanak, #DesertFalconsAPT: #SAS summary<\/p>Tweet<\/a><\/blockquote>\n

In this particular post we discuss three of our keynotes from Security Analyst Summit regarding The Equation APT, Carbanak and an unknown before entity that we called Desert Falcons APT group. If you are interested in detailed research, please follow the appropriate links to Securelist. Here you can also find a few pictures from the Summit, and later videos from our experts\u2019 keynotes will be available either.<\/p>\n

Carbanak. The Great Robbery<\/strong><\/p>\n

Securelist full report with technical details<\/a>. Indicators of compromise<\/a> (in .IOC<\/a> format).<\/p>\n

A lot of comments come on the ATM compromise aspect of Carbanak, which is indeed the most high-profile part of the story: one sends a command, the ATM yields money, with no card or PIN required.<\/p>\n

Actually, this is where Carbanak failed: it\u2019s clear that ATMs don\u2019t work that way without a third party intervening. Further investigation showed that ATM cracking was just one method of cashing out. There were others too: criminals could transmit funds to their own accounts, manipulate the balance so that multiple security systems failed to detect it. Without total control about internal bank systems the operation like this would be impossible to conduct. So after the initial infiltration attackers used various methods to gather data on internal workings of the bank, including recording the video.<\/p>\n

\"4\"<\/p>\n

The actual attack started quite trivially:<\/p>\n

\"5\"<\/p>\n

A letter with a malicious payload exploiting, among others, Microsoft Office vulnerabilities (CVE-2012-0158; CVE-2013-3906) and Microsoft Word (CVE-2014-1761).<\/em><\/p>\n

So where the $1 bn came from?<\/em><\/p>\n

Carbanak investigation had been conducted in close cooperation with various LEAs in various countries. Peter Zinn from National Hi-Tech Crime Unit told about it during his speech in Kaspersky Security Analyst Summit.<\/p>\n

\"5x\"<\/p>\n

Information from law enforcement agencies allowed to evaluate the total number of Carbanak victims \u2013 about 100 financial organization. Given the on average they lost between $2.5 and $10 million, the total possible losses may mount exactly up to $1bn.<\/p>\n

A saviour .bat:<\/em><\/p>\n

An interesting situation took place during the investigation, when the fact of infection had been already confirmed and there was a need to identify all of the compromised PCs. It should have been done fast: first \u2013 to block the threat, second \u2013 to gather samples to research. A simple script had been written for this:<\/p>\n

\"6\"<\/p>\n

The Equation, or \u201cStuxnet, I am your father\u201d, or attribution difficulties<\/strong><\/p>\n

A Securelist article<\/a>, Q&A<\/a> (pdf), Fanny module research<\/a><\/p>\n

Every SAS guest received as a present Kim Zetter\u2019s book<\/a> on Stuxnet, signed by author. For your information, it\u2019s a gross 500 pages tome, and, according to Zetter, publisher requested to shorten technical details as much as possible. So if one day a book on The Equation will be written, it won\u2019t be any smaller. An important thing: the investigation of this operation is just beginning right now. We have only published the general information and made a detailed research of one of its modules. Further research will demand time and effort, both from Kaspersky Lab and other companies. Why? Those behind Equation APT is doing their business for more than 10 years, probably even for 20 years already, given the date of first C&C servers domain registration.<\/p>\n

\"7\"<\/p>\n

Kaspersky Lab researchers speaking on The Equation at SAS: Igor Sumenkov, Sergery Mineev, Vitaliy Kamlyuk, Costin Raiu.<\/em><\/p>\n

\u00a0<\/p>\n

Grzegorz Brz\u0119czyszczykiewicz <\/em><\/p>\n

We have identified with certainty more than 500 victims of The Equation. Given that malicious modules of the operation are armed with self-destruct mechanism, the actual total number of victims may be dozens of thousands. Among them \u2013 governmental organizations, telecoms, aviation industry, gas and oil sector, etc. Our research started when an individual named Grzegorz Brz\u0119czyszczykiewicz<\/em> (spelled approximately \u201cG(r)zhego(r)zh B(r)zhechishchikevich\u201d) suspected that he was a victim of a malicious attack after he has inserted into his CD-Rom a CD with pictures sent to him from a scientific conference in Houston, he was participating in.<\/p>\n

His name has been changed for confidentiality reasons. It\u2019s been chosen from this flick:<\/p>\n