Attacks on contracting banks: Cobalt's new approach

Phishing emails remain an effective way into a bank's information infrastructure. Intruders used to spoof a sender address; now they have a new game plan: they compromise suppliers and partners and use the hacked accounts of real employees to continue an attack against financial organizations. They also send malware under the guise of bank notifications and target both the personal and the work email of bank employees.

This was revealed in Positive Technologies' new report on the activities of Cobalt, a cybercriminal group. The group became known in 2016 after attacking a number of banks in the CIS and Eastern Europe. Cobalt attacks begin with targeted phishing emails to bank employees. When an employee opens a malicious attachment, his or her computer is infected; the attackers then move through the bank's internal network until they reach the ATM control systems, from which large sums of money can be stolen.

The group's activity was exposed in 2016 following an investigation in which Positive Technologies took part. After the investigation, Russia's FinCERT began notifying financial companies. This has not stopped the criminals: they have responded with more sophisticated attacks. Here are some specific Cobalt techniques identified by Positive Technologies experts in 2017:

  • Fake domains. Once most phishing emails from spoofed addresses were being blocked by spam filters, the attackers began registering lookalike domains, spelled similarly to the addresses of bona fide organizations. Today, thanks to the joint efforts of Positive Technologies specialists and industry regulators, all phishing domains detected in the .ru zone, and most in other regions, have been removed from delegation.
  • Attacks via contractors. In 2017, Cobalt began attacking companies that work with banks and sending phishing emails from their infrastructure, using the accounts and email addresses of real employees. Because the message arrives from a genuine partner account, the recipient is far more likely to trust it. The success of such an attack also depends on the email's subject: in early 2017, 60 percent of emails from Cobalt concerned terms of collaboration between banks and contractors.
  • Expanding attack geography. In 2017, Cobalt's list of targets in the CIS, Eastern Europe, and Southeast Asia was extended to companies in Western Europe and North and South America. Seventy-five percent of the targeted companies were financial organizations; the rest were government bodies, telecoms, service and entertainment companies, and others, which are believed to be intermediate steps in the attack path.
  • Emails from the addresses of information security regulators. Such emails were sent from fake domains imitating, in particular, the VISA and Mastercard payment systems, FinCERT (the Russian Central Bank's service), and the National Bank of Kazakhstan.
  • Emails to employees' personal addresses, not only corporate ones. The emails are timed to arrive during the recipients' working hours, on the assumption that a user checking personal email at work will open the attachment on the office computer and infect it.
  • Use of the latest version of Microsoft Word Intruder (MWI 8) to create documents that exploit CVE-2017-0199. Cobalt was among the first to gain access to the limited version of this exploit builder, which suggests a connection between the attackers and the builder's developer.
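The lookalike-domain and spoofed-regulator items above describe a sender-side signal a mail gateway can check before a user ever sees the message. The script below is an added example written for this page, not code from Positive Technologies or from the report: it extracts the sender domain from a From header, folds common homoglyphs and typosquats, and classifies the domain against an allowlist. The trusted domains, the homoglyph table and the sample headers are all constructed for illustration and are not real indicators from the report.

```python
"""Classify sender domains as trusted, lookalike, or unlisted.

Added example for illustration only. TRUSTED_DOMAINS, HOMOGLYPHS and
SAMPLE_FROM_HEADERS are constructed and are not indicators from the report.
"""
import re
import unicodedata

# Constructed allowlist: domains the gateway treats as genuine senders.
TRUSTED_DOMAINS = {"examplebank.ru", "fincert.example", "payments.example"}

# Assumed substitutions seen in lookalike domains (not exhaustive). Multi-character
# sequences are folded before single characters so 'rn' -> 'm' runs first.
HOMOGLYPHS = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",   # Cyrillic с х у і
}


def normalise(domain: str) -> str:
    """Lower-case, strip diacritics and fold homoglyphs, so that
    'payrnents.example' and 'fіncert.example' (Cyrillic і) match their targets."""
    d = unicodedata.normalize("NFKD", domain.strip().lower().rstrip("."))
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the domain part of a From header value, or '' if there is none."""
    m = re.search(r"@([^\s>]+)", from_header)
    return m.group(1).rstrip(".").lower() if m else ""


def classify(domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Verdict string: trusted, homoglyph:<t>, typosquat:<t>, brand-in-name:<t> or unlisted."""
    if not domain:
        return "no-domain"
    if domain in trusted:
        return "trusted"
    norm = normalise(domain)
    # 1. Exact match after folding homoglyphs (highest confidence).
    for t in sorted(trusted):
        if norm == normalise(t):
            return f"homoglyph:{t}"
    # 2. A couple of edits away from a trusted domain (typosquat).
    for t in sorted(trusted):
        if levenshtein(norm, normalise(t)) <= max_dist:
            return f"typosquat:{t}"
    # 3. Trusted brand label embedded in a longer name, e.g. examplebank-secure.com
    #    or examplebank.ru.attacker.example (lower confidence, review manually).
    for t in sorted(trusted):
        if t.split(".")[0] in norm:
            return f"brand-in-name:{t}"
    return "unlisted"


# Constructed sample headers; the last one models the contractor case, where a
# real partner account has been compromised and the domain is genuine.
SAMPLE_FROM_HEADERS = [
    "Alerts <alerts@examplebank.ru>",
    "FinCERT <noreply@f1ncert.example>",
    "FinCERT <noreply@f\u0456ncert.example>",
    "Payments <support@payrnents.example>",
    "Security <security@examplebank-secure.com>",
    "Partner <ivanov@contractor.example>",
]


def triage(headers=SAMPLE_FROM_HEADERS):
    """Return (domain, verdict) pairs for a batch of From headers."""
    return [(sender_domain(h), classify(sender_domain(h))) for h in headers]


if __name__ == "__main__":
    for domain, verdict in triage():
        print(f"{domain:32} {verdict}")
```

The final sample is the caveat the report is making: mail sent from a compromised contractor account arrives from a genuine domain, passes this check and any SPF/DKIM/DMARC check, and is classified simply as unlisted. Sender-domain checks catch the fake-domain and spoofed-regulator campaigns; the contractor route has to be caught by attachment and content controls and by treating partner mail with the same suspicion as external mail.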

The authors of the study note that it is not yet possible to estimate the actual losses companies suffered from Cobalt's activities in 2017. However, given the worldwide scale of the group's activities, serious consequences for financial organizations in the near future cannot be ruled out.

"In addition to banks that became traditional targets for the Cobalt group, the number of attacked companies now includes other financial organizations: insurance and investment funds, brokers," says Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies. "In 2017, Cobalt started to actively attack contractors in order to use them as a stepping stone to reach their actual target - banks. For example, one known successful attack on a bank was preceded by hacking a CIT company. To clarify, the bank's security system was resistant to penetration, but Cobalt took advantage of contemporary business features, namely the dependence on various contractors, the perimeter of which is weaker."