Admin | Monday, August 31, 2020
US warns of BeagleBoyz, says group targets banks in Nigeria, others for financial crimes
WASHINGTON – The United States has issued a cybercrime alert warning of BeagleBoyz, a North Korean state hacking team it says has targeted banks in Nigeria and other countries for financial crimes.
In the alert, titled “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks” and published through CISA’s National Cyber Awareness System, the US said the group has likely targeted financial institutions in Argentina, Brazil, Bangladesh, Bosnia and Herzegovina, Bulgaria, Chile, Costa Rica, Ecuador, Ghana, India, Indonesia, Japan, Jordan, Kenya, Kuwait, Malaysia, Malta, Mexico, Mozambique, Nepal, Nicaragua, Nigeria, Pakistan, Panama, Peru, the Philippines, Singapore, South Africa, South Korea, Spain, Taiwan, Tanzania, Togo, Turkey, Uganda, Uruguay, Vietnam and Zambia from 2015 through 2020.
According to the FBI, the joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM).
“Working with U.S. government partners, CISA, Treasury, FBI, and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme—referred to by the U.S. Government as ‘FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks’,” the alert said.
According to the report, since February 2020, North Korea has resumed targeting banks in multiple countries to initiate fraudulent international money transfers and ATM cash outs.
“The recent resurgence follows a lull in bank targeting since late 2019. This advisory provides an overview of North Korea’s extensive, global cyber-enabled bank robbery scheme”, the report said, warning that North Korea’s intelligence apparatus controls a hacking team dedicated to robbing banks through remote internet access.
“To differentiate methods from other North Korean malicious cyber activity, the U.S. Government refers to this team as BeagleBoyz, who represent a subset of HIDDEN COBRA activity. The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima and are responsible for the FASTCash ATM cash outs reported in October 2018, fraudulent abuse of compromised bank-operated SWIFT system endpoints since at least 2015, and lucrative cryptocurrency thefts.
“This illicit behavior has been identified by the United Nations (UN) DPRK Panel of Experts as evasion of UN Security Council resolutions, as it generates substantial revenue for North Korea. North Korea can use these funds for its UN-prohibited nuclear weapons and ballistic missile programs. Additionally, this activity poses significant operational risk to the Financial Services sector and erodes the integrity of the financial system”, the report added.
According to the United States, the BeagleBoyz’ bank robberies pose severe operational risk for individual firms beyond reputational harm and financial loss from theft and recovery costs.
“The BeagleBoyz have attempted to steal nearly $2 billion since at least 2015, according to public estimates … these malicious actors have manipulated and, at times, rendered inoperable, critical computer systems at banks and other financial institutions. In 2018, a bank in Africa could not resume normal ATM or point of sale services for its customers for almost two months following an attempted FASTCash incident.
“The BeagleBoyz often put destructive anti-forensic tools onto computer networks of victim institutions. Additionally, in 2018, they deployed wiper malware against a bank in Chile that crashed thousands of computers and servers to distract from efforts to send fraudulent messages from the bank’s compromised SWIFT terminal.
“North Korea’s widespread international bank robbery scheme that exploits critical banking systems may erode confidence in those systems and presents risks to financial institutions across the world. Any BeagleBoyz robbery directed at one bank implicates many other financial services firms in both the theft and the flow of illicit funds back to North Korea. BeagleBoyz activity fits a known North Korean pattern of abusing the international financial system for profit”, the alert said.
The alert added that fraudulent ATM cash outs have affected upwards of 30 countries in a single incident, and that the conspirators have withdrawn cash from ATMs operated by various unwitting banks in multiple countries, including in the United States.
“The BeagleBoyz also use unwitting banks, including banks in the United States, for their SWIFT fraud scheme. These banks are custodians of accounts belonging to victim banks or unknowingly serve as a pass-through for the fraud. Most infamously, the BeagleBoyz stole $81 million from the Bank of Bangladesh in 2016. The Federal Reserve Bank of New York stopped the remainder of this attempted $1 billion theft after detecting anomalies in the transfer instructions they had received”, the report added.
The alert noted that North Korea’s BeagleBoyz are responsible for the sophisticated cyber-enabled ATM cash-out campaigns identified publicly as “FASTCash” in October 2018, and that since 2016 the BeagleBoyz have perpetrated the FASTCash scheme by targeting banks’ retail payment system infrastructure, i.e., the switch application servers that process International Organization for Standardization (ISO) 8583 messages, the standard for financial transaction messaging.
It added that since the publication in October 2018, there have been two particularly significant developments in the campaign: (1) the capability to conduct the FASTCash scheme against banks hosting their switch applications on Windows servers, and (2) an expansion of the FASTCash campaign to target interbank payment processors.
In October 2018, the U.S. Government identified malware used in the FASTCash scheme that has the capability to manipulate AIX servers running a bank’s switch application to intercept financial request messages and reply with fraudulent, but legitimate-looking, affirmative response messages to enable extensive ATM cash outs. The U.S. Government has since identified functionally equivalent malware for the Windows operating system.
The BeagleBoyz initially targeted switch applications at individual banks with FASTCash malware but, more recently, have targeted at least two regional interbank payment processors. “This suggests the BeagleBoyz are exploring upstream opportunities in the payments ecosystem”, the report noted.
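The FASTCash mechanism described above, an implant on the switch answering authorization requests with approvals the issuer never produced, points to a reconciliation check against a second source of truth. The following is an added example, not code from the advisory: it parses a simplified ASCII ISO 8583 subset (MTI, primary bitmap, and data elements 2, 3, 4, 11, 39 and 41), pairs 0200 requests with 0210 responses seen at the switch, and reports approvals that the core banking records would not support. The field layout, the account table and the messages are all constructed for the example; a production switch uses a larger element set and binary or secondary bitmaps, which this parser deliberately rejects rather than guesses at.

```python
"""Reconcile a switch's ISO 8583 authorization traffic against the issuer's
own account records. A FASTCash-style implant answers 0200 withdrawal
requests with approving 0210 responses the core banking system never
produced, so approvals the issuer would have declined are the signal.
Added example: simplified ASCII ISO 8583 subset; accounts and messages
are constructed, not real traffic."""

# Data elements this example understands.
# ("fixed", n): n ASCII characters; ("llvar",): 2-digit length prefix, then data.
FIELD_SPEC = {
    2: ("llvar",),      # Primary account number (PAN)
    3: ("fixed", 6),    # Processing code; 01xxxx = cash withdrawal
    4: ("fixed", 12),   # Amount in minor units, zero-padded
    11: ("fixed", 6),   # System trace audit number (STAN)
    39: ("fixed", 2),   # Response code; "00" = approved
    41: ("fixed", 8),   # Card acceptor terminal ID
}


def build_iso8583(mti: str, fields: dict) -> str:
    """Serialize MTI + primary bitmap (16 hex chars) + fields in DE order."""
    bitmap, body = 0, ""
    for de in sorted(fields):
        kind, value = FIELD_SPEC[de], fields[de]
        if kind[0] == "llvar":
            body += f"{len(value):02d}{value}"
        else:
            if len(value) != kind[1]:
                raise ValueError(f"DE{de} must be {kind[1]} chars")
            body += value
        bitmap |= 1 << (64 - de)          # bit 1 is the most significant bit
    return f"{mti}{bitmap:016X}{body}"


def parse_iso8583(msg: str) -> dict:
    """Inverse of build_iso8583; rejects secondary bitmaps and unknown DEs."""
    mti, bitmap_hex, body = msg[:4], msg[4:20], msg[20:]
    bits = bin(int(bitmap_hex, 16))[2:].zfill(64)
    if bits[0] == "1":
        raise ValueError("secondary bitmap not supported in this example")
    fields, pos = {"MTI": mti}, 0
    for de in range(2, 65):
        if bits[de - 1] != "1":
            continue
        kind = FIELD_SPEC.get(de)
        if kind is None:
            raise ValueError(f"DE{de} present but not in FIELD_SPEC")
        if kind[0] == "llvar":
            length, pos = int(body[pos:pos + 2]), pos + 2
        else:
            length = kind[1]
        fields[de] = body[pos:pos + length]
        pos += length
    if pos != len(body):
        raise ValueError("message length does not match bitmap")
    return fields


# Constructed core-banking view of the cards seen in the sample traffic.
ACCOUNTS = {
    "4000123412341234": {"balance_minor": 1_500_000, "status": "active"},
    "4000999988887777": {"balance_minor": 0, "status": "closed"},
}


def issuer_decision(request: dict) -> str:
    """Response code the core banking system would have returned."""
    account = ACCOUNTS.get(request[2])
    if account is None or account["status"] != "active":
        return "14"                         # invalid card number
    if not request[3].startswith("01"):
        return "12"                         # only withdrawals handled here
    if int(request[4]) > account["balance_minor"]:
        return "51"                         # insufficient funds
    return "00"


def find_injected_approvals(switch_log: list) -> list:
    """Pair 0200 requests with 0210 responses on (STAN, terminal) and report
    approvals that contradict the issuer's records, plus orphan responses."""
    pending, findings = {}, []
    for raw in switch_log:
        msg = parse_iso8583(raw)
        key = (msg[11], msg[41])
        if msg["MTI"] == "0200":
            pending[key] = msg
        elif msg["MTI"] == "0210":
            request = pending.pop(key, None)
            if request is None:
                findings.append(f"STAN {msg[11]}: 0210 with no matching 0200")
                continue
            expected = issuer_decision(request)
            if msg[39] == "00" and expected != "00":
                findings.append(
                    f"STAN {msg[11]}: terminal {msg[41]} approved {int(request[4])} "
                    f"minor units on PAN ...{request[2][-4:]}; issuer would return {expected}")
    return findings


def sample_switch_log() -> list:
    """Constructed traffic: a genuine approval, a genuine decline, and one
    FASTCash-style approval for a closed card."""
    def pair(stan, term, pan, amount, rc):
        req = {2: pan, 3: "010000", 4: amount, 11: stan, 41: term}
        return [build_iso8583("0200", req), build_iso8583("0210", {**req, 39: rc})]
    return (pair("000001", "ATM00001", "4000123412341234", "000000005000", "00")
            + pair("000002", "ATM00001", "4000123412341234", "000005000000", "51")
            + pair("000003", "ATM00002", "4000999988887777", "000000900000", "00"))


if __name__ == "__main__":
    for finding in find_injected_approvals(sample_switch_log()):
        print(finding)
```

The point of the design is that the reconciliation uses the core banking ledger, not the switch’s own logs, as the reference: once the switch server is compromised, anything it records about its own responses is under the intruder’s control.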
Presenting the profile of the group, the US identified BeagleBoyz as an element of the North Korean government’s Reconnaissance General Bureau, which has likely been active since at least 2014.
“As opposed to typical cybercrime, the group likely conducts well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities. Their malicious cyber operations have netted hundreds of millions of U.S. dollars and are likely a major source of funding for the North Korean regime. The group has always used a calculated approach, which allows them to sharpen their tactics, techniques, and procedures while evading detection. Over time, their operations have become increasingly complex and destructive. The tools and implants employed by this group are consistently complex and demonstrate a strong focus on effectiveness and operational security”, the alert noted.
The BeagleBoyz, the US said, overlap to varying degrees with groups tracked by the cybersecurity industry as APT38 (FireEye), Bluenoroff (Kaspersky), Lazarus Group (ESTSecurity), and Stardust Chollima (CrowdStrike).
The BeagleBoyz, it added, use a variety of tools and techniques to gain access to a financial institution’s network, learn the topology to discover key systems, and monetize their access. They have used a variety of techniques, such as spearphishing and watering holes, to enable initial access into targeted financial institutions.
“Towards the end of 2018 through 2019 and in early 2020, the BeagleBoyz demonstrated the use of social engineering tactics by carrying out job-application themed phishing attacks using the following publicly available malicious files:
MD5: b484b0dff093f358897486b58266d069
MD5: f34b72471a205c4eee5221ab9a349c55
MD5: 4c26b2d0e5cd3bfe0a3d07c4b85909a4
MD5: 52ec074d8cb8243976963674dd40ffe7
MD5: d1d779314250fab284fd348888c2f955
MD5: 41fd85ff44107e4604db2f00e911a766
MD5: cf733e719e9677ebfbc84a3ab08dd0dc
MD5: 01d397df2a1cf1d4c8e3615b7064856c
“The BeagleBoyz may also be working with or contracting out to criminal hacking groups, like TA505, for initial access development”, the alert noted, adding that the third party typically uses commodity malware to establish initial access on a victim’s network and then turns over the access to the BeagleBoyz for follow-on exploitation, which may not occur until months later.
The BeagleBoyz have also used the following techniques to gain an initial foothold on a targeted computer network (Initial Access [TA0001]):
- Email an attachment with malware to a specific individual, company, or industry (Phishing: Spearphishing Attachment [T1566.001])
- Compromise a website visited by users in specific communities, industries, or regions (Drive-by Compromise [T1189])
- Exploit a weakness (a bug, glitch, or design vulnerability) in an internet-facing computer system (such as a database or web server) (Exploit Public-Facing Application [T1190])
- Steal the credentials of a specific user or service account to bypass access controls and gain increased privileges (Valid Accounts [T1078])
- Breach organizations that have access to the intended victim’s organization and exploit their trusted relationship (Trusted Relationship [T1199])
- Use remote services to initially access and persist within a victim’s network (External Remote Services [T1133])
On execution, the alert said the BeagleBoyz selectively exploit victim computer systems after initially compromising a computer connected to a financial institution’s corporate network.
“After gaining initial access to a financial institution’s corporate network, the BeagleBoyz are selective in which victim systems they further exploit. The BeagleBoyz use a variety of techniques to run their code on local and remote victim systems (Execution [TA0002])”, the report said, listing the following:
- Use command-line interfaces to interact with systems and execute other software (Command and Scripting Interpreter [T1059])
- Use scripts (e.g., VBScript and PowerShell) to speed up operational tasks, reduce the time required to gain access to critical resources, and bypass process monitoring mechanisms by directly interacting with the operating system (OS) at an Application Programming Interface (API) level instead of calling other programs (Command and Scripting Interpreter: PowerShell [T1059.001], Command and Scripting Interpreter: Visual Basic [T1059.005])
- Rely upon specific user actions, such as opening a malicious email attachment (User Execution [T1204])
- Exploit software vulnerabilities to execute code on a system (Exploitation for Client Execution [T1203])
- Create new services or modify existing services to execute executables, commands, or scripts (System Services: Service Execution [T1569.002])
- Employ the Windows module loader to load Dynamic Link Libraries (DLLs) from arbitrary local paths or arbitrary Universal Naming Convention (UNC) network paths and execute arbitrary code on a system (Shared Modules [T1129])
- Use the Windows API to execute arbitrary code on the victim’s system (Native API [T1106])
- Use a system’s graphical user interface (GUI) to search for information and execute files (Remote Services [T1021])
- Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution for lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task/Job [T1053])
- Abuse compiled Hypertext Markup Language (HTML) files (.chm), commonly distributed as part of the Microsoft HTML Help system, to conceal malicious code (Signed Binary Proxy Execution: Compiled HTML File [T1218.001])
- Abuse Windows rundll32.exe to execute binaries, scripts, and Control Panel Item files (.CPL) and execute code via proxy to avoid triggering security tools (Signed Binary Proxy Execution: Rundll32 [T1218.011])
- Exploit cron in Linux and launchd in macOS systems to create pre-scheduled and periodic background jobs (Scheduled Task/Job: Cron [T1053.003], Scheduled Task/Job: Launchd [T1053.004])
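Several of the execution techniques above (rundll32.exe proxying, .chm files opened by the HTML Help engine, and scripts run through PowerShell) leave a trace in Windows process-creation telemetry. The following is an added example, not code from the advisory: detection logic run over a handful of constructed Security event 4688-style lines written in a simple key=value form. The field names NewProcessName, CommandLine and SubjectUserName follow the real event, but the line format, user names, paths and the encoded PowerShell string are made up. It flags rundll32 loading a module that is not a .dll or that sits in a user-writable or UNC path, hh.exe opening a .chm from a user-writable path, and PowerShell invoked with an encoded command.

```python
"""Flag proxy-execution patterns from the BeagleBoyz execution list in
Windows 4688-style process-creation events. Added example, not advisory
code; the sample log lines are constructed."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str
    user: str
    command_line: str


# Locations a Windows component should not be loading code from.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|\\temp\\|\\programdata\\|^\\\\",
    re.IGNORECASE,
)
# First argument to rundll32: the module, quoted or up to the first space/comma.
RUNDLL_MODULE = re.compile(r'rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.IGNORECASE)
# Any accepted abbreviation of -EncodedCommand used as a standalone switch.
PS_ENCODED = re.compile(r"\s-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedcommand)\s",
                        re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Parse the constructed 'Key=Value;Key=Value' line format."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)


def inspect(event: dict) -> list:
    """Apply the three proxy-execution rules to one parsed event."""
    image = event.get("NewProcessName", "").lower()
    cmd = event.get("CommandLine", "")
    user = event.get("SubjectUserName", "?")
    findings = []
    if image.endswith("\\rundll32.exe"):
        m = RUNDLL_MODULE.search(cmd)
        module = (m.group(1) or m.group(2)) if m else ""
        if not module.lower().endswith(".dll") or USER_WRITABLE.search(module):
            findings.append(Finding(
                "rundll32: module is not a .dll or lives in a user-writable/UNC path", user, cmd))
    if image.endswith("\\hh.exe") and USER_WRITABLE.search(cmd):
        findings.append(Finding("hh.exe: .chm opened from a user-writable path", user, cmd))
    if image.endswith("\\powershell.exe") and PS_ENCODED.search(f" {cmd} "):
        findings.append(Finding("powershell: encoded command", user, cmd))
    return findings


def scan(lines: list) -> list:
    return [f for line in lines for f in inspect(parse_event(line))]


# Constructed 4688-style events: one benign rundll32, one benign PowerShell,
# and three that match the rules.
SAMPLE_4688 = [
    "SubjectUserName=alice;NewProcessName=C:\\Windows\\System32\\rundll32.exe;"
    "CommandLine=rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
    "SubjectUserName=alice;NewProcessName=C:\\Windows\\System32\\rundll32.exe;"
    "CommandLine=rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\stage.dat,Start",
    "SubjectUserName=bob;NewProcessName=C:\\Windows\\hh.exe;"
    "CommandLine=\"C:\\Windows\\hh.exe\" C:\\Users\\bob\\Downloads\\Job_Application.chm",
    "SubjectUserName=bob;NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;"
    "CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
    "SubjectUserName=svc_backup;NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;"
    "CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_4688):
        print(f"[{finding.user}] {finding.rule}: {finding.command_line}")
```

The rules are deliberately about where code is loaded from rather than about specific file names, since the advisory’s point is that these are legitimate, signed Windows binaries being used as proxies; the signal is the module path or the argument shape, not the process image.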
The BeagleBoyz use many techniques to maintain access on compromised networks through system restarts, changed credentials, and other interruptions that could affect their access (Persistence [TA0003]). According to the alert, they:
- Add an entry to the “run keys” in the Registry or an executable to the startup folder to execute malware as the user logs in under the context of the user’s associated permissions levels (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001])
- Install a new service that can be configured to execute at startup using utilities to interact with services or by directly modifying the Registry (Create or Modify System Process: Windows Service [T1543.003])
- Compromise an openly accessible web server with a web script (known as a web shell) to use the web server as a gateway into a network and to serve as a redundant access or persistence mechanism (Server Software Component: Web Shell [T1505.003])
- Manipulate accounts (e.g., modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed) to maintain access to credentials and certain permission levels within an environment (Account Manipulation [T1098])
- Steal the credentials of a specific user or service account to bypass access controls and retain access to remote systems and externally available services (Valid Accounts [T1078])
- Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution for lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task/Job [T1053])
- Abuse the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence (Hijack Execution Flow: DLL Search Order Hijacking [T1574.001])
- Exploit hooking to load and execute malicious code within the context of another process to mask the execution, allow access to the process’s memory, and, possibly, gain elevated privileges (Input Capture: Credential API Hooking [T1056.004])
- Use remote services to persist within a victim’s network (External Remote Services [T1133])
The BeagleBoyz often seek access to financial institutions’ systems that have tiered user and system accounts with customized privileges. The BeagleBoyz must overcome these restrictions to access necessary systems, monitor normal user behavior, and install and execute additional malicious tools. To do so, the BeagleBoyz have used the following techniques to gain higher-level permissions on a system or network (Privilege Escalation [TA0004]):
- Inject code into processes to evade process-based defenses and elevate privileges (Process Injection [T1055])
- Install a new service that can be configured to execute at startup using utilities to interact with services or by directly modifying the Registry (Create or Modify System Process: Windows Service [T1543.003])
- Compromise an openly accessible web server with a web shell to use the web server as a gateway into a network (Server Software Component: Web Shell [T1505.003])
- Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution as part of lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task/Job [T1053])
- Steal the credentials of a specific user or service account to bypass access controls and grant increased privileges (Valid Accounts [T1078])
- Exploit hooking to load and execute malicious code within the context of another process to mask the execution, allow access to the process’s memory, and, possibly, gain elevated privileges (Input Capture: Credential API Hooking [T1056.004])
- Perform sudo (sometimes referred to as “super user do”) caching or use the sudoers file to elevate privileges in Linux and macOS systems (Abuse Elevation Control Mechanism: Sudo and Sudo Caching [T1548.003])
- Execute malicious payloads by hijacking the search order used to load DLLs (Hijack Execution Flow: DLL Search Order Hijacking [T1574.001])
According to the alert, throughout their exploitation of a financial institution’s computer network, the BeagleBoyz have used different techniques to avoid detection by OS security features, system and network security software, and system audits (Defense Evasion [TA0005]). The techniques listed include:
- Exploit code signing certificates to masquerade malware and tools as legitimate binaries and bypass security policies that allow only signed binaries to execute on a system (Subvert Trust Controls: Code Signing [T1553.002])
- Remove malware, tools, or other non-native files dropped or created throughout an intrusion to reduce their footprint or as part of the post-intrusion cleanup process (Indicator Removal on Host: File Deletion [T1070.004])
- Inject code into processes to evade process-based defenses (Process Injection [T1055])
- Use scripts (such as VBScript and PowerShell) to bypass process monitoring mechanisms by directly interacting with the OS at an API level instead of calling other programs (Command and Scripting Interpreter: PowerShell [T1059.001], Command and Scripting Interpreter: Visual Basic [T1059.005])
- Attempt to make an executable or file challenging to discover or analyze by encrypting, encoding, or obfuscating its contents on the system or in transit (Obfuscated Files or Information [T1027])
- Use external, previously compromised web services to relay commands to a victim system (Web Service [T1102])
- Use software packing to change the file signature, bypass signature-based detection, and decompress the executable code in memory (Obfuscated Files or Information: Software Packing [T1027.002])
- Use obfuscated files or information to hide intrusion artifacts (Deobfuscate/Decode Files or Information [T1140])
- Modify the data timestamps (the modify, access, create, and change time fields) to mimic files that are in the same folder, making them appear inconspicuous to forensic analysts or file analysis tools (Indicator Removal on Host: Timestomp [T1070.006])
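The timestamp manipulation described above is worth a concrete check. The following is an added example, not code from the advisory: a heuristic sweep that flags files whose modification or access time has a zero fractional-second part, because many timestomping tools write whole-second values, which stand out on a filesystem that stores nanosecond timestamps. The directory, the file names and the “stomped” file are constructed for the demo. The caveat a practitioner should keep in mind: this misses tools that copy a neighbour’s full nanosecond timestamps, and on NTFS the authoritative comparison is between the $STANDARD_INFORMATION and $FILE_NAME attributes, which this example does not read.

```python
"""Heuristic sweep for timestomped files. Many timestamp-manipulation tools
write whole-second values, so on a filesystem that stores nanoseconds a
file with a .000000000 fraction stands out. Added example, not advisory
code; the directory and files in demo() are constructed."""
import os
import tempfile
from pathlib import Path

NS_PER_SECOND = 1_000_000_000


def whole_second_times(st: os.stat_result) -> bool:
    """True when mtime or atime carries no fractional-second component."""
    return (st.st_mtime_ns % NS_PER_SECOND == 0
            or st.st_atime_ns % NS_PER_SECOND == 0)


def has_subsecond_resolution(directory: Path) -> bool:
    """Probe with a fresh file: on a 1-second filesystem every file would
    trip the heuristic, so it must be switched off there."""
    with tempfile.NamedTemporaryFile(dir=directory) as probe:
        return not whole_second_times(os.stat(probe.name))


def find_suspect_timestamps(directory) -> list:
    """Return files under directory whose mtime or atime is a whole second."""
    directory = Path(directory)
    if not has_subsecond_resolution(directory):
        return []
    return sorted(p for p in directory.rglob("*")
                  if p.is_file() and whole_second_times(p.stat()))


def demo() -> tuple:
    """Two constructed files; the second is 'stomped' onto the first file's
    second boundary, the way a dropped binary is blended in with neighbours."""
    root = Path(tempfile.mkdtemp())
    legit = root / "quarterly_report.xlsx"
    legit.write_bytes(b"constructed legitimate file")
    dropped = root / "msupdate.dll"
    dropped.write_bytes(b"constructed dropped file")
    whole = legit.stat().st_mtime_ns // NS_PER_SECOND * NS_PER_SECOND
    os.utime(dropped, ns=(whole, whole))   # same second as the neighbour, zero fraction
    return find_suspect_timestamps(root), legit, dropped


if __name__ == "__main__":
    flagged, _, _ = demo()
    for path in flagged:
        print("whole-second timestamps:", path)
```

Run it against a real directory with find_suspect_timestamps(path); treat a hit as a lead to be confirmed against filesystem metadata the attacker cannot set from user space (journal entries, the NTFS $FILE_NAME attribute, or USN records), not as proof by itself.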
Also listed under defense evasion:
- Abuse Windows utilities to implement arbitrary execution commands and subvert detection and mitigation controls (such as Group Policy) that limit or prevent the usage of cmd.exe or file extensions commonly associated with malicious payloads (Indirect Command Execution [T1202])
- Use various methods to prevent their commands from appearing in logs and clear command history to remove activity traces (Indicator Removal on Host: Clear Command History [T1070.003])
- Disable security tools to avoid possible detection of tools and events (Impair Defenses: Disable or Modify Tools [T1562.001])
- Steal the credentials of a specific user or service account to bypass access controls and grant increased privileges (Valid Accounts [T1078])
The full alert is available at https://us-cert.cisa.gov/ncas/alerts/aa20-239a