I’m sure you have all seen or at least heard the recent news concerning
“Carbanak” and the hundreds of millions of dollars stolen directly from banks and financial institutions, possibly upwards of $1 billion . One can’t help but picture Dr. Evil from “Austin Powers” with his pinky up to his lips. Some reports also indicate that most of the compromised banks are outside of the U.S., but nobody is denying that U.S. financial institutions are being targeted by this attack as well.
We know that Dr. Evil had nothing to with this, but we don’t know specifically who is responsible. These crimes are just generally attributed to a “multinational gang of cyber criminals.” Not much to go on, but that is a problem for law enforcement. The problem that we face from this threat is how to effectively defend against it. Based on reports from Kaspersky,
Fox-IT and other security firms who have investigated this attack, we have a fairly good idea of what they did and how they did it.
One aspect of this attack that is different from many previous attacks is that instead of targeting customers and members of financial institutions, they are directly targeting employees of financial institutions. Employees of financial institutions have been targeted before, but this attack represents a massive and very successful shift in technique to access and steal the financial institution’s funds.
However, the techniques used to gain the unauthorized network access have remained largely the same as most other attacks with which we are familiar. They always seem to start with a spear phishing campaign. In this case, the emails most likely contained Microsoft Word documents that had been infected with the Carbanak malware. Based on the reports from the security firms investigating the attacks, the malware targeted well-known Microsoft vulnerabilities for which patches have been available for quite some time, some for well over a year. Some of the affected software is outdated and no longer even supported by Microsoft. The malware installs itself on a vulnerable, unpatched system when a targeted employee opens the email and subsequently opens the infected attachment.
This technique is old hat, tried and true. Unfortunately, it just keeps working, which is why the criminals keep using it. We should be able to defend against and defeat this technique much more effectively than we currently do. The problem is, we still seem to have trouble finding the

resources to dedicate to keeping our employees properly trained and aware of these threats, as well as keeping our systems up-to-date and properly patched.
Here is a quick list of four things your credit union can do to help thwart these types of attacks….

Provide regular security awareness training to your employees.

Put procedures/processes in place to ensure your systems are being patched with the latest security updates for all installed software, including the operating system.

Put procedures/processes in place to ensure your systems have anti-malware software installed and that the systems are being regularly scanned and updated.

Ensure you are conducting vulnerability scanning of your network, from both an external and internal perspective. Externally scanning your network is great, but these types of threats are being introduced directly into your internal network by your employees receiving and opening email. That is why internal scanning is absolutely necessary as well.
There are many more security controls that should also be in place, but the four listed above will get you off to a good start if they are not already established within your credit union. There is no
“silver bullet” for keeping Carbanak or other intruders off of our networks, but we need to do our best to mitigate the risk and keep Dr. Evil and the “multinational gangs of cyber criminals” away from our credit unions’ and our members’ sensitive information and valuable assets.
For additional information on Sollievo and our products/services, please contact our senior consultants at (855) 605-5664 or seniorconsultant@sollievo.com
.
About Richard Carberry
Richard Carberry is senior consultant, information security risk management services for Sollievo. Carberry has over 13 years of experience in the information technology field. Throughout his career, he has been responsible for network and firewall administration, security awareness training, physical and data security, security program development, information security risk assessments, and protecting the confidentiality, integrity, and availability of information systems data.
About Sollievo
Sollievo Group, LLC is a wholly owned CUSO of Mid-Atlantic Corporate Federal Credit Union located in Middletown,
PA. Sollievo (pronunciation: sol ˈ lj ɛ vo), an Italian word that means relief, offers a comprehensive collection of riskmanagement products and services to credit unions. Sollievo’s mission is to provide peace of mind and help meet compliance obligations and improve the overall risk posture of credit unions. Services include enterprise risk management, information security services, training, business continuity services, and more. For more information, please visit www.sollievo.com
.