The United States Computer Emergency Readiness Team (US-CERT), in collaboration with the Department of Homeland Security (DHS), the FBI, and the Treasury, has issued a technical alert regarding a rising threat from the North Korean Advanced Persistent Threat (APT) group known as Hidden Cobra. This group, also referred to as the Lazarus Group, has gained notoriety for conducting cyberattacks against various sectors, including media, finance, and critical infrastructure globally.
Hidden Cobra, believed to be state-sponsored, has executed significant cyber operations in the past, including the infamous WannaCry ransomware attack, which disrupted hospitals and major corporations worldwide. Additionally, they were implicated in the SWIFT banking system breaches and the cyber assault on Sony Pictures in 2014.
Recently, authorities detailed a new cyber exploitation scheme named “FASTCash,” employed by Hidden Cobra since at least 2016, targeted primarily at extracting cash from ATMs through server compromises at financial institutions. The technical alert indicates that the hackers manipulate payment switch application servers that facilitate transactions at ATMs and point-of-sale systems.
In essence, these switch application servers are crucial components that validate users’ bank account information during transactions. By successfully breaching these servers, Hidden Cobra attackers have gained the means to execute fraudulent transactions without proper verification of account balances. Their methods involve deploying malware that intercepts transaction requests, allowing cash withdrawals from ATMs, often without alerting the banks involved.
Investigations revealed that the threat actors are capable of facilitating simultaneous cash withdrawals from ATMs in multiple locations, leading to substantial financial losses. In one notable instance in 2017, they managed to withdraw cash from ATMs across 30 different countries. The scale and sophistication of their operations indicate extensive planning and execution.
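The two signals described above (switch approvals that the core banking host would never have verified, and one account cashing out across many countries within minutes) can be reconciled offline from switch and core-banking logs. The following detection logic is an added example, not code from US-CERT or the alert; the record format, field names and values are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: ATM withdrawals the payment switch approved,
# joined with the core banking host's view of the account at that moment.
# Fields: (account, country, time, amount, core_balance, core_knows_account)
SWITCH_APPROVALS = [
    ("ACCT-0001", "US", "2017-10-01T02:00:05", 200.0, 1500.0, True),
    ("ACCT-0002", "US", "2017-10-01T02:00:10", 500.0, 120.0, True),   # exceeds balance
    ("ACCT-0003", "KR", "2017-10-01T02:00:12", 300.0, None, False),   # unknown to core
    ("ACCT-0003", "JP", "2017-10-01T02:00:40", 300.0, None, False),
    ("ACCT-0003", "DE", "2017-10-01T02:01:05", 300.0, None, False),
    ("ACCT-0003", "BR", "2017-10-01T02:01:30", 300.0, None, False),
]

def approvals_without_verification(records):
    """Approvals the switch returned that the core host would have declined:
    the account is unknown to the core, or the amount exceeds its balance."""
    flagged = []
    for acct, _country, ts, amount, balance, known in records:
        if not known:
            flagged.append((acct, ts, "account unknown to core banking host"))
        elif amount > balance:
            flagged.append((acct, ts, "amount exceeds available balance"))
    return flagged

def multi_country_bursts(records, window=timedelta(minutes=10), min_countries=3):
    """Accounts whose approved withdrawals span at least min_countries distinct
    countries inside a sliding time window starting at each event; one card
    being used on several continents within minutes is not physically possible."""
    by_acct = defaultdict(list)
    for acct, country, ts, *_ in records:
        by_acct[acct].append((datetime.fromisoformat(ts), country))
    hits = {}
    for acct, events in by_acct.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - t0 <= window}
            if len(countries) >= min_countries:
                hits[acct] = sorted(countries)
                break
    return hits

if __name__ == "__main__":
    for hit in approvals_without_verification(SWITCH_APPROVALS):
        print("unverified approval:", hit)
    for acct, countries in multi_country_bursts(SWITCH_APPROVALS).items():
        print("multi-country burst:", acct, countries)
```

In a real deployment the join between switch approvals and the core host's authorization records is the expensive part; the checks above assume that join has already been done.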
While the precise method of initial infiltration into bank networks remains unclear, U.S. authorities suspect that spear-phishing techniques targeting bank employees using malicious email attachments could be the entry point. Once compromised, these networks allow lateral movement and the deployment of malware necessary to target critical switch application servers.
Many of the compromised servers were found to be running outdated, unsupported versions of the IBM Advanced Interactive eXecutive (AIX) operating system. Investigators have not, however, identified the specific exploits used to compromise these systems. Running unsupported software on transaction-critical servers nonetheless points to a significant failure in network security practices and underlines the need for stronger cybersecurity measures.
US-CERT has recommended stringent security practices, including the implementation of two-factor authentication for all access to switch application servers and adherence to best practices for network security. They have also made available indicators of compromise (IOCs) to aid organizations in fortifying their defenses against such advanced threats.
The threat landscape is further compounded by the variety of malware associated with Hidden Cobra, including Remote Access Trojans and DDoS tools, highlighting the need for continuous vigilance in cybersecurity strategy and risk management.
As the situation evolves, U.S. authorities continue to monitor and investigate these cyber incidents, ensuring that businesses and financial institutions remain aware of the tactics and techniques used in these sophisticated attacks. Understanding the MITRE ATT&CK framework, including tactics like initial access and privilege escalation, is essential for organizations to prepare their defenses effectively against such evolving threats.