U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Why Carbanak C&C points to Russia Federal Security Service?

A security researcher at Trend Micro discovered that the malware used by the Carbanak cybergang is using a C&C server linked to the Russian FSB. Maxim Goncharov, security expert at Trend Micro, revealed that one of the most sophisticated malware used by the popular gang Carbanak is now pointing to Russia’s Federal Security Service (FSB). The […]

Why Carbanak C&C points to Russia Federal Security Service?

A security researcher at Trend Micro discovered that the malware used by the Carbanak cybergang is using a C&C server linked to the Russian FSB.

Maxim Goncharov, security expert at Trend Micro, revealed that one of the most sophisticated malware used by the popular gang Carbanak is now pointing to Russia’s Federal Security Service (FSB).

The Carbanak Cybergang is the criminal gang that swiped over $1 Billion from banks worldwide, the experts discovered that the hackers hit more than 100 institutions in 30 countries, the attacks started in 2013 and may still be ongoing.

Goncharov discovered that the Carbanak trojan’s command and control servers are now pointing to the FSB. A few days ago, I received the same information from the malware researcher at RedSocks  that also noticed the thing.

There are several plausible explanations for this, one of them is that malware authors wanted to mock the Russian secret services.

Carbanak cybergang NYT

 

“Yesterday, while checking the indicator of compromise (IOC) data from the Carbanak report, when I noticed that the domain name systemsvc.net (which was identified as a C&C server in the report) now resolves to the IP address 213.24.76.23. When I checked for related information, I found that the said IP is under ASN AS8342 RTCOMM-AS OJSC RTComm.RU and its identified location is Moscow City – Moscow – Federal Security Service Of Russian Federation.” Goncharov reveals in a blog post. “I still do not know why it happened; I do not really think that FSB Russia would point the Carbanak-related domain name to an IP address which is affiliated with Russian Federal Security Service.” “It is also possible that the owner of the domain had done this as a prank.”

carabanak C2

carbanak 23

The attack technique adopted by the Carbanak cybergang is composed of the following phases:

  • The attackers used malicious code to find the employees who were in charge of cash transfer systems or ATMs and to gather information on the internal systems of the banks.
  • In a second phase of the attacks, the hackers installed a remote access tool (RAT) on the machines of those employees. Once they had infected the computers of the personnel in charge of cash transfer systems or ATMs, the attackers collected snapshots of the victims’ screens and studied their daily activities in the bank.
  • In the last phase of the attack, the hackers were able to remotely control the ATMs to dispense money or transfer money to fake accounts.

Experts at Kaspersky that discovered the Carbanak cybergang described the campaign as probably the “most sophisticated attack the world has seen”, due to its very low profile and high impact.

If the campaign was state sponsored, would it be possible that the redirection of C&C domain to the FSB website, is a red herring meant to distract attention from a possible involvement of the Russian Government?

Goncharov promised to update us on its investigation.

Stay Tuned …

Pierluigi Paganini

(Security Affairs – Carbanak Gang, cybercrime)