“Hello darkness, my old friend”—Simon & Garfunkel couldn’t have said it better when it comes to describing ideal conditions for APTs. New targeted attacks against banks in Russia, Armenia, and Malaysia have been detected and attributed to the Silence group. Silence represents an ongoing cybercrime shift from targeting end users (bank account fraud) to carrying out advanced direct attacks against the banks themselves. According to Web India, Silence joins the ranks of the most devastating and complex cyber-robbery operations like Metel, GCMAN, and Carbanak, which succeeded in stealing millions of dollars from financial organizations.
Silence operates under the cover of legitimate users’ email addresses from a bank that is already compromised, sending spear phishing emails to employees at other banks (see diagram below). These emails carry attachments that, once opened, drop a malicious executable to disk; that executable then downloads additional payloads designed to capture screenshots, exfiltrate data, and perform other reconnaissance tasks. Once inside the network, the Silence group monitors victims’ activities, taking screenshots repeatedly to record daily activity on bank employees’ PCs. This consumes very few system resources, so the attacker stays beneath the radar while harvesting credentials and other artifacts that point to the next system worth targeting. Eventually, after gathering enough information, the Silence group uses a PsExec-like tool (winexe) to move laterally within the network toward its objective.
Darkness is indeed the Silence Trojan’s friend, because it needs persistent access to an internal network for a long period of time before it can succeed. As with other APTs, it may be difficult for an organization to prevent the attacker’s initial infiltration; however, the attacker can still be stopped from reaching the crown jewels. This is exactly where deceptions come into play. They can be used to “poison the wells” of information that the Silence group and similar actors rely on to build an accurate picture of a bank’s network. With layers of deceptions planted throughout the environment, the attacker will inevitably “trip” on one and reveal himself. At this point, incident responders can take action.
But with Illusive’s deception solution, incident responders can do more than react. They can act deliberately, because in addition to knowing where the attacker is, they also know how far the attacker is from high-value systems in the environment. So, while detecting the presence of the attacker is the primary objective, deceptions can also power a rich counter-intelligence function. Once the attacker has gained enough information about the bank, he will most likely attempt to move laterally toward a lucrative target, such as SWIFT wire transfer systems, a mainframe, account settlement services, or other high-value systems.
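As an added example (not Illusive’s product code, and not taken from any published Silence analysis), the following Python sketch shows the detection side of the idea described above: decoy accounts that no legitimate process ever uses are planted, logon events are scanned for any use of them, and each hit is scored by how many network hops the attacker’s current position is from a crown-jewel host, so the closest intrusion is triaged first. The decoy names, host names, network adjacency and log lines are all constructed for the illustration and are not real identifiers.

```python
"""Honeytoken-credential detection with attack-path distance.

Added example, not Illusive's code. Everything below (decoy account names,
host names, the network graph and the sample log lines) is hypothetical.
"""
from collections import deque

# Planted decoy credentials (hypothetical). Nothing legitimate ever
# authenticates with these, so any use of them is attacker activity.
DECOY_ACCOUNTS = {"svc_swift_backup", "adm_settlement", "mf_batch_ops"}

# Hypothetical reachability graph: which hosts can open SMB/RDP to which.
NETWORK = {
    "WS-TELLER-14": ["FS-BRANCH-01"],
    "FS-BRANCH-01": ["WS-TELLER-14", "JUMP-OPS-01"],
    "JUMP-OPS-01": ["FS-BRANCH-01", "SWIFT-GW-01", "SETTLE-DB-01"],
    "SWIFT-GW-01": ["JUMP-OPS-01"],
    "SETTLE-DB-01": ["JUMP-OPS-01"],
}
CROWN_JEWELS = {"SWIFT-GW-01", "SETTLE-DB-01"}

# Constructed sample events, shaped like Windows logon events (4624 = success,
# 4625 = failure). Fields: event_id|account|source host|target host|logon type.
SAMPLE_EVENTS = [
    "4624|jsmith|WS-TELLER-14|FS-BRANCH-01|3",
    "4625|svc_swift_backup|WS-TELLER-14|FS-BRANCH-01|3",
    "4624|adm_settlement|FS-BRANCH-01|JUMP-OPS-01|3",
    "4624|jsmith|WS-TELLER-14|WS-TELLER-14|2",
]


def parse_event(line):
    """Split one pipe-delimited sample line into a dict."""
    event_id, account, src, dst, logon_type = line.strip().split("|")
    return {
        "event_id": int(event_id),
        "account": account,
        "src": src,
        "dst": dst,
        "logon_type": int(logon_type),
    }


def hops_to_crown_jewels(start):
    """Breadth-first search: fewest hops from `start` to any crown-jewel host.

    Returns 0 if `start` is itself a crown jewel and None if none is reachable.
    """
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        host, dist = queue.popleft()
        if host in CROWN_JEWELS:
            return dist
        for nxt in NETWORK.get(host, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def detect(events):
    """Return alerts for every logon (successful or not) with a decoy account,
    sorted so the attacker closest to a crown jewel comes first."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        if ev["account"] not in DECOY_ACCOUNTS:
            continue
        succeeded = ev["event_id"] == 4624
        # A failed attempt still reveals the foothold; a successful one means
        # the attacker now sits on the target host, so measure from there.
        position = ev["dst"] if succeeded else ev["src"]
        alerts.append({
            "account": ev["account"],
            "foothold": ev["src"],
            "target": ev["dst"],
            "succeeded": succeeded,
            "position": position,
            "hops_to_crown_jewels": hops_to_crown_jewels(position),
        })
    alerts.sort(key=lambda a: (
        a["hops_to_crown_jewels"] if a["hops_to_crown_jewels"] is not None
        else float("inf")))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"decoy {a['account']!r} used from {a['foothold']} -> {a['target']} "
              f"(success={a['succeeded']}), attacker at {a['position']}, "
              f"{a['hops_to_crown_jewels']} hop(s) from a crown jewel")
```

The key property is that a decoy account has no legitimate use, so the detection needs no baseline or tuning: a single authentication event with it, even a failed one, is a confirmed intrusion, and the hop count gives responders the “how far from the crown jewels” figure the text refers to. In a real environment the graph would come from firewall and segmentation data rather than a hard-coded dictionary.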
By applying a business risk lens, asking “what assets and systems are the attackers really after?”, deceptions can be designed specifically to mimic high-value assets and service components. With time on their side, analysts can study the attacker’s behavior and gain a deeper understanding of the adversary’s interests and tactics, so they can take other kinds of preemptive action to protect what is critical to the business.
Breaches might be inevitable, but losing millions of dollars of assets, industry trust, and customer goodwill doesn’t have to be the result. For more information about use cases for deception technology within financial institutions, see our white paper, Three Use Cases for Deception Technology in Financial Services.