What is the Issue?
The FBI – in partnership with U.S. government partners, DHS, and Treasury – identified malware and other indicators of compromise (IOCs) used by the North Korean government in an Automated Teller Machine (ATM) cash-out scheme, dubbed by the U.S. Government “FASTCash.” The attack cashes out ATMs by compromising bank servers. The U.S. Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation.
Why is this noteworthy?
What is the exposure or risk?
Financial loss is the main risk associated with this campaign. It is estimated that HIDDEN COBRA actors have stolen tens of millions of dollars. In 2017, they enabled simultaneous cash withdrawals from ATMs in over 30 different countries, and in 2018 from ATMs in 23 different countries.
Since at least late 2016, HIDDEN COBRA actors have used FASTCash tactics to target banks in Africa and Asia. At this time the U.S. Government has not confirmed any FASTCash incidents affecting institutions within the United States.
Some other impacts of this campaign are:
- Temporary or permanent loss of sensitive or proprietary information,
- Disruption to regular operations,
- Financial costs to restore systems and files, and
- Potential harm to an organization’s reputation.
What are the recommendations?
In accordance with NCCIC and the U.S. Government, SkOUT recommends that:
- Administrators review the bash history logs of all users with root privileges, and log and monitor all commands those users execute.
For institutions with Retail Payment Systems, SkOUT recommends the following mitigations:
- Require Chip and Personal Identification Number Cryptogram Validation
- Isolate Payment System Infrastructure
- Logically Segregate Operating Environments
- Encrypt Data in Transit
- Monitor for Anomalous Behavior as Part of Layered Security
For Organizations with ATM or Point-of-Sale Devices, SkOUT recommends the following mitigations:
- Implement chip and PIN requirements for debit cards.
- Require and verify message authentication codes on issuer financial request response messages.
- Perform authorization response cryptogram validation for Europay, Mastercard, and Visa transactions.
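One way to implement the message authentication code check in the second bullet above, as an added example that is not part of this advisory or any vendor's code: the issuer attaches an HMAC over the fields of its authorization response, and the payment switch accepts an approval only if that MAC verifies and the response matches the request it answers, so an approval injected by anyone who does not hold the issuer's key is rejected. The key, field names and message values are constructed assumptions.

```python
import hmac
import hashlib
import json

# Constructed shared key; in production this lives in an HSM-backed key store.
ISSUER_MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Response fields the MAC must cover; leaving one out lets it be altered freely.
MAC_FIELDS = ("stan", "amount", "currency", "response_code", "rrn")

def canonical(fields: dict) -> bytes:
    """Deterministic serialization of the MAC-covered fields."""
    return json.dumps({k: str(fields[k]) for k in MAC_FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()

def compute_mac(fields: dict, key: bytes = ISSUER_MAC_KEY) -> str:
    """Issuer side: HMAC-SHA256 over the canonical response fields."""
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()

def verify_response(response: dict, request: dict, key: bytes = ISSUER_MAC_KEY) -> bool:
    """Switch side: accept only a response whose MAC verifies and that matches the request."""
    mac = response.get("mac")
    if not isinstance(mac, str):
        return False  # unauthenticated approval: treat as forged
    if not hmac.compare_digest(mac, compute_mac(response, key)):
        return False  # wrong key or tampered fields
    # Bind the response to the specific request it claims to answer (anti-replay).
    for k in ("stan", "amount", "currency", "rrn"):
        if str(response.get(k)) != str(request[k]):
            return False
    return True

# Constructed sample: a withdrawal request and the issuer's genuine approval.
REQUEST = {"stan": "123456", "amount": "50000", "currency": "840", "rrn": "000000123456"}
GENUINE = dict(REQUEST, response_code="00")
GENUINE["mac"] = compute_mac(GENUINE)

# Constructed sample: an approval emitted without the issuer's key.
FORGED = dict(REQUEST, response_code="00", mac="deadbeef" * 8)

# Constructed sample: a genuine MAC reused on a different transaction.
REPLAYED = dict(GENUINE, stan="999999")
```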
References:
For more in-depth information about the recommendations, please visit the following link at US-CERT:
For more information, please contact our Security Operations Center.