PIR Bank, a Russian financial institution, recently admitted that thieves had stolen around $1m through a cyber-attack. The cybercriminals gained access to the bank’s internal systems through a compromised router at one of their regional branches. The use of certain tools and the manner of the attack has led the investigators, Group-IB, to point toward the group named MoneyTakers (based on the name of one of the tools they have authored).
This group was implicated in multiple attacks between 2016 and 2017, all following a similar modus operandi (MO). This is a clever group who have successfully stolen a considerable sum across these attacks. This isn’t some small operation either, the money is extracted using Money Mules (people who withdraw the funds using legitimate or stolen debit and credit cards) across multiple locations often almost immediately after funds were available. This takes some coordination and planning.
Where this story takes a particularly unpleasant turn is in the mechanisms used for establishing the initial access into the bank systems. Group-IB indicates that Metasploit is commonly used to breach accessible systems. Metasploit is one of the most used tools for penetration testing; there is even a free version available with well over 1500 exploits available within it. As you might expect, all of the exploits in the tool fall into the “well-known and entirely preventable” category and that’s where this whole thing turns nasty in my opinion.
How Vulnerability Management Can Help
Effective vulnerability management involves targeting the riskiest vulnerabilities in your environment first. This sounds simple and, with the right tools, it is. However, well-known and entirely preventable vulnerabilities continue to be the main point of entry in most documented breaches. Even if the initial access was via a phishing attack, it was only to deliver malware that exploited one of these vulnerabilities. In 2016, the Data Breach Investigation Report (DBIR) from Verizon highlighted vulnerabilities known since as far back as 1998 being used in attacks. This clearly shows that we aren’t doing something right and that PIR Bank, while not doing everything they could, are far from being unique.
Vulnerabilities are measured a number of ways, most commonly using the CVSS (Common Vulnerability Scoring System) which provides a number from 0 (lowest) to 10 (most severe) developed from a number of criteria. For those interested in exploring the CVSS mechanism, I recommend the Wikipedia page. Each vulnerability commonly carries a severity, one of the following: High, Medium, Low, Informational. This gives you an indication of the potential impact of the exploit of the vulnerability. It’s common to start with the vulnerabilities scoring highly on the CVSS scale or with high severity vulnerabilities, but this approach misses something fundamental, something fully exploited (pun intended) by the MoneyTakers – the vulnerabilities with known exploits.
What does this mean? We are talking about the vulnerabilities for which someone has worked out how to take advantage of them… and published that information in a public forum. Tools like Metasploit (and many, many dark/deep web toolkits) take that published exploit and turn it into a fully automated tool. The hacker only needs to identify that your system has the vulnerability and then point the exploit tool at it and, in many cases, they have access. Your environment is compromised in minutes.
Where CVSS and vulnerability severity falls down is that there are many vulnerabilities ranked low on one or both schemes that will provide a foothold into your environment for a hacker. Once they are in, they can look around for other vulnerabilities that have been missed and can provide them with the privileged credentials they need to move across your network stealing your most precious data as they go.
PIR Bank Highlights for Us the Importance of Targeting Those Well-Known Exploits First and Foremost
Solutions like Retina CS Enterprise Vulnerability Management enable you to target and address those vulnerabilities first. This removes the “low hanging fruit” that groups like MoneyTakers are dependent on and stops you from being a soft target. You will find far fewer vulnerabilities with known exploits than in any severity category in your system and by mitigating each will deliver the maximum return on investment as well as maximum risk reduction.
If you only make one change in your cybersecurity strategy this year, make it prioritizing vulnerabilities with known exploits. For a personalized strategy session, contact us today.
Brian Chappell, Chief Security Strategist, EMEA & APAC
Brian has more than 30 years of IT and cybersecurity experience in a career that has spanned system integrators, PC and Software vendors, and high-tech multi-nationals. He has held senior roles in both the vendor and the enterprise space in companies such as Amstrad plc, BBC Television, GlaxoSmithKline, and BeyondTrust. At BeyondTrust, Brian has led Sales Engineering across EMEA and APAC, Product Management globally for Privileged Password Management, and now focuses on security strategy both internally and externally. Brian can also be found speaking at conferences, authoring articles and blog posts, as well as providing expert commentary for the world press.