Watering hole attacks on Polish Banks Linked to Lazarus Group

According to security experts from Symantec and BAE Systems, the recently discovered attacks aimed at Poland banks are linked to the Lazarus Group.

Last week, several Polish banks confirmed their systems were infected with a malware after their staff visited the site of the Polish Financial Supervision Authority.

The cyber attack was first reported by the Zaufana Trzecia Strona, a local Polish news site on Friday, last week.

The interesting aspect of the attack is that crooks used the Polish financial regulator, the Polish Financial Supervision Authority (KNF), to spread the malware.

A spokesman for the KNF confirmed that internal systems of the regulator had been compromised by hackers “from another country”. The attackers dropped on the servers the malicious files that were used in the attacks against the Polish banks.

In order to avoid spreading the malware, the authorities took the decision to shut down the entire network at the KNF “in order to secure evidence.”

The malware-based attack was confirmed by a number of banks that are currently investigating the security breach.

At the time I was writing there is no evidence that attackers successfully stolen money from Polish banks or their customers, but some of the target organizations confirmed to have noticed large outgoing data transfers.

Both security firms BAE Systems and Symantec started their investigation on the attacks. According to Symantec, the threat actor behind the attack is the same that targeted financial organizations in 31 countries since at least October 2016.

According to Symantec, the Polish website used to target the Polish banks delivered a strain of malware known to be part of the toolkit of the Lazarus Group.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.

The experts at Symantec have spotted in the past at least three strains of malware used by the group, Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee, which have been used in targeted attacks against financial institutions.

The attackers exploited “watering holes” in order to infect the machines of a specific audience with previously unknown malware.

“Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland.” reads the analysis published by Symantec.

Malware researchers at Symantec have identified roughly 150 targeted IPs associated with more than 100 organizations across 31 countries. The attackers focused their activities on the banks, but the list of victims also includes ISPs and telecom operators.

“The attackers appear to be using compromised websites to redirect visitors to a customized exploit kit, which is preconfigured to only infect visitors from approximately 150 different IP addresses. These IP addresses belong to 104 different organizations located in 31 different countries. The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list.” continues Symantec.”

 

Experts at Kaspersky have linked the group to the hacking operations Dark Seoul and Operation Troy. Kaspersky Lab, alongside with a number of security firms  including Novetta, AlienVault, Invincea, ThreatConnect, Volexity, Symantec, and PunchCyber have published reports related to the activities of the Lazarus Group.

The group of security firms formed an alliance called Operation Blockbuster that issued the detection signatures to neutralize the hacking tools used by the APT.

In June 2016, the analysis of SWIFT attacks revealed five additional pieces of malware containing portions of code shared by Lazarus Group.

According to the analysis published by BAE Systems, one of the domains used in the Poland attack was also involved in a watering hole attack targeting the National Banking and Stock Commission of Mexico (cnbv.gob.mx), the Mexican organization that is equivalent of Poland KNF.

“The eye-watch[.]in domain appears to have been used in watering-hole attacks on other financial sector websites. On 2016-11-08 we observed connections to the site referred from:

hxxp://www.cnbv.gob[.]mx/Prensa/Paginas/Sanciones.aspx

This is the page for the Comisión Nacional Bancaria y de Valores (National Banking and Stock Commission of Mexico), specifically the portion of their site that details sanctions made by the Mexican National Banking Commission. This organisation is the Mexican banking supervisor and the equivalent of Poland’s KNF.” reads the analysis published by BAE Systems.

Below the key findings of the analysis conducted by BAE Systems:

There has been a series of watering hole attacks on bank supervisor websites in Poland & Mexico, and a state owned bank in Uruguay in recent months. These leverage Silverlight and Flash exploits to deliver malware.

Investigators in Poland have identified known Lazarus group implants on bank networks and associated this with the recent compromise of the Polish Financial Supervision Authority’s website.

The technical/forensic evidence to link the Lazarus group actors (who we believe are behind the Bangladesh Bank attack and many others in 2016) to the watering-hole activity is unclear. However, the choice of bank supervisor / state-bank websites would be apt, given their previous targeting of Central Banks for Heists – even when it serves little operational benefit for infiltrating the wider banking sector.  

Give a look at both reports, they are full of information and also includes IoCs.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Polish banks, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]