UPDATE: “Carbanak” Advanced Persistent Threat Advisory

We have further information regarding recent media events reported regarding the cybercriminals dubbed “Carbanak” by Kaspersky Labs, attacking banks and other financial services companies to transfer funds.

What We Know

• Several Indicators of Compromise (IoC’s) have been listed within the Kaspersky report.
• As appropriate, the IP addresses listed within the IoC’s have been blacklisted within eSentire’s Asset Manager Protect (AMP) module.
• eSentire has performed a “Targeted Retrospection” review of saved forensic data across our entire client base, searching for these IoC’s
• Through this “Targeted Retrospection”, we have found no evidence whatsoever that any eSentire client has been subject to a successful exploit by the “Carbanak” cybercrime group.
• On a daily basis, eSentire deals with these (and many other) malware attacks as part of standard operating procedure and will continue to do so going forward.
• Nevertheless, we highly recommend that our clients use every defense method at their disposal to reduce the attack surface and susceptibility to exploitation.

eSentire Defenses

eSentire features that help protect you:

• EXEcutioner can stop the download of malicious payloads over HTTP if you have instructed ESOC to enable it. If you would like the EXEcutioner enabled, please contact the ESOC.
• AMP can stop the communication to known command and control servers. This service is enabled by default for our customers.
• Behavioral analysis tools can detect anomalous network behavior.
• The ESOC can quarantine suspected systems at your direction or based on established policy.
  
  

Further (Future) Protection

How to further protect yourself from these (and other) emerging threats:

• Ensure that all Microsoft Office products are up-to-date.
• EMET can help further prevent memory protection bypasses (microsoft.com/emet)
• Configure Windows to display full file extensions (This will stop attackers from masking executable files as common files).
• User awareness (Infections are occurring from users clicking on a malicious payload that is being shipped via spam email attachments).
• Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources
• Remind users to be cautious when clicking on links in emails coming from trusted sources
  
  

If you are running Windows 7 Ultimate/Enterprise or Windows 8 Pro/Enterprise you have the ability to use AppLocker. AppLocker is able to defend against malware infections because it can require all programs to be signed by a legitimate software publisher.

• Create a new GPO.
• Right-click on it to edit, and then navigate through Computer Configuration, Windows Settings, Security Settings, Application Control Policies and AppLocker.
• Click Configure Rule Enforcement.
• Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected from the drop-down box. Click OK.
• In the left pane, click Executable Rules
• Right-click in the right pane and select Create New Rule.
• On the Before You Begin screen, click Next.
• On the Permissions screen, click Next.
• On the Conditions screen, select the Publisher condition and click Next.
• Click the Browse button and browse to any executable file on your system. It doesn't matter which.
• Drag the slider up to Any Publisher and then click Next.
• Click Next on the Exceptions screen.
• Name the policy something like "Only run executables that are signed" and click Create.
• If this is your first time creating an AppLocker policy, Windows will prompt you to create default rules -- go ahead and click Yes here.
  
  

Resources

Original Release: (no longer posted) securelist.com/files/2015/02/Carbanak_APT_eng.pdf
Open Indicators of Compromise List: (no longer posted) securelist.com/files/2015/02/c36e528f-d48e-4ad0-b822-da1c610e9710.ioc