We have further information regarding recent media events reported regarding the cybercriminals dubbed “Carbanak” by Kaspersky Labs, attacking banks and other financial services companies to transfer funds.
What We Know
- Several Indicators of Compromise (IoC’s) have been listed within the Kaspersky report.
- As appropriate, the IP addresses listed within the IoC’s have been blacklisted within eSentire’s Asset Manager Protect (AMP) module.
- eSentire has performed a “Targeted Retrospection” review of saved forensic data across our entire client base, searching for these IoC’s
- Through this “Targeted Retrospection”, we have found no evidence whatsoever that any eSentire client has been subject to a successful exploit by the “Carbanak” cybercrime group.
- On a daily basis, eSentire deals with these (and many other) malware attacks as part of standard operating procedure and will continue to do so going forward.
- Nevertheless, we highly recommend that our clients use every defense method at their disposal to reduce the attack surface and susceptibility to exploitation.
eSentire Defenses
eSentire features that help protect you:
- EXEcutioner can stop the download of malicious payloads over HTTP if you have instructed ESOC to enable it. If you would like the EXEcutioner enabled, please contact the ESOC.
- AMP can stop the communication to known command and control servers. This service is enabled by default for our customers.
- Behavioral analysis tools can detect anomalous network behavior.
- The ESOC can quarantine suspected systems at your direction or based on established policy.
Further (Future) Protection
How to further protect yourself from these (and other) emerging threats:
- Ensure that all Microsoft Office products are up-to-date.
- EMET can help further prevent memory protection bypasses (microsoft.com/emet)
- Configure Windows to display full file extensions (This will stop attackers from masking executable files as common files).
- User awareness (Infections are occurring from users clicking on a malicious payload that is being shipped via spam email attachments).
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources
- Remind users to be cautious when clicking on links in emails coming from trusted sources
If you are running Windows 7 Ultimate/Enterprise or Windows 8 Pro/Enterprise you have the ability to use AppLocker. AppLocker is able to defend against malware infections because it can require all programs to be signed by a legitimate software publisher.
- Create a new GPO.
- Right-click on it to edit, and then navigate through Computer Configuration, Windows Settings, Security Settings, Application Control Policies and AppLocker.
- Click Configure Rule Enforcement.
- Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected from the drop-down box. Click OK.
- In the left pane, click Executable Rules
- Right-click in the right pane and select Create New Rule.
- On the Before You Begin screen, click Next.
- On the Permissions screen, click Next.
- On the Conditions screen, select the Publisher condition and click Next.
- Click the Browse button and browse to any executable file on your system. It doesn't matter which.
- Drag the slider up to Any Publisher and then click Next.
- Click Next on the Exceptions screen.
- Name the policy something like "Only run executables that are signed" and click Create.
- If this is your first time creating an AppLocker policy, Windows will prompt you to create default rules -- go ahead and click Yes here.
Resources
Original Release: (no longer posted) securelist.com/files/2015/02/Carbanak_APT_eng.pdf
Open Indicators of Compromise List: (no longer posted) securelist.com/files/2015/02/c36e528f-d48e-4ad0-b822-da1c610e9710.ioc