Based on data collected through Kaspersky Lab’s incident response observations in 2017 and 2018, researchers noted that in each attack, bad actors managed to smuggle an unknown and attacker-controlled device into a company building and directly connect it to the company’s local network.
The attackers were reportedly using one of three types of device: a laptop, a Raspberry Pi (a single-board computer the size of a credit card) or a Bash Bunny (a tool purpose-built for automating USB attacks). According to a press release, some of these devices are equipped with a GPRS, 3G or LTE modem, which the attackers use to remotely access the corporate network of the financial organization.
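Because the rogue device is physically plugged into the LAN, the first place it shows up is the network's own bookkeeping: a DHCP lease or switch MAC table entry for hardware nobody registered. The following is an added example, not code from the article or from Kaspersky, that reconciles a dnsmasq-style lease table against an asset inventory and flags every device the inventory does not know about. The lease data and inventory are constructed, and the Raspberry Pi OUI prefixes are an assumption taken from the public IEEE registry as recalled here; check them against the current registry before relying on them.

```python
"""Reconcile observed DHCP leases against an asset inventory of known MACs.

Added example; the lease table, inventory and field layout are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample in dnsmasq lease-file layout:
#   <expiry-epoch> <mac> <ip> <hostname> <client-id>
DHCP_LEASES = """\
1700000000 00:1a:2b:3c:4d:5e 10.20.1.15 ws-acct-07 *
1700000120 00:1a:2b:3c:4d:5f 10.20.1.16 ws-acct-08 *
1700000300 b8:27:eb:11:22:33 10.20.1.77 raspberrypi *
1700000450 00:50:56:aa:bb:cc 10.20.1.78 * *
"""

# Constructed asset inventory: the MAC addresses the organisation has registered.
KNOWN_ASSETS = {
    "00:1a:2b:3c:4d:5e": "ws-acct-07",
    "00:1a:2b:3c:4d:5f": "ws-acct-08",
}

# OUI prefixes assigned to Raspberry Pi in the public IEEE registry.
# Assumption: listed from memory; verify against the current registry.
RASPBERRY_PI_OUIS = {"b8:27:eb", "dc:a6:32"}

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s+\S+$", re.I)


@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    reason: str


def parse_leases(text):
    """Return (mac, ip, hostname) tuples for every well-formed lease line."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            _, mac, ip, host = m.groups()
            leases.append((mac.lower(), ip, host))
    return leases


def find_unknown_devices(lease_text, inventory):
    """Flag every leased MAC that is absent from the inventory.

    Devices whose OUI belongs to Raspberry Pi get a more specific reason so
    the analyst can prioritise them; everything else unknown is still reported.
    """
    findings = []
    for mac, ip, host in parse_leases(lease_text):
        if mac in inventory:
            continue
        if mac[:8] in RASPBERRY_PI_OUIS:
            reason = "unknown device with Raspberry Pi OUI"
        else:
            reason = "unknown device not in asset inventory"
        findings.append(Finding(mac, ip, host, reason))
    return findings


if __name__ == "__main__":
    for f in find_unknown_devices(DHCP_LEASES, KNOWN_ASSETS):
        print(f"{f.ip:<12} {f.mac}  {f.hostname:<12} {f.reason}")
```

The OUI check is only a hint: an attacker can set any MAC address, so the inventory mismatch is the signal that matters, and the check is the passive fallback for networks without 802.1X port authentication. Running it on a schedule against every office's DHCP server addresses the problem Golovanov describes below, that the entry point "could be located in any office in any region".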
After establishing a connection, the threat actors try to gain access to the web servers so that they can steal the data they need to run remote desktop protocol (RDP) on a selected computer. If successful, they can then seize funds or data.
The attack was fileless and also leveraged remote execution toolkits such as Impacket, winexesvc.exe or psexec.exe. During the final stage of the attack, the criminals used remote control software to maintain their control over the infected computer.
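Fileless lateral movement with PsExec-style tooling still leaves one durable artifact on the target: the Service Control Manager records the service each tool installs (Windows System log, Event ID 7045). The following is an added example, not code from the article or from the toolkits it names, that scans such records for the service names PsExec and winexe use and, as a labelled heuristic, for the randomised service and binary names that Impacket-style modules drop directly under %SystemRoot%. The event records are constructed JSON lines standing in for exported log entries.

```python
"""Flag Windows service installations that match remote-execution toolkit artifacts.

Added example; the event records and the randomised-name heuristic are constructed.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample: System log events flattened to JSON lines. Event ID 7045 is
# Service Control Manager's "A service was installed in the system". Not real data.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"host": "ws-acct-07", "event_id": 7045, "service_name": "PSEXESVC",
                "image_path": r"%SystemRoot%\PSEXESVC.exe"}),
    json.dumps({"host": "ws-acct-07", "event_id": 7045, "service_name": "winexesvc",
                "image_path": r"%SystemRoot%\winexesvc.exe"}),
    json.dumps({"host": "srv-web-01", "event_id": 7045, "service_name": "kRvQwTyL",
                "image_path": r"%SystemRoot%\bXyQaTtP.exe"}),
    json.dumps({"host": "srv-web-01", "event_id": 7045, "service_name": "gupdate",
                "image_path": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc"}),
    json.dumps({"host": "ws-acct-08", "event_id": 7036, "service_name": "Spooler",
                "image_path": r"%SystemRoot%\System32\spoolsv.exe"}),
])

# Service names registered by the toolkits the article names (PsExec, winexe).
KNOWN_TOOL_SERVICES = {"psexesvc", "winexesvc"}

# Heuristic (assumption, not from the article): Impacket's psexec-style modules
# upload a binary with a randomised name directly under %SystemRoot% (via the
# ADMIN$ share) and register it under an equally random service name. Eight
# mixed-case letters is the pattern this example treats as suspicious.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}$")
SYSTEMROOT_BIN_RE = re.compile(
    r"^(%SystemRoot%|\\\\[^\\]+\\ADMIN\$)\\([^\\]+)\.exe$", re.I)


@dataclass
class Finding:
    host: str
    service_name: str
    rule: str


def random_binary_in_systemroot(image_path):
    """True when the binary sits directly under %SystemRoot% or \\host\ADMIN$
    and its file name looks randomised."""
    m = SYSTEMROOT_BIN_RE.match(image_path.strip())
    return bool(m and RANDOM_NAME_RE.match(m.group(2)))


def scan_service_installs(jsonl):
    """Return a Finding for every 7045 event matching a toolkit rule."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_id") != 7045:
            continue  # only service-installation events are of interest here
        name = ev.get("service_name", "")
        path = ev.get("image_path", "")
        if name.lower() in KNOWN_TOOL_SERVICES:
            findings.append(Finding(ev["host"], name, "known remote-execution service"))
        elif RANDOM_NAME_RE.match(name) and random_binary_in_systemroot(path):
            findings.append(Finding(
                ev["host"], name,
                "random service and binary under %SystemRoot% (Impacket-style heuristic)"))
    return findings


if __name__ == "__main__":
    for f in scan_service_installs(SAMPLE_EVENTS):
        print(f"{f.host:<12} {f.service_name:<12} {f.rule}")
```

The known-name rule is precise but trivial to evade by renaming; the heuristic is what catches the renamed case at the cost of needing an allowlist for legitimate installers in a real environment. Either way, a 7045 event from a workstation that has no business installing services is the kind of signal that a legitimate-utilities campaign, as Golovanov notes below, otherwise hides behind.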
“Over the past year and a half, we’ve been observing a completely new type of attack on banks, quite sophisticated and complex in terms of detection,” said Sergey Golovanov, security expert at Kaspersky Lab, in the press release.
“The entry point to the corporate network remained unknown for a long time, since it could be located in any office in any region. These unknown devices, smuggled in and hidden by intruders, could not be found remotely. Additionally, the threat actor used legitimate utilities, which complicated the incident response even more.”