Sophisticated? Palo Alto Networks Traps Would Have Prevented the Carbanak Campaign

Feb 17, 2015
2 minutes

This post is also available in: 日本語 (Japanese)

A recent report from Kaspersky Lab disclosed a gargantuan cyberattack, dubbed Carbanak, targeting banks worldwide. According to the report, threat actors have managed to steal up to $1 billion from over 100 banks. These attacks started in late 2013 and are still active.

This campaign was described in the press as “the most sophisticated” the world has seen so far. But let’s look a little closer at what actually happened here based on the information available.

Based on Kaspersky's report we can clearly see that the Carbanak campaign is following its predecessors' patterns: spear phishing weaponized documents leveraging Office vulnerabilities, followed by backdoor drop, malware download, lateral movement, server compromise and data exfiltration.

This pattern is by no means innovative compared to campaigns we have experienced in recent years. So what makes it “sophisticated”?

First, the unique feature of this campaign is that the methods we listed above have only been previously seen in cyber espionage campaigns where the attacker's object is information. The Carbanak campaign is the first time we’ve seen APT methods applied to large scale stealing.

Second, the actual sophistication manifested itself only after the initial foothold was gained, both in the lateral movement and the fraud protection bypass. Attackers have demonstrated thorough knowledge of financial services software and networks, and also that they can stay under the radar while they steal money.

If we look at how that initial foothold was gained, however, we find that the attackers have sent spear phishing emails to the victims, weaponized with exploits of Office vulnerabilities (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).

Palo Alto Networks Traps prevents attacks by obstructing the core techniques used in exploitation, even before the malicious code has a chance to run. This certainly includes exploits utilizing CVE-2012-0158, CVE-2013-3906 and CVE-2014-1761 vulnerabilities. Traps would have prevented the attacks seen in the Carbanak campaign -- their "sophistication," in other words, would be a moot point.

By limiting the attack surface to the exploitation phase, all attacks are reduced to a clearly-defined set of techniques that are efficiently addressed. Learn more about Traps Advanced Endpoint Protection here.

Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.