Hackers hijacked a bank's DNS infrastructure, compromising 36 domains

Experts from Kaspersky Lab, speaking at the Security Analyst Summit conference, described an interesting attack. At the end of 2016 an unnamed Brazilian bank serving more than 5 million customers was hit. Rather than breaking into the accounts of individual users, the attackers compromised the bank as a whole: they gained control over all 36 domains belonging to the financial organization.

The researchers said that at first the case looked to them like an ordinary website compromise. Later they found that the bank's site was distributing malware: each visitor received an archive containing Java malware. The malicious code was embedded in the site's index file, which loaded an iframe that redirected the victim to a malicious resource. At the same time the site had a valid SSL certificate issued by Let's Encrypt, so at first glance nothing looked suspicious. Looking at this, the researchers asked: "How is it possible that hackers compromised the entire bank?"

The attack was indeed bigger than an ordinary website compromise. The attackers gained control of all 36 domains belonging to the bank, including the domains of the main sites, mobile resources, point-of-sale systems and so on. All domains, including corporate ones, ended up in the hands of the criminals. The researchers emphasize that the hackers even took control of the corporate mail infrastructure and disabled it. As a result, bank employees were unable to warn users about what was happening, or to contact the registrar or DNS provider.

The hackers managed to compromise the bank's DNS hosting. After that they could do anything with the 36 domains: some of them served visitors phishing pages that imitated the real bank site in order to steal users' account credentials.
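As an added illustration (not from Kaspersky's report or the original article), the following Python sketch shows the kind of baseline check a defender could run to catch the takeover described here: the expected NS delegation, A records and certificate issuer for each domain are compared with a fresh snapshot, and every change is flagged. All domain names, addresses and issuer strings are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DomainState:
    """Observed state of one domain (constructed sample data throughout)."""
    ns: frozenset      # nameservers the registrar currently delegates to
    a: frozenset       # A records returned for the main host
    cert_issuer: str   # issuer of the certificate served over HTTPS

# Baseline captured while the domains were known-good (constructed).
BASELINE = {
    "bank.example": DomainState(
        frozenset({"ns1.dns-host.example", "ns2.dns-host.example"}),
        frozenset({"203.0.113.10"}), "Example Commercial CA"),
    "mobile.bank.example": DomainState(
        frozenset({"ns1.dns-host.example", "ns2.dns-host.example"}),
        frozenset({"203.0.113.11"}), "Example Commercial CA"),
}

# Constructed snapshot mirroring the article: delegation moved to attacker
# nameservers, the main site resolves elsewhere, cert now from Let's Encrypt.
SNAPSHOT = {
    "bank.example": DomainState(
        frozenset({"ns1.attacker.example", "ns2.attacker.example"}),
        frozenset({"198.51.100.7"}), "Let's Encrypt"),
    "mobile.bank.example": BASELINE["mobile.bank.example"],
}

def check_domain(name, expected, current):
    """Return (domain, indicator) tuples for each deviation from baseline."""
    findings = []
    if current.ns != expected.ns:
        findings.append((name, f"NS delegation changed: {sorted(current.ns)}"))
    new_ips = current.a - expected.a
    if new_ips:
        findings.append((name, f"unexpected A records: {sorted(new_ips)}"))
    if current.cert_issuer != expected.cert_issuer:
        findings.append((name, f"certificate issuer changed to {current.cert_issuer!r}"))
    return findings

def audit(baseline, snapshot):
    """Compare every baselined domain against the snapshot; silence is reported too."""
    findings = []
    for name, expected in baseline.items():
        if name not in snapshot:
            findings.append((name, "no answer (possible outage or takeover)"))
            continue
        findings.extend(check_domain(name, expected, snapshot[name]))
    return findings
```

In practice the snapshot would be filled from queries sent to the parent zone's nameservers and from the served certificate, so that a hijack at the registrar or DNS host is seen rather than a cached answer.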

Analysis of the malware revealed eight modules, including configuration files with the bank's URLs, update modules, modules for stealing data from Microsoft Exchange, Thunderbird and the local address book, and modules for controlling and decrypting Internet banking data. All modules communicated with a command-and-control server located in Canada. One of the modules (Avenger) turned out to be a legitimate pentesting tool. It is normally used to remove rootkits, but in this case it had been modified and was used to remove protective software from compromised computers. Through Avenger the experts managed to find similar attacks on 9 more banks in different countries around the world.

"The bad guys wanted to use this opportunity to compromise the bank's operations, but also to distribute malware that can steal money from banks in other countries," the researchers said.

The fact that the attackers used a Let's Encrypt certificate registered five months before the attack shows that the operation was planned long and carefully. The experts also managed to detect phishing emails in which the criminals posed as staff of an unnamed Brazilian registrar. Now the researchers warn that such attacks can be very dangerous: "Imagine that an employee has been the victim of phishers and the attackers gained access to the DNS tables. It would be very bad. If DNS is controlled by the criminals, very bad things will happen."
