Alert : FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks
by CIRT Team
North Korea’s BeagleBoyz are responsible for the sophisticated cyber-enabled ATM cash-out campaigns identified publicly as “FASTCash” in October 2018. Since 2016, the BeagleBoyz have perpetrated the FASTCash scheme, targeting banks’ retail payment system infrastructure (i.e., switch application servers processing International Standards Organization [ISO] 8583 messages, which is the standard for financial transaction messaging).
The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as: APT38 (FireEye), Bluenoroff (Kaspersky), Lazarus Group (ESTSecurity), and Stardust Chollima (CrowdStrike).
The BeagleBoyz likely have targeted financial institutions in the following nations from 2015 through 2020: Argentina, Brazil, Bangladesh, Bosnia and Herzegovina, Bulgaria, Chile, Costa Rica, Ecuador, Ghana, India, Indonesia, Japan, Jordan, Kenya, Kuwait, Malaysia, Malta, Mexico, Mozambique, Nepal, Nicaragua, Nigeria, Pakistan, Panama, Peru, Philippines, Singapore, South Africa, South Korea, Spain, Taiwan, Tanzania, Togo, Turkey, Uganda, Uruguay, Vietnam, Zambia.
The BeagleBoyz have used a variety of techniques, such as spearphishing and watering holes, to enable initial access into targeted financial institutions. Towards the end of 2018 through 2019 and in early 2020, the BeagleBoyz demonstrated the use of social engineering tactics by carrying out job-application themed phishing attacks using the following publicly available malicious files.
The BeagleBoyz have also used the following techniques to gain an initial foothold on a targeted computer network.
Email an attachment with malware to a specific individual, company, or industry (Phishing: Spearphishing Attachment)
Compromise a website visited by users in specific communities, industries, or regions (Drive-by Compromise)
Exploit a weakness (a bug, glitch, or design vulnerability) in an internet-facing computer system (such as a database or web server) (Exploit Public Facing Application)
Steal the credentials of a specific user or service account to bypass access controls and gain increased privileges (Valid Accounts)
Breach organizations that have access to the intended victim’s organization and exploit their trusted relationship (Trusted Relationship)
Use remote services to initially access and persist within a victim’s network (External Remote Services)
The BeagleBoyz selectively exploit victim computer systems after initially compromising a computer connected to a financial institution’s corporate network. After gaining initial access to a financial institution’s corporate network, the BeagleBoyz are selective in which victim systems they further exploit. The BeagleBoyz use a variety of techniques to run their code on local and remote victim systems.
Once inside a financial institution’s network, the BeagleBoyz appear to seek two specific systems—the SWIFT terminal and the server hosting the institution’s payment switch application.
The BeagleBoyz likely change tools—such as CROWDEDFLOUNDER and HOPLIGHT—over time to maintain remote access to financial institution networks and to interact with those systems.
Analysis of the following CROWDEDFLOUNDER samples was first released in October 2018 as part of the FASTCash campaign.
MD5 hash: 5cfa1c2cb430bec721063e3e2d144feb
MD5 hash: 4f67f3e4a7509af1b2b1c6180a03b3e4
Recommendations for Institutions with Retail Payment Systems
Require chip and personal identification number (PIN) cryptogram validation.
Implement chip and PIN requirements for debit cards.
Validate card-generated authorization request cryptograms.
Use issuer-generated authorization response cryptograms for response messages.
Require card-generated authorization response cryptogram validation to verify legitimate response messages.
Isolate payment system infrastructure.
Require multi-factor authentication for any user to access the switch application server.
Confirm perimeter security controls prevent internet hosts from accessing the private network infrastructure servicing your payment switch application server.
Confirm perimeter security controls prevent all hosts outside of authorized endpoints from accessing your system, especially if your payment switch application server is internet accessible.
Logically segregate your operating environment.
Use firewalls to divide your operating environment into enclaves.
Use access control lists to permit/deny specific traffic from flowing between those enclaves.
Give special considerations to segregating enclaves holding sensitive information (e.g., card management systems) from enclaves requiring internet connectivity (e.g., email).
Encrypt data in transit.
Secure all links to payment system engines with a certificate-based mechanism, such as Mutual Transport Layer Security, for all external and internal traffic external.
Limit the number of certificates that can be used on the production server and restrict access to those certificates.
Monitor for anomalous behavior as part of layered security.
Configure the switch application server to log transactions and routinely audit transaction and system logs.
Develop a baseline of expected software, users, and logons and monitor switch application servers for unusual software installations, updates, account changes, or other activities outside of expected behavior.
Develop a baseline of expected transaction participants, amounts, frequency, and timing. Monitor and flag anomalous transactions for suspected fraudulent activity.
Recommendations for Organizations with ATM or Point of Sale Devices
Validate issuer responses to financial request messages.
Implement chip and PIN requirements for debit cards.
Require and verify message authentication codes on issuer financial request response messages.
Perform authorization response cryptogram validation for chip and PIN transactions.
Recommendations for All Organizations
Users and administrators should use the following best practices to strengthen the security posture of their organization’s systems:
Maintain up-to-date antivirus signatures and engines.
Keep operating system patches up to date.
Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
Enforce a strong password policy and require regular password changes.
Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
Enable a personal firewall on agency workstations and configure it to deny unsolicited connection requests.
Disable unnecessary services on agency workstations and servers.
Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
Scan all software downloaded from the internet before executing.
Maintain situational awareness of the latest threats.
Implement appropriate access control lists.
For further detail information, please visit following URL: