The hacking group known as MoneyMaker has pulled off a $1 million cyberheist after gaining access to a Russian bank through an outdated router used in one of its regional branches.
Vulnerabilities in the PIR Bank router were exploited to first give the hackers access to the router, and then to the Automated Work Station Client of the Russian Central Bank via network tunnels configured in the router.
Once access to the Automated Work Station Client of the Russian Central Bank was gained, the hackers were able to initiate fraudulent bank transfers to 17 accounts held at other Russian banks. Money was transferred and, as soon as it cleared, cash was withdrawn from ATMs. The hacking group uses money mules to withdraw the funds.
By the time PIR Bank discovered the fraudulent transfers, the bank accounts had been emptied and the money could not be recovered.
The latest attack was investigated by the cybersecurity and threat intelligence firm Group-IB, which notes that the hacking group is well known for highly complex attacks on financial institutions, many of which run for months before funds are stolen. The group often uses fileless malware to gain a foothold in a network, sets up a whole new infrastructure for each attack, and goes to considerable lengths to thwart forensic investigators.
Group-IB notes that most of the hacking group’s successful cyberheists have seen initial access to the network gained through vulnerable routers. Routers typically do not have any security software running, firmware may not be updated regularly, and vulnerabilities can persist for some time before they are discovered and remediated. By attacking routers, cybercriminals can gain a persistent foothold in local networks and can then move laterally to other systems.
MoneyMaker has been attacking banks in Russia, the United Kingdom and the United States since 2016 and is a major threat to financial institutions. Group-IB suggests the best way to prevent attacks is to make sure all routers in use are running the latest firmware version, to ensure routers are regularly scanned for configuration changes, and to ensure testing takes place to identify brute force vulnerabilities.
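The two router controls Group-IB recommends above, checking firmware currency and scanning for configuration changes, are simple to automate. The script below is an added example written for this article; it is not Group-IB's or PIR Bank's tooling. It compares a stored baseline export of a branch router's configuration against a fresh export, lists every added and removed line, and flags added lines that create tunnels, NAT/port-forwarding rules, static routes or new administrative users (the kind of change that, per the article, gave the attackers a path from the router into the bank's payment workstation). The configuration syntax is a constructed, IOS-style approximation, the sample configs are constructed, and the minimum firmware version is an assumed placeholder; it also goes slightly beyond the text by including a dotted-version comparison for the firmware check.

```python
"""Router configuration-drift and firmware-currency check.

Added example for this article, not Group-IB's or PIR Bank's own tooling.
Config syntax is a constructed, vendor-neutral (IOS-like) approximation;
the baseline/current snapshots and version numbers are constructed samples.
"""
import difflib
import hashlib
import re

# Added lines matching any of these patterns deserve an immediate look:
# new tunnel interfaces, NAT/port-forwards, static routes, admin accounts.
HIGH_RISK = [
    re.compile(r"^\s*interface\s+Tunnel", re.I),
    re.compile(r"^\s*ip\s+nat\s+", re.I),
    re.compile(r"^\s*ip\s+route\s+", re.I),
    re.compile(r"^\s*username\s+", re.I),
    re.compile(r"^\s*(tunnel|crypto)\s+", re.I),
]


def normalize(config: str) -> list:
    """Drop blank lines, '!' comment lines and trailing whitespace so that
    cosmetic differences between exports do not count as drift."""
    return [l.rstrip() for l in config.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]


def fingerprint(config: str) -> str:
    """Stable SHA-256 of the normalized config, suitable for storing as a baseline."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def config_drift(baseline: str, current: str) -> dict:
    """Return added/removed lines, the high-risk subset of added lines,
    and whether the normalized fingerprint changed at all."""
    diff = difflib.unified_diff(normalize(baseline), normalize(current),
                                lineterm="", n=0)
    added, removed = [], []
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue                      # unified-diff headers, not config
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    flagged = [l for l in added if any(p.search(l) for p in HIGH_RISK)]
    return {"added": added, "removed": removed, "flagged": flagged,
            "changed": fingerprint(baseline) != fingerprint(current)}


def firmware_outdated(running: str, minimum: str) -> bool:
    """True if a dotted version string is numerically below the required minimum."""
    to_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return to_tuple(running) < to_tuple(minimum)


# Constructed sample: baseline export taken when the router was commissioned.
BASELINE = """! baseline export (constructed sample)
version 15.2.4
hostname branch-rtr-01
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
username admin privilege 15
"""

# Constructed sample: later export with an unauthorised tunnel and a new account.
CURRENT = """! current export (constructed sample)
version 15.2.4
hostname branch-rtr-01
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.50
username admin privilege 15
username svc-backup privilege 15
"""

MINIMUM_FIRMWARE = "15.2.7"   # assumed placeholder for the vendor's current release


if __name__ == "__main__":
    report = config_drift(BASELINE, CURRENT)
    print("config changed:", report["changed"])
    for line in report["flagged"]:
        print("HIGH RISK added line:", line)
    running = re.search(r"^version\s+(\S+)", CURRENT, re.M).group(1)
    print("firmware outdated:", firmware_outdated(running, MINIMUM_FIRMWARE))
```

Run on the sample, the script reports the new Tunnel0 interface, both tunnel parameters and the added `svc-backup` account as high-risk changes, and flags the firmware as behind the assumed minimum. In practice the baseline fingerprint is stored off the router, exports are pulled on a schedule, and any non-empty `flagged` list is raised as an alert rather than silently logged.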
Router vulnerabilities are also being exploited to build IoT botnets used to conduct massive DDoS attacks, with the VPNFilter malware known to have infected at least half a million vulnerable routers. The sophisticated malware has already been used to launch devastating attacks on critical infrastructure in Ukraine, including a recent attack on a liquid chlorine processing plant that supplies chlorine for treating Ukraine's water supply.