Middle Eastern Banks Hacked After $81 Mil Bangladesh Heist: FireEye
FireEye (FEYE) researchers say a series of cyberattacks on Middle Eastern banks isn’t related to an earlier digital heist of Bangladesh Bank that netted $81 million, but didn’t say whether it has ties to similar assaults on banks in Ecuador and Vietnam.
This month, FireEye’s DTI (dynamic threat intelligence) discovered “a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region,” according to a company blog post Sunday.
“The threat actors appear to be performing initial reconnaissance against would-be targets,” researchers wrote, “and the attacks caught our attention since they were using unique scripts not commonly seen in crimeware campaigns.”
A FireEye spokesman told IBD the Middle Eastern assault doesn’t appear to be related to a recent attack on Bangladesh Bank, but didn’t say whether it could be tied to breaches of banks in Ecuador and Vietnam.
The Bangladesh breach is one of the biggest in history. FireEye reportedly was hired to investigate.
In the Middle East case, hackers sent malware-infused emails with themes related to IT infrastructure “such as a log of server status report or a list of Cisco Iron Port Appliance details,” FireEye researchers wrote.
Employees forwarded the email on; it contained an infected, macro-enabled Microsoft Excel file. Microsoft Office documents are frequently used in crimeware campaigns because, under default settings, macros do not run until the user explicitly enables them.
“Attackers may convince victims to enable risky macro code by telling them that the macro is required to view ‘protected content,’” researchers wrote. But this campaign took it a step further, hiding the malware in plain sight.
“This was done for the purpose of social engineering — specifically, to convince the victim that enabling the macro did, in fact, result in the ‘unhiding’ of additional spreadsheet data,” researchers wrote.
Hackers installed a batch file to collect important system data, including user and group accounts, network configuration data and running processes. Unusually, the malware used DNS (domain name system) queries to exfiltrate the data.
“This was likely done because DNS is required for normal network operations,” researchers said. “The DNS protocol is unlikely to be blocked and its use is unlikely to raise suspicion among network defenders.”
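As an added example (not FireEye’s code and not from the article), the following Python sketch shows how a network defender might surface the DNS-query exfiltration pattern described above in resolver logs; the log format, thresholds, client addresses and the update-check.invalid domain are constructed assumptions.

```python
import math
from collections import Counter, defaultdict
# Constructed resolver log ("<timestamp> <client-ip> <qname>"); the hex labels
# encode strings like "HOSTNAME=WS-FIN-01", standing in for collected recon output.
SAMPLE_LOG = """
2016-05-22T09:00:01 10.1.2.3 www.example.com
2016-05-22T09:00:02 10.1.2.3 mail.example.com
2016-05-22T09:00:03 10.1.2.3 api.example.com
2016-05-22T09:00:04 10.1.2.7 0001.484f53544e414d453d57532d46494e2d3031.t.update-check.invalid
2016-05-22T09:00:05 10.1.2.7 0002.555345523d6a646f65.t.update-check.invalid
2016-05-22T09:00:06 10.1.2.7 0003.49503d31302e312e322e37.t.update-check.invalid
2016-05-22T09:00:07 10.1.2.7 0004.50524f433d6c736173732e657865.t.update-check.invalid
"""

MAX_SUBDOMAIN_CHARS = 30    # real hostnames are rarely this long once dots are removed
MAX_ENTROPY_BITS = 3.5      # encoded payloads approach 4 (hex) to 5+ (base32/64) bits per char
MAX_UNIQUE_SUBDOMAINS = 4   # many never-repeating names to one domain from one client

def shannon_entropy(s):
    """Bits of Shannon entropy per character of s (0.0 for an empty or uniform string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_qname(qname):
    """Split a query name into (subdomain labels, registered domain). Assumes a
    two-label registered domain; production code would consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])

def analyze(log_text):
    """Return {(client, domain): sorted reasons} for traffic matching the exfil heuristics."""
    unique_subs = defaultdict(set)
    findings = defaultdict(set)
    for line in log_text.strip().splitlines():
        _ts, client, qname = line.split()
        sub_labels, domain = split_qname(qname)
        key = (client, domain)
        unique_subs[key].add(".".join(sub_labels))
        data = "".join(sub_labels)           # the part of the name an attacker can fill with data
        if len(data) >= MAX_SUBDOMAIN_CHARS:
            findings[key].add("long-subdomain")
        if shannon_entropy(data) >= MAX_ENTROPY_BITS:
            findings[key].add("high-entropy")
    for key, subs in unique_subs.items():
        if len(subs) >= MAX_UNIQUE_SUBDOMAINS:
            findings[key].add("many-unique-subdomains")
    return {key: sorted(reasons) for key, reasons in findings.items()}
```

On the constructed log, analyze(SAMPLE_LOG) flags only the 10.1.2.7 traffic to update-check.invalid, on the long-subdomain and many-unique-subdomains rules, while the example.com lookups pass.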
Users can protect themselves by disabling Microsoft Office macros “and also by being more vigilant when enabling macros,” FireEye said.
Source | Investors