{"id":8185,"date":"2015-02-17T16:45:32","date_gmt":"2015-02-18T00:45:32","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=8185"},"modified":"2016-12-09T11:38:41","modified_gmt":"2016-12-09T19:38:41","slug":"sophisticated-palo-alto-networks-traps-would-prevent-the-carbanak-campaign","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2015\/02\/sophisticated-palo-alto-networks-traps-would-prevent-the-carbanak-campaign\/","title":{"rendered":"Sophisticated? Palo Alto Networks Traps Would Have Prevented the Carbanak Campaign"},"content":{"rendered":"

A recent report<\/a> from Kaspersky Lab disclosed a gargantuan cyberattack, dubbed Carbanak, targeting banks worldwide. According to the report, threat actors have managed to steal up to $1 billion from over 100 banks. These attacks started in late 2013 and are still active.<\/p>\n

This campaign was described in the press as \u201cthe most sophisticated\u201d the world has seen so far. But let\u2019s look a little closer at what actually happened here based on the information available.<\/p>\n

Based on Kaspersky's report we can clearly see that the Carbanak campaign is following its predecessors' patterns: spear phishing weaponized documents leveraging Office vulnerabilities, followed by backdoor drop, malware download, lateral movement, server compromise and data exfiltration.<\/p>\n

This pattern is by no means innovative compared to campaigns we have experienced in recent years. So what makes it \u201csophisticated\u201d?<\/p>\n

First, the unique feature of this campaign is that the methods we listed above have only been previously seen in cyber espionage campaigns where the attacker's object is information<\/strong>. The Carbanak campaign is the first time we\u2019ve seen APT methods applied to large scale stealing. <\/strong><\/p>\n

Second, the actual sophistication manifested itself only after the initial foothold was gained<\/strong>, both in the lateral movement and the fraud protection bypass. Attackers have demonstrated thorough knowledge of financial services software and networks, and also that they can stay under the radar while they steal money.<\/p>\n

If we look at how that initial foothold was gained, however, we find that the attackers have sent spear phishing emails to the victims, weaponized with exploits of Office vulnerabilities (CVE-2012-0158<\/a> and CVE-2013-3906<\/a>) and Microsoft Word (CVE-2014-1761<\/a>).<\/p>\n

Palo Alto Networks Traps prevents attacks by obstructing the core techniques used in exploitation, even before the malicious code has a chance to run. This certainly includes exploits utilizing CVE-2012-0158, CVE-2013-3906 and CVE-2014-1761 vulnerabilities. Traps would have prevented the attacks seen in the Carbanak campaign -- their \"sophistication,\" in other words, would be a moot point.<\/p>\n

By limiting the attack surface to the exploitation phase, all attacks are reduced to a clearly-defined set of techniques that are efficiently addressed. Learn more about Traps Advanced Endpoint Protection here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

A recent report from Kaspersky Lab disclosed a gargantuan cyberattack, dubbed Carbanak, targeting banks worldwide. According to the report, threat actors have managed to steal up to $1 billion from over 100 …<\/p>\n","protected":false},"author":40,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[598,416,7],"tags":[1082,1080,1057,778],"coauthors":[716],"class_list":["post-8185","post","type-post","status-publish","format-standard","hentry","category-endpoint-2","category-financial-services","category-threat-advisory-analysis","tag-carbanak","tag-cyberattack","tag-prevention","tag-traps"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/8185","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=8185"}],"version-history":[{"count":9,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/8185\/revisions"}],"predecessor-version":[{"id":8196,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/8185\/revisions\/8196"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=8185"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=8185"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=8185"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=8185"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}