

Carbanak is a financial threat actor that primarily targets financial institutions. Carbanak is also known as FIN7.

Carbanak is a financial threat actor that primarily targets financial institutions. Why, you ask? Because that’s where the money is. Carbanak is often called FIN7. Carbanak has been active since approximately 2015. They have been very active in targeting point-of-sale systems with custom malicious skimmer software. Carbanak has also targeted and successfully exploited systems in hotels, casinos, and restaurants. To put this in context, Carbanak has acquired and exfiltrated the identities of 20+ million credit card holders. Over the past few years, since approximately 2020, Carbanak has also started using ransomware. The total losses due to Carbanak’s extended wave of cybercrime have likely exceeded $1 billion.

As Carbanak has moved into ransomware, they have used payloads such as REvil or Ryuk. They research prospective victims carefully, purportedly using commercial databases, to select their targets. Once a target is identified, they perform surveillance, gain access, and continue through the ransom process to successful payment.

Carbanak has a strong reputation for extensive research and careful execution. They are known for using custom scripting, deploying custom tools, “living off the land” with tools they find within the target’s networks, and developing and deploying other custom technologies.

In approximately 2016, Carbanak developed new custom malware tools using Cobalt Strike, a legitimate penetration testing framework. You may recall that Cobalt Strike was initially designed as a penetration testing team (or red team) command and control framework. Cobalt Strike is one of the leading red team platforms for the U.S. government and large enterprise organizations.

The anatomy of the attack for these tools developed using Cobalt Strike was similar. First, the threat actors would target employees within the financial institution using well-crafted phishing emails. Then, once the victim engaged through a clickable malicious URL or a download, the criminals gained remote control of the victim’s endpoint workstation. This technique quickly allowed the threat actors to access the internal bank network and often the automated teller machine (ATM) network.

Carbanak was so sophisticated that they could program the ATMs to start dispensing cash at a predetermined time. Bagmen would show up to collect the money as the ATM dispensed the funds. This plan was outrageous in its audacity and scope: databases with bank account information were often modified so that the decrease in the account balances was not detected. The account balances were often increased. Once the fraud was discovered by the bank, perhaps due to shortfalls in cash within ATMs, it took extensive forensic work, at a high cost, to understand how it was achieved. When the theft was purely electronic, the Carbanak group would rapidly move the funds into cryptocurrency for subsequent withdrawal and access worldwide, followed by careful and methodical money laundering.

Ultimately, a principal within the Carbanak threat group was sentenced to 10 years in prison for having served as a manager and systems administrator for Carbanak. This individual was associated with cyberattacks that impacted 100+ financial institutions worldwide. The identity and location of most of the threat actor group’s members remain unknown.

