Date: 28 August 2020
TLP: WHITE
-
Executive Summary
On 26 August, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory based on analytic efforts with the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI), U.S. Cyber Command (USCYBERCOM), and government partners.[1] The report describes tools and techniques used by an element of the North Korean government to carry out attacks against automated teller machines (ATMs), efforts the U.S. government refers to as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.”
Malicious cyber activities associated with the North Korean government are commonly referred to as HIDDEN COBRA. The BeagleBoyz is a hacking group that robs banks via remote internet access, and their activity is a subset of HIDDEN COBRA. According to CISA’s report, the BeagleBoyz “overlap to varying degrees with groups tracked by the cybersecurity industry as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima.” The United Nations (UN) considers the BeagleBoyz’ activity a means to circumvent UN resolutions and generate funds to support prohibited nuclear weapons and ballistic missile programs.
The BeagleBoyz group is part of North Korea’s Reconnaissance General Bureau, and has been carrying out FASTCash campaigns against the retail payment infrastructure of banks since 2016. Since CISA’s 2018 report on it, there have been two significant changes: the use of FASTCash against banks that are hosting switch[2] applications on Windows servers, and the targeting of interbank payment processors. The group has also attacked cryptocurrency exchanges to convert the stolen funds into fiat currency.
The report profiles the group, lists its known current and historical targets, provides technical analysis of its known tools and techniques, and incorporates the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework.
-
Analysis
- Pre-Infection
BeagleBoyz uses many techniques to gain initial access to victim computers, including spear phishing and job application-themed phishing, watering holes and drive-bys, exploiting weaknesses in public-facing applications, stealing credentials, using external remote services, and breaching an organization that has a trusted relationship with the ultimate target.
The report authors also assess that BeagleBoyz may collaborate with or employ criminal hacking groups such as TA505 as part of its efforts to gain access to victims.
- Post-Infection
BeagleBoyz is selective in terms of which systems it exploits after it gains initial access. The group uses a variety of techniques to escalate its privileges, establish persistence, and evade detection.
CISA’s report links to a technical report on an information stealer referred to as ELECTRICBANDWAGON,[3] which logs and encrypts data and captures screenshots but has no network functionality. This malware is reportedly only one of several techniques BeagleBoyz uses to steal credentials. When available, the group also appears to favor legitimate administrative tools such as PowerShell for reconnaissance.
The North Korean group appears to search for two things once it has gained access to a financial institution: the SWIFT terminal and the payment switch application server. Once found, the group uses the stolen credentials to move laterally in the corporate network and access those systems.
BeagleBoyz has used multiple tools over the years to maintain access to and interact with victim networks, including remote access trojans (RATs) such as CROWDEDFLOUNDER, HOPLIGHT, and COPPERHEDGE, the last used for cryptocurrency exchange exploitation. It has also used network proxy tunneling tools such as VIVACIOUSGIFT and ELECTRICFISH. Full technical reports on this malware are available at https://us-cert.cisa.gov/northkorea.
- FASTCash
FASTCash malware can reply to financial request messages with affirmative ISO 8583 responses that appear legitimate but are not. BeagleBoyz has both UNIX[4] and Windows versions of the malware.
- FASTCash for UNIX
FASTCash for UNIX is made up of AIX executable files that use process injection. One of the executables enables an application to manipulate transactions on financial systems using the ISO 8583 international standard for financial transaction card-originated interchange messaging. The injected executables interpret financial request messages and construct fraudulent financial response messages.
- FASTCash for Windows
FASTCash for Windows also manipulates ISO 8583 messages by injecting itself into software already running on Windows and then taking over that software’s network send and receive functions. It checks incoming messages for specific information, possibly certain account numbers; when it finds a match, the malware sends a fraudulent response, which is not processed by the switch application and therefore does not raise suspicion about the transaction.
The report indicates that two variants of this version have been identified: one supports ASCII encoding, the other supports Extended Binary Coded Decimal Interchange Code (EBCDIC) encoding.
-
Prevention and Mitigation
CISA’s report outlines recommendations for institutions with retail payment systems, for organizations with ATM or point of sale devices, and for all organizations. They are reproduced directly below.
- Recommendations for Institutions with Retail Payment Systems
Require chip and personal identification number (PIN) cryptogram validation.
- Implement chip and PIN requirements for debit cards.
- Validate card-generated authorization request cryptograms.
- Use issuer-generated authorization response cryptograms for response messages.
- Require card-generated authorization response cryptogram validation to verify legitimate response messages.
Isolate payment system infrastructure.
- Require multi-factor authentication for any user to access the switch application server.
- Confirm perimeter security controls prevent internet hosts from accessing the private network infrastructure servicing your payment switch application server.
- Confirm perimeter security controls prevent all hosts outside of authorized endpoints from accessing your system, especially if your payment switch application server is internet accessible.
Logically segregate your operating environment.
- Use firewalls to divide your operating environment into enclaves.
- Use access control lists to permit/deny specific traffic from flowing between those enclaves.
- Give special considerations to segregating enclaves holding sensitive information (e.g., card management systems) from enclaves requiring internet connectivity (e.g., email).
Encrypt data in transit.
- Secure all links to payment system engines with a certificate-based mechanism, such as Mutual Transport Layer Security, for all external and internal traffic.
- Limit the number of certificates that can be used on the production server and restrict access to those certificates.
Monitor for anomalous behavior as part of layered security.
- Configure the switch application server to log transactions and routinely audit transaction and system logs.
- Develop a baseline of expected software, users, and logons and monitor switch application servers for unusual software installations, updates, account changes, or other activities outside of expected behavior.
- Develop a baseline of expected transaction participants, amounts, frequency, and timing. Monitor and flag anomalous transactions for suspected fraudulent activity.
- Recommendations for Organizations with ATM or Point of Sale Devices
Validate issuer responses to financial request messages.
- Implement chip and PIN requirements for debit cards.
- Require and verify message authentication codes on issuer financial request response messages.
- Perform authorization response cryptogram validation for chip and PIN transactions.
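The recommendation to require and verify message authentication codes on issuer response messages is the direct counter to the fraudulent ISO 8583 responses described under FASTCash for Windows: a response that is not bound to the request and to an issuer key can be fabricated by anything sitting on the send/receive path. The following Python sketch is an added example, not code from the advisory or from CISA; it assumes a shared HMAC-SHA256 key and a simplified field set, whereas real payment networks mandate their own MAC algorithms and key management.

```python
import hashlib
import hmac

# Assumed simplification (not from the advisory): issuer and acquirer host share a
# symmetric key and the MAC is HMAC-SHA256 over a canonical serialization of the
# decision-relevant ISO 8583 fields. Real schemes use the MAC their network mandates.
ISSUER_MAC_KEY = b"constructed-demo-key-not-for-production"

# ISO 8583 data elements: DE2 PAN, DE4 amount, DE11 STAN, DE37 retrieval reference
# number, DE39 response code ("00" = approved), DE64 message authentication code.
MAC_COVERED_FIELDS = (2, 4, 11, 37, 39)

def canonical_bytes(msg: dict) -> bytes:
    # Fixed field order so issuer and verifier MAC exactly the same bytes.
    return "|".join(f"{n}={msg[n]}" for n in MAC_COVERED_FIELDS).encode()

def compute_mac(msg: dict, key: bytes) -> str:
    return hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()

def issuer_response(request: dict, response_code: str, key: bytes) -> dict:
    """Issuer side: echo the request fields, set DE39, attach the MAC in DE64."""
    resp = {n: request[n] for n in (2, 4, 11, 37)}
    resp[39] = response_code
    resp[64] = compute_mac(resp, key)
    return resp

def verify_response(request: dict, resp: dict, key: bytes) -> bool:
    """Acquirer/ATM side: trust a response only if it echoes the request it answers
    and its DE64 MAC verifies under the issuer key (constant-time comparison)."""
    if any(resp.get(n) != request[n] for n in (2, 4, 11, 37)):
        return False  # response does not belong to this request
    if 64 not in resp:
        return False  # unauthenticated responses are never acted on
    return hmac.compare_digest(resp[64], compute_mac(resp, key))

def is_approved(request: dict, resp: dict, key: bytes) -> bool:
    return verify_response(request, resp, key) and resp[39] == "00"

def demo() -> dict:
    # Constructed sample request: a 100.00 withdrawal on a test PAN.
    request = {2: "4111111111111111", 4: "000000010000", 11: "000123", 37: "000123456789"}
    genuine = issuer_response(request, "51", ISSUER_MAC_KEY)  # "51" = declined
    tampered = {**genuine, 39: "00"}  # decline flipped to approval, MAC now stale
    no_mac = {**{n: genuine[n] for n in (2, 4, 11, 37)}, 39: "00"}  # approval, no DE64
    return {
        "genuine_decline_verifies": verify_response(request, genuine, ISSUER_MAC_KEY),
        "tampered_approved": is_approved(request, tampered, ISSUER_MAC_KEY),
        "no_mac_approved": is_approved(request, no_mac, ISSUER_MAC_KEY),
    }
```

The same request/response binding is what lets the switch-side transaction log be reconciled against what the terminal actually acted on, which is the audit step the monitoring recommendations above call for.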
- Recommendations for All Organizations
Users and administrators should use the following best practices to strengthen the security posture of their organization’s systems:
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up to date.
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators’ group unless required.
- Enforce a strong password policy and require regular password changes.
- Exercise caution when opening email attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations and configure it to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs).
- Scan all software downloaded from the internet before executing.
- Maintain situational awareness of the latest threats.
- Implement appropriate access control lists.
-
Indicators of Compromise
CISA provides indicators of compromise in each Malware Analysis Report on its site https://us-cert.cisa.gov/northkorea.
Endnotes
1. https://us-cert.cisa.gov/ncas/alerts/aa20-239a
2. “Switch is a tool that facilitates communication between different payment service providers. It typically provides a merchant-driven rules-based authorization and switching solution. It dynamically routes payment transactions between multiple acquirers and Payment Service Providers.” (https://lyra.com/in/what-is-payment-switch/)
3. https://us-cert.cisa.gov/northkorea
4. https://www.us-cert.gov/ncas/alerts/TA18-275A