Security researchers from Kaspersky have reported on thousands of notifications of attacks on major banks in the sub-Saharan Africa region. The malware in the attacks has been linked to Silence Group – a hacking organisation which has targeted banks and stolen millions in the past.
The group, which is reportedly one of the most active Advanced Persistent Threat (APT) actors, begins these attacks with a social engineering scheme. Attackers send a phishing email that contains malware to a bank employee. The malware gets inside the bank’s security perimeter and gathers information on the victim organisation. To do this, the malware “captures screenshots and video recordings of the day to day activity on the infected device.”
Once attackers are ready to take action, they activate the capabilities of the malware which can include cash withdrawals via ATM.
Kaspersky researchers say the attacks began in the first week of 2020, and the notifications indicate that the group is about to activate the malware and cash out the funds. The researchers did not disclose which banks are under threat, but one would assume that, if they know, they have reached out to those banks to warn them.
“Silence group has been quite productive in the past years, as they live up to their name; their operations require an extensive period of silent monitoring, with rapid and coordinated thefts. We noticed a growing interest of this actor group in banking organisations in 2017 and since that time the group would constantly develop, expanding to new regions and updating their social engineering scheme,” said Sergey Golovanov, security researcher at Kaspersky. “We urge all banks to stay vigilant, as apart from the large sums, Silence group also steals sensitive information while monitoring the banks’ activity as they video record screen activity. This is a serious privacy abuse that might cost more than money can buy.”
The malware used in the operation is detected as HEUR:Trojan.Win32.Generic and PDM:Exploit.Win32.Generic, and Kaspersky says financial institutions can guard against it by applying the following measures:
- Introduce basic security awareness training for all employees so that they can better distinguish phishing attempts.
- Monitor activity in enterprise information systems through an information security operations centre.
- Use security solutions with dedicated functionality aimed at detecting and blocking phishing attempts.
- Provide security teams with access to up-to-date threat intelligence, to keep pace with the latest tactics and tools used by cybercriminals.
- Prepare an incident response plan to be ready for potential incidents in the network environment.