October 15, 2024 at 05:31PM
North Korean threat actors are leveraging a Linux variant of the FASTCash malware in a financial cyber campaign targeting banks and interbank payment processors. Originally built for Windows systems, the malware tampers with transaction messages so that withdrawals which should be declined are approved instead. Researchers recommend enhanced security measures, including chip and PIN requirements for debit cards.
### Meeting Takeaways
1. **Threat Overview**: North Korean threat actors are utilizing a Linux variant of the FASTCash malware to execute financially motivated cyber campaigns.
2. **Background on FASTCash**:
– First documented by the US government in October 2018.
– Initially employed in ATM schemes targeting banks in Africa and Asia.
3. **Recent Developments**:
– The malware can now target banks using Windows Server for their switch applications.
– Expansion of the campaign to include interbank payment processors.
4. **Targeted Systems**:
– While earlier versions targeted Microsoft Windows and IBM AIX, recent findings indicate that FASTCash can now infiltrate Linux systems as well.
5. **Malware Operation**:
– The malware modifies ISO 8583 messages to initiate unauthorized withdrawals.
– Capable of manipulating declined transactions to approve withdrawals amounting to 12,000 to 30,000 Turkish lira ($350 to $875).
6. **Detection Recommendations**:
– The process injection technique used by the malware can be detected by commercial or open-source Linux endpoint detection and response systems if properly configured to monitor the ptrace system call.
7. **CISA Recommendations**:
– Implement chip and PIN requirements for debit cards.
– Verify message authentication codes on financial request responses.
– Perform authorization response cryptogram validation for chip and PIN transactions to mitigate exploitation risks.
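As an added illustration of the ptrace monitoring described above (not code from the original article or from any vendor), the following Python detector runs over auditd SYSCALL records and flags ptrace requests that can write into or take control of another process, skipping an assumed allow-list of debuggers. The audit rule, syscall number, process names and log records are constructed or assumed for the example.

```python
import re
from dataclasses import dataclass

# ptrace request codes from Linux <sys/ptrace.h> that write into or take control
# of another process; read-only requests (PEEK*, GETREGS) are not flagged here.
PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS, PTRACE_ATTACH, PTRACE_SEIZE = 4, 5, 13, 16, 0x4206
INJECTION_REQUESTS = {PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS, PTRACE_ATTACH, PTRACE_SEIZE}
PTRACE_SYSCALL_X86_64 = 101          # syscall number of ptrace on x86_64
ALLOWED_TRACERS = {"gdb", "strace"}  # assumed allow-list; tune per environment

# Records like the samples below are produced by an auditd rule such as:
#   -a always,exit -F arch=b64 -S ptrace -k ptrace_injection
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class PtraceAlert:
    tracer_pid: int
    comm: str
    request: int
    target_pid: int

def parse_audit_fields(line):
    """Split one audit record into key=value fields, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def detect_ptrace_injection(lines):
    """Return one alert per successful ptrace call that can modify a target process."""
    alerts = []
    for line in lines:
        f = parse_audit_fields(line)
        if f.get("type") != "SYSCALL" or f.get("syscall") != str(PTRACE_SYSCALL_X86_64):
            continue
        request = int(f["a0"], 16)  # auditd logs syscall arguments in hex
        if request not in INJECTION_REQUESTS or f.get("success") != "yes":
            continue
        if f.get("comm") in ALLOWED_TRACERS:
            continue
        alerts.append(PtraceAlert(int(f["pid"]), f["comm"], request, int(f["a1"], 16)))
    return alerts

# Constructed sample records (not real captures): a gdb attach, then an unknown binary
# attaching to pid 0x4d2 (1234) and writing into it, then a read-only GETREGS call.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1728998400.101:4520): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 pid=2200 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace_injection"',
    'type=SYSCALL msg=audit(1728998400.102:4521): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 pid=2233 uid=0 comm="svchelper" exe="/tmp/svchelper" key="ptrace_injection"',
    'type=SYSCALL msg=audit(1728998400.103:4522): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=4d2 a2=7f0000001000 a3=0 pid=2233 uid=0 comm="svchelper" exe="/tmp/svchelper" key="ptrace_injection"',
    'type=SYSCALL msg=audit(1728998400.104:4523): arch=c000003e syscall=101 success=yes exit=0 a0=c a1=4d2 a2=0 a3=7ffd0000 pid=2233 uid=0 comm="svchelper" exe="/tmp/svchelper" key="ptrace_injection"',
]

if __name__ == "__main__":
    for a in detect_ptrace_injection(SAMPLE_AUDIT_LINES):
        print(f"pid {a.tracer_pid} ({a.comm}) issued ptrace request {a.request} against pid {a.target_pid}")
```

Two alerts are raised for the constructed input: the ATTACH and the POKETEXT from the non-allow-listed process; the gdb attach and the GETREGS call are ignored.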
### Action Items
– Ensure endpoint detection systems are configured to detect ptrace usage.
– Review and consider CISA’s recommendations for enhancing security against potential FASTCash exploitations.