Massive FASTCash ATM Scheme Attributed to HIDDEN COBRA
The Department of Homeland Security, Department of the Treasury, and the Federal Bureau of Investigation released a joint technical alert (TA18-275A) identifying malware and IOCs used by the North Korean APT group known as HIDDEN COBRA in an ATM cash-out scheme dubbed “FASTCash.” Threat actors remotely compromised payment switch application servers to conduct fraudulent transactions, allowing them to steal tens of millions of dollars at ATMs in over 30 countries. Spear-phishing emails were likely used to steal legitimate bank employee credentials and infiltrate the servers. Transaction requests were intercepted and answered with fraudulent confirmation responses, allowing money to be deposited into accounts controlled by the threat group. All of the compromised servers were found to be running an unsupported version of the IBM operating system, Advanced Interactive eXecutive (AIX). The U.S. Government assesses that HIDDEN COBRA will continue to use FASTCash tactics to compromise retail payment systems. The alert contains technical details of the attack and mitigation techniques, and IOCs are provided in the accompanying Malware Analysis Report (AR18-275A). The NJCCIC recommends that users and administrators review the Technical Alert and use the IOCs provided to determine whether malicious activity associated with HIDDEN COBRA has been observed within their organizations. If detected, this activity should be given the highest priority for mitigation and reported to the NJCCIC as soon as possible.