Kaspersky Lab discovered a series of attacks on financial and telecommunication companies in Eastern Europe and Central Asia, whose main goal was to steal money.
The attackers tried to withdraw tens of millions of dollars from each financial institution they attacked. In the corporate networks of telecom companies, they searched for data that would give them access to the financial information of interest to them.
All of these incidents shared a common attack technique and a single entry point. While studying these failed robbery attempts, the researchers found that the criminals had exploited a vulnerability in the VPN solutions installed in all of the attacked organizations. The flaw is tracked as CVE-2019-11510, and tools for exploiting it are freely available in the public domain (Devcore specialists first described the problem at the Black Hat conference). In this way, the attackers obtained data from the accounts of corporate network administrators and secured access to valuable information.
It was previously reported that various hacking groups had managed to exploit CVE-2019-11510, but the incidents detected by Kaspersky Lab are most likely the work of Russian-speaking attackers; the experts came to this conclusion after studying the techniques and tactics used in the attacks.
“Despite the fact that the vulnerability was discovered in the spring of 2019, many companies have not yet installed the necessary update. In the fall, Kaspersky Lab took part in the investigation of several such incidents. Given the availability of the exploit, such attacks can become more widespread,” said Sergey Golovanov, a leading antivirus expert at Kaspersky Lab. “Therefore, we strongly recommend that companies install the latest version of the VPN solution used, do not forget about security solutions and follow the news about the current landscape of cyber threats.”