{"id":5847,"date":"2024-10-15T16:20:51","date_gmt":"2024-10-15T21:20:51","guid":{"rendered":"https:\/\/www.darkreading.com\/cyber-risk\/north-korea-hackers-cash-linux-cyber-heists"},"modified":"2024-10-15T16:20:51","modified_gmt":"2024-10-15T21:20:51","slug":"north-korea-hackers-get-cash-fast-in-linux-cyber-heists","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/10\/15\/north-korea-hackers-get-cash-fast-in-linux-cyber-heists\/","title":{"rendered":"North Korea Hackers Get Cash Fast in Linux Cyber Heists"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/bltb73f88f57745b899\/670ed4947eeb84b5c2247d6d\/atm1800_Panther_Media_GmbH_alamy.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/north-korea-hackers-get-cash-fast-in-linux-cyber-heists.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">North Korean threat actors are using a Linux variant from a malware family known as &#8220;FASTCash&#8221; to conduct a financially motivated cyber campaign.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">FASTCash is a payment switch malware, <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk 
ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cyber-risk\/symantec-offers-new-details-of-north-korean-backed-fastcash-attack\" rel=\"noopener\">first documented by the US government in October 2018<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> when it was being used by North Korean adversaries in an ATM scheme targeting banks in Africa and Asia.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Since then, the campaign has seen two significant developments: the capability to conduct the scheme against banks hosting their switch application on Windows Server, and an expansion to target interbank payment processors.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Prior versions of the malware targeted systems running Microsoft Windows and IBM AIX; the latest findings indicate that it is now also designed to infiltrate Linux systems.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The malware modifies ISO 8583 transaction messages, the format used for debit and credit card transactions, to initiate unauthorized withdrawals. It intercepts transactions that the issuer declined for insufficient funds and rewrites the response as an approval, allowing withdrawals of between 12,000 and 30,000 Turkish lira ($350 to $875).<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" 
data-testid=\"content-text\">&#8220;The process injection technique employed to intercept the transaction messages should be flagged by any commercial [endpoint detection and response] or opensource Linux agent with the appropriate configuration to detect usage of the&nbsp;ptrace&nbsp;system call,&#8221; <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/doubleagent.net\/fastcash-for-linux\/\" rel=\"noopener\">noted the researchers in the report<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The researchers also highlight Cybersecurity and Infrastructure Security Agency (CISA) recommendations of implementing chip and PIN requirements for debit cards, requiring and verifying message authentication codes on issue financial request response messages, and performing authorization response cryptogram validation for chip and PIN transactions to prevent exploitation attempts.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/cyber-risk\/north-korea-hackers-cash-linux-cyber-heists\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>North Korean threat actors are using a Linux variant 
from<\/p>\n","protected":false},"author":12,"featured_media":5848,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-5847","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/north-korea-hackers-get-cash-fast-in-linux-cyber-heists-scaled.jpg?fit=2560%2C1440&ssl=1",2560,1440,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/north-korea-hackers-get-cash-fast-in-linux-cyber-heists-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/north-korea-hackers-get-cash-fast-in-linux-cyber-heists-scaled.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/north-korea-hackers-get-cash-fast-in-linux-cyber-heists-scaled.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/north-korea-hackers-get-cash-fast-in-linux-cyber-heists-scaled.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/north-korea-hackers-get-cash-fast-in-linux-cyber-heists-scaled.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/north-korea-hackers-get-cash-fast-in-linux-cyber-heists-scaled.jpg?fit=2048%2C1152&ssl=1",2048,1152,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/north-korea-hackers-get-cash-fast-in-linux-cyber-heists-scaled.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-con
tent\/uploads\/2024\/10\/north-korea-hackers-get-cash-fast-in-linux-cyber-heists-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/north-korea-hackers-get-cash-fast-in-linux-cyber-heists-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/10\/north-korea-hackers-get-cash-fast-in-linux-cyber-heists-scaled.jpg?fit=2560%2C1440&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5847","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5847"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5847\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/5848"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5847"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5847"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5847"}],"curies":[{"name":"wp","href":"https:\/\/a
pi.w.org\/{rel}","templated":true}]}}
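As an added example (not code from the Dark Reading article or from the doubleagent.net research it cites), the following Python sketches the ISO 8583 manipulation the article describes and the CISA control that defeats it: a toy ISO 8583 encoder and decoder, an issuer 0210 response declining for insufficient funds, a FASTCash-style rewrite of that response into an approval for 12,000 to 30,000 Turkish lira, a switch that only inspects the response code and therefore accepts the forgery, and a MAC check that rejects it. The field table, the HMAC-SHA256 stand-in for the network MAC algorithm, the key, the PAN and the amounts are all assumptions constructed for the example.

```python
"""Constructed example: ISO 8583 response tampering vs. MAC verification."""
import hashlib
import hmac
import random

# Assumed, simplified field table. Real ISO 8583 lengths and encodings are
# network-specific, and a real DE64 MAC is 8 binary bytes; here it is carried
# as 16 hex characters so the whole message stays ASCII.
FIELD_SPEC = {
    2:  ("llvar", 19),  # primary account number
    3:  ("fixed", 6),   # processing code
    4:  ("fixed", 12),  # transaction amount in minor units
    11: ("fixed", 6),   # system trace audit number
    39: ("fixed", 2),   # response code: "00" approved, "51" insufficient funds
    49: ("fixed", 3),   # currency code: 949 is Turkish lira
    64: ("fixed", 16),  # message authentication code
}


def encode(mti, fields):
    """Serialise MTI + 64-bit primary bitmap + data elements in ascending order."""
    bits, body = 0, []
    for de in sorted(fields):
        kind, length = FIELD_SPEC[de]
        value = str(fields[de])
        if kind == "fixed":
            if len(value) != length:
                raise ValueError(f"DE{de} must be exactly {length} characters")
            body.append(value)
        else:  # llvar: two-digit length prefix, then the value
            if len(value) > length:
                raise ValueError(f"DE{de} exceeds {length} characters")
            body.append(f"{len(value):02d}{value}")
        bits |= 1 << (64 - de)  # DE1 is the most significant bit
    return f"{mti}{bits:016X}{''.join(body)}"


def decode(message):
    """Inverse of encode(); returns (mti, {de: value})."""
    mti, bitmap, rest = message[:4], message[4:20], message[20:]
    bits = int(bitmap, 16)
    if bits & (1 << 63):
        raise ValueError("secondary bitmap not supported in this example")
    fields = {}
    for de in range(2, 65):
        if not bits & (1 << (64 - de)):
            continue
        kind, length = FIELD_SPEC[de]
        if kind == "fixed":
            value, rest = rest[:length], rest[length:]
            if len(value) != length:
                raise ValueError(f"DE{de} truncated")
        else:
            n = int(rest[:2])
            value, rest = rest[2:2 + n], rest[2 + n:]
        fields[de] = value
    if rest:
        raise ValueError("trailing data after last data element")
    return mti, fields


def compute_mac(key, mti, fields):
    """Stand-in for the network MAC: HMAC-SHA256 over the message without DE64,
    truncated to 64 bits. Any change to DE4 or DE39 changes the tag."""
    unmacced = {de: v for de, v in fields.items() if de != 64}
    tag = hmac.new(key, encode(mti, unmacced).encode(), hashlib.sha256).digest()
    return tag[:8].hex().upper()


def issuer_decline(key, pan, amount_minor, stan):
    """Issuer builds a MAC'd 0210 response declining for insufficient funds."""
    fields = {2: pan, 3: "010000", 4: f"{amount_minor:012d}", 11: stan,
              39: "51", 49: "949"}
    fields[64] = compute_mac(key, "0210", fields)
    return encode("0210", fields)


def fastcash_style_tamper(message, rng=random):
    """The behaviour the article describes: turn a decline into an approval for
    12,000-30,000 TRY. The attacker has no MAC key, so DE64 is left untouched."""
    mti, fields = decode(message)
    fields[39] = "00"
    fields[4] = f"{rng.randint(12_000, 30_000) * 100:012d}"  # kurus
    return encode(mti, fields)


def naive_switch_accepts(message):
    """A switch that only looks at DE39 dispenses on the forged approval."""
    return decode(message)[1].get(39) == "00"


def verify_mac(key, message):
    """CISA's recommended control: verify the MAC on issuer response messages."""
    mti, fields = decode(message)
    presented = fields.pop(64, None)
    if presented is None:
        return False
    return hmac.compare_digest(presented, compute_mac(key, mti, fields))


if __name__ == "__main__":
    KEY = b"issuer-acquirer-zone-key-example"  # constructed, not a real key
    original = issuer_decline(KEY, "4111111111111111", 50_000, "000123")
    forged = fastcash_style_tamper(original)
    print("naive switch accepts original:", naive_switch_accepts(original))
    print("naive switch accepts forged:  ", naive_switch_accepts(forged))
    print("MAC valid on original:", verify_mac(KEY, original))
    print("MAC valid on forged:  ", verify_mac(KEY, forged))
```

Run it directly: the DE39-only check accepts the forged approval, while the MAC check rejects it because the attacker cannot recompute DE64 without the key. The check only helps where the switch or acquirer actually enforces it on every issuer response, which is why CISA lists it alongside chip-and-PIN and cryptogram validation rather than as an optional hardening step.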