The US-CERT together with multiple governmental agencies are warning of a new type of attack on bank servers, dubbed “FASTCash”. Through infecting specialized switch servers “FASTCash” allows for ATMs to spit out cash – Even if none is present on the account.

Behind the attack are North Korean threat actors HIDDEN COBRA. The attack, which has been in use since at least 2016, has earned the group tens of millions of dollars and is not expected to stop any time soon.

 

North-Korean HIDDEN COBRA responsible for FASTCash attacks

The United States Computer Emergency Readiness Team (US-CERT) together with multiple US government agencies are warning of a new type of attack dubbed “FASTCash”, on banking systems in Africa and Asia. The actors behind the attack are the infamous North-Korean hacking group HIDDEN COBRA.

HIDDEN COBRA, also known as Lazarus Group or Guardians of Peace is responsible for multiple high-profile attacks. These include massive DDoS campaigns on South Korean infrastructure in 2011 and the breach of Sony Pictures in 2014. Through linking technical details from their 2018 attack on cryptocurrencies Bitcoin and Monero the group has also been tied to the WannaCry ransomware attacks.

 

Millions of dollars lost in ATM attacks

The “FASTCash” attack itself works by targeting the switch application server used between the ATM and other internal banking systems. The role of this server is to handle financial requests, such as whether a payment will go through depending on the balance. The HIDDEN COBRA group infects these servers and intercept the requests, sending fradulent but legitimate affirmative response messages back – even if the transaction was set to fail.

Using the fradulent responses the group can perform fraudulent ATM withdrawals Essentially forcing ATMs to spit out cash. The image below shows the anatomy of the “FASTCash” attack.

The attack is thought to have been employed since at least 2016 according to the US-CERT technical alert. Asia and Africa are the primary targets, with no attacks having been detected in the US. Even so, “FASTCash” is estimated to have earned the group tens of millions of dollars and US-CERT does not believe it will stop any time soon.

“FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions. The U.S. Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation.”, the agency stated in their report.