Kasablanca, a hacker group, has targeted cyberattacks on at least six well-known Bangladeshi financial and government organisations, says the e-Government Computer Incident Response Team (e-Gov CIRT), the state organisation responsible for securing the country’s cyberspace.
The organisations are Bangladesh Bank, Bangladesh Police, bKash, BRAC Bank, Islami Bank Bangladesh and Corona.gov.bd.
The reason these institutions were singled out for attack remains unclear.
Earlier on February 10, The Hacker News reported that a previously known Windows remote access Trojan (RAT) with credential-stealing capabilities has now expanded its scope to set its sights on users of Android devices to further the attacker’s espionage motives.
Kasablanca, the group behind the malware, is said to have deployed the new RAT in an ongoing hybrid campaign targeting Bangladeshi users, the report said quoting researchers of Cisco Talos.
The reason why Bangladesh-based organisations have been specifically singled out for this campaign remains unclear, as is the identity of the threat actor, it said.
The Android and Windows versions of the malware are much alike in that both come with a full set of data-gathering features that amount to a stalker application.
The attack on either an Android or Windows device begins with a phishing campaign: an email or SMS text recipient is enticed to open a malicious attachment hiding the malware.
While the Android version of the malware can take photos and screenshots, read SMS and call logs, send SMS and perform calls to specific numbers, and intercept SMS messages or phone calls, its latest Windows counterpart comes with new commands that enable remote access to the target machine and a “Sound” command that can capture audio from a connected microphone.
The attacks by Kasablanca, which originated in October last year, have targeted banks and carrier-grade voice-over-IP software vendors, with clues pointing to the malware author being based in Morocco, The Hacker News report added.
Then on February 17, e-Gov CIRT alerted local financial and government organisations to the cyber threat after identifying the ongoing development of attack variants and a dedicated malware campaign by the threat actor Kasablanca, Tarique M Barkatullah, its project director, told Dhaka Tribune.
e-Gov CIRT identified 18 phishing websites targeting Bangladeshi financial and government organisations, eight of which were created in the name of six well-known institutions.
The eight phishing sites are bkashagent.com; corona-bd.com; bkash.club; bdpolice.co; isiamibankbd.com; Bangladesh-bank.com; Bangladesh-bank.com and bracbank.info.
“We have already asked the Bangladesh Telecommunication Regulatory Commission to stop those sites,” Barkatullah said.
The threat actor’s motive behind this campaign is mainly to spread its botnets within Bangladesh, possibly adapting them for espionage, rather than purely to breach accounts for financial gain, according to e-Gov CIRT.
The users of those institutions are Kasablanca’s target group and they collect confidential information including the National ID card number of customers through fake sites, according to IT experts.
e-Gov CIRT asked local financial and government organisations to enhance their capability to combat growing cyber threats; ensure proper information and cybersecurity awareness training for all employees, customers and consumers; ensure appropriate controls; and minimise the attack surface by granting access on a need-to-know basis.
Such hacker groups create phishing sites to mislead users and steal their confidential information, said Tanvir Hassan Zoha, managing director of Backdoor Private, a cybersecurity firm.
The hacker group conducts major cyberattacks after stealing confidential information through those phishing sites.
“The e-Gov CIRT or other authorities’ role should not be to only identify the hacker group — legal action must be taken against the hacker group.”
To reduce cyberattacks, awareness building among employees and legal action against hackers are much needed, said Zoha, adding that, if necessary, help should be sought from the International Court of Justice.
A threat-generating actor may create domain names with the word ‘bKash’ or other popular brands to impersonate a reputed company’s entity but bKash’s domains and IPs are protected by multilayer security arrangements, Kamal Quadir, chief executive officer of bKash, told Dhaka Tribune.
The arrangements include a network firewall, IPS (Intrusion Prevention System), DDoS protection solutions, an advanced web application firewall, a secure email gateway, a secure web gateway and so on.
“These are all globally recognised cutting-edge technologies to ensure appropriate security.”
Generally, phishing attacks reach internal systems through email content and web links.
“bKash’s protections are preventing internal systems and users from those emails efficiently. All user information and data are completely safe and secured inside the system.”
Moreover, bKash has communicated alerts to all its employees to create the appropriate awareness on the matter.
“We are fundamentally protected,” Quadir added.
Sabbir Hossain, chief operating officer of BRAC Bank, acknowledged receiving the warning letter from e-Gov CIRT.
“Since then, BRAC Bank has strengthened its cybersecurity measures.”
The automated teller machine services, where identity theft often takes place, have not been shut but security measures have been tightened round-the-clock.
“We are building awareness among our clients through SMS and notice about the phishing sites. e-Gov CIRT is playing a proactive role as it alerted us before any possible cyber-attack, which helps us to take precautionary measures,” he added.
Bangladesh Bank Spokesperson Md. Serajul Islam could not be reached for comment at the time of filing this report.
The latest round of cyber threats comes after hackers who go by the name of ALTDOS broke into the systems of Beximco, one of the leading business groups of Bangladesh, on January 21 and stole hundreds of gigabytes of files, source code and databases from 34 Beximco websites, including its telecom subsidiary BOL-ONLINE.COM.
ALTDOS operates mainly in the ASEAN region and has been involved in cyberattacks on stock exchanges and financial institutions in several countries, including Thailand, Bangladesh, the Philippines and Malaysia.
Earlier on January 10, the central bank issued an emergency cyber alert to its staff and officials after malware was detected in its server, which resulted in the internet connection being cut off in the Bangladesh Bank headquarters for a week.
The $101 million cyber heist from the BB’s account with the Federal Reserve Bank of New York in February 2016 also happened because of malware in the central bank’s Swift-RTGS system, which gave the band of hackers an entry into the central bank’s server.