SafeBreach Labs has updated the Hacker's Playbook™ with new simulations for attacks described in US-CERT Alert (TA18-275A), centered around an Automated Teller Machine (ATM) cash-out attack scheme attributed to the North Korean government (dubbed HIDDEN COBRA) — this attack is referred to by the U.S. Government as “FASTCash.”

FASTCash, is an attack that allows for unauthorized withdrawal of cash from ATMs at compromised banks. This is a multi-staged attack, with initial compromise thought to be via phishing attacks on bank employees, then moving to a combination of targeted malware as well as legitimate administrative tools.

These attacks have successfully targeted banks in Africa and Asia, and managed so far to extract tens of millions of dollars. SafeBreach recommends that financials and related businesses in all regions simulate this attack to identify whether or not they are protected against this campaign. As always, SafeBreach Labs will continue to monitor the situation, and develop new simulations as necessary.

To assess security control effectiveness against techniques involved in this attack, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls:

Playbook #1675 & #1678 - Email FASTCash malware

  • Email Controls - Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook #1668 - Transfer of FASTCash malware over HTTP/S

  • Network Controls - Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook #1666 - Write to disk of FASTCash malware

  • Endpoint Controls - Are security controls or hardening in place to prevent saving the malicious files to local disk?

Additional breach methods added recently include:


Subscribe to blog post