Dhaka, Bangladesh (BBN)– Kaspersky Lab has uncovered compromised servers around the world being used by the notorious cybercrime group Lazarus for its hacking activities including last year’s US$81-million reserve heist on the central bank of Bangladesh.

These hacked servers were part of the groups’ global command and control infrastructure and were found in Indonesia, India, Bangladesh, Malaysia, Vietnam, South Korea, Taiwan and Thailand, among others, the Manila-based Inquirer.net reported quoting a press statement of the Russian cybersecurity firm.

These hacked servers “could be used by Lazarus to launch targeted attacks against a company or organization,” the firm said, adding that “the Korean language group is thought to be state-sponsored.”

The researchers discovered the servers had been infected using malware called “Manuscrypt,” which the hackers had been using since 2013. The malware was installed by exploiting a vulnerability in Microsoft Internet Information Services 6.0 that was patched by Microsoft in June 2017.

“Many servers worldwide remain at risk of this exploit,” Kaspersky Lab said. “Three of the top five countries that still have servers carrying this vulnerability are in the Asia-Pacific region: China (with 7,848 servers), India (1,524) and Hong Kong (1,102).”

“The US tops the list with the most vulnerable servers (11,949), while United Kingdom ranks fifth with 805,” it added.

Successful exploits allow the malware to hand control of the compromised host to the attacker and easily implant additional malware on the server. Kaspersky Lab researchers have also found several tools on the servers, including an information harvester. Using this information gathering tool, the attacker can then steal information from the victim’s own infrastructure.

Apart from the Bangladesh bank heist, Lazarus is also believed to be behind the 2014 hacking of Sony Pictures and the recent WannaCry ransomware epidemic.

“Companies are increasingly worried about being hit by advanced targeted attack groups like Lazarus,” Kaspersky Lab senior security researcher Park Seongsu said. “Unknown to them, their own corporate servers could be infected and manipulated by the hackers against them, or used to launch attacks on others.”

Park predicts that with these incidents targeting enterprise networks, IT security priorities and processes will need to adapt as customers will require technology that is combined with intelligence and expertise, to protect them from both known and unknown threats.

Meanwhile, the Federal Reserve Bank of New York, Bangladesh Bank (BB) and SWIFT had reiterated their commitment to work together for recovering the remaining stolen money of $65.75 million from the Philippines.

They had also decided to continue discussions about the cyber fraud event that occurred in early February last year.
The decisions were taken at the third tripartite meeting, held in New York on May 21 this calendar year.

The first tripartite meeting was held in Basel of Switzerland on May 10, 2016 while the second and third meetings in New York on August 16 last year and May 21, 2017 respectively.

A four-member BB team, headed by Deputy Governor Abu Hena Mohd Razee Hassan, participated the third tripartite meeting, according to the BB officials.

Later, a high-powered team comprising senior officials of the central bank and CID (Criminal Investigation Department) visited the Philippines during June 5-9 to follow the overall recovery process of the heist money.

A senior official of the BB, who is familiar with the recovery process, is hopeful about retrieving $1.2 million more from the Philippines shortly. “We’re working on the issue.”

Earlier on November 12 last year, Bangladesh retrieved US$15.25 million more of its central bank’s stolen money from the Southeast Asian country.

With the return of the money from Manila, the total recovered amount stood at $35.25 million as the central bank of Bangladesh was able to bring back $20 million from Sri Lanka shortly after the trans-national cyber-heist.

Unknown hackers tried to steal nearly $1.0 billion from the BB account at the Fed early February last year, and succeeded in digitally burgling out $81 million into four accounts at RCBC (Rizal Commercial Banking Corp) in Manila in what is dubbed biggest such cyber heist.

The cyber fraud took place on the night of February 04, sending a total of 35 transfer orders into the Fed where the central bank of Bangladesh maintains its foreign-exchange account.

Of the 35 transfer orders placed, 30 were blocked. Four transfers to the Philippine bank for a total of $81 million went through. The rest $20 million transferred to a Sri Lankan non-government organisation was reversed because the hackers misspelled the name of the entity.

Nearly $20 million of the total amount of $101 million siphoned off was recovered from Sri Lanka. The lion’s share of the money landed in the Philippines.