How to hack a bank (theoretically)
Cyber security consultancy Context shares the techniques it has used to infiltrate financial institutions in 'red team' exercises
One service that some security consultancies provide is called 'red teaming'. This simply means trying to infiltrate a client's IT systems through any means possible, in order to highlight security vulnerabilities they may not have identified.
UK security firm Context Information Security has been commissioned by a number of major financial institutions to attack their systems. Last week, it presented some of the techniques it has used successfully - and how the targets could have thwarted them.
The general plan of attack for infiltrating a bank's IT systems is to mimic the so-called 'advanced persistent threat', understood to be the Chinese army's preferred method of cyber attack.
This means using a previously undiscovered or 'zero day' software vulnerability to create targeted malware; using social engineering to inject that malware into an organisation's IT infrastructure; using that malware to gain remote access to the company's network; and finally extracting the desired information.
Find a zero day vulnerability
Programming platform Java has been a particularly bountiful source of zero day flaws recently, with companies including Apple, Microsoft and Facebook all falling victim to Java-borne exploits.
"If you want to know why people try to hack Java, just ask Oracle," said James Forshaw, a researcher at Context. "As it says in its marketing materials, 3 billion devices run on Java. That's a lot of attack surface."
The most powerful Java exploits are those that attack the Java plug-in for web browsers, because any machine with the plug-in enabled can be compromised simply by visiting a web page that hosts the exploit.
Forshaw explained that many of the emerging Java vulnerabilities work by interfering with 'stack walking', the process by which the Java security manager inspects each frame on the call stack to decide whether the code requesting a privileged operation is allowed to perform it. "There are some fundamental techniques that allow you to trick the stack walking process so that you can break out of the Java sandbox," he said.
And he should know. Forshaw used a newly identified zero-day flaw to compromise Java at this year's Pwn2Own hacking competition, held at the CanSecWest conference in Vancouver (the vulnerability he identified has yet to be patched by Oracle, Forshaw says).
Once a new vulnerability has been identified, an exploit for it can be used to deliver a payload that anti-virus software will not recognise, because no signature for it exists yet. Context says that in one successful red team operation, it built a payload disguised as a calculator application which, when run, connected the user's machine to a remote command and control server.
Infect the target's IT infrastructure
Most major financial institutions are armed to the teeth with IT security systems. Often the easiest way to infect their infrastructure, therefore, is to target their weakest link: their employees.
There are many ways to do this. One of the most common is spearphishing - sending targeted emails that look legitimate but contain a malicious link or attachment.
According to Michael Jordon, security consultant at Context, the key to a successful spearphishing attack is to pick specific individuals to target. "If you send a spearphishing email to everybody in the organisation, someone will notice it. But if you put a lot of effort into targeting one person, either it works or it doesn't but no-one else knows about it."
There are other ways to use social engineering to inject malware into a company's system, Context said.
Hackers might cross-check a company's website against LinkedIn to find a legitimate employee who does not have an account on the social networking site, for example. They can then set up an account in that employee's name, use it to contact other workers in the organisation, and trick them into clicking a link or opening a malicious attachment that way.
Another approach is to place the infection on a USB drive and get it into the hands of one of the organisation's employees. Context has found in its red team exercises that the most effective way to do this is to hand in at reception an envelope bearing an employee's name and containing the USB drive, with the malware-infected file labelled something like 'Top Secret'.
Locate sensitive information
Once an employee's PC has been infected, the malware can call back to a remote command and control server. This means a hacker can use the infected PC to investigate the corporate network.
Of course, simply having control of an employee's PC does not mean the hacker can access sensitive information. It helps if the hacker knows something about the organisation's IT infrastructure.
LinkedIn is again a useful tool for hackers, Jordon says. "If you look at the kind of skills their IT staff have, you can see what technology they use."
In one red team exercise, Context discovered from LinkedIn that the target company employed a number of engineers with experience of the open source middleware platform JBoss. It therefore scanned the network for JBoss servers, found one, and logged in to its web management console using the factory-default username and password.
The server did not contain any sensitive information but, given that it was called 'JBoss 2', Context deduced that there was also one called 'JBoss 1'. There was indeed, and on it Context found private details of a high net worth customer's bank account: the conclusion of a successful red team exercise.
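The JBoss step above is worth seeing as a check a defender can run before an attacker does. The script below is an added example written for this article, not Context's tooling: it probes a host for the classic JBoss AS web consoles and reports any that accept a default credential pair. The console paths and the credential pairs are assumptions (the commonly documented shipped defaults), and the in-process HTTP server that answers the probe is a constructed stand-in for a real 'JBoss 2'. On a real network it would be pointed only at hosts inside the agreed scope.

```python
"""Default-credential audit for JBoss management consoles (added example)."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Assumption: consoles live where the classic JBoss AS 4/5 layout puts them.
CONSOLE_PATHS = ("/jmx-console/", "/web-console/", "/admin-console/")
# Assumption: the well-known shipped default credential pairs.
DEFAULT_CREDS = (("admin", "admin"), ("jboss", "jboss"))


def try_login(base_url, path, user, password, timeout=3):
    """Return True if the console at base_url+path accepts this Basic-auth pair."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(base_url + path, headers={"Authorization": f"Basic {token}"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError:
        return False  # 401/403: wrong pair; 404: no console at this path
    except URLError:
        return False  # host or port unreachable


def audit_host(base_url):
    """Return a list of (path, user, password) tuples the host accepted."""
    hits = []
    for path in CONSOLE_PATHS:
        for user, password in DEFAULT_CREDS:
            if try_login(base_url, path, user, password):
                hits.append((path, user, password))
                break  # one working pair per console is enough to report
    return hits


class FakeJBoss(BaseHTTPRequestHandler):
    """Constructed stand-in for a misconfigured server: /jmx-console/ is
    protected by HTTP Basic auth and still uses admin:admin."""
    accepted = "Basic " + base64.b64encode(b"admin:admin").decode()

    def do_GET(self):
        if self.path != "/jmx-console/":
            self.send_error(404)
            return
        if self.headers.get("Authorization") != self.accepted:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="JBoss JMX Console"')
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"<html>JMX Agent View</html>")

    def log_message(self, *args):
        pass  # keep the demo server quiet


def run_demo():
    """Start the stand-in server on a free local port, audit it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), FakeJBoss)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit_host(f"http://127.0.0.1:{server.server_port}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, user, password in run_demo():
        print(f"default credentials accepted: {path} {user}:{password}")
```

The same loop, fed the host list from a port scan, is exactly what turned 'JBoss 2' into a foothold; run in-house it turns the finding into a ticket instead.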
The Kill Chain defence
Defending against this kind of attack demands an approach, pioneered by US military contractor Lockheed Martin, called the Cyber Kill Chain. This means addressing every stage of the attack: preventing each stage if possible and, if not, accumulating enough information about it to defend against the later stages.
For the hackers, the first stage is reconnaissance. There is not a lot organisations can do about this, as much of the information a hacker might want is already available on the Internet.
"Your marketing and PR department might actively encourage you to do stuff that makes it easy for attackers," explains Peter Barbour, senior security consultant at Context IS.
Still, Barbour says, an organisation can understand what their exposure is, look at what information is available on the web, and position their security defences accordingly.
There is, by definition, no patch for a zero-day flaw, but that does not leave organisations defenceless. Keeping Java patched removes the exploits that are already public, and disabling the browser plug-in wherever the business does not need it removes the attack surface that the most powerful exploits depend on. Oracle provides guidance on how to manage Java across the enterprise.
The best defence against social engineering is, of course, user education. A poorly informed employee might be easily hoodwinked into clicking on a link or opening an attachment, but with proper training users can detect suspicious activity better than any automated tool. "Users can be your worst line of defence, or your best," says Barbour.
When a suspicious email or attachment is identified, he adds, "the important thing is to analyse the specimen. You can analyse Exchange logs to find out whether there were other recipients, or if there are other emails with similar subject lines."
Similarly, if an email containing a malicious link is detected, the company should analyse its web logs to see whether any employees have visited the URL or one like it. If they have, that machine can be quarantined. The point is that any information that can be gleaned about an attack can be used to contain its potential impact.
Preventing hackers from impersonating employees on LinkedIn is difficult, but companies can brief their employees on the fact that it happens, and warn them against opening documents sent to them through the social network.
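The two log checks Barbour describes, finding the other recipients of a reported spearphish and finding the machines that have already fetched its link, can be scripted against the mail and proxy logs. The script below is an added example for this article, not Context's code. Its inputs are constructed, simplified stand-ins for an Exchange message tracking log (timestamp, event, sender, recipient, subject) and a web proxy access log (timestamp, client IP, method, URL, status); the lookalike domain `examp1e-corp.com` and every address in them are invented. It goes slightly beyond the text in two ways: "similar subject lines" is implemented as a fuzzy string match so re-worded copies are caught, and "a URL like it" is taken to mean any URL on the same host.

```python
"""Spearphish triage over mail and proxy logs (added example)."""
import csv
import difflib
from io import StringIO
from urllib.parse import urlsplit

# Constructed Exchange message-tracking extract: timestamp,event,sender,recipient,subject
MAIL_LOG = """\
2013-05-02T09:01:10,RECEIVE,hr-payroll@examp1e-corp.com,a.smith@example.com,Updated payroll schedule Q2
2013-05-02T09:01:11,DELIVER,hr-payroll@examp1e-corp.com,a.smith@example.com,Updated payroll schedule Q2
2013-05-02T09:03:42,RECEIVE,hr-payroll@examp1e-corp.com,b.jones@example.com,Updated Payroll Schedule Q2 (revised)
2013-05-02T09:04:20,RECEIVE,payroll-hr@examp1e-corp.net,d.patel@example.com,Updated payroll schedule Q2
2013-05-02T09:15:00,RECEIVE,newsletter@vendor.example,c.lee@example.com,May product update
2013-05-02T10:20:05,RECEIVE,hr@example.com,all-staff@example.com,Q2 payroll dates confirmed
"""

# Constructed proxy access log: timestamp client_ip method url status
PROXY_LOG = """\
2013-05-02T09:05:13 10.1.4.22 GET http://examp1e-corp.com/docs/payroll_q2.pdf.exe 200
2013-05-02T09:30:40 10.1.4.23 GET http://www.example.com/ 200
2013-05-02T09:41:02 10.1.7.9 GET http://examp1e-corp.com/login 200
2013-05-02T11:02:55 10.1.4.22 GET http://cdn.example.net/lib.js 200
"""


def related_messages(mail_log, sender, subject, threshold=0.8):
    """Return sorted (recipient, subject) pairs for messages from the same sender
    or whose subject is a close match to the reported one."""
    hits = set()
    for row in csv.reader(StringIO(mail_log)):
        _ts, event, row_sender, recipient, row_subject = row
        if event != "RECEIVE":
            continue  # count each message once, not once per delivery event
        same_sender = row_sender.lower() == sender.lower()
        similarity = difflib.SequenceMatcher(
            None, subject.lower(), row_subject.lower()).ratio()
        if same_sender or similarity >= threshold:
            hits.add((recipient, row_subject))
    return sorted(hits)


def hosts_that_fetched(proxy_log, url):
    """Return sorted client IPs that fetched the URL or anything else on its host."""
    bad_host = urlsplit(url).netloc.lower()
    clients = set()
    for line in proxy_log.splitlines():
        _ts, client, _method, visited, _status = line.split()
        if urlsplit(visited).netloc.lower() == bad_host:
            clients.add(client)
    return sorted(clients)


def triage(reported_sender, reported_subject, reported_url,
           mail_log=MAIL_LOG, proxy_log=PROXY_LOG):
    """Combine both checks into the containment list an analyst would act on."""
    return {
        "other_recipients": related_messages(mail_log, reported_sender, reported_subject),
        "hosts_to_quarantine": hosts_that_fetched(proxy_log, reported_url),
    }


if __name__ == "__main__":
    result = triage("hr-payroll@examp1e-corp.com", "Updated payroll schedule Q2",
                    "http://examp1e-corp.com/docs/payroll_q2.pdf.exe")
    for recipient, subj in result["other_recipients"]:
        print(f"also received: {recipient}  ({subj})")
    for ip in result["hosts_to_quarantine"]:
        print(f"quarantine: {ip}")
```

The fuzzy subject match is what catches the second lookalike sender (`payroll-hr@examp1e-corp.net`), which a sender-only search would miss; the host-level URL match is what catches `10.1.7.9`, which never fetched the payload but did visit the attacker's domain and so deserves a look.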
As for the USB drive attack vector, companies can reduce the risk of infection by switching off AutoRun, the function that automatically executes a file when a USB drive is inserted (this is turned off for USB drives by default in Windows 7). AutoRun does nothing, however, to stop an employee who double-clicks a file labelled 'Top Secret', so it should be combined with a device-control policy that blocks unapproved removable media. There are also security information and event management (SIEM) tools that can detect unauthorised external devices, Barbour adds.
As for hackers searching the infrastructure for sensitive information, Barbour says there are some standard techniques they will use that can be identified by SIEM tools.
“They will typically try to gain access to a local admin account, and they may try to disable the anti-virus,” he says. “We've seen Chinese attackers using some of the standard penetration testing tools.”
Indeed, Barbour says, anti-virus software should not be overlooked as a defence mechanism against advanced attacks, as they often rely on known malware. “Poison Ivy, for example, is an implant often used by state actors.”
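The two tell-tales Barbour names, an attacker granting themselves local admin rights and an attacker stopping the anti-virus, can be written as SIEM rules over Windows event logs. The script below is an added example for this article, not a Context or vendor rule set. The event IDs are the real Windows ones (Security 4688 process creation, Security 4732 member added to a local group, System 7036 service state change), but the field names are simplified and the event lines themselves are constructed; the anti-virus service names are an assumption standing in for whatever product the organisation actually runs. It also adds a correlation step the text only implies: a host that trips two different rules is escalated rather than just listed.

```python
"""SIEM-style rules for local-admin escalation and AV tampering (added example)."""
import json

# Assumption: service names of the installed anti-virus product(s).
AV_SERVICES = {"WinDefend", "McAfeeFramework", "SepMasterService"}

# Constructed event lines (one JSON object per line, fields simplified).
EVENTS = r"""
{"time":"2013-05-02T11:05:01","host":"WS-0412","log":"Security","event_id":4688,"subject":"EXAMPLE\\a.smith","command_line":"net localgroup administrators a.smith /add"}
{"time":"2013-05-02T11:05:01","host":"WS-0412","log":"Security","event_id":4732,"subject":"EXAMPLE\\a.smith","group":"Administrators","member":"a.smith"}
{"time":"2013-05-02T11:06:30","host":"WS-0412","log":"System","event_id":7036,"service":"McAfeeFramework","state":"stopped"}
{"time":"2013-05-02T11:07:00","host":"WS-0412","log":"Security","event_id":4688,"subject":"EXAMPLE\\a.smith","command_line":"notepad.exe C:\\Users\\a.smith\\notes.txt"}
{"time":"2013-05-02T12:00:00","host":"WS-0077","log":"System","event_id":7036,"service":"Spooler","state":"stopped"}
""".strip()


def detect(event_lines):
    """Return (host, rule, detail) alerts, one per matching event, in log order."""
    alerts = []
    for line in event_lines.splitlines():
        ev = json.loads(line)
        eid = ev["event_id"]
        if eid == 4732 and ev.get("group", "").lower() == "administrators":
            # Someone was added to the local Administrators group.
            alerts.append((ev["host"], "local-admin-added",
                           f"{ev['member']} added by {ev['subject']}"))
        elif eid == 4688:
            # Same intent seen from the other side: the command that did it.
            cmd = ev.get("command_line", "").lower()
            if "localgroup" in cmd and "administrators" in cmd and "/add" in cmd:
                alerts.append((ev["host"], "local-admin-cmd", cmd))
        elif (eid == 7036 and ev.get("state") == "stopped"
              and ev.get("service") in AV_SERVICES):
            # Service Control Manager reports the AV service stopped.
            alerts.append((ev["host"], "av-service-stopped", ev["service"]))
    return alerts


def hosts_to_escalate(alerts, min_rules=2):
    """Hosts that tripped at least min_rules distinct rules, sorted by name."""
    rules_by_host = {}
    for host, rule, _detail in alerts:
        rules_by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect(EVENTS)
    for host, rule, detail in found:
        print(f"{host}: {rule}: {detail}")
    for host in hosts_to_escalate(found):
        print(f"escalate: {host} (multiple rules fired)")
```

The print spooler stopping on `WS-0077` is deliberately in the sample data: a rule that alerted on every 7036 would drown the analyst, so the rule only fires for the services on the assumed anti-virus list.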
In all, Context's presentation shows that cutting-edge cyber attacks are complex and by no means easy to defend against. Still, understanding the pattern of attack can help organisations spot potential dangers as they arise.