Equation Group Exploit Could Potentially Target More Than SWIFT Users
Warning: A dumped Equation Group exploit can be used to bypass Oracle database authentication.
See Also: Balancing Fraud Detection & the Consumer Banking Experience
The attack tool in question, called PassFreely, dates from 2013. Based on leaked documents, tools and exploits tied to the Equation Group – the nickname for a group of hackers that experts believe is part of the National Security Agency’s Tailored Access Operations group – it appears that PassFreely may have been used to hack into two or more SWIFT service bureaus (see Hackers Reveal Apparent NSA Targeting of SWIFT Bureaus).
The interbank messaging system from Brussels-based SWIFT – formally known as the Society for Worldwide Interbank Financial Telecommunication – is designed to guarantee that money-moving messages between more than 11,000 banks worldwide are authentic. While some banks host the related infrastructure themselves, many instead use one of 74 accredited SWIFT bureaus.
PassFreely first came to light April 14, when the shadowy online group that calls itself the Shadow Brokers released a suite of tools it somehow obtained from the Equation Group, dating from 2013 and earlier.
“PassFreely is an exploit for patching Oracle in memory,” according to an analysis published by Norwegian managed security services firm Mnemonic. In this case, “patching” refers to altering software behavior to suit an attacker’s needs. “The exploit patches the Oracle binary in memory to allow unauthenticated access to the data stored in Oracle databases,” it says.
Based on leaked documentation, PassFreely appears to tie to money-moving monitoring efforts by the NSA. But the exploit could also be used to access or modify any Oracle database – without leaving a trail – provided a hacker or malicious insider first gains access to the systems on which those databases run.
“The tool is related to Oracle and not specifically for SWIFT users,” security researcher Tal Be’ery tells Information Security Media Group. “Using this tool, an attacker that already has high privileges on the Oracle instance can perform actions and queries that wouldn’t be logged by the database.”
In the wake of the this month’s Equation Group dump, SWIFT issued a statement saying that some users’ communications may have been compromised. “SWIFT is aware of allegations surrounding the unauthorized access to data at two service bureaus,” a spokesman says. “There is no impact on SWIFT’s infrastructure or data, however, we understand that communications between these service bureaus and their customers may previously have been accessed by unauthorized third parties.”
SWIFT also promises that “whenever we believe there is any risk to the security of our services, we investigate very thoroughly and take whatever actions we deem appropriate to mitigate the risk.”
But what if there’s no fix for the underlying Oracle flaws? An Oracle spokeswoman told ISMG that the company wasn’t immediately able to comment on the potential risk posed by PassFreely, as well as when – or if – it plans to patch the bug that the tool targets. To date, the bug doesn’t appear to have been assigned to the Common Vulnerabilities and Exposures list.
Oracle Databases Targeted
Numerous versions of the Oracle database appear to be at risk. French security researcher Matt Suiche, who heads Dubai-based incident response firm Comae Technologies, warns in a blog post that “according to the strings contained in the implant, 386 versions – Oracle 7.2 to 11.2 – of Oracle [databases] are affected by this four-year-old version of PassFreely.”
The most recently released version of Oracle’s database was 18.104.22.168. Of course, it’s possible that the Equation Group has developed newer versions of its attack tool since 2013.
Paired With DoublePulsar
Based on his analysis of the leaked tools, Suiche says that PassFreely appears to have been paired with DoublePulsar, an Equation Group backdoor (see DoublePulsar Pwnage: Attackers Tap Equation Group Exploit).
DoublePulsar often appeared to get installed via another attack tool, such as EternalBlue, which targeted a server message block (SMB) server vulnerability present in every Windows operating system from XP to Server 2008 R2. Microsoft issued a related patch in March. It was apparently tipped off to the flaw by the NSA, after the name of the attack tool – but not the tool itself – was previewed in January by the Shadow Brokers (see No Coincidence: Microsoft’s Timely Equation Group Fixes).
“PassFreely forces a compromised – with DoublePulsar – Oracle database server to accept every incoming connection,” Suiche says. “It disables the authentication requirements directly by modifying the Oracle database application in the server’s memory.”
Michael Sabo, vice president of marketing at database security firm DB Networks, likens the PassFreely exploit to a buffer overflow, in that it enables attackers to execute arbitrary code in memory. “We’re assuming it came from the NSA … it’s a very, very sophisticated, multi-dimensional attack,” he says, in that it allows attackers to gain ongoing access to a database and “stay under the radar.”
The security researcher Be’ery, however, emphasizes that the exploit does not involve a buffer overflow but rather built-in operating system functionality that be used for both good and bad purposes. “The tool changes the logic of an Oracle process by changing the process’s code in memory,” he says. “Code is just values in the computer’s memory, and the attacker’s tool can modify these values. Specifically, attackers had removed the instructions that check for authentication. So if the original code was something like ‘if user credentials are valid then …’ the modified code instead performs no such checks.”
This type of attack is not new. “For example, it was used in the 1990s to bypass copyright protections in games,” Be’ery says. “In a sense, it’s not an Oracle vulnerability, but more of an operating system feature that can also be used for good, for example, for debugging or developing ‘friendly’ security patches.”
Several security experts who have reviewed the Equation Group dump say its SWIFT-targeting effort appears to be designed to allow the NSA to “follow the money,” for example, to trace suspected payments to terrorist organizations or which violate U.S. sanctions.
Suiche says the leaked Equation Group documentation included two scripts for Oracle database servers – “initial_oracle_exploit.sql” and “swift_msg_queries_all.sql,” designed “to back up the entire transactions stored in the Oracle databases” and obtain a complete list of Oracle database administrator accounts as well as related access credentials.
Analysis: Attacks Against SWIFT-Using Banks
In terms of SWIFT, this isn’t the first time attacks that access or alter its messaging software have come to light (see Inside Look at SWIFT-Related Bank Attacks).
For example, in February 2016, attackers attempted to steal $1 billion from the central bank of Bangladesh’s account at the Federal Reserve Bank of New York, using fraudulent SWIFT messages injected by malware installed on a Bangladesh Bank endpoint that was disguised as a PDF reader. Ultimately, the attackers made off with $81 million.
That attack and others like it have been attributed to hackers known as the Lazarus Group, which appears to have begun operating by 2009 and historically primarily targeted South Korea and the United States.
One concern is that with PassFreely now in circulation, it could be adapted by outfits such as the Lazarus Group to inject fraudulent messages into SWIFT and steal funds.
Lazarus Group Has Defeated SWIFT Defenses
SWIFT, of course, may be able to update its software to block related attacks. But the Lazarus Group has a history of defeating such defenses, according to security firm Kaspersky Lab.
In a recently released report, for example, Kaspersky Lab looks at two incidents that have been attributed to Lazarus Group: one targeting an unnamed, southeast Asian country’s banks in August 2016, and another campaign this year targeting banks in Poland and beyond.
In both campaigns, attackers who had gained backdoor access to bank systems running SWIFT Alliance software then ran malware dubbed “SWIFT Alliance Access Protection Mangler.” It is designed to update – aka “patch” – SWIFT software, deactivate security features added following the Bangladesh Bank attack and give attackers access to the backend Oracle database, according to Kaspersky Lab.
“SWIFT Alliance software binary tools are linked with file ‘saa_check.cpp,’ which provides basic security checks and validates the integrity of the database,” according to its report. “The patches are applied to the modules to disable these checks and prevent the detection of database inconsistency. … [The] attackers identified all executables that implemented new security features and patched them off. “
Security firm Symantec says the exact same malware was used by the Lazarus Group to target banks in Mexico and Uruguay, and that banks in Brazil, Chile, Denmark, Venezuela, Columbia and Great Britain also appear to have been targeted.
Not all of those attacks were successful, Symantec and Kaspersky Lab say, despite attackers sometimes spending months inside targeted networks conducting reconnaissance.
But PassFreely could give the Lazarus Group and other would-be bank hackers a highly effective, NSA-developed exploit tool for gaining access to SWIFT messaging software used by 11,000 financial firms worldwide.
“My feeling is that Lazarus doesn’t require any ‘favors’ – they have proved that they know how to do it for themselves,” Be’ery says. “But I think PassFreely’s modus operandi may provide inspiration for other attackers.”
Blocking related attacks will require more than organizations such as SWIFT updating its software with better defenses. Enterprises must also ensure their infrastructure is appropriately locked down and monitored. “The response to multidimensional threats, such as the attacks on banks’ SWIFT environment, should be addressed through a ‘defense in depth,’ such as layers of endpoint and network protection, and not only by making each product safer by itself,” Be’ery says.