Hackers Reveal Apparent NSA Targeting of SWIFT BureausShadow Brokers Attack-Tool Dump Also Includes Now-Patched Microsoft Exploits
New documents dumped online by the Shadow Brokers group have revealed an apparent National Security Agency program designed to target SWIFT service bureaus in the Middle East as well as a slew of exploits designed to infect Windows systems.
The dump was released April 14 by the shadowy group calling itself Shadow Brokers, which has been releasing tools from the Equation Group - the nickname for a group of hackers that experts believe may be part of the NSA's Tailored Access Operations group. Many of the documents are labeled as being "top secret."
One of the biggest surprises in the latest dump, which includes information that dates from 2013 and before, are details relating to what appear to be two separate programs designed to hack into SWIFT "service bureaus" and spy on their customers.
Information Security Media Group couldn't independently verify the leaked documents. But multiple security experts undertaking a detailed analysis of the documents claim that they appear to be legitimate and correlate with information that was previously leaked by former NSA contractor Edward Snowden.
"NSA's modus operandi is to gain total access and hack, using multiple 0days, an entire infrastructure of the intended target," security researcher Matt Suiche says in a blog post. "In this case, if Shadow Brokers' claims are indeed verified, it seems that the NSA sought to totally capture the backbone of international financial system to have a God's eye into a SWIFT Service Bureau - and potentially the entire SWIFT network."
Communications Potentially Intercepted
SWIFT tells ISMG that it's aware of the purported attack campaigns.
"SWIFT is aware of allegations surrounding the unauthorized access to data at two service bureaus," a spokesman says. "There is no impact on SWIFT's infrastructure or data, however we understand that communications between these service bureaus and their customers may previously have been accessed by unauthorized third parties."
SWIFT says that it also continues to monitor for any unusual activity or related attacks, and that it's working with the potentially targeted service bureaus to ensure they have appropriate defenses in place. "We take the privacy and the protection of our members' data very seriously. We constantly monitor threats, and whenever we believe there is any risk to the security of our services, we investigate very thoroughly and take whatever actions we deem appropriate to mitigate the risk," the spokesman says. "We have no evidence to suggest that there has ever been any unauthorized access to our network or messaging services."
Target: SWIFT Bureaus
The messaging system maintained by the Belgium-based SWIFT cooperative - formally known as the Society for Worldwide Interbank Financial Telecommunication - is designed to guarantee that money-moving messages between banks are authentic. The system, used by more than 11,000 institutions worldwide, has faced questions about its security and integrity following the theft of $81 million from the central Bank of Bangladesh, among other attacks.
SWIFT has continued to state that its messaging network has not been hacked. Instead, investigators say the Bangladesh Bank heist - and other, similar attempts - involved attackers hacking into a bank's systems, replacing its SWIFT software and using it to issue fraudulent money-moving messages while hiding their tracks.
Financial institutions can run their own SWIFT infrastructure. But there are also 74 certified SWIFT service bureaus that many organizations use instead. As of 2010, 70 percent of corporate SWIFT users relied on these bureaus. And the Shadow Brokers dump has revealed that as of 2013, the NSA had apparently hacked into one service bureau - after targeting one of the bureau's engineers - and had plans to exploit another.
Of course, the number of attempts to target organizations involved in SWIFT may be much larger. As Suiche asks in a blog post: "How many of those service bureaus may have been or are currently compromised?"
SWIFT Software Attack Tools
The latest Shadow Brokers dump includes an archive named "swift," which mentions two program codenames: JEEPFLEA_MARKET and JEEPFLEA_POWDER.
The JEEPFLEA codename first appeared in public in 2014 via documents leaked by former NSA contractor Edward Snowden.
In the latest leaks, JEEPFLEA_MARKET is the codename for a 2013 program that targeted EastNets, a SWIFT service bureau that primarily counts customers in the Middle East. The Shadow Brokers dump contains lists of compromised machines at banks that use EastNets, as well as "reusable tools to extract the information from the Oracle database such as the list of database users, but also the SWIFT message queries," Suiche says.
The leaked documents also list a number of banks that appeared to have been hacked using Equation Group tools, such as FUZZBUNCH attack code, which is designed to exploit Windows systems.
The leaks also detail a second SWIFT-focused program, codenamed JEEPFLEA_POWDER, which was designed to target BCG Business Computer Group, which is a business partner of EastNets that serves Panama and Venezuela, Suiche says. But related documents, also dated 2013, say that such exploits had not yet been launched.
Suiche says there are numerous reasons why NSA might want to hack into a SWIFT service bureau, including attempting to "follow the money" for any suspected terrorism financing. "If the U.S. had a specific target in the region's financial system, NSA penetration offers redundancy and other options than merely relying upon good-faith compliance procedures, standard diplomatic requests or collaborating with SWIFT Service Bureau," he says.
Revealed: EwokFrenzy, Windows Exploits
Security researcher Kevin Beaumont, based in Liverpool, England, notes that the attacks might be paired with previously released exploits designed to gain network access via flaws in Cisco firewalls or VPN gateways, among many other types of products.
The latest Shadow Brokers dump also includes details of never-before-seen Equation Group exploits, such as "EwokFrenzy," which is designed to exploit Lotus Domino 6 and 7, Beaumont says in a blog post.
The tool dump also includes numerous exploits designed to compromise a variety of current and legacy Microsoft operating systems, ranging from Windows XP and Windows 8, to Server 2003 and Server 2012.
Microsoft: Ensure Latest Security Updates Installed
Phillip Misner, principal security group manager for Microsoft Security Response Center, says that the exploits described in the latest Shadow Brokers release have largely been patched via security updates issued in March, as shown in this table:
|"EternalBlue"||Addressed by MS17-010|
|"EmeraldThread"||Addressed by MS10-061|
|"EternalChampion"||Addressed by CVE-2017-0146 & CVE-2017-0147|
|"ErraticGopher"||Addressed prior to the release of Windows Vista|
|"EsikmoRoll"||Addressed by MS14-068|
|"EternalRomance"||Addressed by MS17-010|
|"EducatedScholar"||Addressed by MS09-050|
|"EternalSynergy"||Addressed by MS17-010|
|"EclipsedWing"||Addressed by MS08-067|
Three other exploits - "EnglishmanDentist," "EsteemAudit" and "ExplodingCan" - were also described in the April 14 dump, but Microsoft says they pose no threat to users of its currently supported operating systems. "None reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk," Misner says in a blog post. "Customers still running prior versions of these products are encouraged to upgrade to a supported offering."
Legacy Windows Alert
While Microsoft notes that these exploits no longer work against supported operating systems, unfortunately they do still work against older operating systems, such as Vista, which Microsoft ceased supporting April 11.
"If your business has any legacy XP - 2003 left you have bigger problems - they are permanently vulnerable with no fix forthcoming," according to the U.K.-based security researcher known as Hacker Fantastic.
If you work in the financial sector and have interactions with or dealings with SWIFT, review your Oracle DB's and apply MS17-010 urgently.— Hacker Fantastic (@hackerfantastic) April 16, 2017
Regardless, he also recommends that all organizations that work with SWIFT review the integrity of their Oracle databases as well as ensure they have installed Microsoft's MS17-010 security update, released March 14, which patches Windows against a Microsoft Server Message Block flaw targeted by the Equation Group.