Mainframe security is a concern for all mainframe-using organizations. However, many people working with mainframes are unaware of just how professional hacker groups are. Some people still have the idea that a hacker is some kind of disaffected teenager who plays at accessing corporate data. The truth is that hacker gangs are using the same tactics, techniques, and procedures (TTPs) as legitimate businesses. Plus, they are able to offer various hacking techniques as-a-Service. This means almost anyone can use them to hack your mainframe.
Cyber-crime allows criminal gangs to make huge profits, which means that there has been a massive growth in their activity and the underground marketplace where products and services can be bought and sold. Most IT people are familiar with the idea of Ransomware-as-a-Service (RaaS), but not all bad actors are looking to steal sensitive data, which they can sell, or extort money through ransomware attacks. Some bad actors are looking to steal processing power in order to mine cryptocurrency. Some simply gain access to a corporate network and sell that access to others. These are called initial access brokers (IABs). You can also find Crypter-as-a-Service (CaaS) and Malware-as-a-Service (MaaS) available to purchase.
Any IT security team has to be prepared for hackers, or more likely hacking gangs, to use encrypted anonymous routing tools (eg tor and I2P). When the gangs extract money from an organization, it can be hard to trace because of the use of cryptocurrency. On top of that, there are state-sponsored actors, who are not necessarily in business for the money, but are politically motivated in their attacks.
With the Ransomware-as-a-Service model, a hacker gang will create ransomware tools, infrastructure, and operating procedures or playbooks. Other people or gangs can then pay to access these tools etc and then carry out a ransomware attack. It’s a bit like shopping. The purchasers may use RaaS tools from multiple gangs, and what they do with them can vary. This makes identification harder because the users will have different TTPs. The benefit of this model for the users is that they have a tried and tested way to make money from legitimate organizations. The benefit for the gang that created the RaaS is that they can be making money without getting out of bed in the morning!
One of the first thing that hacker gangs do, is create backdoors into the network that they have just hacked. That means they can easily get back into that network in the future. It also means that they could sell this access to other people. Initial access brokers (IABs) make their money by selling access to victim networks on the dark web. They will have spent time gaining access in the first place, whereas the purchasers don’t need to spend any time before they start to attack their chosen target. Preferred methods of gaining access to an organization include: compromised emails; cloud misconfigurations; and software supply chain attacks.
Before we look at Crypter-as-a-Service, it’s useful to understand the three stages in a typical malware attack. Stage 1 is the dropper. This is the initial malicious file/command that retrieves the crypter. In stage 2, the crypter, which is a tool or process, obfuscates the malware payload so it can bypass the defences on the network. Stage 3 is the malware that supplies the functionality required by the attacker. This is typically some kind of remote administration. Antivirus and antimalware software is used to prevent crypters getting on to a network, and both sides are regularly updating their software in an unending battle.
Crypter-as-a-Service (CaaS) provides the latest generation of software tools and services would-be hackers can include in their workflows, without them needing to be completely up to date with the latest requirements. These bad actors may also, at the same time, purchase Malware-as-a-Service (MaaS).
Malware needs to be kept up to date to avoid detection, which makes Malware-as-a-Service such a popular purchase for less technically adept hackers. They may also purchase support contracts, access to updates, and affiliated services.
Obviously, these techniques are used on non-mainframe platforms. The reason that mainframers need to be aware of them is that mainframes are no longer separate islands of computing. They are increasingly being connected to the cloud, and the latest Cost of a Data Breach Report from IBM Security found that 82% of breaches involved data stored in the cloud – public, private, or multiple environments. Mainframe sites that have projects that embrace cloud computing may well wish to review their security policy for the cloud. The report goes on to say that 39% of breaches spanned multiple environments. In addition, mainframe APIs are often connected to mobile devices and the web. It makes reviewing the potential attack surface an important job.
What I’m suggesting is that mainframe breaches could be started from a different platform within an organization and then moved onto the mainframe. Criminal gangs, state sponsored actors, and even disgruntled staff could now be taking steps (if they haven’t already) to access your mainframe data.
You can read more in The Professionalization of Cyber Crime whitepaper from WithSecure.
No comments:
Post a Comment