Let us imagine that there is a room somewhere in Russia (but it could be anywhere else hostile to the West) and it’s full of hackers plotting their attacks for 2025. You can imagine that they are sharing stories of their successes in 2024. How they have targeted people with phishing emails and got them to open malware or download (unwittingly) malware that has not only given the hackers access to the servers of that company, but every other company in the supply chain.
The next hacker
speaks up explaining how he has got round the security of cloud providers and
managed to get into a variety of organizations that way. He proudly explains
that he hasn’t even exploited some of those hacks yet. They are now easy
targets for the New Year.
A third hacker
explains how he managed to access a security update to a frequently used piece
of software, and how he had added a back door that no-one had spotted. So, when
everyone downloaded the software and patched the vulnerability, they introduced
a back door that only he knew about. He suggested that this time next year he
would be rich from all the ransoms he was going to collect.
Another hacker
jumps up and explains that he was using AI to automate ransomware attacks, and
he is making lots of dosh from the people who were paying him for the
Ransomware as a Service software – sometimes people with very little IT
knowledge – and were then using it to attack companies that had upset them in
some way.
Lots of other
people want to speak up with stories of how they had attacked companies and
made money, but everyone stops speaking as an old general gets to his feet. He
looks very stern but smiles as he starts to speak. “Comrades”, he says, “you
have all done very well attacking companies in the West.” He pauses and his
face takes on a sternness that had scared many a junior officer. He continues,
“The problem is this: we have not defeated the West. What I need you to do is
find some way to bring down the whole infrastructure of western society. Can
you do that?”
The hackers
look round at each other, until one speaks up. “Capitalist society depends on
capital.” The audience is not overimpressed by the obviousness of the comment.
There is much murmuring from the audience, but the hacker continues, “Why don’t
we attack the banks and all the other financial institutions in North America
and Europe. If they don’t have access to money, everything else will come to a
stop.” The crowd nods in agreement. Some make additional useful comments to each
other.
“How do we do
that?” asks the general. “We attack the mainframes that are used by most of
these organizations”, replies the hacker. And that’s what they do. Attacks by
people who understood Windows and Linux continue in all their forms, but a
large tranche of the technical people are given the job of understanding how
mainframes work and their vulnerabilities. After all, the majority of financial
institutions use mainframes. A subgroup is given the task of looking at
employees on mainframes and seeing which ones could be manipulated into giving
access to these fintech mainframes. They are looking for staff with drug habits
and staff with financial problems or other issues that could be used against
them. Another group has the task of getting keyloggers onto the laptops of
systems programmers at mainframe sites.
A list of
potential hacking techniques that have been used before are circulated amongst
the hackers for them to see which still work and are useful for others to try.
They could
attack sites using CICS. There are automated tools like CICSpwn available that
could be used to identify potential misconfigurations, which could then be used
by the hackers to bypass authentication. They could use the CICS customer front
end and try a simple brute force attack to find a userid and password that would
get them into the system.
They could use
FTP. Two things need to happen first – keylogger software needs to capture the
login credentials from a systems programmer, and a ‘connection getter’ needs to
identify where to FTP to. Commands can be written to upload malicious binaries,
and JES/FTP commands can be used to execute those binaries.
They could use
TN3270 emulation software for their attack. Provided they have some potential
userids, they could try password spraying, ie a few commonly-used passwords can
be tried against every userid on the system.
NJE allows one
trusted mainframe to send a job to another mainframe that it’s connected to.
Hackers could use NJE to spoof a mainframe or submit a job and gain access to
that other mainframe.
Then there’s potential
vulnerabilities in Linux and other non-IBM software (like Ansible, Java, etc)
that runs on mainframes.
Other
techniques are available, but it’s not the function of this blog to make the
job of nation state hackers easier. It is the job of this blog to ensure that
every mainframe site is doing everything it can to ensure that it is secure
against all forms of attack, and that it has software installed that can alert staff
at the earliest opportunity that an attack has started, and the defence software
needs to be able to suspend any suspect jobs as soon as possible.
Meanwhile,
meetings like the one I’ve envisaged are probably going on, and mainframe-using
companies in the West are going to be the targets in 2025.
No comments:
Post a Comment