How hackers prepare attacks on banks



    There is an opinion that for hacking financial organizations, attackers use increasingly sophisticated techniques, including the most advanced viruses, exploits from the arsenal of special services and well-targeted phishing. In fact, analyzing the security of information systems, we see that it is possible to prepare a targeted attack on the bank using free publicly available means, without using active influence, that is, invisibly to the attacked. In this article, we will look at similar hacker techniques, built mainly on the excessive openness of network services, and also provide recommendations on how to protect against such attacks.

    Step 1. Defining goals


    In the offline world, it is not easy to figure out which services and networks belong to a particular organization. However, there are many special tools on the Internet that allow you to easily identify the networks controlled by the companies of interest to us, and at the same time not to shine in front of them. For passive intelligence, in the framework of collecting statistics on the network perimeters of financial organizations, we used:

    1. Search engines (Google, Yandex, Shodan).
    2. Industry websites for the financial sector - banki.ru , rbc.ru .
    3. Whois services 2ip.ru ; nic.ru .
    4. Search engines on databases of Internet registrars - Hurricane Electric BGP Toolkit, RIPE .
    5. Data visualization services for the domain name of the site - Robtex .
    6. A service for analyzing domain zones dnsdumpster , which contains historical data on domain zones (IP address changes), which greatly helps to collect data. There are many similar services, one of the most famous analogues is domaintools.com .

    This study did not address such methods as active scanning, determining the versions of the firewall and the presence of IPS, determining the antiviruses and other means of protection used, and also social engineering. There are several more techniques that we did not use for ethical and other reasons, but they are often used by hackers:

    1. Search for projects on GitHub . It often happens that on GitHub a test project, backup or working code is posted, access to which they forget to restrict or is incorrectly limited. The study of such projects requires high qualifications, but gives an almost 100% chance to penetrate the network using the errors of the investigated application or embedded credentials.
    2. Online vulnerability check services such as HeartBleed, Poodle, DROWN. These services are highly likely to detect specific vulnerabilities, if any, but these checks take a lot of time.
    3. Bruteforce DNS This technique is an active intervention. It allows you to iterate through the DNS names of systems, determining the available ones. This happens through DNS queries to the target DNS server, while traffic can be routed, for example, through Google DNS, and from the point of view of the attacked organization, these queries will look legitimate. To implement such techniques, KaliLinux tools or similar assemblies are usually used. Unfortunately, in practice, DNS logs do not look at or even keep them until something happens.

    So, for starters, we determine the list of organizations that we are going to “put in control”. To do this, you can use search engines, specialized sites and other aggregators of specialized information. For example, if we want to collect statistics on financial institutions, go to banki.ru and pick up the ready-made top of banks and insurance companies. Gathering a list takes virtually no time. We have identified the following categories of organizations:

    • banks (from 1st to 25th),
    • banks (from the 26th to the 50th),
    • banks (from the 51st to the 75th),
    • banks (from the 76th to the 100th),
    • microcredit organizations
    • payment systems,
    • insurance companies (from 1st to 50th),
    • insurance companies (from 51st to 100th).

    Now we define the networks owned by the organization. We find the sites of organizations in the search engine, to determine their addresses we use the whois web service . This resource allows you to find the IP address by the domain name of the site, as well as other important data for searching for networks. In this work, important data include:

    1. Netname (network name, very useful when searching through the Ripe database);
    2. Descr (the description can be applied to search using imagination);
    3. Address (search for networks registered to the same physical address);
    4. Contact (search in the Ripe database is possible for people who could also register networks);
    5. other information by which the organization can be identified.

    All this information can also be obtained through the whois Unix command. What to use is a matter of taste. In order not to compromise specific banks, we will show this search as an example of our company:



    Using the collected information about the organizations, we searched for their address ranges in the database of the Ripe registrar. The Ripe service allows you to freely search all registered networks in it. It is also worth paying attention to the Country field: we chose exclusively the Russian network segment.



    This stage of work required us a lot of manual labor, because some addresses can be given to a partner, leased or not owned by the organization. Therefore, to increase the accuracy of the results, we had to conduct additional checks in order to select only the necessary networks or hosts with the highest possible level of reliability. To verify the networks, we used the publicly available online service of the American telecom operator Hurricane Electris, which can provide information about the network in which it is located by the IP address of the site. At this stage of work, the Robtex service was also very useful. It shows all the connections for the specified domain name, this allowed us to find networks that could not be found when searching the Ripe database. In addition, Robtex allows you to see other sites located at this IP address, and this information may also be not superfluous. Search example:



    As already mentioned, the determination of the necessary networks is worst of all automated, because it requires the manual selection of relevant results. However, it took us only two days to gather information about financial sector networks. After completing this stage, we received a list of the type of "organization - network."

    Step 2. Identify available services


    To do this, you can use one of the two most famous tools designed to make the Internet safer: Shodan or Censys. They have similar capabilities, support working with the API, and can also complement each other. For a full search, both services require registration. Censys is more demanding: in order to remove restrictions on the search results, it is necessary to write to the developers, to convince them of the ethics of the study and the responsible use of the data. The argument would be CEH certification or detailed research information.

    We used the Shodan service because it is more convenient. In addition, Shodan scans in the same way as Nmap scanning with the “-sV” flag, which is a plus in our study: it is more familiar to process the results. The automation process is probably the most interesting, but it does not make sense to describe it in detail, because everything, including Python code examples, has already been described by its creator John Matherly, also known as @achillean, in a very convenient form . Moreover, there is a repository on GitHub , where you can get acquainted with the official Shodan library for Python.

    Detailed information on requests to Shodan can be found here . An example request via the web interface looks like this:



    As an example, it can be seen that UDP port 53 is available at address 8.8.8.8, the DNS service is located in the USA and owned by Google, and the version of the operating system used at this IP address is also visible. Queries to Shodan can reveal much more specific services, which are forgotten to restrict access from the Internet, although this should be done. Since you can get various banners and versions of these services, you can also compare the received data with various vulnerability databases.

    However, it turns out that we need to run every discovered IP address through Shodan, and we got them, for a second, about 100,000 - too much for manual verification ... What about the API?

    We wrote our own information collector. They started it - and after a week of work, the programs got a picture of the distribution of available services in the financial sector, absolutely not interacting with them! Tracking changes in infrastructures in this way is quite realistic. Here's what we found:





    From the most “terrible” on the perimeters of financial organizations found:

    • DBMS (for the sake of justice, we note that some of the banners contained the entry “is not allowed to connect to this SQL server”);
    • directory services (for banners you can find out LDAP);
    • services providing access to the FS (such as SMB and FTP);
    • printers (and here, judging by the payload, there is no mistake!), which can have the most dramatic vulnerabilities and are generally recognized as the least protected devices . Yes, yes, the vulnerabilities are old. But when was the last time you updated your printers on the perimeter?
    • Insecure remote management services such as Telnet, RDP;
    • RPC services;
    • Virtualization systems;
    • Multimedia Services.

    These services were distributed by organization as follows:





    The results did not surprise us: the larger the organization, the more services are located on the network perimeter, and with the increase in the number of services, the probability of a configuration error increases.

    Step 3. Identify vulnerable services


    The obtained results did not surprise us: the larger the organization, the more services are located on its network perimeter, and with the increase in the number of services, the probability of a configuration error increases.

    • IP - a unique network address of a node in a computer network built over IP;
    • Port - a digital number that is a parameter of transport protocols (such as TCP and UDP);
    • Protocol - a set of logical-level interface conventions that define the exchange of data between different programs;
    • Hostname is a symbolic name assigned to a network device that can be used to organize access to this device in various ways;
    • Service - the name of a particular service;
    • Product - the name of the software with which the service is implemented;
    • Product_version - version of certain software;
    • Banner - welcome information given by the service when trying to connect to it;
    • CPE - Common Platform Enumeration , a standardized way of naming software applications, operating systems and hardware platforms;
    • OS is the version of the operating system.

    Not for all open ports, Shodan can give a complete set of information, but if it succeeds, the data (in the example, the results that have already been processed in our system are selected) look like this:



    From the entire attribute space, fields were selected by which information can be found about the vulnerability of this host. A bunch of Product + Product_version or CPE might be fine for this. In our case, we decided to use the Product + Product_version bunch, and the search was carried out using the Positive Technologies internal vulnerability database.

    The network has a considerable number of publicly available sources for searching for vulnerabilities, here are some of them:

    SecurityLab.ru- this is not only news on the information security and forum, it is also a database of vulnerabilities! Information output example:

    • BDU FSTEC - a database of information security threats that differs from other similar resources in its ability to find vulnerabilities for software and PACs of domestic production;
    • nvd.nist.gov is the US Institute of Standards and Technology’s National Vulnerability Database, which brings together US publicly available US vulnerability research and analysis resources;
    • vulners.com - - a large updated database of information security content, allows you to search for vulnerabilities, exploits, patches, bug bounty results;
    • cvedetails.com is a user-friendly web interface for viewing vulnerability data. You can view a list of vendors, products, versions and CVE related vulnerabilities;
    • securityfocus.com is one of the top publicly available sources, especially in terms of populating exploit data.

    All the above resources allow you to quickly search for vulnerabilities on various grounds, including CPE. Also, these resources to one degree or another allow you to automate the search process. As a result, you can find a lot of useful information: detailed descriptions of vulnerabilities, information about the presence of PoC or recorded facts of exploitation, and sometimes links to exploits:



    We already have a set of services and their banners, it remains only to drive this information through the vulnerability database. Of course, I did not want to do this manually at all, and it would take a lot of time. Therefore, writing a simple script, we quickly processed all the services received, compared them with our vulnerability database (the same thing is easily done through the named services) and got the following statistics of the distribution of vulnerabilities by services:





    The results were as follows: from the total number of services found Shodan, vulnerabilities were found in 5%. This figure is small: for comparison, according to our own automated perimeter scans, vulnerabilities are usually found in 20-50% of services. But theoretically, the percentage of vulnerability detection can be increased. Let's see how this can be done.



    For example, for ROSSSH (on the screenshot the 4th line below), we can assume the availability of the ROSSSH Remote Preauth Heap Corruption vulnerability . Despite the fact that the vulnerability is not new at all, the probability of meeting it in this service is much higher than zero. Recall our previous studies , in which we said that about 30% of systems accessible from the Internet contain vulnerabilities older than 5 years. Similar figures in their studies are provided by Cisco , according to which the average presence of known vulnerabilities is more than five and a half years. These results are comparable with ours, and a slight difference is due to different samples and research methods.

    According to the example above, we can assume the presence of vulnerabilities in the RDP serviceCVE-2015-0079 , CVE-2015-2373 , CVE-2015-2472 , CVE-2016-0019 . This is an incomplete list of possible vulnerabilities; in all open sources, these vulnerabilities are linked by CPE to the OS version, ignoring the binding to RDP. The most striking example is the high-profile exploitable vulnerabilities, which we will return to later. For many other services, you can also build similar assumptions about the possible presence of vulnerabilities.

    Step 4. Search exploits


    The next step is to search for exploits for specific vulnerabilities. In the search engines described above, it is possible to find exploits in small numbers, but no one bothers to use special utilities for this, because the Pandora's box is already open. For example, there is a free PTEE utility. Another article is written about her in great detail . And there is Metasploit, which does not even collect anything, but ...

    Since our company has its own knowledge base where vulnerabilities are already compared with exploits, we did not need any additional actions at this step. According to the processing results, we received:

    • 88 out of 559 high-risk CVSS vulnerabilities have accessible exploits;
    • 178 out of 733 medium-risk vulnerabilities have accessible exploits;
    • 8 out of 309 low-risk vulnerabilities have exploits available.

    One of the old dogmas of information security says: the level of security of the system is equal to the level of security of the weakest link. Indeed, when planning an attack, as practice shows, a potential attacker will choose the most insecure system. If you carefully consider the results, it is clear that the probability of finding such systems is high for all categories of organizations:





    There is a simple explanation of the results: with the growth of infrastructure, monitoring it is becoming more difficult. More hosts - more old software and more vulnerabilities, including exploitable ones. In large companies, the perimeter is extremely dynamic: even within one week, up to several dozen new hosts can appear on the network border, as many can leave, we showed this in previous studies. If these changes are just the result of an error, then the probability that one of these nodes will have an “open door” is very high. For this reason, periodic monitoring of the state of the perimeter in the mode as close as possible to real time is very important for ensuring safety.

    How long will it take to search for vulnerable services if vulnerability information has just appeared on the Internet? In our system, the search for specified vulnerabilities takes less than a second. It takes more time to analyze the results, but this is also quite fast: in the framework of this study, analysis of one vulnerability took no more than 15 minutes.

    Step 5. Actually attack


    So, the attacker collects data about the target infrastructure and identifies vulnerable services; seeks information about vulnerabilities and selects exploitable ones from them; then, comparing the knowledge about the target infrastructure with the data on vulnerabilities, makes assumptions about the presence of these vulnerabilities in the system. In the last step, the attacker attacks the vulnerable systems using available tools.

    In our study, of course, there were no real attacks. But we can evaluate the capabilities of hackers at the last stage. For example, consider the last part of the famous exploit pack merged by The Shadow Brokers. There were many interesting exploits in this pack, for example, the SMB hacking kit, which became well known after the WannaCry virus outbreak.. In our sample, this exploit was suitable for 36 systems (data on the studied perimeter were collected before the publication of the archive with the exploits). At that time, the exploits contained in the pack were applicable to all versions of Windows. Consequently, they were very likely to be hacked. This is exactly what WannaCry showed. And this is just the tip of the iceberg, there were other interesting exploits in the pack:

    1. Esteemaudit (exploit for RDP) . We consider placing RDP services on the perimeter without an ACL (access control list) an error. In our unloading, 44 systems with the presence of this service were identified. According to the description, the exploit is applicable only to older versions of Windows Server 2003. For this reason, we excluded 10 addresses with banners of newer versions of Windows - there were 3 systems for which the exploit could be applicable, and 31 without confirmation.
    2. A set of exploits for web servers . For 37 systems, an assumption was made about the applicability of exploits aimed at hacking web servers.
    3. A set of exploits for mail servers . On 13 systems, mail servers were discovered whose versions were suitable for operation.

    As a result, out of all 3,764 available addresses, 111 were identified with potentially vulnerable services. And with high probability they could be hacked with the help of this exploit pack.

    At the beginning of the study, the level of danger seemed to us lower than received, but then WannaCry came and did not agree with us. The reason for the high level of danger was the lack of control of the external perimeter in organizations. Moreover, even after the publication of warnings and expert recommendations, there was no significant increase in the level of security. This was clearly shown by the epidemic of the next Petya / NotPetya cryptolockerthat used the same vulnerability (although its propagation vector does not apply to the network perimeter). To infect the infrastructure, only one vulnerable system is enough, and to overcome the perimeter, an attacker needs only one vulnerable service.

    Conclusions and recommendations for protection


    To summarize. If you use a conventional network scanner that looks for vulnerabilities, organization employees may suspect that someone is “watching” them. The facts of such scans are easy to identify using IDS and block. But who will track the work of the mass search engine? In this article, we have demonstrated that:

    1. to prepare a targeted attack on the financial sector does not require special financial costs;
    2. training may not be visible to attacked organizations and to those who defend them;
    3. to implement an attack, it is not necessary to have an exploit pack from the NSA, although its components also fall into open access.

    Perimeter security is one of the basic security vectors. But to protect, not knowing what you are defending, is a difficult and, frankly, meaningless task. If you do not know the boundaries of the perimeter you are protecting, you can use the network analysis methods described in this article. And if there are many external subnets (for example, infrastructure distributed across the country with multiple Internet connections) and the perimeter is difficult to inventory, then you can turn to specialists for help. For example, experts at Positive Technologies (abc@ptsecurity.com). All you need is a list of dedicated networks from the operator and consent to scan.

    Having received an idea of ​​what the perimeter consists of, we will deal with its protection. Achieving the most secure configurations of information systems is a difficult task, since it is people who are responsible for the software, its configuration and maintenance, and somewhere you have to make assumptions to please the business. Information security always balances between the functionality of the system and its security. Configuration errors are also present in network perimeters: as our study shows, many unnecessary, including vulnerable, services are exposed on the Internet, which makes it easier for an attacker to penetrate the organization’s network. A recommended perimeter protection plan might look like this:

    1. Identify those assets for which access from the Internet is justified.
    2. Services without access justification should be removed from the perimeter.
    3. Document and implement the procedure for placing new systems on the external perimeter.
    4. Create an ACL, restrict access to administrative interfaces, remote access services, databases and other important services with the minimum possible list of persons.
    5. Introduce the procedure for installing updates and determine the metrics for the success of its implementation.
    6. Perform security analysis work, such as scanning with specialized tools in audit mode (from the internal network), as well as scanning for vulnerabilities in pentest mode (scanning from an external site to understand how your infrastructure looks like for a potential intruder), at least once a month.
    7. Define a list of persons responsible for assets (both from the business side and from the IT side). This will reduce labor costs and reaction time during an urgent system upgrade.
    8. To prioritize vulnerability removal, determine the value of assets.
    9. Draw up a response plan in case of detection of critical vulnerabilities in systems located on the perimeter. The plan must take into account how to deal with critical vulnerabilities; What actions should be taken by system administrators and information security specialists; Are these actions consistent with the business owners of the systems?

    Of course, it should be remembered that in order to counter threats, an integrated approach to ensuring information security is necessary, and it’s worth starting from your “network borders”.

    Authors : Positive Technologies experts Vladimir Lapshin, Maxim Fedotov, Andrey Kulikov

    Also popular now: