By: Walker Rowe, April 17, 2017 (09:25 AM)

Looks Like The NSA Owns SWIFT

The anonymous leaker or leakers, Shadowbrokers, has dumped 300 MB of NSA source code and documentation onto the internet and published it on GitHub. This is a large haul of zero-day exploits placed there with no advance warning, so affected vendors are not going to be able to patch their software right away. Meanwhile hackers are going to download this material and see how they can use it. Security researchers will pore over this as well.

The NSA code includes Windows exploits, among them instructions for installing executable code on the IIS 7 web server. But far more worrisome is that the NSA has apparently gained access to the SWIFT payment network. We discuss that below.

SWIFT: the Banker’s Banking Network
It would appear that the NSA has gained access to the mighty SWIFT payment system for purposes of tracking terrorist funding. That, by itself, might not be a bad thing.

SWIFT is what big banks use to send millions and billions of dollars to mainly international destinations. Smaller companies use it too. It has been around for decades and is not directly connected to the internet.

To give an example of how it works, I have used SWIFT to send money to Chile. Last week I sent money and it sat for 8 days (not sure where), which is their standard service level for many international destinations. Presumably someone at the Chilean government banking authority checked to see that it was not drug laundering money or other ill-gotten gains. (You are supposed to check off a reason code for the transfer. Money laundering is not a valid selection.)

My funds sat at my bank in Chile where I had to send an email authorizing the deposit. I understand from the process that the Chile central bank was involved in some way too.

Five years ago I sent money here to buy a house. Remarkably, my bank in Chile actually sent the money back to the USA because I had exceeded the deposit limit for that type of account. So I had to rush to another bank and open a checking account, which is not easily done in this country where there is a large paperwork requirement.

My point in telling you this is that much of what SWIFT does is handled manually. This presumably helps prevent large-scale theft and accidents. For example, when the Bank of Bangladesh, the central bank of Bangladesh, was robbed in 2016, SWIFT persons called the bank to verify the first $20 million transaction, which someone (perhaps an insider) approved. Then the Federal Reserve Bank of New York stepped in and blocked the remaining $850 million wire transfer transaction.

There are many docs in the NSA store, like the top part of this spreadsheet, which show accounts they might have breached. As you can see, most are in the Middle East. Note that they show internal IP addresses and firewall config names. And it might show MAC addresses, although these are generally in this format: 06:C9:62:00:00:7C.

But SWIFT is not a simple .dll Windows hack. There are many parts here. Looking at the code, most of it looks like network device instructions. There are also many passwords embedded in the code. These presumably are bank passwords like firewall passwords.

Here is the SWIFT code, part of which appears in the screen print below. SWIFT no doubt runs on an IBM mainframe running z/OS. We don’t see any COBOL or C++ code here, which are common languages for the mainframe. Instead most of it looks like VPN configuration scripts, network device instructions, and the SQL scripts initial_oracle_exploit.sql and swift_msg_queries_all.sql.

Some of it looks targeted at networks that use the Cisco PIX network security device. (This is obviously a point of irony: the device that is supposed to be running defense is itself breached and becomes the attack vector.) Other code looks like VPN configuration commands.

But has the NSA gotten access to the central SWIFT mainframe or just devices peripheral to that? Is there any concern? It’s not likely that the NSA is going to steal your money. But if the NSA could access the SWIFT system then perhaps someone else can too.

Windows Exploits
There are many Windows exploits. They work on Windows 2008 R2, Vista, 2000, Windows Server 2003, 7, and XP. They do not work on Windows 10 or Windows Server 2016.

For those wondering how they work, there is no C or other source code for the Windows exploits. There is Python code. There is no SDK documentation or other technical document either that I see that explains how any of these exploits work or how to use them (except for IIS 7). So researchers will have to decompile the code or step through it with a debugger and have a deep knowledge of Windows internals to understand what it does.

Odd Job and IIS 7
There are clear instructions on how to exploit IIS 7. The NSA writes in its user manual, “This will cause ODDJOB to beacon every 60 seconds which is a terrible thing to do in practice because we’ll get caught.” The authors sound like cheeky young people too, as part of their instructions say “Play Minesweeper on Target,” whatever that means, and they sign off with the salutation “Drink a beer because you’re done.”

The “beacon” is the server calling the NSA to send data it has captured and receive further instructions.
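The manual's remark that a fixed 60-second beacon gets caught points at a standard hunting technique: look for source and destination pairs whose connections arrive at near-constant intervals. The sketch below is an added example, not code from the leaked material or from this article; the log format (`timestamp src dst`), the addresses (documentation ranges), the thresholds and the sample data are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def parse(lines):
    """Yield (timestamp, src, dst) from 'ISO8601 src dst' log lines (assumed format)."""
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the hunt
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def find_beacons(lines, min_events=6, max_cv=0.1):
    """Return (src, dst, mean_interval_s, cv) for pairs that connect on a near-fixed period."""
    seen = defaultdict(list)
    for ts, src, dst in parse(lines):
        seen[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in seen.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # coefficient of variation: 0 means perfectly regular
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[3])

def sample_log():
    """Constructed sample: one host on a ~60 s timer, one host connecting irregularly."""
    t0 = datetime(2017, 4, 17, 9, 0, 0)
    lines = []
    for i, jitter in enumerate([0, 1, -1, 0, 2, 0, -1, 1, 0, 0]):
        lines.append(f"{(t0 + timedelta(seconds=60 * i + jitter)).isoformat()} 10.0.0.5 203.0.113.10")
    for off in [3, 40, 47, 210, 215, 400, 780, 800]:
        lines.append(f"{(t0 + timedelta(seconds=off)).isoformat()} 10.0.0.9 198.51.100.7")
    lines.append("garbage line that does not parse")
    return lines

if __name__ == "__main__":
    for hit in find_beacons(sample_log()):
        print("periodic:", hit)
```

Legitimate software such as update checkers and monitoring agents also connects on a timer, so hits from a check like this are leads to triage against known-good destinations, not verdicts.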

So what do you need to do? First of all, run Windows 10 or 2016, don’t engage in international terrorism, and get rid of all of those older Windows machines. There are still a large number of those used in the world, especially the developing world where such things are repaired and kept running for years and where people still use cybercafes. How long will it take Microsoft to fix this? Maybe they will not since some of those OS’s are EOL. Except Microsoft has said it will continue to provide security fixes for those.

Walker Rowe

Walker Rowe is an American freelance tech writer and programmer living in Chile. He specializes in big data analytics, cybersecurity, and IoT and publishes the website

Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.
