- February 24, 2016
- Info notes
According to a report published by the Russian cybersecurity vendor Group-IB, a group of hackers managed to gain unauthorised access to a Russian trading system by infecting a trading system terminal with a Trojan. Trading systems have been targeted by malware before, e.g. the American stock exchange NASDAQ in 2010 and the Russian trading platform QUIK in 2012. These kinds of systems are not necessarily limited to specific geographical regions, so such attacks pose a potential threat to trading institutions worldwide.
The attack had significant consequences, going as far as manipulating the Ruble-Dollar exchange rate for a period of 14 minutes. Group-IB claimed that as a result of the attack, "losses to the financial institution were estimated in the millions".
The exchange rate volatility caused by the price manipulation could have created a window of opportunity for the attackers to profit financially from the attack on another platform, although Group-IB believes that this was a test aimed at demonstrating the malware's capabilities ahead of a future attack.
The entire attack extended over a six-month period, starting with the initial infection in September 2014 and ending with the malware's removal in February 2015. Figure 1 below shows the timeline of the attack.
Figure 1: Timeline of the attack (source: Group-IB Corkow report, http://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf)
The Trojan used in this attack is known as Corkow. The timeline shows the main steps involved in the attack:
- Exploitation of a vulnerability
- Installation of the Trojan
- System information collection by the attackers
- The Trojan remained "dormant" for a long stretch of time whilst gathering information from traders using a keylogger
- Execution of unauthorised transactions
- The Trojan deleted itself as well as its traces
Corkow was able to remain undetected for over 6 months, thanks to its ability to constantly update itself.
Corkow contains modules specifically designed to attack popular trading system software such as QUIK and TRANSAQ. In this case it provided remote access to the ITS-Broker system terminal (by Platforma soft Ltd) allowing the attackers to launch tools and enter data at the same time as the infected terminal operator.
The attackers made a number of purchases and sales of US dollars in the Dollar/Rouble exchange program totalling $252 million. Trading charts clearly displayed a sudden spike, with the exchange rate moving from 55 to 66 Roubles per dollar (over 15%).
Vulnerability Exploitation/Installation of Trojan
Corkow is spread through drive-by downloads, whereby machines get infected when victims visit compromised, and often legitimate, websites. In this case, the attackers managed to gain access to a computer in the trading system by using the Niteris Exploit Kit (formerly known as the CottonCastle Exploit Kit). The vulnerability that was exploited was not mentioned in the report. However, research on the CottonCastle/Niteris Exploit Kits suggests that these exploit kits target vulnerabilities in the following software:
- Flash (CVE-2013-0634, CVE-2014-0515, CVE-2014-0569, CVE-2015-0311, CVE-2015-0336)
- Java (CVE-2013-2465, CVE-2013-0422, CVE-2013-2460)
- Internet Explorer (CVE-2013-2551, CVE-2014-6332)
- Firefox (CVE-2013-1710, CVE-2012-3993)
Of course this is a non-exhaustive list, but it is an indication that the attack might have been initiated by exploiting a vulnerability in software that is known to be prone to vulnerabilities.
Antivirus software alone is not capable of effectively detecting such threats. The majority of the computers infected by this malware had antivirus software installed and activated.
Protection measures should reflect the level of risk and potential impact associated with the assets. Below are some security policies that could help prevent such an attack.
The malware used in this case is typically delivered through drive-by downloads, and many of the websites found in the list of websites used to spread Corkow (provided in the report) seem to be non-work related. In critical systems such as trading systems, Internet access should be limited to the bare minimum required for the system to function.
The exploit kit used in this attack indicates that the infected system may have hosted software that is known to be prone to vulnerabilities. If such software can be used to compromise a machine, particularly if it is not required for the functionality of the system, then it should not be hosted on that machine in the first place.
Such systems should only contain the software required for the system to function, and should not include any unnecessary and potentially vulnerable software. Certain systems completely remove any form of web browser, whilst others even go as far as creating a dedicated operating system that only runs the necessary software.
Limiting internet access and installed software may not always suffice. The report mentions that "access to any computer on a corporate network gives access to even the most highly protected banking systems". Because of this, the critical systems should be isolated from the rest of the network which may host machines that do not apply similar security policies.
It is possible to increase the level of protection of a system by implementing Exploit Mitigation techniques. Even if a particular piece of vulnerable software is needed for business purposes, these techniques make exploitation harder. Microsoft's EMET is an example.
Monitoring and Incident Response
Malware is constantly improving and evolving, introducing ingenious and stealthy techniques. Monitoring tools are also increasing in sophistication, finding new methods aimed at detecting even the slightest suspicious or uncommon behaviour. Critical systems should have appropriate monitoring tools in place that are able to alert system administrators when they detect suspicious activity such as unusual network traffic or C&C server communication. These tools, together with a proper Incident Response plan, play a crucial role in mitigating such incidents.
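As an added illustration of the two recommendations above (restricting a trading terminal's Internet access to the bare minimum, and alerting on unusual traffic or C&C communication), the following script is not from the ENISA note or the Group-IB report. It assumes the terminal should only reach a small allowlist of broker hosts, and flags both connections outside that allowlist and a host contacted at near-constant intervals, the regular pattern that C&C beaconing typically produces; all host names and log lines are constructed sample data.

```python
# Added example, not from the ENISA note or the Group-IB report: egress checks for
# a locked-down trading terminal. All hosts and log lines below are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed allowlist: the only destinations the terminal needs to function.
ALLOWED_HOSTS = {"quotes.broker.example", "trade.broker.example"}

SAMPLE_LOG = """\
2014-09-15T09:00:00 10.1.1.20 quotes.broker.example 4096
2014-09-15T09:00:05 10.1.1.20 trade.broker.example 512
2014-09-15T09:00:30 10.1.1.20 updates.cdn.example 900
2014-09-15T09:01:30 10.1.1.20 updates.cdn.example 910
2014-09-15T09:02:30 10.1.1.20 updates.cdn.example 905
2014-09-15T09:03:30 10.1.1.20 updates.cdn.example 899
2014-09-15T09:04:00 10.1.1.20 news.portal.example 20000
"""

def parse_log(text):
    """Parse "<iso timestamp> <src_ip> <dst_host> <bytes>" lines; skip malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return events

def allowlist_violations(events, allowed=ALLOWED_HOSTS):
    """Distinct destinations contacted that are outside the egress allowlist."""
    return sorted({dst for _, _, dst, _ in events if dst not in allowed})

def beaconing_hosts(events, min_hits=4, max_jitter=0.1):
    """Hosts contacted >= min_hits times at near-constant intervals (relative std-dev <= max_jitter)."""
    by_host = defaultdict(list)
    for ts, _, dst, _ in events:
        by_host[dst].append(ts)
    suspicious = []
    for host, times in by_host.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            suspicious.append(host)
    return sorted(suspicious)
```

Both checks are cheap enough to run continuously against proxy or firewall logs; on a terminal with a genuinely minimal allowlist, any violation at all is worth an alert, while the beaconing check catches traffic to hosts that look innocuous but are contacted on a fixed schedule.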
The level of security imposed on a system should be the result of a proper risk management process. At the end of the day this boils down to proper risk assessment and a security infrastructure that reflects the level of risk for a particular asset. The value of an asset is an essential measure and should correspond to the associated risk and the impact it has on the organisation.
This particular case may indicate that the trading system terminal, which has the ability to handle hundreds of millions of dollars in transactions, was underestimated as an asset. Such an asset should have been extensively assessed to minimise the risk of such an attack succeeding.
Proper risk management is essential for every ICT environment and infrastructure. This attack demonstrated how the compromise of a trading system terminal had significant monetary consequences.
About "Info Notes" from ENISA
With the "Info Notes" series ENISA aims at giving the interested reader some background and recommendations about NIS related topics. The background and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible course of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or inquire more information on the "Info Notes" series (firstname.lastname@example.org).