ShadowBrokers Expose NSA Access to SWIFT Service Bureaus

The latest ShadowBrokers dump includes exploits that allowed the NSA to target SWIFT data managed by outsourced service bureaus in the Middle East.

The NSA used exploits to target two SWIFT Service Bureaus in order to access banking data from a number of financial institutions in the Middle East. The access was likely used to monitor funding for terrorist operations, experts said today as analysis continues of the latest ShadowBrokers dump of Equation Group hacking tools.

The dump came early Friday and has had researchers busy digging deep into the array of not only SWIFT-related hacks, but also tools to compromise Windows systems, as well as a number of presentations and documentation for other tools.

Today’s release came six days the clandestine group exposed a number of UNIX-based hacks and documentation aimed at exploiting enterprise and business-critical servers worldwide.

“In this case, if Shadow Brokers claims are indeed verified, it seems that the NSA sought to totally capture the backbone of international financial system to have a God’s eye into a SWIFT Service Bureau — and potentially the entire SWIFT network,” said researcher Matt Suiche in a blog posted today explaining his analysis of the data dump. “This would fit within standard procedure as a covert entity entrusted with covert actions that may or may not be legal in a technical sense.”

SWIFT, meanwhile, said its infrastructure was not compromised.

“There is no impact on SWIFT’s infrastructure or data, however these we understand that communications between these service bureaus and their customers may previously have been accessed by unauthorized third parties,” a SWIFT representative told Threatpost.

SWIFT Service Bureaus are third-party service providers that manage and host connections to SWIFTNet for financial institutions wishing to connect to the network, but choosing to outsource those operations. SWIFT said that service bureau services including sharing, hosting, or operating SWIFT connectivity components, and logging on, or managing sessions or security for SWIFT users.

The SWIFT-related archives were called JEEPFLEA and contains credentials and the architecture of EastNets, the Middle East’s largest SWIFT Service Bureau, Suiche said.

Suiche explained these bank transactions are handled on an Oracle database running SWIFT software. The archive includes tools used by the NSA to take data from the Oracle installation, including a list of users and SWIFT message queries, Suiche said.

EastNets, which also provides anti money-laundering and antifraud services, was a NSA target in the region and documents in the archive show credentials, account information and admin account information. In a statement on its website, EastNets CEO and founder Hazem Mulhim said there is no credibility to the claims its services were compromised.

“The reports of an alleged hacker-compromised EastNets Service Bureau (ENSB) network is totally false and unfounded. The EastNets Network internal Security Unit has ran a complete check of its servers and found no hacker compromise or any vulnerabilities. The EastNets Service Bureau runs on a separate secure network that cannot be accessed over the public networks. The photos shown on twitter, claiming compromised information, is about pages that are outdated and obsolete, generated on a low-level internal server that is retired since 2013.

“While we cannot ascertain the information that has been published, we can confirm that no EastNets customer data has been compromised in any way, EastNets continues to guarantee the complete safety and security of its customers data with the highest levels of protection from its SWIFT certified Service bureau.”

Researcher Kevin Beaumont debunked claims by EastNets that its network is not publicly accessible with screenshots to the contrary.

Researcher x0rz told Threatpost that the NSA could have been using zero-day exploits against Cisco firewalls to access the SWIFT Service Bureaus.

“They may have breached [service bureau] networks through Cisco ASA and got deeper inside the networks using Solaris exploits (IMO),” x0rz told Threatpost. “They then collected data using SQL queries on the Oracle servers.”

X0rz added that he saw at least two Windows zero day vulnerabilities, something Suiche confirmed for Windows 8 and Windows Server 2012, meaning Microsoft may have to issue an emergency patch or wait until May 9, its next scheduled Patch Tuesday release date.

Suiche told Threatpost that many of the tools target older versions of Windows.

“Most relevant dump to date, lots of information on actual targets and PowerPoint documents, unlike the previous dumps which were only tools,” Suiche said.

The Windows implants are code-named Oddjob, and according to the NSA archive, there is little to no detection data on VirusTotal. Any zero-day exploits against XP, Vista or Windows 2003 or 2008 servers are likely not to be patched since support has ended for those platforms.

Last Saturday, the ShadowBrokers released the UNIX hacking tools along with the password for the original Equation Group file it planned to auction off. The wrapper for all this was a rambling open letter to President Donald Trump in which the group expressed its dissatisfaction with the new administration’s actions in Syria, and with healthcare in the U.S., among other things. The hacks included remote code execution exploits against enterprise servers running Sun Solaris, Netscape Server, FTP servers and a number of webmail clients. The dump also included a number of antiforensics tools, backdoors and post-exploitation remote access shells for large enterprise machines. There were also keyloggers, network monitoring tools and kernel-level implants for UNIX systems.

Suggested articles