The recent leak of NSA hacking tools designed to compromise SWIFT Service Alliance servers comes with a key to pry open thousands of Oracle databases around the globe, new research suggests.
While most of the hacking tools revealed April 14 by the group known as the Shadow Brokers target vulnerabilities in outdated versions of Microsoft Windows operating systems, the release also contained an implant and two scripts apparently engineered by the NSA to breach and exfiltrate data from Oracle databases. Those tools were part of an expansive U.S. espionage operation aimed at hacking into Middle Eastern SWIFT service bureaus.
SWIFT is an international computer network that acts as a ledger and enables financial institutions to send and receive information about financial transactions. Some banks rely on service bureaus to effectively access SWIFT’s architecture. Service bureaus in the Middle East commonly host and manage transaction data from regional banks on Oracle databases.
Oracle databases are among the most popular enterprise database systems in the world — employed by a wide array of different businesses, including telecommunications firms and airlines.
A complex and powerful implant codenamed PASSFREELY that is mentioned in the trove of documents allows for an attacker to bypass the authentication process behind Oracle servers, security researcher Matt Suiche told CyberScoop. To deploy the implant a hacker would first need to gain access to a target system through, for example, a remote code execution vulnerability.
The four-year-old implant is effective against 386 different versions of software that runs on Oracle databases, strings contained in the implant show. PASSFREELY forces an already compromised Oracle server to accept every incoming connection by modifying an Oracle application in the server’s memory. In short, it enables a hacker to overstep password protections that exist on the databases.
Because the Shadow Broker’s release provides readers with the executable code for PASSFREELY in full, random hackers can now recycle and redeploy the tool, Suiche explained.
The two scripts, initial_oracle_exploit.sqI and swift_msg_queries_all.sql — which would be used to query information after compromising a database and then running PASSFREELY — allow for an attacker to quickly pull out all transaction and user credential data from a system. In theory, this sort of capability could be useful for both espionage and criminal purposes.
“The availability of PASSFREELY in the wild is another addition to the belt of potential criminals targeting Oracle Databases, which is the most popular Enterprise database software,” said Suiche, founder of cybersecurity startup Comae Technologies.
Suiche predicts that criminal hacking groups with an interest in targeting banks and other financial intuitions will likely adopt PASSFREELY in the future.
“The main beneficiary of this tool will probably be Larazus Group, as they have showed and demonstrated extensive and in-depth understanding of Oracle Database and SWIFT Messaging services,” Suiche said. “Developing this sort of capability would take a long time and a lot of resources if someone wanted to do it one their own … that’s what makes this so attractive to pick up.”
The Lazarus Group is an active, sophisticated hacking group believed to be associated with the North Korean government. In the past, multiple cybersecurity firms have linked the Lazarus Group to a series of data breaches in the financial sector with the most notable case being an $81 million heist from the Bangladesh Bank. In that incident, the Lazarus Group hacked into Bangladesh Bank’s computer network, collected user credentials and other bank codes to then effectively request fraudulent fund transfer using SWIFT.