
An $81 Million Heist from a Hypervisor Introspection Perspective

October 2016 was security awareness month; however, no one really needed to raise awareness given the year’s seemingly endless list of attacks on global businesses. October itself saw a distributed denial of service (DDoS) attack on DYN, which left numerous global enterprises’ websites unreachable and resulted in customer impact and lost business revenue.

The Security Affairs website recently reported the global annual cybercrime costs to businesses in 2015 as being roughly $3 trillion, with 2021 projections reaching $6 trillion. With cybercriminals producing an average of 230,000 new malware samples per day during 2015, and twelve people online becoming victims of cybercrime every second of the day, global spending is expected to exceed $1 trillion over the next five years.

Businesses are finally starting to wake up to the fact that the damage being caused by cybercriminals far exceeds the amount they are currently willing to spend on security for their data assets. The losses are not just from sales revenue, as advanced persistent threats (APTs) are often about exfiltrating valuable corporate (and customer) data.

One recent APT against an Asian financial institution exploited vulnerabilities in the SWIFT financial platform, managing to issue a transfer of $951 million. In this instance, $81 million was actually successfully transferred; what it proves, however, is that cybercriminals are willing to spend time and effort developing targeted malware that enables attacks on financially profitable data from individual organizations. Adrian Nish, BAE’s head of threat intelligence, stated “he had never seen such an elaborate scheme from criminal hackers”.

So how did these cybercriminals carry out such an elaborate attack?

It seems that even months after the attack, not all technical details have been provided; however, BAE Systems has published findings identifying tools believed to have been used in the heist, containing “sophisticated functionality for interacting with local SWIFT Alliance Access software running in the victim infrastructure”. This included tools to cover the thieves’ tracks and delay any attack identification and response, allowing more time to complete the heist.

Essentially, the malware was able to patch a specific “liboradb.dll” library module, causing the host application to believe that a failed security check had in fact succeeded, and granting the malware sufficient privileges to give itself the capability to execute database transactions on the victim’s network. Further details on this, including how the malware also attempted to protect itself with printer manipulation, can be found at the link above.

Are there any technologies that could have helped prevent heists such as these?

Zero-day protection through memory introspection comes from outside of the VM

Citrix XenServer 7, released in May 2017, includes a new security feature unique to the server and desktop virtualization market, called Direct Inspect APIs, which enables third-party security companies to leverage memory introspection techniques from a hypervisor-layer security appliance.

Bitdefender HVI (Hypervisor Introspection) integrates with these XenServer APIs working with raw memory, and without any in-guest (VM) agents. Zero-day protection through memory introspection comes from outside of the VM, enabling the solution to even detect sophisticated unknown threats, such as APTs, intercepting and blocking them from tampering with the memory stack, and injecting remediation tools if necessary.

It should be highlighted that Bitdefender’s integration is squarely focused on malicious memory activity, and is complementary to traditional disk/file-based endpoint solutions.

Take a more in-depth look at the revolutionary approach to malware protection with XenServer Direct Inspect and Bitdefender HVI.

No security software vendor can, or would in good conscience, ever make retrospective assurances on whether they could have completely prevented a theft such as the above; however, it was clear that existing, securely deployed traditional tools didn’t catch this new type of attack either. HVI, however, could have helped detect the attempt to patch the “liboradb.dll” file, which involves a write to an area of memory that should be read-only. Patching this file was critical to the heist, and preventing it would have helped to thwart that portion of the APT and the hackers’ ability to gain access to SWIFT’s Alliance software.
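The detection idea in the paragraph above, modeled in Python as an added example (this is not Citrix or Bitdefender code; the class names, page layout, addresses and writer labels are all constructed for illustration): a monitor outside the guest write-protects the pages holding a module's code and denies any guest write that touches them, including one that straddles a page boundary.

```python
from dataclasses import dataclass, field

PAGE = 4096  # x86 small-page size; protection is page-granular

@dataclass
class Alert:
    addr: int      # first protected byte the write would have touched
    source: str    # constructed label for the writer

@dataclass
class IntrospectedGuest:
    """Model of guest memory plus a monitor that lives outside the guest."""
    memory: bytearray
    protected: set = field(default_factory=set)  # write-protected page numbers
    alerts: list = field(default_factory=list)

    def protect(self, start: int, size: int) -> None:
        """Write-protect every page overlapping [start, start + size)."""
        self.protected.update(range(start // PAGE, (start + size - 1) // PAGE + 1))

    def guest_write(self, addr: int, data: bytes, source: str) -> bool:
        """Apply a guest write unless any page it touches is protected."""
        if not data:
            return True
        if addr < 0 or addr + len(data) > len(self.memory):
            raise ValueError("write outside guest memory")
        touched = range(addr // PAGE, (addr + len(data) - 1) // PAGE + 1)
        hits = [p for p in touched if p in self.protected]
        if hits:
            # Deny the whole write so no partial patch lands, and record it.
            self.alerts.append(Alert(max(addr, hits[0] * PAGE), source))
            return False
        self.memory[addr:addr + len(data)] = data
        return True

def run_demo():
    """Constructed layout: page 1 holds module code, page 2 its writable data."""
    guest = IntrospectedGuest(bytearray(4 * PAGE))
    code = bytes(range(256)) * 16                 # stand-in for a code section
    guest.memory[PAGE:2 * PAGE] = code            # loader maps it before protection
    guest.protect(PAGE, len(code))
    results = [
        guest.guest_write(2 * PAGE + 8, b"\x01\x02", "app: data update"),
        guest.guest_write(PAGE + 0x120, b"\xAA\xBB", "unknown: code patch"),
        guest.guest_write(PAGE - 1, b"\xCC\xDD", "unknown: straddling write"),
    ]
    intact = bytes(guest.memory[PAGE:2 * PAGE]) == code
    return results, guest.alerts, intact, guest

if __name__ == "__main__":
    results, alerts, intact, _ = run_demo()
    print(results, [(hex(a.addr), a.source) for a in alerts], "code intact:", intact)
```

Because the decision is made per page, legitimate writes to a module's data pages pass untouched while the code pages stay immutable once the loader has finished mapping them.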

As global security threats and their perpetrators become more sophisticated, organizations must continue to evolve their business security postures using new approaches, enabling a greater depth to protection of corporate data. XenServer Direct Inspect APIs with Bitdefender HVI offers one such approach.

Further information can be found on Citrix’s XenServer product pages, by following @XenServer on Twitter, or on the XenServer Facebook page. Marc Trouard-Riolle can be found @mtrouardriolle on Twitter or on my personal blog here.

This blog has been authored in conjunction with Bitdefender, their version of which can be found here. Bitdefender HVI is currently in technical preview; sign up and learn more about how Citrix XenServer & Bitdefender HVI can help secure your business.