Metel malware pops bank, triggers 15 percent swing in Russian Ruble

Hackers caused the Russian Ruble to swing 15 per cent in minutes by hacking a bank with a newly-discovered and highly capable malware. The "Metel" or "Corkow" malware was used to break into the Kazan-based Energobank and place on its behalf some US$500 million (£344 million, A$702 million) in orders, sufficient to swing …

  1. Ole Juul

    but but

    I thought governments were all in favour of creating back doors these days.

  2. Anonymous Coward

    Ahhh Nuuuu Cheeki Breeki

    I thought governments were all in favour of killing cash dead these days.

  3. Pascal Monett Silver badge

    Seems like banks are going to have to beef up at last

    The entire banking industry has been surfing on security principles that date from last millennium.

    Looks like a few hundred million are going to have to be removed from bonuses and go to actually securing hardware and transactions a lot more than they are now.

    Maybe even ATMs will finally be upgraded from Windows XP Embedded to something secure, like a version of Linux.

    In any case, I'm shedding no tears for them. This is a much-needed learning experience, and ATM security has been neglected for far too long.

    1. Steve Medway

      Re: Seems like banks are going to have to beef up at last

      Yeah sure Pascal because no Linux machines have ever suffered from something called heartbleed.

      Linux isn't any more or less secure than Windows, it's the numptys that badly configure both OS's that are to blame for 99% of attack vectors.

      You can on the other hand say Linux is more secure by default than Windows, but that still doesn't stop numptys configuring it badly from a security point of view.

      1. Doctor Syntax Silver badge

        Re: Seems like banks are going to have to beef up at last

        "it's the numptys that badly configure both OS's that are to blame for 99% of attack vectors."

        Numpties clicking on unsolicited files attached to unsolicited emails is another vector. Tell me again, why Windows is configured out of the box to hide suffixes?

        1. Dan Wilkie

          Re: Seems like banks are going to have to beef up at last

          Because Windows is aimed at users who aren't technically astute. Barely any of my users at anywhere I've supported would know what a file extension does, or which ones they shouldn't open (even when they're provided a list). However that has never stopped them going through and removing all the file extensions because "the dot exe made it look untidy".

          I use Linux for everything. I'm glad however that my users do not. Because there'd probably be a loud gunshot and then blissful silence.

        2. goldcd

          erm because the people who randomly open attachments

          have no f'in idea what the extensions mean

          1. chivo243 Silver badge
            Headmaster

            Re: erm because the people who randomly open attachments

            Sorry, I thought you could be pwned opening any document that was 'crafted' correctly. .doc .xls .pdf .tiff .jpg shall I go on?

            1. Dan 55 Silver badge

              Re: erm because the people who randomly open attachments

              You can, partly because Windows or the software in question (Outlook) sometimes looks at the MIME type and sometimes looks at the extension.

      2. Tomato42
        Boffin

        Re: Seems like banks are going to have to beef up at last

        And Windows machines suffered from something even more catastrophic in TLS: CVE-2014-6321 (by some branded "Winshock")

        Linux may or may not have less security-critical bugs than Windows.

        But applications on Linux definitely have access (and more often than not, actually use) many more technologies for limiting the damage from those bugs; SELinux, ASLR, FORTIFY_SOURCE, stack protector, and so on.

        1. YetAnotherLocksmith Silver badge

          Re: Seems like banks are going to have to beef up at last

          Seriously, it's an ATM. You could get a group to base one on an Arduino in a long weekend hackercamp!

          The last ATM I used was so lagging on the touchscreen inputs that it wasn't fully usable.

        2. TheVogon

          Re: Seems like banks are going to have to beef up at last

          "But applications on Linux definitely have access (and more often than not, actually use) many more technologies for limiting the damage from those bugs"

          Nope - Windows has more native technology options in that space:

          Attack Surface Reduction (ASR)

          Export Address Table Filtering (EAF+)

          Data Execution Prevention (DEP)

          Structured Execution Handling Overwrite Protection (SEHOP)

          NullPage

          Heapspray Allocation

          Export Address Table Filtering (EAF)

          Mandatory Address Space Layout Randomization (ASLR)

          Bottom Up ASLR

          Load Library Check

          Memory Protection Check

          Caller Checks

          Simulate Execution Flow

          Stack Pivot

          Control Flow Guard

          Protected Processes

          Untrusted fonts

          Secure Boot

          Measured Boot

          Virtualization-based security / Hypervisor enforced code integrity

          Device Guard

          Credential Guard

          App Locker

          1. Roo
            Windows

            Re: Seems like banks are going to have to beef up at last

            "Attack Surface Reduction (ASR)

            Export Address Table Filtering (EAF+)

            Data Execution Prevention (DEP)

            Structured Execution Handling Overwrite Protection (SEHOP)

            NullPage

            Heapspray Allocation

            Export Address Table Filtering (EAF)"

            Did you mention two different versions of "Export Address Table Filtering" twice because it's really good, or did MS simply do half a job the first time around ?

            Can you explain how "Untrusted Fonts" work and what vulnerabilities they mitigate ?

            1. Michael Wojcik Silver badge

              Re: Seems like banks are going to have to beef up at last

              Did you mention two different versions of "Export Address Table Filtering" twice because it's really good, or did MS simply do half a job the first time around ?

              Poisoning the well. Attack mitigation mechanisms are always an arms race against attackers. The original EMF did a good job of blocking a lot of shellcode - it works by trapping read access to the export table, and when the trap is hit, it checks to see if the code attempting the read is in the associated module.

              But it was pretty easy to bypass, using e.g. return-into-library. So Microsoft came up with an enhanced version.

              That's typical for these things. It's certainly no grounds on which to criticize Microsoft.

              The Vogon's list is stupid dick-waving - counting named features is as meaningless a metric as one could hope for. And, frankly, in the greater scheme of things there's not a lot of difference in the protections of this sort offered by Linux and Windows, as they're both based on workstation OSes of the '70s and '80s and their developers pay attention to the mitigation strategies each employs. Compared to, say, a capability OS or an Orange Book B-level OS, they look pretty fucking similar.

              Oh, and anyone paying any attention to workstation vulnerabilities for the past decade or two ought to understand Untrusted Fonts. It's an option that says "don't load any fonts into the OS rendering engine if they didn't ship with the OS". And it's an excellent idea, since font rendering has been a huge source of exploits for years - in a number of cases, due to vulnerabilities in code supplied by third parties (such as Adobe).

              While it's true that font-rendering vulnerabilities are exacerbated by NT 4's rightly-maligned move of too much of the rendering code into the kernel, an exploit even in unprivileged userland code can have serious security consequences, like injecting keylogging into the user's browser (a great vector for font-rendering exploits, thanks to CSS font faces).

              1. TheVogon

                Re: Seems like banks are going to have to beef up at last

                "The Vogon's list is stupid dick-waving"

                If you like, but to correct other "stupid dick waving" claiming that Linux was great because there were no solutions in this space on Windows...

                Ooops at another big hole in GLIBC - less than a year after the GHOST one! So much for those Linux security mitigations...

                1. Roo
                  Windows

                  Re: Seems like banks are going to have to beef up at last

                  "If you like, but to correct other "stupid dick waving" claiming that Linux was great because there were no solutions in this space on Windows..."

                  More stupid dick waving doesn't "correct" anything, it just increases the number of dicks waving.

              2. Roo
                Windows

                Re: Seems like banks are going to have to beef up at last

                "The Vogon's list is stupid dick-waving - counting named features is as meaningless a metric as one could hope for."

                Precisely why I was being snarky. Giving you an upvote for going to the effort of adding some detail & colour to my snarks. :)

    2. Anonymous Coward

      Re: Seems like banks are going to have to beef up at last

      "something secure, like a version of Linux."

      But Linux has a far worse security record than Windows for standalone servers like ATMs. If you had said something like Open BSD you might have had a point, but suggesting that Linux is a more secure option is just laughable.

      1. Anonymous Coward

        Re: Seems like banks are going to have to beef up at last

        So, go to OS/2. Problem delayed!

      2. Roo
        Windows

        Re: Seems like banks are going to have to beef up at last

        "But Linux has a far worse security record than Windows for standalone servers "

        You have presented bullshit as "Anon" in the hope that gullible readers will accept that for evidence and presumably base their purchasing decisions on said bullshit. That doesn't speak very well about your opinion of the readers some of whom may be potential customers.

        1. Anonymous Coward

          Re: Seems like banks are going to have to beef up at last

          "You have presented bullshit as "Anon""

          Nope - it's apparently the case that Linux based internet facing servers are more likely to be successfully attacked than Windows based ones. See for instance http://www.zone-h.org/news/id/4737

          Or perhaps you can find statistical evidence to refute this? I have yet to see any.

          1. Roo
            Windows

            Re: Seems like banks are going to have to beef up at last

            "Or perhaps you can find statistical evidence to refute this? I have yet to see any."

            There's no point in presenting statistical evidence, you are bringing up a blog post from 2011 about web site defacements broken down into categories of Linux (all versions ever released by every single vendor out there) and then one category for each version of Windows. Those stats appear to reflect the "market shares" of the time.

            All that you've shown is that Linux hosted most defaced websites because there are zillions more Linux hosts out there. That doesn't constitute evidence of "But Linux has a far worse security record than Windows for standalone servers", so I'm not going to any more waste time refuting it.

            1. Anonymous Coward

              Re: Seems like banks are going to have to beef up at last

              "All that you've shown is that Linux hosted most defaced websites because there are zillions more Linux hosts out there"

              Nope - when you add together all versions of Windows - and then adjust for market share (as per Netcraft) you still find Linux hosts are circa 4 times more likely to be successfully attacked.

              1. Roo
                Windows

                Re: Seems like banks are going to have to beef up at last

                "Nope - when you add together all versions of Windows - and then adjust for market share (as per Netcraft) you still find Linux hosts are circa 4 times more likely to be successfully attacked."

                To calculate the likelihood of a successful defacement you would need to divide the number of successful defacements by the number of unsuccessful defacement attempts. All you are showing there is that there are more defaced websites on Linux hosts.

                To quote the referenced zone-h article from 2011:

                "If you are looking at on the stats, the things remain the same: file inclusion, sql injection, webdav attacks and shares misconfiguration are still at the top ranks of the attack methods used by the defacers to gain first access into the server."

  4. Paul Smith

    What has hacking ATMs got to do with hacking back office systems?

    1. TheVogon

      "What has hacking ATMs got to do with hacking back office systems?"

      Quite a lot if you don't want the bank to realise it's happening....

  5. Anonymous Coward
    Joke

    Android malware strikes again ..

    When will people learn that all that freeware isn't as secure as the fully indemnified industry standard Microsoft Windows.

    1. MyffyW Silver badge

      Re: Android malware strikes again ..

      @Walter_Bishop you are a very naughty boy.

    2. Anonymous Coward

      Re: Android malware strikes again ..

      "When will people learn"

      Sony did. And Ashley Madison....

  6. allthecoolshortnamesweretaken

    I wonder whether this was a proof of concept attack, maybe in order to get the bankroll needed to develop this further. If you time this sort of thing precisely (and go after a harder currency) there is real money in this.
