Logica, National Special Event: Morgan (part 3)
Logica Status report 2010-02-19, security incident
29th January 2010
Data is transferred over FTP; large datasets are copied to an unknown address. The user identity that was used had, at the time, correct permissions and a valid password. The account used the NYTTPW (NEWPW) function to retrieve a valid password.
Logica has found that this account hasn’t been modified since September 2008, as far as RACF logs go.
2nd February 2010
An unauthorized person manages to log into an account in TPX, which isn’t protected by RACF. This account can be used to take over other active sessions, and the attacker has in that way fully hijacked another user’s permissions.
Besides the unprotected account, the person has had full administrative permissions in the TPX system and used them for data manipulation. Due to RACF protection this hasn’t posed any risk to the systems behind TPX.
The unprotected user identity in TPX has been set up this way since the last installation, which was made circa one year ago. This is, however, the first known time that somebody has used the possibility of using this account to take over another user’s session.
The data stolen from the system on the 29th January contained a list of user identities without password protection. It is possible that this information made the TPX login possible, although it hasn’t been proven. The alternative is that the attacker knew beforehand.
4th February 2010
The possibility to log into TPX without RACF control was stopped. After this date there have not been any successful attempts to take over an active session in TPX.
FTP to SYS19 and SYS3
On 29th January 2010 SEMA290 logged in through FTP and started retrieving files:
2010-01-29 20:39:21 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 20:59:42 SYS19 Resume password made through user E484RACF using routine NYTTPW
2010-01-29 22:58:28 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 22:58:28 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 22:58:32 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 23:02:46 SYS19 Invalid password, FTP
2010-01-29 23:17:48 Connects through FTP and retrieves a large amount of datasets and files.
2010-01-29 23:37:39 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 23:38:50 Failed login attempt due to revoked user.
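The sequence above (a password resumed through the NYTTPW routine, a burst of revoked-user failures, one wrong password, then a successful session that pulls bulk data) is a pattern a log review can flag automatically rather than reconstruct by hand afterwards. The following Python script is an added example and is not part of the report or of Logica’s tooling; its sample lines are constructed to mirror the timeline above (the successful session line is tagged SYS19 here, which is an assumption), and the time windows are arbitrary tuning values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the report's FTP timeline (not a real log extract).
SAMPLE_LOG = """\
2010-01-29 20:39:21 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 20:59:42 SYS19 Resume password made through user E484RACF using routine NYTTPW
2010-01-29 22:58:28 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 22:58:28 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 22:58:32 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 23:02:46 SYS19 Invalid password, FTP
2010-01-29 23:17:48 SYS19 Connects through FTP and retrieves a large amount of datasets and files.
2010-01-29 23:37:39 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 23:38:50 Failed login attempt due to revoked user.
"""

# timestamp, optional system name, free-text message
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?:(SYS\d+)\s+)?(.*)$")


def classify(message):
    """Map a free-text message to an event kind (keyword matching on the sample wording)."""
    m = message.lower()
    if "resume password" in m or "nyttpw" in m:
        return "PW_RESET"
    if "revoked" in m:
        return "FAIL_REVOKED"
    if "invalid password" in m:
        return "FAIL_PASSWORD"
    if "connects through ftp" in m:
        return "FTP_SESSION"
    return "OTHER"


def parse(text):
    """Parse the timeline into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "system": match.group(2),
                       "kind": classify(match.group(3)), "msg": match.group(3)})
    return sorted(events, key=lambda e: e["ts"])


def analyse(events, reset_window=timedelta(hours=4),
            fail_window=timedelta(minutes=30),
            burst_window=timedelta(minutes=15), burst_min=3):
    """Return alerts for three patterns visible in the report's timeline."""
    alerts = []
    resets = [e["ts"] for e in events if e["kind"] == "PW_RESET"]
    wrong_pw = [e["ts"] for e in events if e["kind"] == "FAIL_PASSWORD"]
    for s in (e for e in events if e["kind"] == "FTP_SESSION"):
        # 1. password reset/resume shortly before a successful FTP session
        prior = [t for t in resets if timedelta(0) <= s["ts"] - t <= reset_window]
        if prior:
            alerts.append({"rule": "reset_then_ftp", "at": s["ts"], "reset_at": prior[-1]})
        # 2. wrong password shortly before a successful session on the same account
        if any(timedelta(0) <= s["ts"] - t <= fail_window for t in wrong_pw):
            alerts.append({"rule": "fail_then_success", "at": s["ts"]})
    # 3. burst of revoked-user failures on one system (the account is being tried repeatedly)
    per_system = {}
    for e in events:
        if e["kind"] == "FAIL_REVOKED":
            per_system.setdefault(e["system"], []).append(e["ts"])
    for system, stamps in per_system.items():
        for i, start in enumerate(stamps):
            hits = [t for t in stamps[i:] if t - start <= burst_window]
            if len(hits) >= burst_min:
                alerts.append({"rule": "revoked_burst", "system": system,
                               "at": start, "count": len(hits)})
                break
    return alerts


if __name__ == "__main__":
    for alert in analyse(parse(SAMPLE_LOG)):
        print(alert)
```

Run against the sample it raises all three rules: the NYTTPW resume at 20:59 followed by the 23:17 session, the invalid password fifteen minutes before that session, and the three revoked-user failures on SYS3 within a few seconds. In a real deployment the timestamps would come from RACF SMF records and the FTP server log rather than from a hand-written timeline, and the account name would be part of each event so the correlation runs per user.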
Tests run with FTP, mirror environment
Logins through FTP against SYS19 have been done with the following userids:
Only login and listing of the entire master directory have been tested.
Tests run with FTP, production environment
The following userids have been tested:
Only login and listing of the entire master directory have been tested.
Tests have been made in the mirror environment, SYS19, to determine what kind of info can be retrieved over FTP.
All datasets in the USS part under TSO can be listed. This reveals some information e.g. usernames even though the libraries are protected via RACF.
Why it could happen
The userid and the possibility to change passwords for a couple of demo users become known to an unauthorized person. This possibility is later used to log in and gather data from the web interface. The same userid is later used to connect over FTP to SYS19 and gather information.
It’s possible to sign in through FTP using demo users because RACF users in the environment are automatically assigned a UID at login. UIDs are assigned to enable the user to use resources under USS (FTP, telnet, SFTP, web server etc.).
Users that don’t need these functions should not be assigned a UID.
Since the purpose of the system is to be accessible from anywhere, it is possible to log in over FTP with a userid and password.
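The point above, that an OMVS UID is what lets a RACF user reach USS services such as FTP and telnet and that accounts with no such need should not carry one, can be turned into a recurring audit. The Python below is an added example and is not from the report or from Logica; it reads a constructed, simplified imitation of LISTUSER OMVS output (hypothetical users DEMO01, DEMO02, XFER01 and WEB01, hypothetical groups DEMO, FTPJOBS and WEBONLY; real listings carry more fields) and flags UIDs on accounts outside the groups that legitimately need USS, plus UID 0 on any account not explicitly allowlisted, which also covers the superuser manipulation the 2012 report describes later on this page.

```python
import re

# Constructed, simplified imitation of LISTUSER ... OMVS output (not a real listing;
# real output carries more fields). User and group names are hypothetical.
SAMPLE_LISTING = """\
USER=DEMO01   NAME=DEMO ACCOUNT   OWNER=SYSADM   GROUP=DEMO
OMVS INFORMATION
UID= 0000002001
HOME= /u/demo01
PROGRAM= /bin/sh

USER=DEMO02   NAME=DEMO ACCOUNT   OWNER=SYSADM   GROUP=DEMO
OMVS INFORMATION
UID= 0000000000
HOME= /u/demo02
PROGRAM= /bin/sh

USER=XFER01   NAME=FILE TRANSFER  OWNER=SYSADM   GROUP=FTPJOBS
OMVS INFORMATION
UID= 0000003001
HOME= /u/xfer01
PROGRAM= /bin/sh

USER=WEB01    NAME=WEB USER       OWNER=SYSADM   GROUP=WEBONLY
NO OMVS INFORMATION
"""


def parse_listing(text):
    """Return {userid: {"group": ..., "uid": int or None}} from the listing."""
    users = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        user = re.search(r"USER=(\S+)", block)
        if not user:
            continue
        group = re.search(r"GROUP=(\S+)", block)
        uid = re.search(r"^UID=\s*(\d+)", block, re.M)  # absent when "NO OMVS INFORMATION"
        users[user.group(1)] = {
            "group": group.group(1) if group else None,
            "uid": int(uid.group(1)) if uid else None,
        }
    return users


def audit(users, uss_groups=frozenset({"FTPJOBS"}), uid0_allowlist=frozenset()):
    """Flag users who hold a UID without belonging to a group that needs USS access,
    and users whose UID is 0 (USS superuser) outside an explicit allowlist."""
    findings = []
    for name, info in sorted(users.items()):
        if info["uid"] is None:
            continue  # no OMVS segment: cannot use FTP/telnet/USS services at all
        if info["uid"] == 0 and name not in uid0_allowlist:
            findings.append((name, "uid0", "review: superuser UID on a non-allowlisted account"))
        if info["group"] not in uss_groups:
            # ALTUSER ... NOOMVS is the RACF command that removes the OMVS segment;
            # the script only suggests it and changes nothing.
            findings.append((name, "uid_not_needed", f"ALTUSER {name} NOOMVS"))
    return findings


if __name__ == "__main__":
    for name, kind, action in audit(parse_listing(SAMPLE_LISTING)):
        print(f"{name:8} {kind:16} {action}")
```

The allow-listed groups and the UID 0 allowlist are the policy input; the script reports, and an administrator applies the ALTUSER changes. On the sample, both demo accounts are flagged as carrying a UID they do not need and DEMO02 is additionally flagged for UID 0, while the file-transfer job account and the web-only user pass.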
TPX logins via userid without specifying a password have been possible due to a modified parameter in TPX. This parameter was modified in connection with the production environment being upgraded on 8th February 2009. This was reconfigured by a job run on SYS3 and SYS19, job name ADMIN.
Report, external deliveries, 2012-03-24
Applicate and Logica discover unusual activity in the mainframe environment. After a small group of people did a quick investigation during the night, they block specific accounts in the system. In the morning the group is expanded and additional managers are notified. On the 13th March the investigation reveals that the activity has been occurring since the 25th February 2012.
Logica calls in IBM’s international incident investigators and security specialists. On the 19th March the picture is so clear that a police report is handed from Applicate to the Security Service.
The intrusions are partly made over existing file transfer services using the FTP function, partly via interactive logins via ordinary remote control functionality, and finally via backdoors placed by the attackers themselves. The intrusions have often occurred in combination with large data retrievals from the systems. Additionally, intrusions and abuse have been carried out in Applicate’s web services. The abuse has, amongst other things, consisted of unauthorized credit checks.
The investigation finds that there are two points of intrusion, such as shared accounts between the mainframe partitions, which allow the attackers to access data stored on both partitions in the cases where the attackers have been lucky enough to retrieve one of these accounts. Which they unfortunately did.
Estimated 10000 files/datasets have been retrieved from SYS19 by unauthorized people. Estimated 600 files/datasets have been retrieved from SYS3 by unauthorized people. The files and datasets that were retrieved contain various types of company information, including a list from 2007 over social security numbers with filename “E897.SPAR.SKYDD”.
Over 120 000 accounts were retrieved from the user database RACF. User information has been retrieved; from files left behind, the investigation could conclude that important password information was missing. However, it can’t be excluded that such information has leaked. Large numbers of these accounts have been blocked or revoked. Circa 70000 active customer accounts remain in the system today as preventative actions and cleaning continue.
Specifically interesting to note regarding the accounts:
– The first account that was verified cracked and used 25th February belongs to a file transfer job from the Swedish parliament. How somebody gained access to this account is still unknown.
– One of the accounts frequently used by the attackers originally belonged to Monique Wadsted, one of the lawyers hired by the entertainment industry in the so called Pirate Bay trial.
– Multiple accounts used, including Wadsted’s, have been manipulated in the RACF database to increase permissions. The work of both the incident and the investigation continues.
Status on whether the intrusion is stopped or continues
The attack surface has narrowed through various technical limitations.
Intrusion attempts against SYS19 are handled by whitelisting FTP traffic from approved IP addresses and filtering the protocols previously used in the attacks (telnet traffic and traffic on port 443). Miscellaneous traffic that hasn’t been proven legitimate has been filtered.
Intrusion attempts against SYS3 are handled by whitelisting traffic to FTP and filtering illegitimate traffic.
All system administrator accounts have changed passwords, compromised administrator accounts are replaced.
The last found intrusion in SYS3 occurred on 23rd March through FTP and telnet. The last found intrusion on SYS19 occurred on 16th March through telnet.
Continuous intrusion attempts are made against the web services based on the list of usernames stolen from SYS19.
Detailed information regarding known leaked information
Description of contents in the files copied from respective system.
– SPAR (Statens Person och Adressregister) information, list of social security numbers for citizens born 1964 and later.
– Infotorg invoice information – Invoices, amounts of transactions per customer.
– PI (logins on Infotorg) – Files sent to LIME (CRM). All information regarding customers in Infotorg and their permissions.
– Infodata (Postal service) – Address matching
– Infotorg (PWC) – Specification of project marking for invoices
– The police – 2 million social security numbers, only.
– Applicate (Radiotjänst) – Invoice information
– Infotorg/Infodata/Police – Invoice information, transaction type and amounts.
– Police – Transaction statistics from 2006
– Infodata – Three datasets where the file name contains the text “protected”. The datasets are from the year 2007. 10 793 social security numbers in total; a copy and two originals have been stolen.
– Applicate (mixed customers) – Invoice statistics
– Infodata – datasets containing social security numbers in relation to each other
– Infotorg – BASUN (company information from SCB). Base information, names, legal form, company size etc.
– FLISTEST – Handelsbanken’s invoices to their customers 2006 and 2007
– According to the bailiff agency, circa 40 cleartext files containing customers and debtors, which are normally sent to the UNIX systems, have been copied from SYS3. The files contain social security numbers, debts, and whom the person owes money to. The files also contain information about debts for people with protected identities.
– Payment files for Swedbank and signet for signing payment files have been copied from SYS3, the signet has been replaced.
– The Cobol source code for the program Navet has been copied together with KFM’s Navet certificate. The code was used by the intruder to find vulnerabilities in the Navet application. The application is however only available from the tax agency’s network and not publicly available.
Information about how the escalation was made during the intrusion
Applicate and Logica found on the 7th March that SEMCICA3 in SYS19 had an unusually high CPU usage; many transactions were being run by a questionable user. The activity was considered unauthorized and a security incident was declared on the 8th March, whereupon an investigation began (IM3107818).
Applicate found that the attacker had established further access to the system and called for a crisis meeting. Logica appoints a Major Incident Manager and calls in specialist competence from IBM.
Applicate files a report at the Security Service on 19th March.
An intrusion is found in SYS3, whereupon Logica contacts the Security Service with a report on 21st March.
Information about accounts used at information retrieval
The first known account used was an account from the Swedish Parliament (AVIY356). Through z/OS and USS this user began downloading approximately 400 datasets and files from Logica. It has been found that a number of accounts have been used over time and that many of them have been manipulated to receive special and superuser permissions in the systems.
Which sort of traffic was queried from Dalarna
An investigation has been made on a selection of search queries done on Infotorg. As previously mentioned there have been searches done on Jim Keyzer, Gottfrid, PRQ, Police registered cars in the car registry etc.
Below follows a short selection with explanations:
LN: Swedish representative for space project Cospar
JE: Could be one of the attackers searching for himself (?)
MB: Police who took action against filmmaker and forced deletion
Håkan Marklund: Robinson participant (Swedish TV show)
Mikael Persbrandt: Actor
RÅ: Appears to be a technician certifying himself
LB: Cat owner and kindergarten teacher, possibly in Norrtälje
ET: Charged for knife stabbing in Ludvika
AB: 17 year old blogger
Young people have probably received login details for Infotorg from the more competent main actors. These youngsters have searched for famous people, a blogger and people in Ludvika/Smedjebacken and have most likely not had the slightest idea of the possible risks of the searching. Probably anchored in Ludvika/Smedjebacken.
Other affected organisations
After going through retrieved datasets it has been found that affected organisations can be limited to:
– Tax agency
– Bailiff agency