Santander IncidentIT security experts are constantly looking to devise new ways of monitoring security parameters in order to prevent, or at least detect, attempts to compromise computer systems used for security-sensitive tasks. Their counterparts, cybercriminals, are by no means trailing behind, in a fight similar to the weapons development race during the Cold War.

New ways to compromise security in electronic environments are being found and published online on a regular basis, and the ingenuity of some of these procedures is staggering.

How would we describe the ultimate method to compromise security critical assets? Most probably a method that grants complete access to a computer, without:

  • Logging on
  • Installing software or running malicious code
  • Installing devices that register with the operating systems and leave traces / can be detected
  • Leaving traces in the logs.

Most security experts would argue that such a method is utopic, and with all the security measures in place (endpoint security, antivirus, IDS /IPS systems, log data analysis software, application control, etc.), one should be safe.

However, the Santander incident in the UK has proven them wrong. Cybercriminals have developed a way of using electronic systems, in conjunction with inappropriate physical security controls and procedures, in order to gain complete control of one of the bank’s critical assets, and ultimately to an important part of the bank’s network. Their method fully complies with the ideal cybercrime attack described above.

The KVM switch used by the cybercriminals during this incident is a common piece of hardware used by companies to grant single point of interfacing (display, keyboard and mouse) for multiple computer systems, enabling a single user to interact with all of them at a switch of a button. The particularities of the KVM switches have deep security implications because the entire interfacing process passes through the electronic systems in a transparent manner for the endpoint computers being managed, rendering the switch an anonymous  “man in the middle” from this point of view.

The probable scenario that unfolded at Santander’s should be similar to the following:

  • The attacker penetrates physical security and impersonates an IT helpdesk guy;
  • He goes to the target computer and installs a KVM Switch (against company policies, without supervision or without being recorded by a security camera);
  • He plugs the target computer into the KVM Switch (keyboard, mouse and video) then the KVM switch into the company’s interfaces used by the employees (keyboard, mouse, display) so that the target machine can be seamlessly used by the employees;
  • At this point, input for the target computer, as well as video, go through the KVM switch, which acts like a “man in the middle” or proxy for these three means of interfacing;
  • Without modifying the KVM switch it is impossible to take control, as usually the KVM switch supports only one main interface (monitor, keyboard and mouse) and not two (required since both employees and attackers would need one in order to control the computer). So it is quite likely that the attackers used electronics or custom built gadgets to their advantage in order to carry the interfacing signal over longer distances and enable two-point interaction with a single computer;
  • The attackers watch employees using the payment software, accounting software or the internal bank management software;
  • When time comes, they input transactions to their benefit without really interfering with normal operations for longer than several seconds.

The end result may be that large amounts of money are stolen via fake transactions inputted straight into the bank’s systems, without leaving any kind of trace. There would be no logs / traces because the attackers:

  • Do not run a software environment: it is an electronics trick, 100% hardware – input signal interception and redirection
  • They do not logon – they are using employees’ sessions
  • They do not plug in devices that the operating system is aware of
  • They do not perform operations which are out of the ordinary (it is part of normal operations for the employees to input transactions, and the IDS does not watch over account numbers where the money goes to).

Although the gadget being used for this attack has ultimately been detected through observation by an “aware” employee, who knew that such a device should not be attached to a corporate machine, this incident comes to highlight again the ingenuity, resourcefulness and nerve that the cybercriminals are capable of. At the same time this it stresses the need for physical security in conjunction with cyber security, and highlights the fact that neither is effective if the other one is not present.

Had the perimeter been secured with movement sensors and IP cameras, equipped with software to detect anomalies in behavior and personnel activity, and complementary software that monitors and watches over the functionality of these devices via network management protocols, the incident would have failed during its initial stages.

GFI® offers solutions to monitor and manage physical security assets like IP cameras and sensors via SNMP, ensuring that the perimeter security is up and running. Interested in such a product? Have a look at GFI EventsManager® today!