Ransomware and the IBM z/OS Mainframe, Big Iron
By Paul F. Renda
December 15, 2021
Ten years ago, I would have said that it's impossible for a mainframe to become infected with ransomware. Today, I no longer feel so confident, having read a number of articles about methodologies for how such an infection could take place.
IBM’s modern mainframe series started with the 360 up to its current z/OS series. Mainframes are not dying; according to IBM, they still process over 70% of online transactions. According to DevOps.com, “One mainframe can process 2.5 billion transactions in a single day, which is the equivalent of handling 100 Cyber Mondays." Mainframes remain the backbone of processing for banks and insurance companies; although some people have the misconception that mainframe technology is obsolete, IBM is continuing to develop it. The IBM z/OS version 14 mainframe now enables pervasive encryption without any application changes.
Ransomware is a type of malware that encrypts computer files. The decryption key is often only released after the ransom has been paid by the victim. The first ransomware attack occurred in 1989, and the victim had to send $189 to a PO box in Panama to obtain the decryption key. In the decades since, the use of ransomware has increased dramatically, especially since 2015; one reason for this is the popularization of Bitcoin, a cryptocurrency that allows for perfect anonymity. So far, ransomware has affected mostly Windows-type systems and servers.
Because Windows machines run on discretionary access control, all that one has to do to become infected with ransomware on such computers is to click on a malware link. My article “The Orange Book” discusses discretionary and mandatory access control; based on the Department of Defense (DoD) Orange Book, it predicted the problems that we're currently having with Trojans and discretionary access control. An article from Norton talks about the myriad types of Trojan horse software, including ransomware.
Mainframes today do not actually run-on discretionary access control; rather, they run on a mezzanine level of control called role-based access control. This level of control is based on the groups to which an id is connected. For example, a payroll id would only be connected to payroll access groups. Role-based access control is a level of control between discretionary and mandatory.
Ransomware and Mainframes
Ransomware has been in the news lately, no doubt because of the Colonial Pipeline (June 2021) and Atlanta City (March 2018) hackings; these events spawned a whole series of articles about the potential for ransomware to infect mainframes. Most of these articles are just rhetoric and are generally not written by experts. Infecting a mainframe with ransomware is a difficult operation, requiring a multi-step process. First you must obtain or create a privileged account. The next step will involve downloading the public key for encryption; the final step will be running a batch job that will use that public key to encrypt data. However, two frightening resources have come to light.
The first is an article by Ray Overby, a mainframe security specialist, about a hack on Nordea (2012), a Swedish Bank. The hack was well documented in the article, and Overby described the use of job control language (JCL), phishing, and a keylogger in the attack. Some of the hacking software was published on GitHub, an open documentation website which has lately become a repository for hacking software.
The other resource was a PowerPoint demonstration given at Share 2017, a conference for end users of the IBM z/OS mainframe. The author, Chad Rikansrud, detailed several steps for infecting a mainframe with ransomware. One interesting exchange during the presentation came when a CEO noted, “You can’t just open an email on a mainframe,” to which Rikansrud responded, “Right, but there’s still at least 3–4 ways I can imagine this working.” What the author discovered in his research is that a multistep process can be used to infect a mainframe.
Reading these articles helped me put together the following minimal security requirements for mainframe security administrators:
Multi-factor authentication (MFA) must be used by all mainframe-privileged accounts, including
IDs that can write and modify security rules;
IDs with default access to all resources;
IDs that audit access and modify resource logging;
IDs run with a UNIX/Linux SUID of 0.
Check audit all software on pc/mac for keylogger programs
REASON: There are no dumber terminals; today, access to a mainframe session takes place through a PC or a Mac that can run TN3270-emulation software.
BACKGROUND: Keyloggers are used by hackers and run as software on a PC or Mac, it records keystrokes such as somebody’s ID and their password. A keylogger can also be a piece of hardware connected between the keyboard and the mainboard to record all keystrokes. All personal computers and Apple’s must be audited for keylogger software.
Mainframe sessions using TN3270 must also be secured through encryption between a PC or Mac and the mainframe itself.
All vendor-supplied and IBM software must be audited for SUID = 0.
The authorized program facility (APF) library must be monitored for all access because programs running from this library can change a normal ID to a privileged ID.
Computer operators are on the lookout for unusual activity on the Unix side of the mainframe.
REASON: Hackers have discovered z/os Mainframe is a great spam engine.
The belief that IBM z/OS mainframes aren’t hackable and that their security cannot be breached is a major problem, and reality is catching up with the rhetoric discussing mainframe ransomware attacks. The Nordea hack should be taken as a warning sign, as it was the first well documented hack of an IBM z/OS mainframe. More information is being published about how to attack a mainframe, thereby increasing the probability that such an attack will succeed.
Notes from the author:
Most Embodiments of protecting computers and networks entails externally monitoring what comes into a network and its computers. Hackers have a saying that if you have physical access to a computer, you own it. Keyloggers are the most effective way to access privileged IDs and passwords. Most security certificates or certifications that I see today say very little if anything about physical access. Keyloggers can be running software on a PC or as an external device that you attach to the computer keyboard. If you have physical access to a computer, you can also flash the BIOS. That changes the way that computer is going to boot up. If I want to do real damage to a corporation or government agency, I will look into how to become part of the cleaning staff.
About the Author
Paul Renda has over 30 years in information security. He has spoken at a number of above ground and below ground hacker conferences. He studied physics and math at Queens College and the University of Houston, and he has worked as a system administrator for IBM Z/OS and Linux systems.