The $81 Million Heist from a Hypervisor Introspection Perspective

Liviu Arsene

October 27, 2016


Note: This article was developed in collaboration with Marc Trouard-Riolle, Principal Product Marketing Manager, Citrix Systems Inc.


October 2016 is security awareness month, not that anyone really needs to raise awareness on this; last week's distributed denial of service (DDoS) attacks on DYN left numerous global enterprises' websites unreachable, resulting in customer impact and lost business revenue.

The Security Affairs website recently reported the global annual cost of cybercrime to businesses in 2015 as roughly $3 trillion, with 2021 projections reaching $6 trillion. As cybercriminals produced an average of 230,000 new malware samples per day during 2015, with twelve people online becoming victims of cybercrime every second of the day, global security spending is expected to exceed $1 trillion over the next five years.

Businesses are finally starting to wake up to the fact that the damage being caused by cybercriminals far exceeds the amount they are currently willing to spend on securing their data assets. The losses are not just lost sales revenue: advanced persistent threats (APTs) are often about the exfiltration of valuable corporate (and customer) data.

One recent APT on a Bangladesh bank exploited vulnerabilities in the SWIFT financial platform, managing to issue transfers totalling $951 million. In this instance, $81 million was actually transferred successfully across borders, and what it proves is that cybercriminals are willing to spend time and effort developing targeted malware that enables attacks on financially profitable data held by individual organizations. Adrian Nish, BAE's head of threat intelligence, stated that "he had never seen such an elaborate scheme from criminal hackers".

So how did these cybercriminals carry out such an elaborate attack?

It seems that even months after the attack, technical details are still scarce. However, BAE Systems' published findings identify tools believed to have been used in the heist, containing "sophisticated functionality for interacting with local SWIFT Alliance Access software running in the victim infrastructure". This included tools to cover the thieves' tracks and delay any identification of and response to the attack, allowing the attackers more time to complete the heist.

Essentially, the malware was able to patch a specific library module, "liboradb.dll", in a way that made the host application believe a failed security check had in fact succeeded, granting the malware the privileges to execute database transactions on the victim network. Further details on this, including how the malware also attempted to protect itself by manipulating printer output, can be found at the link above.

Bitdefender has developed, in collaboration with Citrix, a technology that can help prevent attacks such as the $81 million theft.

Bitdefender HVI (Hypervisor Introspection) is a technology that scans raw memory at the hypervisor level, without any in-guest (VM) agents, leveraging a recent XenServer API. Because memory introspection takes place from outside the VM, the solution can detect even sophisticated unknown threats, such as APTs, intercept them, block them from tampering with memory, and inject remediation tools into the guest if necessary.

Citrix XenServer 7, released in May 2017, includes a new security feature unique to the server and desktop virtualization market, called Direct Inspect APIs, which enables Bitdefender HVI to apply memory introspection techniques from a hypervisor-layer security appliance.

It should be highlighted that Bitdefender's integration is squarely focused on malicious memory activity and is complementary to traditional disk/file-based endpoint solutions.

It's difficult to know whether the solution would have completely prevented the theft of $81 million; however, it would certainly have detected the attempt to patch the "liboradb.dll" module, which involves writing to an area of memory that should be read-only. This patch was critical to the heist, and preventing its execution would have stopped that portion of the APT and the hackers' gaining access to SWIFT's Alliance software.
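The detection described above rests on one idea: code pages of a loaded module should never be written by the guest, so a write attempt to one of them is itself the alert. The following Python model, added here as an illustration and not Bitdefender's or Citrix's code, shows that logic from the hypervisor's point of view: the engine records a baseline hash of each module's code pages at load time, marks them non-writable in its own view of guest memory, blocks any in-guest write that lands on such a page, and raises an event naming the module and offset, while ordinary writes to data pages pass through. The module name "liboradb.dll", the addresses, and the byte patterns are constructed for the example; real HVI enforces this through the hypervisor's page tables (XenServer's Direct Inspect APIs), which the model stands in for.

```python
"""Toy model of hypervisor-side write protection of guest code pages.

Added example (not Bitdefender HVI or Citrix code). The guest's physical
memory is a dict of pages; a page's `writable` flag models the permission the
introspection engine enforces from outside the VM.
"""
import hashlib
from dataclasses import dataclass

PAGE_SIZE = 4096


@dataclass
class Page:
    owner: str        # guest module or region the page belongs to (label)
    writable: bool    # permission enforced by the introspection engine
    data: bytearray


@dataclass
class WriteEvent:
    """One blocked write: what the engine would report to the security appliance."""
    owner: str
    offset: int       # offset within the page
    old: bytes
    new: bytes


class IntrospectedGuest:
    def __init__(self):
        self.pages = {}       # page number -> Page
        self.baselines = {}   # module name -> SHA-256 of its code pages at load
        self.events = []      # blocked write attempts, in order

    def map_region(self, owner, base, data, writable):
        """Map `data` at page-aligned guest address `base`, one page at a time."""
        if base % PAGE_SIZE:
            raise ValueError("base must be page aligned")
        for i in range(0, len(data), PAGE_SIZE):
            chunk = bytearray(data[i:i + PAGE_SIZE].ljust(PAGE_SIZE, b"\0"))
            self.pages[(base + i) // PAGE_SIZE] = Page(owner, writable, chunk)

    def load_module(self, name, base, code):
        """Load a module's code section read-only and record its baseline hash."""
        self.map_region(name, base, code, writable=False)
        self.baselines[name] = self.code_hash(name)

    def code_hash(self, owner):
        h = hashlib.sha256()
        for pno in sorted(self.pages):
            page = self.pages[pno]
            if page.owner == owner and not page.writable:
                h.update(page.data)
        return h.hexdigest()

    def guest_write(self, addr, data):
        """A write issued by code running inside the guest.

        Returns True if the write landed, False if the engine blocked it
        (and recorded a WriteEvent). Cross-page writes are not modelled.
        """
        page = self.pages.get(addr // PAGE_SIZE)
        if page is None:
            raise ValueError(f"unmapped guest address {addr:#x}")
        off = addr % PAGE_SIZE
        if off + len(data) > PAGE_SIZE:
            raise ValueError("cross-page write not modelled")
        if not page.writable:
            old = bytes(page.data[off:off + len(data)])
            self.events.append(WriteEvent(page.owner, off, old, bytes(data)))
            return False
        page.data[off:off + len(data)] = data
        return True

    def integrity_ok(self, name):
        """True if the module's code pages still match the load-time baseline."""
        return self.code_hash(name) == self.baselines[name]


def demo():
    """Constructed scenario: one protected module, one writable data region."""
    g = IntrospectedGuest()
    g.load_module("liboradb.dll", 0x10000, b"\x55\x48\x89\xe5" * 64)  # fake code
    g.map_region("heap", 0x20000, bytes(PAGE_SIZE), writable=True)
    patched = g.guest_write(0x10040, b"\xaa\xbb")   # in-guest patch attempt
    stored = g.guest_write(0x20010, b"hello")       # ordinary data write
    return {"patched": patched, "stored": stored,
            "events": g.events, "intact": g.integrity_ok("liboradb.dll")}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows the patch attempt returning False with an event naming "liboradb.dll" and offset 0x40, the heap write returning True, and the module's baseline hash unchanged. The baseline hash is the second, independent check a practitioner would keep: even if a write slipped past the page-permission trap, a periodic rehash of code pages from outside the guest would still reveal the modification.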

As global security threats and their perpetrators become more sophisticated, organizations must continue to evolve their security postures using more in-depth approaches. XenServer Direct Inspect APIs together with Bitdefender HVI offer one such approach.

Bitdefender HVI is currently in technical preview; for more information on how it works and how you can test it, check out the official webpage here.

Liviu Arsene

Liviu Arsene is a Global Cybersecurity Researcher for Bitdefender, with a strong background in security and technology. Researching global trends and developments in cybersecurity, he focuses on advanced persistent threats and security incidents while assessing their impact in critical public and private business infrastructures. His passions revolve around innovative technologies and gadgets, focusing on their security applications and long-term strategic impact.
