Mainframe Penetrations

Here are two anonymized case studies of mainframe penetrations that Net'Q has recently investigated.

Case 1

A large international financial institution discovered unusual transactions occurring during a maintenance shutdown.


The organization had in place state of the art and up to date IP firewall, had implemented network encryption protocols, and had implemented the usage of secure ID cards. The transactions were traced to an authorized user/administrator.  The user was contacted. He was neither in the data center nor working remotely.  Net’Q was contacted to investigate the situation.  We examined the system and identified the rogue intermediate software (man in the middle) that was tracking user usage and performing switching functions to enable an outside party to execute transactions appearing completely authorized.  Upon further analysis it was discovered that the infiltration had been going on for over 8 months completely undetected. The system was accessed using SNA/APPN/APPC based protocols from outside the financial organization’s network.


Case 2

In this instance, we essentially have a large financial organization whose system was infiltrated using an intermediate network. 


The intermediate network provided the means to spoof the target system. The target believes that it is interfacing with an authorized user/application and with a trusted partner network, when in fact the session is being routed through a rogue third party network which can then route the session to a rogue third party user or application.  In this case, all sessions sending searches/locates through the intermediate network regardless from which entry network and LU type are subject to being compromised. The financial organization was checking the session history in the attacked destination network when they discovered a session between one of the internal users and an LUCICS application in the intermediate network (LUCICS in NETI). After contacting the administrators for the intermediate network they realized there was an application LUCICS started periodically at one of their Cisco SNA switched entry nodes (EN).

In addition, they found sessions coming in from an entry network (NETE). It was a session which was not coming through their adjacent NETE but rather from a nonadjacent NETE.

After checking the LUCICS it was realized that the logic was initiating sessions to rogue networks NETR and NETE, and actually residing again at a different location.

Such an infiltration from an intermediate network can result in vulnerabilities and potential fraudulent activities across thousands of sessions using any application and with all network session types, in what appears as an authorized session.