
The Complete Beginners’ Guide to Hacking a Mainframe

Any movie or TV show makes hacking seem like a trivial affair. A couple of minutes of screen time and some nerdy kid shouts, “I’m in.” Five minutes later, all the data has been stolen and the organization’s applications have been rewritten, recompiled and executed. We know that’s not how it happens, but the worrying thing is that hacking into any organization’s network, including its mainframes, is getting easier and easier.

Hacking is now a business, run with the techniques and skills you’d find in any successful, legitimate business. And because hacking groups operate like any other business, customers can buy services and products from them, in this case hacking services and products, which means those customers don’t need to be expert hackers themselves to succeed. They can be complete beginners.

How a Breach Occurs

Most organizations have already taken steps to secure their network against would-be hackers. In addition, should a hacker somehow get onto the network and into the mainframe, the IT security team is confident it could identify the IP address of anyone copying information off the mainframe and sending it back to their own computer. Similarly, should the company receive a ransom demand, the IT team is confident it can trace where the bitcoin payment is being sent. However, a false sense of confidence is dangerous for IT security teams and their organizations.

To defeat these tracing measures, our beginner may route traffic through encrypted anonymizing networks such as Tor and I2P, which hide the real source address from the victim’s logs. IT security teams should watch for connections to these networks: they have legitimate uses, but they are also exactly what an attacker uses to stay anonymous.
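As an added example (not part of the original article), here is the kind of check an IT security team could run over connection logs to spot likely Tor use: match destination addresses against a list of known relays and flag connections to Tor’s default relay ports. The relay addresses and log lines below are constructed for illustration (they use non-routable documentation ranges); a real deployment would load the Tor Project’s published relay or exit list instead of a hard-coded set. The caveat a practitioner should keep in mind: Tor bridges with pluggable transports such as obfs4 exist precisely to defeat list-and-port matching, so a clean result is not proof that nobody is using Tor.

```python
"""Flag connections that look like Tor use in a simple flow log.

Added example, not code from the original article. The relay addresses,
the log format and the log lines are constructed for illustration only.
A real deployment would load the Tor Project's published relay/exit list.
"""
import re
from dataclasses import dataclass

# Constructed stand-ins for a published Tor relay list (TEST-NET ranges,
# never routable on the Internet).
KNOWN_TOR_RELAYS = {
    "203.0.113.10",
    "203.0.113.77",
    "198.51.100.5",
}

# Tor's default relay ports. A port match alone is weak evidence (anything
# can listen on 9001), so it is scored "low" unless the address also matches.
TOR_DEFAULT_PORTS = {
    9001: "ORPort",
    9030: "DirPort",
}

# Constructed log format: one flow per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    severity: str
    reasons: tuple


def parse_line(line):
    """Parse one flow-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    flow["bytes"] = int(flow["bytes"])
    return flow


def classify(flow):
    """Return an Alert if the flow looks Tor-related, otherwise None."""
    reasons = []
    relay_hit = flow["dst"] in KNOWN_TOR_RELAYS
    if relay_hit:
        reasons.append("dst in Tor relay list")
    port_tag = TOR_DEFAULT_PORTS.get(flow["dport"])
    if port_tag:
        reasons.append(f"dport {flow['dport']} is Tor default {port_tag}")
    if not reasons:
        return None
    # Address match is strong evidence; a bare port match is only a hint.
    severity = "high" if relay_hit else "low"
    return Alert(flow["ts"], flow["src"], flow["dst"], flow["dport"],
                 severity, tuple(reasons))


def scan(lines):
    """Run classify() over every parseable line and collect the alerts."""
    alerts = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue  # skip malformed lines rather than crash the sweep
        alert = classify(flow)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: one relay hit on 443, one benign flow, one bare
# port hit, one relay hit on a default port, and one unparseable line.
SAMPLE_LOG = [
    "2024-03-04T10:15:22Z src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp bytes=58212",
    "2024-03-04T10:15:23Z src=10.0.0.5 dst=192.0.2.40 dport=443 proto=tcp bytes=1024",
    "2024-03-04T10:16:01Z src=10.0.0.9 dst=192.0.2.80 dport=9001 proto=tcp bytes=771",
    "2024-03-04T10:16:05Z src=10.0.0.9 dst=198.51.100.5 dport=9030 proto=tcp bytes=3311",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.severity:4} {a.ts} {a.src} -> {a.dst}:{a.dport}  {'; '.join(a.reasons)}")
```

On the constructed sample this yields three alerts: two rated high (destinations on the relay list) and one rated low (port 9001 to an unlisted address). Run against real logs, the relay list should be refreshed regularly, since Tor relays come and go, and the low-severity port hits should be triaged rather than blocked outright.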

The next hurdle our beginner faces is getting onto the mainframe. They need a user ID and a password, for example, and for a beginner, phishing for credentials is a long and complicated business. Wouldn’t it be handy if you could just buy what you need to log in? That is what initial access brokers (IABs) sell. Having got into a network or mainframe, they may well have left backdoors they can use to get back in later. The most common ways IABs gain that first access include compromised email accounts, cloud misconfigurations and software supply chain attacks. Having spent the time getting in themselves, they sell the access on the dark web, and our beginner can buy it and get into your mainframe right away.

Our beginner is now on the mainframe, probably undetected. Their aim is money, so they need to do something that lets them send a ransom demand, and that has a couple of stages. First, they corrupt the backups. If they don’t, the next stage won’t work, because the organization will simply restore its files from the most recent backup. The defensive lesson is that backups only help if the attacker cannot reach them: copies kept offline or on write-once storage, and regularly restore-tested, are what make the next stage survivable. Second, they encrypt the organization’s files. That stops all work, because no batch job or TSO user can access anything, and at this point the organization knows it has been breached. Finally, they send the ransom demand. According to the latest Cost of a Data Breach Report from IBM Security, the average cost of a breach is $4.45 million. These steps sound straightforward written down in a few sentences, but how would our beginner know what to do? The answer, again, is to go shopping on the dark web and buy Ransomware as a Service (RaaS). What our beginner is really buying is ransomware tools, infrastructure and operating procedures or playbooks, possibly from more than one RaaS provider. The benefit for the beginner is access to tried and tested ways of breaking in.

Server Attacks

It’s not just mainframes that can be attacked with readily available tools from the dark web, and RaaS is not the only offering. Others include Crypter as a Service (CaaS) and Malware as a Service (MaaS), which are used to get malware onto servers. Attacks of this kind come in three stages:

Stage 1: The dropper, the initial malicious file/command that retrieves the crypter.
Stage 2: The crypter, a tool or process that obfuscates the malware payload so it can bypass the defenses on the network.
Stage 3: The malware, which contains the functionality the attacker actually wants. It is typically some kind of remote administration tool.

Antivirus and antimalware software can stop crypters and malware getting onto a network, but it is an arms race: defenders and attackers both keep updating their software to gain an advantage. The advantage of this approach for the beginner is that they get the latest techniques for beating antivirus and antimalware software without having to develop them. They can also buy support contracts, access to updates and affiliated services if they want.

This means that individuals out to make money, as well as disgruntled staff or ex-employees who lack the knowledge or skill to mount an attack on their own, can use the latest tools and techniques against a target company. The whole process has, in many ways, been deskilled. It also means your mainframe is at greater risk of attack than ever (assuming an attack isn’t already under way). Consider what you can do to protect your systems.