Data breach at Target, demystified
DESCRIPTION
Cyphort research team discusses how the data breach at Target took place. These slides are from our Malware's Most Wanted series webinar.
TRANSCRIPT
Target threats that target you.
Dissecting the Target® Malware
Cyphort Labs Malware's Most Wanted Series
March 2014
Your speakers today
Nick Bilogorskiy Director of Security Research
Anthony James VP of Marketing and Products
Agenda
o Inside Cyphort Labs
o Target® breach overview and timeline
o Dissecting the malware
o Lessons learned
o Wrap-up and Q&A
o Sign-up to receive your free t-shirt
Cyphort Labs T-‐shirt
About Cyphort Labs
o We work with the security ecosystem
o Contribute to and learn from malware KB
o We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
o Global malware research team
o 24x7 monitoring for malware events
Cyphort Labs Stats
50 million files analyzed daily
10,000+ malware samples received daily
Signatures are created for all malware
A day in the life of a malware researcher
Help Customers
Advise Cyphort Security Team
Share Threat Intelligence
Security News Research
Review Cyphort Reports
Reverse Engineer Samples
Target Breach Introduction
What The… Happened?
o Data breach at Target Stores
o Affected 110 million credit cards
o Data sold in underground market
Catastrophic Impact
o Cost to Target ~$420 Million
o CIO resignation
o Massive security overhaul at Target
How Did The Breach Happen?
o Utility contractor's Target credentials compromised
o Hackers accessed the Target network
o Uploaded malware to a few POS systems
o Tested malware efficacy and uploaded to the majority of POS systems
o Data drop locations across the world
[Breach diagram labels: Login from the HVAC contractor; Target's POS updater server; Target's internal server with fileshare; Credit card info transfer to internal fileshare; Card info exfiltration using FTP to external drop location; Point of sale network; Compromised drop locations]
Poll question
How do you think the HVAC contractor's credentials were compromised?
A) Phishing
B) Keylogger malware
C) Password theft
Target: The Breach Timeline
o Nov. 27 - Dec. 15, 2013: Data breach at Target; millions of accounts exposed
o Dec. 18, 2013: Reports of several retailers' POS affected
o Dec. 18-19, 2013: Target admits the breach
o Dec. 27, 2013: Reported that encryption PIN number also stolen
o Jan. 10, 2014: Target reports 70 M additional accounts compromised
o Feb. 6, 2014: Reported that HVAC vendor's credentials involved
o Mar. 5, 2014: Target CIO resigns
What is BlackPOS/Potato?
o Malware is a modified version of BlackPOS or Kaptoxa (Russian for potato). It runs on point of sale terminals and scans memory for credit card data.
o First samples of this malware date back to Jan 2013 and were coded by Rinat Shibaev aka “ree4”, aka “AntiKiller” from Russia.
o Malware was sold by AntiKiller on a hacker forum. However, AntiKiller is not directly involved in the Target breach.
Malware on sale
ree4
Who wrote BlackPOS/Potato?
o The suspect in the breach is a person called “Rescator” aka “Hel”. He is part of a larger hacker network called “Lampeduza Republic”.
o Rescator sold the stolen Target card info in bulk in underground markets at a price of $20-45 per card.
o Brian Krebs named Andrey Hodirevski from Ukraine as Rescator.
Hel
Malware Workflow
1. Infect System
o Adds to autostart via service
o Download and run memory scraper
2. Steal Info
o Use memory scraping to find credit card data
o Output to a file locally
o Send the dump file to exfiltration server via SMB
3. Exfiltrate Info
o Periodically scan winxml.dll for updates
o Upload information to the FTP server
Dissecting the malware
o This malware had 2 modules:
o Mmon module – used for scanning the memory of the POS machine, extracting credit card numbers and dumping them to a file, then sending them to another compromised system inside Target's network via a network share
o Bladelogic Uploader module – used to upload those dumps to an FTP server.
Dissecting the malware
o Mmon module adds itself as a service “POSWDS”
Dissecting the malware
o Mmon module will specifically look for a process named “pos.exe”, which is the process name of the Target application. It will walk through the memory of that process and save the dumps into a file %system%\winxml.dll
o It also creates a thread that will upload the stolen information to another compromised system within Target's network using a network share with the following credentials:
o hostname: 10.116.240.31
o username: wcopscli3acs\Best1_user
o password: BackupU$r
o Afterwards, it deletes the mapping of the drive to avoid detection.
Dissecting the malware
o Bladelogic uploader - registers itself as a service named “bladelogic”
o The Bladelogic name is used for obfuscation here; it implies a connection with BMC BladeLogic, a data center automation software
o Uploads the stolen information to an FTP server in Los Angeles:
o Server: 199.188.204.182
o username: digitalw
o password: Crysis1089
Dissecting the malware
o Both the mmon module and the uploader were coded to only exfiltrate card data between the hours of 10 AM and 5 PM.
o The attackers wanted their exfiltration to look like normal everyday network traffic. They tried to avoid detection by blending it with the noise of the high-activity time of day.
Dissecting the malware
o Both of the malware modules used in this attack were not caught by anti-virus. These tools were custom written to avoid signature detection.
o Attackers downloaded the data from the Los Angeles FTP server into their virtual private server located in Russia over a period of 2 weeks.
o This attack was complex. It demonstrates how determined attackers can maneuver around security controls to gain access to what they want.
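A detection pass over the behaviours the "Dissecting the malware" slides describe, written as an added example (not Cyphort's code): it flags the two service names, the winxml.dll dump file, the map-copy-unmap sequence against the internal share, the FTP connection to the drop server, and notes when a hit falls inside the 10 AM-5 PM window the modules used. The log format and every log line are constructed for the example.

```python
import re
from datetime import datetime

# Indicators taken from the slides; the log format and every log line are constructed.
SUSPICIOUS_SERVICES = {"poswds", "bladelogic"}
DUMP_FILE = "winxml.dll"
STAGING_HOST = "10.116.240.31"   # internal share the mmon module copied dumps to
FTP_DROP = "199.188.204.182"     # external FTP server the uploader module sent them to
EXFIL_WINDOW = (10, 17)          # 10 AM to 5 PM, the hours both modules were coded to use

SAMPLE_LOG = r"""
2013-11-30T02:14:05 POS-0417 service_install name=POSWDS path=C:\Windows\System32\mmon.exe
2013-11-30T02:14:07 POS-0417 file_write path=C:\Windows\System32\winxml.dll pid=1880
2013-11-30T11:02:00 POS-0417 net_use action=map remote=\\10.116.240.31\share
2013-11-30T11:02:03 POS-0417 file_copy src=C:\Windows\System32\winxml.dll dst=\\10.116.240.31\share
2013-11-30T11:02:04 POS-0417 net_use action=delete remote=\\10.116.240.31\share
2013-11-30T11:30:00 SRV-UPD1 service_install name=bladelogic path=C:\Windows\System32\bl.exe
2013-11-30T14:10:00 SRV-UPD1 net_conn proto=tcp dst=199.188.204.182 dport=21
2013-11-30T09:00:00 POS-0418 service_install name=Spooler path=C:\Windows\System32\spoolsv.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")   # "<timestamp> <host> <event> k=v ..."

def parse(line):
    ts, host, event, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}

def detect(log_text):
    # One finding per event that matches a behaviour described in the slides.
    findings, last_map = [], {}   # last_map: host -> when it mapped the staging share
    for e in (parse(l) for l in log_text.splitlines() if l.strip()):
        tag = None
        if e["event"] == "service_install" and e["name"].lower() in SUSPICIOUS_SERVICES:
            tag = f"service name {e['name']} matches BlackPOS persistence"
        elif e["event"] in ("file_write", "file_copy") and DUMP_FILE in (e.get("path") or e.get("src", "")).lower():
            tag = f"card dump file {DUMP_FILE} touched"
        elif e["event"] == "net_use" and STAGING_HOST in e["remote"]:
            if e["action"] == "map":
                last_map[e["host"]] = e["ts"]
            elif e["action"] == "delete" and e["host"] in last_map:
                held = (e["ts"] - last_map.pop(e["host"])).total_seconds()
                tag = f"staging share mapped then removed after {held:.0f}s (mapping deleted to avoid detection)"
        elif e["event"] == "net_conn" and e["dst"] == FTP_DROP and e["dport"] == "21":
            tag = "FTP session to the known external drop server"
        if tag:
            if EXFIL_WINDOW[0] <= e["ts"].hour < EXFIL_WINDOW[1]:
                tag += "; inside the 10 AM-5 PM blend-in window"
            findings.append({"ts": e["ts"].isoformat(), "host": e["host"], "reason": tag})
    return findings
```

Four of the six hits land inside business hours, which is the point of the slide: a time-of-day filter alone would not have separated this traffic from the daytime noise.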
Key lessons from the breach - 1
o It is not sufficient to monitor the egress point for threats
o Need to go deep and wide in the network
Poll question
Target admitted they ignored the alert from their network security device. What do you think the reason for that was?
A) Alert overload from various security devices
B) No common understanding of risk across the teams
C) Negligence
Key lessons from the breach - 2
o More alerts don't necessarily contribute to enhanced security
o Automate correlation of alerts and local context to assign a risk ranking
o Have SLAs in place for taking action on threats above the risk threshold
Key lessons from the breach - 3
o Not all networks, assets and users are equal
o Segment and categorize:
o Networks
o Users
o Assets
o Prioritize action based on overall risk
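The ranking that lessons 2 and 3 call for, as an added example (not Cyphort's code): alerts are correlated per host, weighted by the asset's segment and criticality and by whether a vendor account was involved, and mapped to a response SLA. The inventory, weights and alerts are constructed for the example.

```python
from collections import defaultdict

# Inventory, account list, weights and alerts are all constructed for this example.
ASSETS = {
    "POS-0417":  {"segment": "pos",       "criticality": 5},
    "SRV-UPD1":  {"segment": "pos-mgmt",  "criticality": 4},
    "WS-MKT-12": {"segment": "corporate", "criticality": 1},
}
VENDOR_ACCOUNTS = {"hvac-vendor"}      # third-party logins get extra weight
ALERT_WEIGHT = {"malware.download": 3, "unusual.service": 2, "outbound.ftp": 3, "policy.violation": 1}
SLA = [(15, 1), (8, 8), (0, 72)]       # (minimum risk, hours allowed before someone must act)

SAMPLE_ALERTS = [
    {"host": "WS-MKT-12", "type": "policy.violation", "user": "jdoe"},
    {"host": "POS-0417",  "type": "malware.download", "user": "svc-pos"},
    {"host": "POS-0417",  "type": "unusual.service",  "user": "svc-pos"},
    {"host": "SRV-UPD1",  "type": "outbound.ftp",     "user": "hvac-vendor"},
    {"host": "WS-MKT-12", "type": "malware.download", "user": "jdoe"},
]

def alert_risk(alert):
    # Severity of the alert type scaled by what it hit and who triggered it.
    asset = ASSETS.get(alert["host"], {"segment": "unknown", "criticality": 3})
    score = ALERT_WEIGHT.get(alert["type"], 1) * asset["criticality"]
    if asset["segment"].startswith("pos"):       # card-handling segment
        score += 2
    if alert.get("user") in VENDOR_ACCOUNTS:      # contractor credentials in play
        score += 3
    return score

def sla_hours(risk):
    for threshold, hours in SLA:
        if risk >= threshold:
            return hours

def rank(alerts):
    # Correlate alerts per host, score the group, and attach the response SLA.
    per_host = defaultdict(list)
    for a in alerts:
        per_host[a["host"]].append(a)
    ranked = []
    for host, group in per_host.items():
        kinds = sorted({a["type"] for a in group})
        # Distinct alert types on the same host corroborate each other: small correlation bonus.
        risk = sum(alert_risk(a) for a in group) + 2 * (len(kinds) - 1)
        ranked.append({"host": host, "segment": ASSETS.get(host, {}).get("segment", "unknown"),
                       "alerts": kinds, "risk": risk, "sla_hours": sla_hours(risk)})
    return sorted(ranked, key=lambda r: -r["risk"])
```

The same malware.download alert scores 3 on the marketing workstation and 17 on the POS terminal, so the POS host goes to the top of the queue with a one-hour SLA while the corporate host can wait.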
Q and A
o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware