StealthWatch & Point-of-Sale Malware Tom Cross Director of Security Research [email protected] (770) 225-6557

Post on 19-Oct-2014


DESCRIPTION

Retailers are under cyber-attack at an alarming rate. Day after day, we hear of another major national retail chain experiencing a colossal data breach. Learn key concepts and techniques that will help you rapidly enhance your current cyber security efforts.

• Get a complete view of what is currently happening in the retail industry
• Understand the concepts of NetFlow and how it can greatly enhance security efforts
• Learn how attacks are injected into the network from the POS system, and ways to detect and remediate these attacks
• Establish a means to recognize data exfiltration and learn techniques to prevent it

TRANSCRIPT

Page 1: StealthWatch & Point-of-Sale (POS) Malware


Page 3: StealthWatch & Point-of-Sale (POS) Malware

“The growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially-motivated cyber crime attractive to a wide range of actors. We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.” - FBI

Page 4: StealthWatch & Point-of-Sale (POS) Malware

Thinking about the attacker’s Kill Chain

• What steps did these attackers go through as they compromised the network and stole information?

[Slide diagram: kill chain stages shown as Recon, Exploitation, Initial Infection, Internal Pivot, Data Preparation & Exfiltration, and Command and Control]

Page 5: StealthWatch & Point-of-Sale (POS) Malware

What avenues have attackers used to exploit retail environments?

• Insecure Wifi
  – Albert Gonzalez cracked WEP-encrypted wifi to get into retail networks
  – Many retailers provide customer wifi

• SQL Injection
  – Albert Gonzalez launched SQL Injection attacks against websites
  – Databases are where the data is
  – A database server driving a website can be a lily pad used to hop behind the firewall

• Malicious Insider
  – Malware can be walked into a retail establishment via USB key

• Compromised Insider
  – An HVAC vendor was reportedly compromised to gain access to a retail network

Page 6: StealthWatch & Point-of-Sale (POS) Malware

Basic Corporate Network Diagram

© 2013 Lancope, Inc. All rights reserved.

[Slide diagram: basic corporate network showing a Web Server and a Database Server]
Page 7: StealthWatch & Point-of-Sale (POS) Malware

Speculation about vulnerabilities (I am skeptical about the veracity of these):

• Domain account with a weak password created by BMC Software Automation Suite
  – BMC issued a statement denying that this was true
• Compromise of point-of-sale software distribution system
• Compromise of application whitelisting management software
• Worm-like propagation

Page 8: StealthWatch & Point-of-Sale (POS) Malware

Moving the data out:

[Slide diagram: three POS Terminals, a Staging Server, a Compromised Third-Party Server, an Exfiltration Server, and an FTP link between them]
Page 9: StealthWatch & Point-of-Sale (POS) Malware

Retailers face unique IT security challenges:

• Highly distributed network environment
  – Very expensive to deploy security solutions at each POP (point of presence)
• Point of sale terminals may be difficult to segment
  – PCI DSS does not require segmentation
  – Lack of segmentation capability in POP infrastructure
  – Need to interconnect with SIEM, inventory management, NTP
• Points of presence may not have full-time IT staff
  – Increased possibility of misconfiguration
• Point of sale terminals may be difficult to patch
  – Windows XP, anyone?
• Compliance-focused approach to security
  – PCI DSS is important, but it isn’t everything

Page 10: StealthWatch & Point-of-Sale (POS) Malware

StealthWatch can help meet these challenges:

• Economical visibility from the infrastructure itself.
  – No need for a truck roll to deploy appliances at each POP.
• Network relationship monitoring that can provide virtual segmentation in environments where physical segmentation is difficult to achieve or unreliable.
  – Segmentation can be monitored from the comfort of the head office.
• Anomaly detection that can identify attacks that other security solutions miss.
  – StealthWatch is designed to automatically identify suspicious movement of data within networks.
• A historical perspective that can help investigate incidents.
  – Incidents can take months to identify; when they happen, it’s important to be able to go back and investigate the attack.

Page 11: StealthWatch & Point-of-Sale (POS) Malware

Retail Network Diagram

[Slide diagram: USA HQ, New York Branch, Atlanta Branch, London Branch, and POS Terminals]
Page 12: StealthWatch & Point-of-Sale (POS) Malware

Your Infrastructure Provides the Source...

[Slide diagram: NetFlow exported from each tier of the network (Internet edge, WAN, DMZ, Datacenter, Access) across the Atlanta, San Jose and New York sites; devices shown include ASR-1000, Cat6k, ASA, 3925 ISR, 3560-X, 3850 Stack(s), Cat4k and UCS with Nexus 1000v]

Page 13: StealthWatch & Point-of-Sale (POS) Malware

…for Total Visibility from Edge to Access.

[Slide diagram: the same Atlanta / San Jose / New York network as the previous slide (Internet edge, WAN, DMZ, Datacenter and Access tiers with the same devices)]

Page 14: StealthWatch & Point-of-Sale (POS) Malware

Transactional Audits of ALL activities


Page 15: StealthWatch & Point-of-Sale (POS) Malware

Actually see what’s happening inside each POP:

[Slide figure: host view including a Secure Zone]

Page 16: StealthWatch & Point-of-Sale (POS) Malware

Flow Statistical Analysis

Page 17: StealthWatch & Point-of-Sale (POS) Malware

Automated Data Loss Detection


Page 18: StealthWatch & Point-of-Sale (POS) Malware


Suspect Data Hoarding

Unusually large amount of data inbound from other hosts

Page 19: StealthWatch & Point-of-Sale (POS) Malware


Target Data Hoarding

Unusually large amount of data outbound from a host to multiple hosts
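The two alarms on these slides are volume-and-peer-count tests against a learned baseline. The script below is an added example (not StealthWatch code) that applies that idea to constructed NetFlow-style records: the staging host that collects card data from several terminals trips "suspect" hoarding, and its upload to several outside hosts trips "target" hoarding. The baselines, thresholds and addresses are all assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port
    nbytes: int  # bytes sent from src to dst

# Constructed records: three POS terminals (10.20.0.1x) each push about 4 MB to
# 10.20.0.50, which then uploads the pile over FTP to two outside hosts; the
# small reply from 10.1.1.5 is the only normal traffic in the sample.
SAMPLE_FLOWS = [
    Flow("10.20.0.11", "10.20.0.50", 445, 4_100_000),
    Flow("10.20.0.12", "10.20.0.50", 445, 3_900_000),
    Flow("10.20.0.13", "10.20.0.50", 445, 4_300_000),
    Flow("10.1.1.5", "10.20.0.12", 51234, 8_000),
    Flow("10.20.0.50", "203.0.113.7", 21, 6_200_000),
    Flow("10.20.0.50", "198.51.100.9", 21, 6_100_000),
]

# Assumed per-host daily baselines in bytes; a flow collector would learn them
# from history. Hosts without an entry fall back to DEFAULT_BASELINE.
BASELINE = {"10.1.1.5": 50_000}
DEFAULT_BASELINE = 100_000

def hoarding_alarms(flows, factor=5, min_peers=2, baseline=BASELINE):
    """Return {(host, kind): (total_bytes, peer_count)} for hosts whose volume
    exceeds factor x baseline and involves at least min_peers other hosts.
    kind is 'suspect' (inbound from many hosts) or 'target' (outbound to many)."""
    volume = {"suspect": defaultdict(int), "target": defaultdict(int)}
    peers = {"suspect": defaultdict(set), "target": defaultdict(set)}
    for f in flows:
        volume["suspect"][f.dst] += f.nbytes
        peers["suspect"][f.dst].add(f.src)
        volume["target"][f.src] += f.nbytes
        peers["target"][f.src].add(f.dst)
    alarms = {}
    for kind in ("suspect", "target"):
        for host, total in volume[kind].items():
            limit = factor * baseline.get(host, DEFAULT_BASELINE)
            if total > limit and len(peers[kind][host]) >= min_peers:
                alarms[(host, kind)] = (total, len(peers[kind][host]))
    return alarms

if __name__ == "__main__":
    for (host, kind), (total, n) in sorted(hoarding_alarms(SAMPLE_FLOWS).items()):
        print(f"{kind} data hoarding: {host} moved {total:,} bytes with {n} peers")
```

Raising the factor or the peer count trades sensitivity for fewer alarms; the per-host baseline is what keeps a busy but normal server (like the payment switch here) quiet.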

Page 20: StealthWatch & Point-of-Sale (POS) Malware

Profile the relationships between host groups

[Slide figure: host group relationships including a Secure Zone]

Page 22: StealthWatch & Point-of-Sale (POS) Malware


Hunting in the network audit trails

CrowdStrike identified three different IP addresses associated with BlackPOS: 199.188.204.182 50.87.167.144 63.111.113.99
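Both the host-group relationship profiling on slide 20 and the hunt on this slide reduce to a pass over the flow audit trail. This added example (not Lancope code) classifies each endpoint into an assumed host group, reports cross-group conversations the assumed policy does not allow (virtual segmentation), and flags any flow touching the three BlackPOS addresses quoted above. The subnets, policy and sample flows are constructed.

```python
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port
    nbytes: int  # bytes from src to dst

# Constructed host groups for one retail branch; a deployment would derive
# these from its own address plan (these subnets are assumptions).
HOST_GROUPS = {
    "POS Terminals": ipaddress.ip_network("10.20.0.0/24"),
    "Secure Zone":   ipaddress.ip_network("10.1.1.0/24"),   # payment switch, NTP, SIEM
    "HQ Users":      ipaddress.ip_network("10.50.0.0/16"),
}
# Assumed relationship policy: group pairs that may talk, in either direction.
# Any other cross-group conversation is a virtual segmentation violation.
ALLOWED = {("POS Terminals", "Secure Zone"), ("HQ Users", "Secure Zone"),
           ("HQ Users", "Internet")}
# The three BlackPOS addresses quoted on the slide above.
BLACKPOS_IPS = {"199.188.204.182", "50.87.167.144", "63.111.113.99"}

def group_of(ip):
    """Map an address to its host group; public addresses count as Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in HOST_GROUPS.items():
        if addr in net:
            return name
    return "Internet" if addr.is_global else "Unclassified"

def audit_flows(flows):
    """Return (reason, flow) findings: known-bad peers and disallowed group pairs."""
    findings = []
    for f in flows:
        if f.src in BLACKPOS_IPS or f.dst in BLACKPOS_IPS:
            findings.append(("known BlackPOS address", f))
        pair = (group_of(f.src), group_of(f.dst))
        if pair[0] != pair[1] and pair not in ALLOWED and pair[::-1] not in ALLOWED:
            findings.append((f"{pair[0]} -> {pair[1]} not permitted", f))
    return findings

# Constructed records: a normal card-auth flow, an intra-group copy, an HQ
# desktop reaching into the POS segment, and an upload to a listed address.
SAMPLE_FLOWS = [
    Flow("10.20.0.11", "10.1.1.5", 443, 12_000),
    Flow("10.20.0.11", "10.20.0.50", 445, 4_100_000),
    Flow("10.50.3.7", "10.20.0.50", 3389, 52_000),
    Flow("10.20.0.50", "199.188.204.182", 21, 6_200_000),
]
```

Because the policy is evaluated on the flow records the routers and switches already export, the check runs centrally for every POP without any appliance on site.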

Page 23: StealthWatch & Point-of-Sale (POS) Malware

Cisco Identity Services Engine (ISE)

• Cisco ISE is a context-aware, policy-based 802.1x authentication solution
• Detect
  – Device type, operating system and patch level
  – Time and location from which the user is attempting to gain access

User Name   MAC Address                                        Device Type
Bob.Smith   8c:77:12:a5:64:05 (Samsung Electronics Co.,Ltd)    Android
John.Doe    10:9a:dd:27:cb:70 (Apple Inc)                      Apple-iPhone

Page 24: StealthWatch & Point-of-Sale (POS) Malware


User Reports

Page 25: StealthWatch & Point-of-Sale (POS) Malware

http://www.lancope.com

@Lancope (company) @netflowninjas (company blog)

https://www.facebook.com/Lancope

http://www.linkedin.com/groups/NetFlow-Ninjas-2261596/about

https://plus.google.com/u/0/103996520487697388791/posts

http://feeds.feedburner.com/NetflowNinjas

Thank You


Tom Cross Director of Security Research, StealthWatch Labs
