Data breach at Target, demystified.
Cyphort research team discusses how the data breach at Target took place. These slides are from our Malware's Most Wanted series webinar.

Published in: Technology

  1. Target threats that target you. Dissecting the Target® Malware. Cyphort Labs, Malware's Most Wanted Series, March 2014
  2. Target threats that target you.
  3. Your speakers today: Nick Bilogorskiy, Director of Security Research; Anthony James, VP of Marketing and Products
  4. Agenda
     o Inside Cyphort Labs
     o Target® breach overview and timeline
     o Dissecting the malware
     o Lessons learned
     o Wrap-up and Q&A
     o Sign up to receive your free Cyphort Labs t-shirt
  5. About Cyphort Labs
     o We work with the security ecosystem: contribute to and learn from the malware knowledge base
     o We enhance malware detection accuracy: false positives/negatives; deep-dive research
     o Global malware research team: 24x7 monitoring for malware events
  6. Cyphort Labs stats
     o 50 million files analyzed daily
     o 10,000+ malware samples received daily
     o Signatures are created for all malware
  7. A day in the life of a malware researcher
     o Help customers
     o Advise the Cyphort security team
     o Share threat intelligence
     o Security news research
     o Review Cyphort reports
     o Reverse engineer samples
  8. Target Breach Introduction
     What the... happened?
     o Data breach at Target stores
     o Affected 110 million customers (payment card data and personal records)
     o Data sold in underground markets
     Catastrophic impact
     o Cost to Target ~$420 million
     o CIO resignation
     o Massive security overhaul at Target
  9. How did the breach happen?
     o Utility (HVAC) contractor's Target credentials compromised
     o Hackers accessed the Target network
     o Uploaded malware to a few POS systems
     o Tested malware efficacy, then uploaded it to the majority of POS systems
     o Data drop locations across the world
     [Diagram: login with the HVAC contractor's credentials -> Target's POS updater server -> point-of-sale network -> credit card data transferred to an internal server with a file share -> card data exfiltrated over FTP to compromised external drop locations]
  10. Poll question: How do you think the HVAC contractor's credentials were compromised?
     A) Phishing
     B) Keylogger malware
     C) Password theft
  11. Target: the breach timeline
     o Nov. 27 - Dec. 15, 2013: data breach at Target; millions of accounts exposed
     o Dec. 18-19, 2013: Target admits the breach
     o Dec. 18, 2013: reports of several retailers' POS systems affected
     o Dec. 27, 2013: reported that encrypted PIN data was also stolen
     o Jan. 10, 2014: Target reports 70 million additional accounts compromised
     o Feb. 6, 2014: reported that the HVAC vendor's credentials were involved
     o Mar. 5, 2014: Target CIO resigns
  12. What is BlackPOS/Potato?
     o The malware is a modified version of BlackPOS, also known as Kaptoxa (Russian slang for "potato"). It runs on point-of-sale terminals and scans memory for credit card data.
     o The first samples of this malware date back to January 2013 and were coded by Rinat Shibaev, aka "ree4", aka "AntiKiller", from Russia.
     o The malware was sold by AntiKiller on a hacker forum. However, AntiKiller is not directly involved in the Target breach.
     [Figure: forum screenshot of ree4's "malware on sale" post]
  13. Who wrote BlackPOS/Potato?
     o The suspect in the breach is a person called "Rescator", aka "Hel". He is part of a larger hacker network called "Lampeduza Republic".
     o Rescator sold the stolen Target card data in bulk in underground markets at a price of $20-45 per card.
     o Brian Krebs named Andrey Hodirevski from Ukraine as Rescator.
     [Figure: profile image captioned "Hel"]
  14. Malware workflow
     1. Infect system
        o Adds itself to autostart via a service
        o Downloads and runs the memory scraper
     2. Steal info
        o Uses memory scraping to find credit card data
        o Outputs it to a file locally
        o Sends the dump file to the exfiltration server via SMB
     3. Exfiltrate info
        o Periodically scans winxml.dll for updates
        o Uploads the information to the FTP server
  15. Dissecting the malware
     o This malware had 2 modules:
        o Mmon module: scans the memory of the POS machine, extracts credit card numbers and dumps them to a file, then sends them to another compromised system inside Target's network via a network share
        o Bladelogic uploader module: uploads those dumps to an FTP server
  16. Dissecting the malware
     o The Mmon module adds itself as a service named "POSWDS"
  17. Dissecting the malware
     o The Mmon module specifically looks for a process named "pos.exe", the process name of Target's POS application. It walks through the memory of that process and saves the dumps into the file %system%\winxml.dll.
     o It also creates a thread that uploads the stolen information to another compromised system within Target's network using a network share with the following credentials:
        o hostname:
        o username: ttcopscli3acs\Best1_user
        o password: BackupU$r
     o Afterwards, it deletes the drive mapping to avoid detection.
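To make the memory-scraping step concrete, here is an added Python example, written for this page and not taken from Cyphort's research tooling or from the malware itself. It runs the same kind of search a RAM scraper (or a defender's DLP scan of a memory dump) performs: find Track 2 records and bare 13-19 digit runs, keep only the ones that pass the Luhn check, and report them. The buffer standing in for a snapshot of pos.exe memory is constructed, the card numbers in it are the public 4111.../5555... test numbers, and the result format is my own; reading a live process on Windows and writing raw dumps to winxml.dll, which the real module did, is deliberately left out.

```python
import re

# Track 2 (ISO/IEC 7813) as it sits in memory right after a swipe:
#   ;PAN=YYMMSSS<discretionary data>?   with a 13-19 digit PAN
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Bare PAN candidates: a run of 13-19 digits not touching other digits
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape(buf: bytes) -> list:
    """Return card data found in buf: Track 2 hits first, then bare PANs."""
    hits = []
    covered = []                # byte ranges already claimed by a Track 2 hit
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        hits.append({"kind": "track2", "pan": pan,
                     "exp": m.group(2).decode() + "/" + m.group(3).decode(),  # YY/MM
                     "offset": m.start()})
        covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start() < e for s, e in covered):
            continue            # digits inside a Track 2 record, already reported
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"kind": "pan", "pan": pan, "offset": m.start()})
    return hits


def mask(pan: str) -> str:
    """First six and last four only; what a dump reviewed by a defender should contain."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed stand-in for a pos.exe memory snapshot (assumed layout). The two
# card numbers are public test numbers; 1234567890123456 is a 16-digit run
# that fails Luhn and must be ignored, as must the 10-digit order number.
SAMPLE_MEMORY = (
    b"\x00\x00POS transaction 1234\x00"
    b";4111111111111111=25121011234567890?\x00"
    b"order=9876543210\x00"
    b"5555555555554444\x00"
    b"1234567890123456\x00"
)

if __name__ == "__main__":
    for h in scrape(SAMPLE_MEMORY):
        print(h["kind"], mask(h["pan"]), h.get("exp", ""), "@ offset", h["offset"])
```

The Luhn filter is what keeps a scraper's output (and a defender's scan) from drowning in timestamps and order numbers; the Track 2 pass runs first so the PAN inside a full record is not reported twice.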
  18. Dissecting the malware
     o The Bladelogic uploader registers itself as a service named "bladelogic".
     o The Bladelogic name is used for obfuscation here: it implies a connection with BMC BladeLogic, a data center automation software.
     o It uploads the stolen information to an FTP server in Los Angeles:
        o server:
        o username: digitalw
        o password: Crysis1089
  19. Dissecting the malware
     o Both the Mmon module and the uploader were coded to only exfiltrate card data between the hours of 10 AM and 5 PM.
     o The attackers wanted their exfiltration to look like normal everyday network traffic. They tried to avoid detection by blending it with the noise of the high-activity time of day.
  20. Dissecting the malware
     o Neither module of the malware used in this attack was caught by anti-virus. These tools were custom written to avoid signature detection.
     o The attackers downloaded the data from the Los Angeles FTP server to their virtual private server located in Russia over a period of 2 weeks.
     o This attack was complex. It demonstrates how determined attackers can maneuver around security controls to gain access to what they want.
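Signature detection missed both modules, but the behaviour described on slides 14 through 20 leaves host and network traces that do not depend on a sample hash. As an added example (written for this page, not a Cyphort detection or anything Target ran), the Python below applies four rules to a handful of constructed log lines in a key=value format of my own: a new service named POSWDS or bladelogic, a write to %system%\winxml.dll, SMB from a POS terminal to a host outside the POS segment, and FTP to the Internet from anywhere inside. Host names, timestamps, the 10.20.0.0/16 POS segment and the documentation address 203.0.113.45 are placeholders; only the service names, the dump file path and the Best1_user account come from the slides.

```python
import ipaddress
import re

# Indicators taken from the slides: the service names the two modules
# register and the dump file the memory scraper writes under %system%.
SUSPECT_SERVICES = {"poswds", "bladelogic"}
DUMP_FILE_RE = re.compile(r"\\system32\\winxml\.dll$", re.IGNORECASE)

# Assumed address plan (example values, not from the slides).
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """'<timestamp> k=v k=v ...' -> dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def is_external(ip: str) -> bool:
    """External means outside our own RFC 1918 ranges (documentation nets count as external)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def detect(lines: list) -> list:
    """Apply the four rules; each hit names the rule, the host and the evidence."""
    hits = []
    for line in lines:
        f = parse(line)
        host = f.get("host", f.get("src", "?"))

        # Rule 1: a new service whose name matches either module (System log 7045).
        if f.get("event") == "7045" and f.get("service", "").lower() in SUSPECT_SERVICES:
            hits.append({"ts": f["ts"], "rule": "suspect_service_install", "host": host, "evidence": f["service"]})

        # Rule 2: anything written to %system%\winxml.dll, the scraper's dump file.
        if f.get("event") == "4663" and DUMP_FILE_RE.search(f.get("file", "")):
            hits.append({"ts": f["ts"], "rule": "dump_file_written", "host": host, "evidence": f["file"]})

        if f.get("type") == "flow":
            src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
            # Rule 3: SMB from a POS terminal to a host outside the POS segment
            # (the scraper pushing dumps to the internal staging server).
            if src in POS_SEGMENT and f.get("dport") == "445" and dst not in POS_SEGMENT:
                hits.append({"ts": f["ts"], "rule": "pos_smb_lateral", "host": host, "evidence": f"{src}->{dst}:445"})
            # Rule 4: FTP to the Internet from anywhere inside. Keyed on destination
            # and port, not the clock, so the 10 AM - 5 PM blending buys nothing here.
            if f.get("dport") == "21" and is_external(f["dst"]):
                hits.append({"ts": f["ts"], "rule": "ftp_egress", "host": host, "evidence": f"{src}->{dst}:21"})
    return hits


# Constructed log lines in the format parse() expects. Host names, addresses
# and timestamps are invented; 203.0.113.45 stands in for the Los Angeles drop.
SAMPLE_LOGS = [
    r"2013-12-02T10:15:03 host=POS-0412 event=7045 service=POSWDS",
    r"2013-12-02T10:15:04 host=POS-0412 event=4663 file=C:\Windows\system32\winxml.dll access=write",
    r"2013-12-02T10:15:06 type=flow src=10.20.5.17 dst=10.30.1.5 dport=445 user=ttcopscli3acs\Best1_user",
    r"2013-12-02T10:20:11 host=POS-0412 event=7045 service=Spooler",
    r"2013-12-02T10:21:00 type=flow src=10.20.5.17 dst=10.20.5.18 dport=445 user=posadmin",
    r"2013-12-02T12:40:30 host=FILESRV01 event=7045 service=bladelogic",
    r"2013-12-02T13:02:00 type=flow src=10.30.1.5 dst=203.0.113.45 dport=21 bytes=48211",
]

if __name__ == "__main__":
    for h in detect(SAMPLE_LOGS):
        print(h["ts"], h["rule"], h["host"], h["evidence"])
```

Rules 3 and 4 are the ones a segmented network makes cheap: a POS terminal has no business talking SMB to a corporate server, and nothing in the cardholder environment should open an FTP session to the Internet at any hour, so the business-hours timing the attackers chose is irrelevant to them.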
  21. Key lessons from the breach - 1
     o It is not sufficient to monitor the egress point for threats
     o Need to go deep and wide in the network
  22. Poll question: Target admitted they ignored the alert from their network security device. What do you think the reason for that was?
     A) Alert overload from various security devices
     B) No common understanding of risk across the teams
     C) Negligence
  23. Key lessons from the breach - 2
     o More alerts don't necessarily contribute to enhanced security
     o Automate correlation of alerts and local context to assign a risk ranking
     o Have SLAs in place for taking action on threats above the risk threshold
  24. Key lessons from the breach - 3
     o All networks, assets and users are not equal
     o Segment and categorize networks, users and assets
     o Prioritize action based on overall risk
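Slides 23 and 24 recommend correlating alerts with local context, ranking by risk and attaching SLAs. As an added example of what that looks like in code (written for this page; it is not a Cyphort product feature), the Python below groups alerts per asset within a short window, scores each group from the vendor severity, the asset's assumed criticality and the number of distinct alert types, and derives a response deadline from an assumed SLA table. The asset inventory, alert types, weights and tiers are all constructed; the point is that two "medium" alerts on a POS terminal outrank one "high" alert on a guest kiosk.

```python
from datetime import datetime, timedelta

# Assumed asset inventory: segment and criticality per host (constructed
# example values, not Target's categorisation).
ASSETS = {
    "POS-0412":  {"segment": "pos",          "criticality": 5},
    "FILESRV01": {"segment": "corp-servers", "criticality": 4},
    "KIOSK-07":  {"segment": "guest",        "criticality": 1},
}
UNKNOWN_ASSET = {"segment": "unknown", "criticality": 3}   # never score an unlisted host as zero
SEVERITY = {"low": 1, "medium": 2, "high": 3}
CORRELATION_WINDOW = timedelta(minutes=30)
DISTINCT_TYPE_BONUS = 3      # each extra alert type on one asset inside the window

# Response SLA per tier, chosen by risk score (assumed thresholds and times).
TIERS = [(12, "critical", timedelta(hours=1)),
         (6,  "high",     timedelta(hours=4)),
         (0,  "medium",   timedelta(days=1))]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate(alerts: list) -> list:
    """Group alerts per host; a new group opens when the gap exceeds the window."""
    groups, open_group = [], {}
    for ts, host, atype, sev in sorted(alerts, key=lambda a: parse_ts(a[0])):
        t = parse_ts(ts)
        g = open_group.get(host)
        if g is None or t - g["last"] > CORRELATION_WINDOW:
            g = {"host": host, "first": t, "last": t, "types": set(), "max_sev": 0}
            groups.append(g)
            open_group[host] = g
        g["last"] = t
        g["types"].add(atype)
        g["max_sev"] = max(g["max_sev"], SEVERITY[sev])
    return groups


def rank(alerts: list) -> list:
    """Score each correlated group against asset context and attach a tier and deadline."""
    ranked = []
    for g in correlate(alerts):
        asset = ASSETS.get(g["host"], UNKNOWN_ASSET)
        score = g["max_sev"] * asset["criticality"] + DISTINCT_TYPE_BONUS * (len(g["types"]) - 1)
        for threshold, tier, sla in TIERS:
            if score >= threshold:
                break
        ranked.append({"host": g["host"], "segment": asset["segment"], "score": score,
                       "tier": tier, "alerts": sorted(g["types"]),
                       "respond_by": (g["first"] + sla).strftime("%Y-%m-%dT%H:%M:%S")})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


# Constructed alerts: (timestamp, host, alert type, vendor severity).
SAMPLE_ALERTS = [
    ("2013-12-02T10:15:03", "POS-0412",  "new_service",      "medium"),
    ("2013-12-02T10:15:06", "POS-0412",  "smb_lateral",      "medium"),
    ("2013-12-02T13:02:00", "FILESRV01", "ftp_egress",       "high"),
    ("2013-12-02T11:00:00", "KIOSK-07",  "new_service",      "medium"),
    ("2013-12-02T11:00:02", "KIOSK-07",  "malware_download", "high"),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_ALERTS):
        print(r["score"], r["tier"], r["host"], r["segment"], ",".join(r["alerts"]), "by", r["respond_by"])
```

The deadline is measured from the first alert in the group, not from whenever an analyst happens to open the queue, which is what makes the SLA auditable after the fact.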
  25. Q and A
     o Information sharing and advanced threats resources
     o Blogs on latest threats and findings
     o Tools for identifying malware