3. Your speakers today

Nick Bilogorskiy, Director of Security Research
Anthony James, VP of Marketing and Products
4. Agenda

o Inside Cyphort Labs
o Target® breach overview and timeline
o Dissecting the malware
o Lessons learned
o Wrap-up and Q&A
o Sign-up to receive your free t-shirt

(Image: Cyphort Labs T-shirt)
5. About Cyphort Labs

We work with the security ecosystem
  o Contribute to and learn from malware KB
We enhance malware detection accuracy
  o False positives/negatives
  o Deep-dive research
Global malware research team
  o 24x7 monitoring for malware events
6. Cyphort Labs Stats

o 50 million files analyzed daily
o 10,000+ malware samples received daily
o Signatures are created for all malware
7. A day in the life of a malware researcher

o Help customers
o Advise Cyphort security team
o Share threat intelligence
o Security news research
o Review Cyphort reports
o Reverse engineer samples
8. Target Breach Introduction

What The… Happened?
o Data breach at Target Stores
o Affected 110 million credit cards
o Data sold in underground market

Catastrophic Impact
o Cost to Target ~$420 million
o CIO resignation
o Massive security overhaul at Target
9. How Did The Breach Happen?

o Utility contractor's Target credentials compromised
o Hackers accessed the Target network
o Uploaded malware to a few POS systems
o Tested malware efficacy and uploaded to the majority of POS systems
o Data drop locations across the world

(Diagram labels: Login from the HVAC contractor; Target's POS updater server; Point of sale network; Target's internal server with fileshare; Credit card info transfer to internal fileshare; Card info exfiltration using FTP to external drop location; Compromised drop locations)
10. Poll question

How do you think the HVAC contractor's credentials were compromised?
A) Phishing
B) Keylogger malware
C) Password theft
11. Target: The Breach Timeline

o Nov. 27 - Dec. 15, 2013: Data breach at Target; millions of accounts exposed
o Dec. 18, 2013: Reports of several retailers' POS affected
o Dec. 18-19, 2013: Target admits the breach
o Dec. 27, 2013: Reported that encrypted PIN numbers were also stolen
o Jan. 10, 2014: Target reports 70 M additional accounts compromised
o Feb. 6, 2014: Reported that HVAC vendor's credentials were involved
o Mar. 5, 2014: Target CIO resigns
12. What is BlackPOS/Potato?

o Malware is a modified version of BlackPOS or Kaptoxa (Russian for potato). It runs on point of sale terminals and scans memory for credit card data.
o First samples of this malware date back to Jan 2013 and were coded by Rinat Shibaev aka "ree4", aka "AntiKiller" from Russia.
o Malware was sold by Antikiller on a hacker forum. However, Antikiller is not directly involved in the Target breach.

(Image: malware on sale, posted by ree4)
13. Who wrote BlackPOS/Potato?

o The suspect in the breach is a person called "Rescator" aka "Hel". He is part of a larger hacker network called "Lampeduza Republic".
o Rescator sold the stolen Target card info in bulk in underground markets at a price of $20-45 per card.
o Brian Krebs named Andrey Hodirevski from Ukraine as Rescator.

(Image: Hel)
14. Malware Workflow

1. Infect system
  o Adds to autostart via service
  o Download and run memory scraper
2. Steal info
  o Use memory scraping to find credit card data
  o Output to a file locally
  o Send the dump file to exfiltration server via SMB
3. Exfiltrate info
  o Periodically scan winxml.dll for updates
  o Upload information to the FTP server
15. Dissecting the malware

o This malware had 2 modules:
  o Mmon module - is used for scanning the memory of the POS machine, extracting credit card numbers and dumping them to a file, then sending them to another compromised system inside Target's network via network share
  o Bladelogic Uploader module - is used to upload those dumps to an FTP server.
17. Dissecting the malware

o Mmon module will specifically look for a process named "pos.exe", which is the process name of the Target application. It will walk through the memory of the said process and save the dumps into a file %system%\winxml.dll
o It also creates a thread that will upload the stolen information to another compromised system within Target's network using a network share with the following credentials:
  o hostname: 10.116.240.31
  o username: wcopscli3acsBest1_user
  o password: BackupU$r
o Afterwards, it deletes the mapping of the drive to avoid detection.
18. Dissecting the malware

o Bladelogic uploader - registers itself as a service named "bladelogic"
o The Bladelogic name is used for obfuscation here; it implies a connection with BMC Bladelogic, a data center automation software
o Uploads the stolen information to an FTP server in Los Angeles:
  o Server: 199.188.204.182
  o username: digitalw
  o password: Crysis1089
19. Dissecting the malware

o Both the mmon module and the uploader were coded to only exfiltrate card data between the hours of 10 AM and 5 PM.
o The attackers wanted their exfiltration to look like normal everyday network traffic. They tried to avoid detection by blending it with the noise of the high-activity time of day.
20. Dissecting the malware

o Both of the modules of malware used in this attack were not caught by anti-virus. These tools were custom written to avoid signature detection.
o Attackers downloaded the data from the Los Angeles FTP server into their virtual private server located in Russia over the period of 2 weeks.
o This attack was complex. It demonstrates how determined attackers can maneuver around security controls to gain access to what they want.
21. Key lessons from the breach - 1

o It is not sufficient to monitor the egress point for threats
o Need to go deep and wide in the network
22. Poll question

Target admitted they ignored the alert from their network security device. What do you think the reason for that was?
A) Alert overload from various security devices
B) No common understanding of risk across the teams
C) Negligence
23. Key lessons from the breach - 2

o More alerts don't necessarily contribute to enhanced security
o Automate correlation of alerts and local context to assign risk ranking
o Have SLAs in place for taking action on threats above risk threshold
24. Key lessons from the breach - 3

o All networks, assets and users are not equal
o Segment and categorize
  o Networks
  o Users
  o Assets
o Prioritize action based on overall risk
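As an added example (not code from the Cyphort deck), a small Python correlator that applies the lessons of slides 21 to 24 to the behaviours described in slides 17 to 20: it matches constructed host and firewall log lines against the indicators the deck names (the "bladelogic" service, the winxml.dll dump file in the system directory, the internal share host and the external FTP server), weights each hit by an assumed asset category so POS-segment hosts rank higher, and returns only hosts above a risk threshold. The log format, host names, segment labels and weights are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicators named in the deck (slides 17 and 18).
INTERNAL_SHARE_HOST = "10.116.240.31"
EXTERNAL_FTP_HOST = "199.188.204.182"
# Assumed asset weights: POS hosts count double (slide 24: assets are not equal).
ASSET_WEIGHT = {"pos": 2.0, "corp": 1.0}

# Detection rules: (name, pattern over the event text, base weight).
RULES = [
    ("service_install", re.compile(r"ServiceInstall name=bladelogic\b", re.I), 3.0),
    ("dump_file_write", re.compile(r"FileWrite path=.*\\system32\\winxml\.dll", re.I), 3.0),
    ("share_mapping", re.compile(r"NetUse target=\\\\" + re.escape(INTERNAL_SHARE_HOST)), 2.0),
    ("ftp_egress", re.compile(r"NetConn dst=" + re.escape(EXTERNAL_FTP_HOST) + r" dport=21\b"), 2.0),
]

# Constructed sample lines (not real telemetry); assumed format: "<ISO ts> host=<h> seg=<s> <event>".
SAMPLE_LOGS = [
    "2013-12-02T10:15:00 host=pos-0042 seg=pos ServiceInstall name=bladelogic path=C:\\Windows\\system32\\bladelogic.exe",
    "2013-12-02T10:16:30 host=pos-0042 seg=pos FileWrite path=C:\\Windows\\system32\\winxml.dll size=4096",
    "2013-12-02T10:20:00 host=pos-0042 seg=pos NetUse target=\\\\10.116.240.31\\share user=<redacted>",
    "2013-12-02T11:00:00 host=files-01 seg=corp NetConn dst=199.188.204.182 dport=21 proto=tcp",
    "2013-12-02T11:05:00 host=ws-117 seg=corp FileWrite path=C:\\Users\\a\\report.docx size=2048",
]

def parse_line(line):
    ts, host, seg, event = line.split(" ", 3)
    return datetime.fromisoformat(ts), host[5:], seg[4:], event

def score_hosts(lines):
    """Correlate rule hits per host and weight them by asset category."""
    hosts = defaultdict(lambda: {"score": 0.0, "rules": [], "business_hours_egress": 0})
    for line in lines:
        ts, host, seg, event = parse_line(line)
        for name, pattern, weight in RULES:
            if not pattern.search(event):
                continue
            entry = hosts[host]
            entry["score"] += weight * ASSET_WEIGHT.get(seg, 1.0)
            entry["rules"].append(name)
            # Slide 19: exfiltration ran 10 AM - 5 PM to blend in, so flag it rather than trust it.
            if name == "ftp_egress" and 10 <= ts.hour < 17:
                entry["business_hours_egress"] += 1
    return dict(hosts)

def hosts_above_threshold(scores, threshold=5.0):
    """Hosts whose correlated risk crosses the SLA threshold (slide 23)."""
    return sorted(h for h, e in scores.items() if e["score"] >= threshold)
```

Note that the lone FTP connection from the corporate file server scores below the threshold on its own, which is the egress-only blind spot slide 21 warns about; the POS host crosses it only because its internal activity is correlated.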
25. Q and A

o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware