Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (14)
Similar to Data breach at Target, demystified.
Similar to Data breach at Target, demystified. (20)
More from Cyphort
More from Cyphort (20)
Recently uploaded
Recently uploaded (20)
Data breach at Target, demystified.
- 1. Target threats that target you. Target threats that target you. Dissec1ng the Target® Malware Cyphort Labs Malware’s Most Wanted Series March 2014
- 2. Target threats that target you. 2
- 3. Your speakers today 3 Nick Bilogorskiy Director of Security Research Anthony James VP of Marke5ng and Products
- 4. Agenda o Inside Cyphort Labs o Target® breach overview and 1meline o Dissec1ng the malware o Lessons learned o Wrap-‐up and Q&A o Sign-‐up to receive your free t-‐shirt 4 Cyphort Labs T-‐shirt
- 5. We work with the security ecosystem ••••• Contribute to and learn from malware KB We enhance malware detec1on accuracy ••••• False posi1ves/nega1ves ••••• Deep-‐dive research Global malware research team ••••• 24X7 monitoring for malware events About Cyphort Labs 5
- 6. Cyphort Labs Stats 6 50 million files analyzed daily 10,000+ malware samples received daily Signatures are created for all malware
- 7. A day in life of a malware researcher 7 Help Customers Advise Cyphort Security Team Share Threat Intelligence Security News Research Review Cyphort Reports Reverse Engineer Samples
- 8. Target Breach Introduc1on 8 What The… Happened? o Data breach at Target Stores o Affected 110 million credit cards o Data sold in underground market Catastrophic Impact o Cost to Target ~$420 Million o CIO resignaIon o Massive security overhaul at Target
- 9. How Did The Breach Happen? o U1lity contractor’s Target creden1als compromised o Hackers accessed the Target network o Uploaded malware to a few POS systems o Tested malware efficacy and uploaded to the majority of POS systems o Data drop loca1ons across the world 9 Login from the HVAC contractor Target’s POS updater server Target’s internal server with fileshare Credit card info transfer to internal fileshare Card info infiltra1on using FTP to external drop loca1on Point of sale network Compromised drop loca1ons
- 10. Poll ques1on How do you think the HVAC contractor’s creden1al’s were compromised? A) Phishing B) Keylogger malware C) Password them
- 11. Target: The Breach Timeline 11 Nov. 27 -‐ Dec. 15 2013 Dec . 18-‐19 2013 Dec. 18 2013 Dec. 27 2013 Jan. 10 2014 Feb. 6 2014 Mar. 5 2014 Target reports 70 M addi1onal accounts compromised Reported that HVAC vendor’s creden1als involved Target CIO resigns Reported that encryp1on PIN number also stolen Target admits the breach Reports of several retailers POS affected Data breach at Target; Millions of accounts exposed
- 12. What is BlackPOS/Potato? o Malware is a modified version of BlackPos or Kaptoxa (Russian for Potato). It runs on point of sale terminals and scans memory for credit card data. o First samples of this malware date back to Jan 2013 and were coded by Rinat Shibaev aka “ree4”, aka “An1Killer” from Russia. o Malware was sold by An1killer on hacker forum. However An1killer is not directly involved in the Target breach. 12 Malware on sale ree4
- 13. Who wrote BlackPOS/Potato? o The suspect in the breach is a person called “Rescator” aka “Hel”. He is part of a larger hacker network called “Lampeduza Republic” o Rescator sold the stolen Target card info in bulk in underground markets at a price of $20-‐45 per card. o Brian Krebs named Andrey Hodirevski from Ukraine as Rescator. 13 Hel
- 14. Malware Workflow 14 1. Infect System o Adds to autostart via service o Download and run memory scraper 2. Steal Info o Use memory scraping to find credit card data o Output to a file locally o Send the dump file to exfiltra1on server via SMB 3. Exfiltrate Info o Periodically scan winxml.dll for updates o Upload informa1on to the FTP server
- 15. Dissec1ng the malware 15 o This malware had 2 modules: o Mmon module – is used for scanning the memory of the POS machine , extract credit card numbers and dump them to a file, then send them to another compromised system inside Target’s network via network share o Bladelogic Uploader module – is used to upload those dumps into an mp server.
- 16. Dissec1ng the malware o Mmon module adds itself as a service “POSWDS” 16
- 17. Dissec1ng the malware o Mmon module will specifically look for a process named “pos.exe” which is the process name of Target applica1on. It will walk through the memory of the said process and save the dumps into a file %system% winxml.dll o It also creates a thread that will upload the stolen informa1on to another compromised system within Target’s network using a network share with the following creden1als: o hostname: 10.116.240.31 o username: wcopscli3acsBest1_user o password: BackupU$r o Amerwards, it deletes the mapping of the drive to avoid detecIon. 17
- 18. Dissec1ng the malware o Bladelogic uploader -‐ Register itself as a service named “bladelogic” o Bladelogic name is used for obfuscaIon here, it implies connec1on with BMC Bladelogic -‐ a data center automa1on somware o Uploads the stolen informa1on to an mp server in Los Angeles: o Server: 199.188.204.182. o username: digitalw o password: Crysis1089 18
- 19. Dissec1ng the malware o Both the mmon module and the uploader were coded to only exfiltrate card data between the hours of 10 AM and 5 PM. o The awackers wanted their exfiltra1on to look like normal every day network traffic. They tried to avoid detec1on by blending it with the noise of the high ac1vity 1me of day. 19
- 20. Dissec1ng the malware o Both of the modules of malware used in this awack were not caught by an1-‐virus. These tools were custom wriwen to avoid signature detec1on. o Awackers downloaded the data from the Los Angeles FTP server into their virtual private server located in Russia over the period of 2 weeks. o This awack was complex. It demonstrates how determined awackers can maneuver around security controls to gain access to what they want. 20
- 21. Key lessons from the breach -‐ 1 o It is not sufficient to monitor the egress point for threats o Need to go deep and wide in the network 21
- 22. Poll ques1on Target admiwed they ignored the alert from their network security device. What do you think the reason for that was? A) Alert overload from various security devices B) No common understanding of risk across the teams C) Negligence
- 23. Key lessons from the breach -‐ 2 o More alerts don’t necessarily contribute to enhanced security o Automate correla1on of alerts and local context to assign risk ranking o Have SLAs in place for taking ac1on on threats above risk threshold 23
- 24. Key lessons from the breach -‐ 3 o All networks, assets and users are not equal o Segment and categorize o Networks o Users o Assets o Priori1ze ac1on based on overall risk 24
- 25. Q and A 25 o Informa1on sharing and advanced threats resources o Blogs on latest threats and findings o Tools for iden1fying malware