There’s still much mystery surrounding the recent cyber heist in which tens of millions of credit card numbers were removed from a major retailer’s POS system, though we learn more almost every day. The always indispensable Krebs is a good starting point for background information and very informed speculation.  There are good reasons—based on FBI analysis no less—to believe that some of the malware and techniques go back to at least 2011.  The hackers exploited a gap in the retailer’s PCI compliant IT system—technically compliant at the time of the last audit—at a point where the credit card magnetic strip or track data was still unencrypted—on the POS machine itself. In the FBI’s view, there isn’t encouraging news here: they believe that this type of attack will only continue to increase in the near future.

However, anyone who’s ever seen a classic physical heist movie knows the criminals often trip up not so much on entering the vault, but in the getaway—taking the gold, jewels, artwork, or cash to their hideout without getting caught or leaving a clue. If file access monitoring  software were in place, then very likely that would have been the case in this particular incident.

At the end of January, Dell’s SecureWorks Counter Threat Unit released its own reportbased mostly on its experience dealing with similar POS exploits and the little public information that’s available on this incident. Those more code-centric can skip ahead in the report to view a sketch of the RAM scraper software used for hoovering up credit card numbers. Scrapers are considered at the bottom of the APT food chain—they’re simple—but experts believe this variant was more advanced.

Yesterday’s article in The New York Times discusses how they cyber thieves broke in—via a “remote access granted through the retailer’s computerized heating and cooling software.” The Times article continues, “Target would not say whether its vendors were required to use two-factor authentication.” It certainly would have been much more difficult for the attackers to get in if they had had two-factor authentication in place—maybe we’ll hear more about that in the coming days.

Once in, they embedded their RAM scraper malware on to either individual POS machines or a central server into which the credit card transactions from many POS devices were being piped.

The scraper was able to elevate its access by using a default admin-level user name and password from another piece of software that hackers knew to be installed in the retailer’s environment.

It’s a good time now to point out that you should always change these defaults when installing vendor software. As we understand it, this POS attack would have been stopped if this basic step had been taken—failure two.

A  RAM scraper of this type likely worked by simply collecting a list of processes running on the POS machine or POS server and then using  a Windows system call—CreateToolhelp32Snapshot—to peek into the heap memory of each process. The scraper then did a text search looking for raw track information—the gang had technical details on this.  When it found a matching pattern, the malware encrypted the numbers and stored it for later transfer. At its core, though, this is still basic hack-craft.

So the thieves got into the vault.  The trick is now exiting without being detected. Ultimately, millions of credit card numbers were exfiltrated. Not surprisingly, there’s still uncertainty about how this was accomplished—perhaps HTTP POSTs or, as somesuggest, outbound DNS packets. In other words, a network security monitoring app looking for the usual suspects, say FTP, would have likely missed this.

However, to laterally move the credit card numbers from the scraper to the exfiltrator, the SecureWorks group believes the RAM scraper was periodically dumping the credit card numbers into a file and then remotely mounting the file’s folder to another server that the said exfiltrator had compromised.

Here is a third missed opportunity: if the retailer had file monitoring software to spot large increases in activity or other anomalous behavior—remember, the attackers were writing millions of credit card numbers into files—then the thieves might have been noticed very quickly.

So we’re seeing a familiar pattern here: An authentication failure (or two), a privilege escalation, and inadequate detective controls—lack of file system auditing and alerting. Also, we have to wonder, did the HVAC system really need to be on the same logical network as the POS systems?

This breach (and others like it) really could have been stopped or made much more difficult if any of these issues had been addressed. But don’t get too caught up in the preventive controls failures—we’re learning that it’s best to count on the bad guys getting in, or even prepare as if they’re already in.

A simple change in perspective from focusing on monitoring the attacks at the perimeter—effectively at the known entrance and exit doors—to watching what’s going on inside the building—watching the file metadata—would make all the difference, especially when there’s a back door you didn’t know about.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s