The US-CERT organization recently updated its Alert TA14-212A, which warns that Point-of-Sale (POS) memory-scraping malware has been found in 3 separate forensic investigations. The Secret Service estimates that over 1,000 businesses of all types that accept credit card transactions may be affected. Most may not know it yet.
Join us to learn key “Indicators of Compromise” (IOCs) for Backoff, and what you can do about it.
16. IoC / What To Do

IoC: Windows-based POS system or server
What to do: Check what OS is in place on these systems, including patch versions.

IoC: Use of remote desktop applications (one of the most common attack vectors used to gain entry to the organization)
What to do: Check systems for Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop, LogMeIn, and others, so that an inventory is made of what remote desktop applications are in place and whether they’re authorized per organization policy.

IoC: Keystroke logger (in some variants)
What to do: Continuous file integrity monitoring will find new files when they are created. These may contain stored keystrokes on user systems as well as on POS systems where users use a PIN to log into the POS.

IoC: Brute-force password attempts
What to do: Can be detected and alerted on via failed login attempts.

IoC: Altered install path (and new files added, such as %APPDATA%\AdobeFlashPlayer\mswinsvc.exe, or writing static file names such as nsskml, javaw.exe)
What to do: Changes of this type will be automatically alerted on. This is complicated in that %APPDATA% may differ widely for systems within the network.

IoC: A number of static strings are in use at differing stages in the attack effort to compromise the host system and escalate privileges to admin.
What to do: Check US-CERT and other sources to determine which static strings to check for.

IoC: Most of the changes made by attackers will alter the MD5 hash (packed/unpacked).
What to do: Hashes can be checked/verified against a known-good baseline.

IoC: Registry key changes made
What to do: Registry key changes can be checked/verified against a known-good baseline.

IoC: File exfiltration (all types: cardholder information stored in local .dat temporary storage for discovered track data, as well as keylogger files)
What to do: File exfiltration will use specific ports, protocols, and/or services and can be detected.
18. • Install file integrity monitoring on all POS systems, databases, Active Directory, critical servers, etc.
• Harden your configurations based on FIM findings
• Establish a trusted baseline for all your configurations
• Then you can successfully perform a binary or checksum comparison to ensure unauthorized files are not installed
• Improve your security policies (passwords, defaults, allowed applications, services, etc.)
• Specific content for Backoff files, known hashes, registry changes, etc. is available for Tripwire users
19. • Disable unnecessary ports and services, null sessions, default users and guests
• Improve security policies
• Enforce security policy with partners
• Continuously monitor and harden; do not allow “drift”
20. • Frequent vulnerability assessments, so that you can determine:
• OS versions in place and whether they’re the most current
• Whether systems are up to date with security patches
• What ports, protocols, and services are running
• Change the default Remote Desktop listening port
21. • Configure the account lockout settings on excessive failed login attempts.
• Limit the number of users and workstations using Remote Desktop.
• Strengthen your passwords
• Limit administrative privileges for users and applications.
• Harden firewall configurations (hardware and software firewalls).
• Apply access control lists (ACLs) on the router configurations.
• Use hardened password policy to prevent application modification.
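The account-lockout bullet above and the failed-login indicator on slide 16 describe a detection without showing one. The Python below is an added example, not code from the webinar or from Tripwire: it reads logon events, alerts once per source IP when a threshold of failures lands inside a time window, and alerts again if that same source then logs on successfully, which is the outcome the slides warn about for exposed remote desktop services. The log lines are constructed, and the four-field layout (timestamp, event ID, account, source IP) is an assumed flattened form of Windows logon events 4625/4624, not a real product format.

```python
# Added example: brute-force detection from failed-logon events.
# Not code from the webinar or from Tripwire; the log format below is a
# constructed, flattened form of Windows Security events (4625 = failed
# logon, 4624 = successful logon) and is an assumption, not a real format.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: <ISO timestamp> <event id> <account> <source IP>.
# One source hammers the administrator account; another is a single typo.
SAMPLE_LOG = """\
2014-08-22T02:00:01 4625 administrator 203.0.113.5
2014-08-22T02:00:03 4625 administrator 203.0.113.5
2014-08-22T02:00:04 4625 pos01 198.51.100.7
2014-08-22T02:00:05 4625 administrator 203.0.113.5
2014-08-22T02:00:07 4625 administrator 203.0.113.5
2014-08-22T02:00:09 4625 administrator 203.0.113.5
2014-08-22T02:00:11 4625 administrator 203.0.113.5
2014-08-22T02:00:13 4624 administrator 203.0.113.5
2014-08-22T02:00:20 4624 pos01 198.51.100.7
"""


def parse_events(text):
    """Parse the flattened log into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), account, src))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per source IP when `threshold` failed logons fall inside
    `window`; alert again if that source later logs on successfully."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ts, event_id, account, src in sorted(events, key=lambda e: e[0]):
        q = recent[src]
        if event_id == 4625:
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append(("brute_force", src, account, len(q)))
        elif event_id == 4624 and src in alerted:
            # A success from a source that was already brute-forcing is the
            # event that most needs a human to look at it.
            alerts.append(("success_after_brute_force", src, account, len(q)))
    return alerts


def demo():
    """Run the detector over the constructed sample log."""
    return detect_brute_force(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, src, account, count in demo():
        print(f"{kind}: {src} against {account!r} after {count} failures")
```

The threshold and window are deliberately parameters: a lockout policy of five failures in ten minutes should be mirrored here so the alert fires at the same point the lockout would, and the "success after brute force" alert is the one worth paging on, since a lockout alone never tells you whether a guess eventually worked.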
22. • Assure you have a logging and event management system in place and active
• Assure there is a process to monitor logs on a daily basis
• Log and event management is more effective if it can ingest content from other security systems in your environment, such as IDS/IPS
• An intelligent log and event system will reduce noise and provide alerts only on events of interest
23. • Log and event management systems are foundational to being able to provide forensic investigators what they need.
• Anomalies and possible indicators of threat can also be detected by FIM, and the ability to report who did what, when, and how is critical.
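Slides 16 through 23 lean on three checks: new file creation on POS systems, hash comparison against a trusted baseline, and card data sitting in local .dat files. The Python below is an added example, not code from the webinar or from Tripwire Enterprise, that ties the three together: it hashes every file under a directory, diffs the result against a saved baseline, and scans each added or modified file for Luhn-valid card numbers, masking them in the report so the alert does not become a second copy of cardholder data. The file names, contents and the track 1 / track 2 sample (built from well-known test card numbers) are all constructed.

```python
# Added example: a minimal file-integrity baseline check with a card-number
# scan of new or changed files. Not code from the webinar or from Tripwire
# Enterprise; file names, contents and the track-data sample are constructed.
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# 13 to 19 digits, optionally separated by spaces or dashes, and not part of a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return every Luhn-valid card number found in text, separators removed."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the first six and last four digits in any alert output."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each file (path relative to root) to its SHA-256 hash."""
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed or modified since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
    }


def scan_changed_files(root: Path, report: dict[str, list[str]]) -> dict[str, list[str]]:
    """Scan every added or modified file for card numbers; report them masked."""
    findings = {}
    for rel in report["added"] + report["modified"]:
        pans = find_card_numbers((root / rel).read_text(errors="replace"))
        if pans:
            findings[rel] = [mask(p) for p in pans]
    return findings


def demo() -> dict:
    """Baseline a constructed POS directory, then simulate drift and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pos.exe").write_bytes(b"constructed stand-in for the POS binary")
        (root / "config.ini").write_text("port=8080\n")
        baseline = build_baseline(root)
        # Drift: a config edit plus a dropped .dat file holding constructed
        # track 1 / track 2 data built from well-known test card numbers.
        (root / "config.ini").write_text("port=8080\nrdp=enabled\n")
        (root / "harvest.dat").write_text(
            "%B4111111111111111^DOE/JOHN^2512101?\n;5555555555554444=2512101?\n")
        report = compare_to_baseline(root, baseline)
        return {"report": report, "findings": scan_changed_files(root, report)}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real deployment: the baseline must live off the monitored host (and ideally be signed), or the same intruder who drops the .dat file can rewrite the baseline to match; and the Luhn filter is a noise reducer, not proof, so a hit on a new file in a POS directory is a trigger for investigation rather than an automatic verdict.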
Katherine - The Department of Homeland Security first posted the US Computer Emergency Readiness Team’s Alert TA14-212A on July 31, 2014, warning of the dangers of Backoff, and initially 600 businesses were thought to be infected with the malware. However, that number has been revised to "over 1,000" in the latest update of the advisory.
The reason it’s called backoff is that forensic investigators had seen this word inside the code and just dubbed it Backoff.
Katherine - And of course, here’s the other type of alert we’re hearing about every day. Any business conducting credit card transactions is at risk – retail, hotels, restaurants, hospitals, utilities, government (think DMV and other services) etc.
In the case of many of these retailers, their public disclosures have followed a similar storyline – a public disclosure, typically after they were alerted from external sources such as law enforcement or fraud organizations. Then it was determined it was worse than first thought, and often (but not in all cases) they had been breached for months before discovery. Many of these public breaches are being linked to similar strains of POS malware originally used at Target with some variations.
I’m going to now turn it over to security researcher Ken Westin.
Before any of the sophisticated point-of-sale malware we have seen targeting retail point-of-sale systems can get on these devices, the attackers have to get into the network. This is no easy task, as most retailers have spent at least some effort to protect their networks from intrusion and have deployed some security, or at the very least ensured they comply with the minimum security requirements of PCI DSS.
Lockheed Martin’s Cyber Kill Chain is a well-known model of the attack lifecycle and applies well to the attack patterns we have seen in the mega retail breaches so far.
The attacks against retail giants are not crimes of convenience, nor are they implemented over a short span of time. These attacks are meticulously planned, and the groups responsible have done their homework in the recon phase of the cyber kill chain. They gather a great deal of intelligence on their target: they learn about its corporate structure and employees, they map out the organization’s IT infrastructure from IP ranges, run scans of the network and identify open ports and running services. In addition, they identify vendors, service providers and trusted business partners who may provide another, less direct path into the target network.
A few examples of successful attack vectors include targeting remote desktop applications; by running scans of the network, the attacker can easily identify the presence of a remote desktop application. We have seen a number of retailers compromised simply through the brute forcing of passwords, or through login credentials gained in spearphishing campaigns. Target was compromised through a combination of a phishing attack that hit a trusted business partner, after which the attackers were able to gain access to Target’s network using the partner’s credentials. Then of course we have good old exploits targeting unpatched applications and systems.
Once attackers gain a foothold in the network, things get a little easier: as a general rule, things are less locked down inside the network, and the attackers will usually begin to target what are classified as the crown jewels of the network, such as Active Directory and network applications, and find a way to escalate privileges. In a number of retail breaches another key target has been patch servers, which feed out updates to point-of-sale devices. By compromising these systems they can easily deploy malware to the POS devices. However, this is not necessary, as they can also target individual POS systems through other means.
Once the malware is installed, credit card data is harvested through various methods, which we will discuss in more detail here in a bit. The credit card data can be collected on the POS devices themselves or moved and aggregated on another compromised system. The next and final phase is the exfiltration of the data to a drop site; this is a rather delicate process, in which the attacker takes extra special care to avoid detection.
At this stage the retailer will usually only be made aware of the breach when the Secret Service contacts them after bank fraud analysts start detecting the stolen cards being sold in the underground and in use.
Defending against these sophisticated criminal syndicates targeting retail organizations requires a defense in depth strategy. No single security control or tool will serve to block the highly organized and well-resourced adversarial groups that we have seen targeting major retailers. The first step organizations should take as a preventative measure is to focus on system hardening, identifying vulnerabilities in the perimeter where an attacker can gain a foothold in the network: identifying configuration and application vulnerabilities that an attacker can leverage, and not just on their own network, but also at their trusted business partners who may have access to the network.
We know that in today’s threat landscape it is not a matter of if but when we are breached, but more importantly for how long; identifying a network compromise and quickly responding to it could mean the difference between simply having a system offline for a short period and a full-blown data breach of your organization featured on the front page of the Wall Street Journal. Tripwire integrates data from intrusion detection and prevention systems, next generation firewalls and other sources to report on and alert to security events, along with security analytics and forensics capabilities to quickly identify the scope and context of an incident.
Continuous network security monitoring is critical to protecting your internal network, as we can no longer depend solely on preventative measures to mitigate today’s cyber adversaries. Identifying internal vulnerabilities, particularly for critical assets, is crucial. Any changes or security events need to be logged and monitored and, just as important, these events require rich context to identify true indicators of compromise from white noise on the network.
So now we are going to zoom in a bit and discuss the actual point of sale malware itself. There have been a number of different variants of malware targeting point of sale systems over the past few years, and they are increasing in their complexity. Two of the most commonly seen are BlackPOS and Backoff. BlackPOS is what was used in Target, and a newer iteration of it was used in the recent Home Depot breach. The US Secret Service has indicated that the Backoff family of malware has affected around 1,000 businesses. I will be discussing general characteristics and features that are shared by most of these tools, and later we will discuss specific indicators of Backoff.
PCI DSS provides some guidance around how credit card data should be stored. However, it only covers pieces of the data security puzzle when it comes to the collection and storage of credit card data. The primary focus of PCI DSS is data at rest and after authorization, where it is mandated that credit card data must be encrypted if stored and if not stored must be wiped from systems after authorization. Hackers are well aware of these requirements and as such have adapted their tools and tactics to get a hold of credit card data where it is not encrypted. There are several places that credit card data may exist unencrypted that can easily be harvested by increasingly sneaky malware.
The first place to look for unencrypted credit card data is on the hard drive of POS systems and servers involved in processing payments, such as in log files or databases.
Another place malware can look is on the network, where data may be transmitted to systems unencrypted, or even within the system itself.
Recently the most common method has been RAM scraping, where malware looks for and grabs credit card information out of memory before the data is encrypted.
Here is an example of a packet capture, where we can easily sniff credit card information on the network. Many retailers fail to implement point to point encryption and often credit card data is passed as plain text across the network, making it easy for any malicious app or user to grab the data.
One incredibly successful method is memory or RAM scraping, where malware installed on point-of-sale systems looks for and grabs credit card information out of memory before the data is encrypted for transit across the network or for storage. This approach to card data collection has been used in the major breaches you have heard about in the media, such as Target, Neiman Marcus, PF Changs and most recently Home Depot, amongst others, simply because there is little a retailer can do to block it and it easily evades detection.
When credit card data is found, it is usually logged to a file on the POS system and/or transmitted to another system before being exfiltrated from the organization.
So one kind of cool thing we tested using Tripwire Enterprise was the ability to detect when a new file is created and to automatically check to see if there are any credit card numbers in the file. This quick test can help identify the presence of point of sale malware, regardless of its collection mechanism; when we see files being created on a point-of-sale device or anywhere on our network, we will want to alert on this for immediate investigation. Detecting one credit card number could be the difference between a thwarted data breach attempt story you tell your buddies at the bar and becoming the next Target or Home Depot.
With that I am going to hand this off to Katherine and Ed who will be going into some more specific indicators regarding the Backoff variant of malware.
Thanks Ken, and here’s another couple of screen shots overlaid to show you how we’re helping our customers with content available for download to test for indicators of compromise.
Here some known indicators have been detected through failed tests and based on this, the IT team can choose to automatically update to the most recent and known good baseline for this system, auto-remediating for finding elements of Backoff.
This same set of actions can occur at any step along the attacker’s path toward the POS. It might be detecting brute force login attempts, or it could be finding the suspect remote desktop applications and then adjusting security on those systems – because, as Ken has described, attackers typically follow usual vectors to traverse their way to the POS systems, CDE, or databases where information is kept.
Ed – Thanks Katherine – In the case of Backoff, the US-CERT indicates some specifics to help us see how the attackers are initially infiltrating the networks where they’ve been successful. To begin with, you will want to know whether the OS you’re using is the most current and whether any patches should be applied.
You might like to know that AV is installed, although at the time of the alert, AV was not able to catch it. Nevertheless, good practice dictates you would check that AV is installed, is actively running, and has the most current signatures. In addition to this at the desktop and other systems, check for weak firewall configurations.
New file creations such as keystroke log capture files, high numbers of password login attempts, and other changes noted are all used as attackers make their way to their target – in this case, POS. This is not so different from many other types of attacks. Common techniques are being used – all stuff Tripwire can help with – to infiltrate and traverse.
So now that Ed has shown where in the infrastructure these IoCs will often show up and what tools may be useful to you, here’s a big picture (unfortunately in small print) that we won’t cover line-by-line. These IoCs are fairly basic – and here’s a list of what to do. I’d like to point out that the first three are standard and best practices. The specifics of altering an install path and adding new files is also a known technique. However, we have the specifics for Backoff and if you’re using Tripwire, we have content to offer you to catch these types of alterations. As attacks continue their path of morphing and gaining higher target specificity, it’s going to come down to code security and continuous, end-to-end monitoring of file changes. This can get incredibly noisy and you’ll need an intelligent tool that can reduce that noise to just the events of interest that you can take immediate action on. Especially with credit card transactions – this is an “always on” type of business and to be taken down costs money not to mention loss of brand trust. Have you checked Home Depot’s stock?