As we learn more about the inner workings of the malware that infected Target and most likely Neiman Marcus during the holiday season, I thought it would be helpful to draw some conclusions about not only protecting against malware such as Kaptoxa and BlackPOS, but also to provide some insights into how you can transform your security posture to prevent becoming the next data breach victim.
iSIGHT Partners in conjunction with the U.S. Secret Service performed a detailed analysis of the Kaptoxa operation that was behind the large scale point-of sale cyber-crime breaches announced this month.
According to the January 14 document published by iSIGHT Partners, which highlighted the characteristics of Trojan.POSRAM and another detailed analysis and background by IntelCrawler on BlackPOS from which Trojan.POSRAM is derived:
• Author is believed to be around 17 years old
• First builds of the malware were offered for $2000 USD
• It scans memory for card data track1/track2
• It stores card data on the POS device and staging server in plain text
While it hasn’t been fully determined how the malware spread to multiple POS systems within these retail environments, it's safe to assume that it might have been a combination of vulnerable systems as well as weak administration controls around remote management and passwords.
But wait! Did you say data stored in plain text?
That’s right. After slurping the data from memory, Trojan.POSRAM stores the data in %windir%\system32\winxml.dll. Then, between the hours of 10 am and 5 pm, it would periodically send that file over NetBIOS to a temporary dump server. If we consider the origins of Trojan.POSRAM being based on BlackPOS, we can determine that the data is being stored in this dll file and other staging files in plain text. (See insert above for IntelCrawler chat with BlackPOS author)
So this gets to the intersection of why we believe organizations are missing some of the biggest points in securing their environments against these types of threats:
- Concentrated endpoint vulnerability management
- An effort to consistently assess where sensitive data is being stored
Endpoint Vulnerability Management
In today's world of disconnected systems, remote offices and more, it is increasingly more difficult to accurately detect vulnerabilities on systems using traditional network scanning methodologies. Without having an endpoint focus, results are often impossible to gather and contain huge amounts of false positives.
Considering the retail environments, looking at Target with approximately 1921 locations to scan and manage vulnerabilities, this is an overwhelming task. Traditional network vulnerability scanning solutions require appliances, credentials and lots of network bandwidth and connectivity to accurately scan these locations.
Let's also consider not only the retail locations in these environments, but the vast amount of workers who are constantly on the road connecting to various networks. They're never properly assessed against vulnerabilities because they are remote when the centralized network vulnerability scans are scheduled. These endpoints become the launch point for infiltration into the corporate network. Let's say an end user visits a malicious link that installs a piece of malware that lays dormant until its connected to the corporate network and uses this as the infection point. In the case of retailers: Game over, BlackPOS is now on the network looking for POS systems to infiltrate.
So in most cases, the anti-malware, network defenses and other defense-in-depth technologies should detect these breaches correct? No. As attackers become more sophisticated, there is a further gap between the instant a piece of malware is released and the time which proactive protection is released by security vendors.
But what are some other things you can proactively do to prevent these data breaches?
I can’t say it any louder: CONSTANTLY ASSESS for UNENCRYPTED CARD DATA!!
We help organizations on a daily basis understand where they have sensitive data being stored. And to be honest, we find a lot of data that organizations never knew existed in their environment. Be it unintended backup storage, accidental end-user copies, or even development logging on servers.
The Power Of Combined Intelligence
MAX Risk Intelligence provides customers with combined intelligence to know what devices are at risk to compromise from existing vulnerabilities as well as the intelligence to detect if there is sensitive unencrypted data at rest on the device. Armed with these pieces of information you can then take proactive steps to reduce the risk associated with these devices by first removing or encrypting the sensitive data and then by applying remediation to remove the discovered vulnerabilities on the device.
Take a look at this sample risk report.
If you want more information or to try out MAX Risk Intelligence, visit:
MAX Risk Intelligence
Get the latest MSP tips, tricks, and ideas sent to your inbox each week.