As a follow-up to our recently held webinar Fresh Prints of Malware - Retail Therapy: An Analysis of Retail Breaches and Card Theft, questions answered by presenters Nick Pelletier and Manny Jean-Georges are listed below. To view the archived webinar, please click here.
- In the first case study, how much time elapsed between the initial infection of the retailer and the lateral move to the payment processor?
Based on the attack timeline, the attacker compromised the retail environment approximately two days prior to moving into the payment processor's environment.
Additionally, we identified very little attacker activity within the retailer's environment between the initial compromise and the movement to the payment processor. This might indicate that the attacker performed some offline analysis of their network reconnaissance data, or other research, that led to the discovery of the business-to-business connection.
- In the first case study, what details lead to the belief that access was sold from a botnet to a third-party cybercriminal?
The idea that the initial access was obtained through a large-scale botnet-type campaign and then sold to a third party is an assumption based on available evidence, not a proven fact.
The first piece of evidence that supports this theory is that the malware identified as the initial infection vector is not associated with financially motivated, or even targeted, attackers. In fact, this malware is often used with the goal of infecting as many systems across as wide a footprint as possible. In our experience, this type of malware would not be deployed in a targeted fashion. The type of malware identified, coupled with the lack of any other evidence of a targeted breach, led us to believe that the sale of access was a reasonable theory in this case.
- Is the access to these systems only occurring via brute-force from the Internet, or are attackers leveraging trusted connections (for example, from corporate networks) to attack these systems?
While both of the case studies discussed involved initial access from the Internet, we have investigated numerous incidents where attackers leveraged trusted connections to obtain access to target networks. Not only will attackers leverage corporate WAN connections, they will often use trusted business-to-business connections from third parties. As we saw in the first case study, the attacker moved laterally from a retail environment to a payment processing environment via a trusted third-party connection.
These facts indicate that attackers typically perform some degree of research to understand which organizations their target works with. This allows the attacker to identify the path of least resistance and accomplish their end goal more easily.
- What advice would you provide for rebuilding a system to pre-attack status?
The best-case scenario when remediating a compromised system is to restore it to an initial configuration using known-good media; in other words, using a corporate standard image and erasing all existing data on the compromised system. Additionally, we would caution against restoring data from an incremental backup, as the backup may contain malware as well.
At times, this approach is not feasible. In these cases, at a minimum, remove all malicious software to prevent any further access. However, be aware that by not performing a full reimage, you run the risk of missing some malware. Should this happen, not only will the containment or remediation fail, but you also run the risk of letting the attacker know you are on to them.
- How does the new Apple Pay service compare? How will these types of services play into the landscape of financial breaches?
The new Apple Pay service is currently only available on iPhone 6 devices and utilizes near-field communication (NFC) to make purchases.
The first avenue for obtaining information from NFC is a man-in-the-middle attack. A man-in-the-middle attack would allow a device to intercept the NFC communication between the phone and the register and capture the data in transit. If the payment device negotiated the connection with the man-in-the-middle device, any in-transit protections, such as encryption, could be undone, since the man-in-the-middle device would possess the keys used.
In addition, cell phones can act as NFC receivers, allowing for the skimming of NFC information using a simple cell phone app. In this scenario, the attacker would use a cell phone as an NFC receiver and simply place the NFC antenna close enough to a transmitting device to capture the payment information. This specific scenario could be used to steal payment card data from tap-to-pay cards.
However, the Apple Pay technology does not transmit track data when conducting purchases. It may be possible, however, to obtain track data from a device configured to use Apple Pay, if that track data is stored on the device itself.
- What sort of software do you generally see running on point-of-sale terminals?
We see a wide range of workstation operating systems on point-of-sale terminals. Windows XP and Windows 7, as well as various versions of Windows Embedded, are the most common.
- Do you usually see anti-malware software running on point-of-sale systems?
In almost all of the investigations we perform, an antivirus solution is deployed. Unfortunately, in a lot of these situations, the malware involved is targeted and relatively unknown, so it is not being picked up by most antivirus solutions.
In the first case study, we mentioned that the first system was infected with botnet-type software. This is the type of malware that we would expect an antivirus product to identify. Unfortunately, in this specific instance, the antivirus software running on the terminal was not up to date, and was therefore missing a signature that might have caught the offending software.
- Why does it seem that detection of compromise on a point-of-sale terminal takes so long in many cases?
In most retail breaches, the malware used on point-of-sale terminals, such as memory-scraping malware, will be configured to run in the background with very little footprint. The malware is specifically designed to be non-intrusive and avoid detection. This makes discovery by administrators difficult.
In addition, many point-of-sale systems are configured to run in a kiosk mode. To most users, a point-of-sale system in kiosk mode will not resemble the computers they are used to interacting with. For this reason, the everyday users of these systems are less likely to identify something "unusual" occurring.
- How does insurance play into these situations?
We are involved in a lot of situations where the victim organization has an insurance policy that, in some fashion, covers the breach. From our perspective as investigators, the involvement of insurance does not change our approach -- we will perform the investigation in the same manner.
We can't provide a lot of detail about the intricacies of insurance coverage and policies. However, we do know that insurance providers are often involved during these investigations. If a breach is something your organization is concerned about and you do not currently have insurance, we would certainly recommend looking into it.
- What should every retailer do right now?
Because we are seeing these types of breaches more and more frequently (and they are becoming news stories more frequently), one of the first things we would suggest is establishing an initiative to identify a potential breach within your own environment.
Specifically, we would suggest looking for the signs of a breach, such as those we discussed during this webinar. Artifacts such as unknown processes on payment terminals, authentication between point-of-sale systems, and evidence of staged track data may be good places to start. It may also be helpful to assess your PCI environment for weaknesses that an attacker may target to obtain access.
Whether you already have such a program or are looking for help in building one, it may be worthwhile to contact a third party who can provide insight and guidance. An experienced outside opinion can provide a valuable boost to your initiatives.
In taking these steps, a retailer can gain an increased level of confidence that they have not been breached. In the event that these initiatives discover a breach, you will be able to start containment activities sooner and lessen the overall loss.
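Two of the breach indicators named above, staged track data and authentication between point-of-sale terminals, can be hunted for with a small triage script. The example below is added here for illustration and is not code from the webinar or its presenters. It searches a file or memory dump for Track 1 and Track 2 magnetic-stripe formats (the same formats memory-scraping malware collects), discards candidates whose primary account number fails the Luhn check to cut false positives, and separately flags logon records where both source and destination are terminals. The `POS-nnnn` host naming convention, the CSV logon export layout, and all sample data are constructed assumptions for the example; the card numbers are well-known public test numbers.

```python
import re

# Track 2 as written by a stripe reader: ;PAN=YYMMSSS<discretionary>?
# PAN is 13-19 digits, '=' separates fields, YYMM expiry, 3-digit service code.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,30}\?")
# Track 1: %B<PAN>^<NAME>^YYMMSSS<discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})(\d{3})[^?]{0,30}\?")

# Assumed terminal naming convention for this example (not from the page).
POS_HOST_RE = re.compile(r"^POS-\d{4}$")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that distinguishes real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so findings can be reported safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_staged_track_data(blob: bytes):
    """Return (track, masked PAN, expiry) for every Luhn-valid track record in blob."""
    hits = []
    for label, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(blob):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                hits.append((label, mask_pan(pan), m.group(2).decode()))
    return hits


def pos_to_pos_logons(csv_text: str):
    """Flag successful logons (Windows event 4624) whose source workstation and
    destination host are both terminals. Terminals normally authenticate to
    back-office servers, not to each other, so these merit a closer look."""
    flagged = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, user, event_id, _logon_type = line.split(",")
        if event_id == "4624" and POS_HOST_RE.match(src) and POS_HOST_RE.match(dst):
            flagged.append((ts, src, dst, user))
    return flagged


# Constructed stand-in for a process memory dump: two real-looking records,
# one record whose PAN fails Luhn, surrounded by unrelated bytes.
SAMPLE_DUMP = (
    b"\x00\x00POSAPP.EXE heartbeat ok\x00"
    b";4111111111111111=25121010000000000000?\x00"            # Luhn-valid test PAN
    b"%B5500000000000004^DOE/JANE^2512101000000000?\x00"      # Luhn-valid test PAN
    b";4111111111111112=25121010000000000000?\x00"            # fails Luhn, ignored
    b"config=kiosk; version=3.1\x00"
)

# Constructed logon export: timestamp,source,destination,user,event_id,logon_type
SAMPLE_LOGONS = """\
2014-10-02T01:12:44,POS-0117,POS-0212,svc_pos,4624,3
2014-10-02T01:13:01,JUMP-01,POS-0212,admin.jsmith,4624,10
2014-10-02T09:00:12,POS-0117,POSDB-01,svc_pos,4624,3
"""

if __name__ == "__main__":
    for hit in find_staged_track_data(SAMPLE_DUMP):
        print("staged track data:", hit)
    for rec in pos_to_pos_logons(SAMPLE_LOGONS):
        print("terminal-to-terminal logon:", rec)
```

Run against real data, the first function would be pointed at memory dumps or files written to unexpected locations on terminals, and the second at a normalized export of logon events; adjust `POS_HOST_RE` to the site's own naming scheme. The Luhn filter matters in practice because raw regexes over memory produce many digit strings that look like card numbers but are not.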