Since the news of the Target breach broke and it was revealed that there was malware on the point of sale (PoS) system, I have been increasingly interested not only in how the malware got there in the first place, but the story as it has rolled on.
According to research from McAfee, Target was compromised via undisclosed methods in November; the attackers planted point-of-sale malware and intercepted approximately tens of millions of records' worth of payment, transaction and other personally identifiable data.
“Although there is no official confirmation, we have credible evidence to indicate that the malware used in the Target stores attack is related to existing malware kits sold in underground forums. Related samples to date are somewhat similar in function to (and possibly derived from) known ‘BlackPOS’ samples,” it said.
Elsewhere, Dark Reading reported on infections that had collected payment card and personal information from 50,000 users. RSA Security’s labs did not name the victims, but the company denied any ties between the “ChewBacca” malware and the attacks on Target, Neiman Marcus, and Michael’s. However, with the data records collected in those attacks, I wonder if attackers are seeing the opportunity and are influenced by the actions of those who perpetrated the attack.
Security Week reported that while ChewBacca is not new and is not used exclusively against POS systems, the malware can log keystrokes and scrape a system’s memory. The memory scanner dumps a copy of a process’s memory and searches it for payment card data; if a card number is found, it is extracted and logged by the server.
According to Richard Moulds, VP of product strategy at Thales e-Security, in-store point of sale terminals are particularly vulnerable because they handle highly sensitive cardholder data, they exist in large numbers and they sit in notoriously insecure places – the retail store.
He called on cardholder data to be encrypted or tokenised at the point of capture, and decrypted only on a “need to know” basis and only in trusted environments. “It really requires a shift of mindset. IT people like to secure systems, the things they control, but consumers and regulators really want them to protect the data itself. If you take the traditional approach, a flaw in any single system, any weak link in the chain (like the point of sale terminal in this case) could easily result in that data being stolen. Encryption protects data wherever it goes,” he said.
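As an added illustration (not code from the original post or from any vendor quoted in it), this shows the pattern-plus-Luhn check an audit or DLP tool runs over a process memory dump to confirm that no cleartext card number is retained, alongside a minimal tokenise-at-capture step of the kind Moulds describes. The sample buffer, the public test PAN, and the in-memory `VAULT` store are constructed assumptions.

```python
import re
import secrets
import string

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of a PoS process buffer holding cleartext card data
# (track-1 style record around a public test PAN; not a real capture).
SAMPLE_DUMP = (
    b"\x00session=7f3a\x00"
    b"%B4111111111111111^DOE/JOHN^2512101?\x00"        # test PAN, Luhn-valid
    b"order=20140131-000123 ref=4111111111111112\x00"  # digit runs that fail Luhn
)

VAULT = {}  # hypothetical token vault; in practice a separate, trusted environment

def luhn_ok(digits):
    """Mod-10 check that weeds out order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(buf):
    """Audit check: Luhn-valid PANs present in a raw buffer such as a memory dump."""
    hits = []
    for m in PAN_RE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def tokenize(pan):
    """Store the PAN in the vault and return a token that never looks like a PAN."""
    rnd = "".join(secrets.choice(string.ascii_lowercase) for _ in range(12))
    token = f"tok_{rnd}_{pan[-4:]}"  # last four digits kept for receipts
    VAULT[token] = pan
    return token

def tokenize_at_capture(record):
    """Swap every valid PAN for a vault token before the record is ever buffered."""
    def swap(m):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        return tokenize(digits).encode() if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(swap, record)
```

Running `find_pans` over the raw buffer reports the test PAN once; after `tokenize_at_capture`, the same scan reports nothing, which is the property a memory scraper on the terminal would be defeated by.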
So back to the PoS compromise. Several stories claim to have the detail on how Target’s PoS systems were compromised: according to security blogger Brian Krebs, it may have been done via an SQL injection attack or via a service called “BladeLogic”, a mimic of BMC’s product of the same name.
Krebs reported that BMC spokeswoman Ann Duhon said that the attackers were simply invoking BMC’s trademark to make the malicious program appear legitimate to the casual observer, but it seems likely that at least some BMC software was running inside of Target’s network and that the attackers were well aware of it.
A BMC statement said that it had received no information from Target or the investigators regarding the breach and the malware does not compromise, or integrate with, any BMC products in any way. It also said that a password used was not generated by BMC.
“At this point, there is nothing to suggest that BMC BladeLogic or BMC Performance Assurance has a security flaw or was compromised as part of this attack,” it said.
This leads me on to another story I spotted. Naked Security wrote that the attackers got in via a vendor using legitimate credentials and that, after learning of the attack, Target shuttered remote access to two internal systems: a human resources website called eHR and a database for suppliers called Info Retriever. Network World also reported that, in order to secure its network, Target has updated access controls.
According to an FBI notification, the bureau has discovered approximately twenty incidents related to PoS malware within the last year, one of which was seen in open source. One piece of PoS malware was seen on an underground forum trading for $6,000, the FBI said.
Returning to the infection method, the FBI report claimed that the PoS malware is typically introduced into a system after the system has already been compromised. “In other words, the PoS malware serves as the payload as a result of the initial intrusion. The attack can take various forms, such as phishing emails, compromised websites, and other common infection vectors,” it said.
So was it a case of an attacker using compromised but genuine credentials to upload the malware? I doubt this will ever be clear, as multiple retailers have already been hit and others will follow, and new tactics will be used which will continue to become simpler and simpler to execute.
Shane Shook, global VP of consulting at Cylance, said that retail (and associated payment card) breaches will continue to be pursued by attackers, as they are simply too lucrative to ignore, and in today’s retail systems architecture they are also too easy to accomplish.
He said that three things need to change to help retailers limit their risk: payment card industry standards and regulations need to enforce a requirement to encrypt data wherever it is stored in retail or associated systems; retailers need to be given tools to recognise and prevent malware; and the entire US retailing/credit/banking system must consider moving to the chip-and-PIN card system that the European and world markets have largely moved to.
Changes will help, but as writer Lisa Vaas pointed out on the Naked Security website, PoS malware is “not going away anytime soon, that’s for sure: the FBI says the profits are huge, and the PoS malware is both too cheap and too widely available on underground markets for thieves to resist.”
If it is easy to do and proven to work, then others will follow and do the same.