hp-security-research-cyber-risk-report-pdf-2-w-1408

Recommendations

Info

HP Security Research | Cyber Risk Report 2015MozartThe Mozart track 1 and track 2 data recognition routine is more sophisticated than that used bythe other POS malware. Of note, it does not buffer any data before attempting to match trackseparators. While malware such as BlackPOS buffers data and uses CPU cycles to find possiblenumber patterns, Mozart checks the validity of track 1 and 2 data heuristically after it finds thetrack separators. Mozart is also able to recognize a broader range of character types in bothdata tracks than our other two examples, making it not only more efficient computationally, butgiving it a broader application and possibly higher success rate.Mozart also uses some additional verification mechanisms of interest. It checks the cardissuer identification number after it gathers possible track records, then it utilizes the Luhnalgorithm 132 to check that the numbers it captured were potentially valid card numbers. Not onlydoes this effort decrease the number of false positives, it decreases the size of the log file.Track data managementWhile Mozart might be the best example of efficient targeting of track data, BlackPOS standsout for its track data management. Many POS malware types simply save the track recordsthey capture direct to the file system. However, BlackPOS maintains a binary tree data structureof the track record in memory so that it can quickly check if the record has been collectedpreviously. This has a few advantages. By removing duplicate records, it can reduce the size ofthe track record log file. With a smaller footprint on the network, it has a better chance to avoiddetection. Storage is usually minimal on POS systems and by saving on local hard disk storage,BlackPOS can save more track records. In contrast, POS malware like Dexter uses a simplefunction, StrStrA, to find duplicate track records: A binary tree data structure is a lot faster thanjust using a StrStrA string matching function when it comes to performance.Interestingly, while Mozart was responsible for the theft of 56 million credit and debit cardnumbers, it doesn’t contain any data management functionality; it simply saves every trackentry it encounters while RAM scraping.Data exfiltrationOnce the financial data is captured, it needs to be transported from the affected system so itcan be sold or otherwise used for fraud. Usually, this step of data exfiltration is not directlyperformed by the POS malware. As with other modern malware, POS malware is often modularand while it performs RAM scraping and saves the data to a log file on a local system or remoteUNC location, different modules are responsible for uploading those log files to the attacker.That setup is common and was used in recently reported breaches, including those at Targetand Home Depot.Both Mozart and BlackPOS use very similar schemes for uploading log files. They both usea specific time frame to initiate a network operation to copy the files when the traffic willlook least suspicious, and they both use Windows sharing to push the log files to a centrallocation inside the compromised network. The most likely reason for this is that the infectedPOS machine itself might not have an Internet connection; therefore, the data needs to betransported to a location that does. From there, another component pushes the data outsideof the network to machines under the attacker’s control. BlackPOS is known to use an FTPprogram to upload its log files.132http://www.creditcards.com/credit-cardnews/luhn-formula-credit-card-numbersystem-1273.php.44
HP Security Research | Cyber Risk Report 2015Using regular expressions is resourceintensive.It makes the scanningprocess slow and may affect the overallperformance of the POS machine itself,making detectionmore likely.Defenses against POS malwareThe following lists a number of steps that businesses using POS systems can take to reduce therisk of being compromised by POS malware:• Use multi-factor authentication; this will substantially increase the difficulty required to usecompromised credentials• Segment the network• Limit allowed protocols• Limit user privileges• Initially monitor the addition of new users, particularly privileged users• Monitor for excessive and abnormal LDAP (Lightweight Directory Access Protocol) queries• Use application whitelisting on sensitive servers (those that are used for critical functions)• Heavily secure and monitor Active Directory• Migrate to an EMV Chip-and-Pin point of sale system, which makes cloning credit cardsnearly impossibleBy looking at the POS malware responsible for some of the recent big breaches, we’vediscovered that while they share a number of similar features, they do not appear to share thesame code base. Simply put, the functionality is similar but the code is different, which suggeststhat they were developed independently by different groups. Of course, some features, such astrack record management are also different for each case. The most notable difference betweenthem, however, is the track record recognition routines. Each malware uses its own methodfor locating track records and regardless of differences, the custom code they contain is muchmore advanced than that of older POS malware families that use regular expressions for thispurpose. Using regular expressions is resource-intensive. It makes the scanning process slowand may affect the overall performance of the POS machine itself, making detection more likelyas administrators investigate the source of the slowdown. Also, as RAM scraping is all abouttiming—when a customer swipes the credit card it is passed to the POS process, but there is noguarantee on how long the data will be intact in process memory. Finally, the faster you finishone loop of scanning, the greater the chances of catching new track records.Our final takeaway though, regarding BlackPOS and Mozart in particular, is that they lookcustomized—that is, they look as though they were developed for these specific breaches.BlackPOS contains an encoded form of a targeted POS process name, which might be specificto Target’s POS environment. BlackPOS and Mozart also have hardcoded server IP addresses towhich they push the log files of captured data. This tells us that these POS malware programswere built by people who knew the targeted environments.45
Page 1 and 2: BrochureHP SecurityResearchCyber Ri
Page 3 and 4: HP Security Research | Cyber Risk R
Page 43: HP Security Research | Cyber Risk R
Page 74: HP Security Research | Cyber Risk R

hp-security-research-cyber-risk-report-pdf-2-w-1408

Create successful ePaper yourself

Delete template?

Save as template?