So we are up to 20 companies affected by the KAPTOXA/BlackPOS malware. The question is did anyone detect this easily detectable event?
"No antivirus software would have stopped the malware that attacked Neiman Marcus’ card-processing network, because it was rewritten to target the company, Kingston said. “It was very specifically designed for an attack on our systems,” he said."
First off, what is wrong with this statement? Mr. Kingston, if you are relying on Anti-Virus to catch an attack such as this APT, your Information Security Program is failing you. AV should never be expected to detect or prevent advanced attacks such as this, it is foolish to think AV would and I have news for you, AV is not designed for this type of threat... Just so you know.
Malware Management anyone?
Kingston also stated that the malware had "sophisticated features making it difficult to detect". Let's look at what we know about the KAPTOXA/BlackPOS malware.
1. We will give up the fact that an endpoint was compromised and it got onto one system. I always say "Give up the Endpoint and detect things from there". Relying on, or telling Congress the malware had a ZERO (0%) detection rate by AV is well, Duh.. All APT has a 0% detection rate. That is what makes it APT and "sophisticated".
2. The malware was a memory only resident program, or was it? K3wl, it was good malware, as expected and your Security program should be designed for such malware and threats, you know, the stuff that has a 0% detection rate by AV.
3. The malware wrote the encrypted bits to a file located at "C:\Windows\System32\Winxml.dll. OK, any NEW file that is added to \System32 on your static core systems should be reviewed as a part of a 'Malware Management' program. Might I point out this file was NOT a .DLL, rather it was a text file? Can you say look for 'MZ' in files that claim to be executables that are not, and 'MZ' in files with non-executable extensions. TripWire BTW would have detected this file over and over again as it did system checks due to the changes, so would many other security solutions. Nope, AV would not have caught this.
4. The malware ran a script that pushed ' Winxml.dll' to a remote system. Yup, lots of connections to one system from all your POS systems... Really, that is not odd? Windows logs will show this connection, but guessing your IT and InfoSec folks did not configure this, nor were they looking for this condition. Oh yeah.. Cuz you were relying on AV. Learn what Log Management is all about or SIEM as sales folk like to call it. Got Splunk?
5. The location and file name for the collection point was "C:\Windows\twain_32". Why would so many systems write to the Twain_32 directory? This is used for scanners. Do you have scanners on your PoS systems?
6. The account used to do all of this was behaving in a way that was probably not normal for this account. So you don't or can't monitor for administrative accounts being used outside their normal operation? No need, we have AV! Again, Log Management and Account Management would be prudent.
7. Might I point out that Windows logs will also capture the process being launched. Both CMD.exe, PSExec and FTP were used in this so called sophisticated attack. These events are captured in Windows logs, but guessing Process execution (EventID 4688 or 592 in XP) was not set to capture 'Success'. Carbon Black and the Windows Logging Service (WLS) agent would have caught this command line activity as well.
c:\windows\system32\cmd.exe,
c:\windows\system32\cmd.exe /c psexec /accepteula \\<EPOS_IPaddr>
-u <username> -p <password> cmd /c “taskkill /im bladelogic.exe /f”
c:\windows\system32\cmd.exe,
c:\windows\system32\cmd.exe /c psexec /accepteula \\ <EPOS_IPaddr>
-u <username> -p <password> -d bladelogic
c:\windows\system32\cmd.exe,
c:\windows\system32\cmd.exe /c move \\ <EPOS_IPaddr>\nt\twain_32a.dll
c:\program files\xxxxx\xxxxx\temp\data_2014_1_16_15_30.txt
c:\windows\system32\cmd.exe,
c:\windows\system32\cmd.exe /c ftp -s:c:\program files\xxxxx\xxxxx\temp\cmd.txt
8. PSExec installs as a Windows service. Logs also capture when a NEW Service is launched. So let me guess, your folks did not look for EventID 7045 either, or EventID 4697 for XP, a Security 101 item to look for in a good Log Management Program. In the quantities seen with Target and Neiman Marcus, this is really a DUH moment. Oh wait... maybe the fact that Neiman Marcus missed almost 60,000 alerts is the 'smack your forehead moment'.
"The 59,746 alerts set off by the malware indicated “suspicious behavior” and may have been interpreted as false positives associated with legitimate software. The report, prepared for the retailer by consultancy Protiviti, doesn’t specify why the alerts weren’t investigated."
9. Network traffic, often called NetFlow would have seen odd traffic in a static PoS environment and the SMB (port 445) and FTP traffic would have set off someones spider sense if in fact they were doing what a good InfoSec program does, look for nefarious behavior. Baseline what is normal and detect what is not.
It is clear to me the memory component was sophisticated, it grab credit card numbers and encrypted them on disk; but that is about all that was sophisticated about this malware, oh, and the fact they encrypted the stolen CC numbers is just ironic.
We need to quit chasing Compliance and start doing REAL Security Engineering to detect and catch these types of attacks. All the data I, or many others in our field was present and we would have caught this long before the massive breaches they are.
So Mr. Kingston (Neiman Marcus) and Mr. Mulligan (Target) your Information Security programs, though expensive, do little to stop the real threats facing all of us today. You might consider hiring InfoSec people who know how to defend and spend less time on Compliance and more on Detection and Response.
- Read more on the technical details of the malware
- Details on what the scripts executed
- Special report by McAfee
- SecureState FREE BlackPoS scanning tool
#InfoSec #HackerHurricane #KAPTOXA #BlackPOS