The world's network is facing a huge test, everyone's information is a serious security threat, although it seems that your information still has a certain security, but in the face of emerging new technologies, it is necessary to understand the entire attack process, because hackers are still there.
A new study by Aorato, a security firm, shows that the company's new PCI compliance program has dramatically reduced the scope of the damage after a massive theft of personally identifiable information (PII) and credit and debit card data in the Target data disclosure practice earlier this year. Using all available public reports, Aorato's lead researcher Tal Aorato Ery and his team documented all the tools attackers used to attack target and created a step-by-step process to tell how the attacker infiltrated the retailer, spread it within its network, And eventually grab credit card data from the POS system.
Tracking attacks are like web paleontology, and Beery admits that security company Aorato may not be right to describe some of the details, but he is convinced that the target network system is being rebuilt correctly.
"I like to call it cyber paleontology," said Ery. There are a number of reports claiming that there have been a lot of attack tools in this incident, but they have not explained how the attackers actually use these tools. It's like having dinosaur bones, but I don't know what the dinosaurs were like, but luckily we knew about the other dinosaurs. Using our knowledge, we can reconstruct this dinosaur model.
In the middle of the busiest shopping season of the year in December 2013, there was a resurgence of talk of target data leaks. Soon the trickle becomes torrent, and it is increasingly clear that attackers have acquired 70 million of consumers ' personal identity information and 40 million of credit and debit card data information. Target's CIO and chairman, president and chief executive have resigned. Analysts say the economic losses are expected to reach $1 billion trillion.
Most people who understand the above events know that it starts by stealing the target vendor's credit credentials. But how does an attacker gradually infiltrate a core business system from the boundary of the target network? Be ' ery believes that the attackers have taken 11 steps to deliberate.
Step One: Install malicious software that steals credit card credentials
The attackers first stole the voucher from Target air conditioner supplier Fazio Mechanical Services. According to Kreson security, which first broke the compliance story, the attackers first carried out an infection of the supplier's fishing activities via email and malware.
Step two: Use stolen credentials to establish a connection
Attackers use stolen credentials to access Target's home page dedicated to the service provider. In a public statement after the violation, Fazio Mechanical services, chairman and holder of Ross Fazio, said the company did not remotely monitor target's heating, cooling and refrigeration systems. The data it connects to the target network is dedicated to electronic billing, contract submission, and project management.
This Web application is very limited. While an attacker can now access target within the target Internal network Web application, the application does not allow arbitrary command execution, which will be very urgent during the attack.
Step Three: Developing Web program vulnerabilities
An attacker would need to find a loophole that could be exploited. Be ' ery points out an attack tool named "xmlrpc.php" listed in a public report. "According to Aorato's report, when all other known attack tool files are Windows executables, this is a PHP file that runs scripts within the Web application."
"This file indicates that an attacker could upload a PHP file via a vulnerability in a Web application," Aorato reports, as the reason may be that the Web application has an upload function to upload legitimate files such as invoices. However, as is often the case in Web applications, there is always no proper security check to ensure that executable files are not uploaded.
A malicious script could be a "web shell", a base web that allows attackers to upload files and execute the back door of arbitrary operating system commands. "Attackers know that they will attract attention in the end by stealing credit cards and using bank cards to get money," he explains. They sold credit card numbers on the black market, and Target was soon notified of data leaks.
Fourth step: Careful investigation
At this point, the attackers had to slow down to do some recon. They have the ability to run arbitrary operating system commands, but further actions require intelligence on the target's internal network, so they need to find servers that store customer information and credit card data. The target is the Active Directory for target, which includes all members of the data domain: Users, computers, and services. They are able to query the Active Directory using internal Windows tools and LDAP protocols. Aorato believes that an attacker simply retrieves all the services that contain the string "MSSQLSVC" and then infers the purpose of each server by looking at the name of the server. This may also be the process that the attacker later used to find the pos-related machine. Using the name of the attack target, Aorato that the attacker would then be given the IP address of the DNS server queried.
Fifth step: Steal domain administrator access token
At this point, be ' ery believes that attackers have identified their goals, but they need access rights, especially domain administrator privileges, to help them. Based on the information provided to Brian Krebs by former Target security team members, aorato that the attacker used a "pass-the-hash" attack technique to obtain an NT token to mimic the Active Directory administrator- At least until the actual administrator changes its password.
As this technique is further validated, Aorato points to the use of the tool, including a penetration test tool for logging in in-memory and NTLM credentials, and a hashing password to extract domain account NT/LM history.
Sixth step: New domain Administrator account
The previous step allows an attacker to disguise as a domain administrator, but when the victim changes the password or attempts to access a service that needs to display a password (such as Remote Desktop), he becomes invalid. Then, the next step is to create a new domain administrator account.
Attackers can use their stolen privileges to create a new account and add it to the domain Administration Group, providing account privileges to the attacker, as well as giving the attacker the opportunity to control the password.
Being ' ery says this is another example of an attacker hiding in a common scenario. The new username is the same "Best1_user" as the BMC bladelogic Server user name.
"This is a highly unusual pattern," said Ery, who is always aware of the simple steps of monitoring the user list and the new and other sensitive administrator accounts that can effectively block attackers (+ micro-mail attention to the Web world), so you must monitor access patterns.
Step seventh: Propagate to the computer using the new administration voucher
With the new access credentials, the attacker can now continue to pursue its target. But Aorato points to two hurdles in its path: bypassing firewalls and other network security solutions that restrict direct access to related targets, and running remote programs on a variety of machines for their attack targets. Aorato says attackers use "angry IP scanners" to detect Internet computers and bypass security tools through a range of servers.
As for remote execution of programs on the target server, an attacker uses their credentials to connect to the Microsoft PsExec application (the telnet-replacement that executes processes on other systems) and Windows Remote Desktop clients.
Aorato points out that both tools use Active Directory Users for authentication and authorization, which means that Active Directory will know the first time once someone is searching.
Once an attacker accesses the target system, they will use Microsoft's coordinator management solution to gain continuous access, which will allow them to execute arbitrary code remotely on the compromised server.
Step eighth: Stealing PII 70 million
In this step, Aorato says, the attackers use SQL query tools to evaluate the value of the price database server and the SQL bulk Copy tool that retrieves the contents of the database. This process, in fact, is the PCI compliance of the hackers caused by the serious data leakage accident-40 million credit cards.
When an attacker has successfully visited target targets for 70 million, it did not get access to the credit card. The attackers will have to restructure a new plan.
Since target complies with PCI compliance, the database does not store any credit card specific data, so they have to switch to plan B to steal credit cards directly from the sales point of view.
Nineth Step: Install malware steal 40 million credit card
The POS system is probably not an attacker's initial target. Only when they are unable to access credit card data on the server will they focus on the POS as an emergency. In step fourth, using the network and step seventh remote execution function, the attacker installed a kaptoxa on a POS machine. Malware is used to scan the memory of infected machines and to save all credit card data found on local files. In this step, the attacker would use specialized malware rather than a common tool.
"Having antivirus tools doesn't work in this case," he says. "When the stakes are too high and profits are tens of millions of dollars, they don't mind the cost of creating a special tool." ”
Tenth step: Pass the stolen data through the network share
Once the malware acquires the credit card data, it uses Windows commands and domain management credentials to create a remote file share on the remote FTP machine and periodically copies the local files to the remote share. Being ' ery here emphasizes that these activities will be authorized for activity directory.
11th Step: Steal Data via FTP
Finally, once the data arrives on the FTP device, you can use an internal FTP client in Windows to send a script to an FTP account that has been controlled by the attacker.
The initial penetration point is not the end of the story, because ultimately you have to assume that you will eventually be attacked. You must be prepared and you must have an incident response plan when you are attacked. The real problem arises when malware allows attackers to explore the network in greater depth. If you have the right judgment, the problem will really show up.
How to protect your business or organization
Enhance access control. Monitor the file access mode system to identify exceptions and rogue access patterns. Where possible, use multifactor authentication to access sensitive systems to reduce the risk associated with credit card vouchers. Isolate the network and limit the use of the Protocol and the excessive privileges of the user.
Monitor the list of users, always focusing on new additions, especially privileged users. Monitors reconnaissance and information gathering signs, paying special attention to excessive queries and abnormal LDAP queries. Consider allowing the white list of items. Do not rely on anti-malware solutions as the primary mitigation because attackers use legitimate tools primarily. Installs security and monitoring control devices on Active Directory because of their involvement in almost all stages of attack. Participates in the information Sharing and Analysis Center (ISAC) and the Network Intelligence Sharing Center (CISC) to obtain valuable tactics, techniques and procedures (TTPS) for intelligence attackers.