How does an attacker gradually infiltrate the core business system from the boundary of the target network?

"Editor's note" at the end of last year, US big retailer Target was exposed to hackers, causing up to 40 million credit cards and 70 million of consumers ' personal information stolen by hackers, Aorato's researchers and their team recorded all the tools attackers used to attack target. It also describes how an attacker penetrates a retailer, spreads within its network, and eventually grabs credit card data from a POS system.

The following is the original text:

A new study by Aorato, a security firm, shows that the company's new PCI compliance program has dramatically reduced the scope of the damage after a massive theft of personally identifiable information (PII) and credit and debit card data in the Target data disclosure practice earlier this year.

Using all available public reports, Aorato's lead researcher Tal Aorato ' ery and his team documented all the tools attackers used to attack target and created a step-by-step process to tell how the attacker infiltrated the retailer, spread it within its network, And eventually grab credit card data from the POS system. Details about the accident remain vague, but being ' ery believes it is necessary to understand the entire attack, as hackers still exist.

Tracking attacks like web paleontology

while being ' ery admits that security company Aorato may not be correct in describing some of the details, he is convinced that the comments on target network system reconstruction are correct.

"I like to call it cyber paleontology," said Ery. There are a number of reports claiming that there have been a lot of attack tools in this incident, but they have not explained how the attackers used the tools. It's like having dinosaur bones, but I don't know what the dinosaurs were like, but luckily we knew about the other dinosaurs. Using our knowledge, we can reconstruct this dinosaur model.

December 2013, amid the middle of the busiest shopping season of the year, talk of target data leaks has returned. Soon the trickle becomes torrent, and it is increasingly clear that attackers have acquired 70 million of consumers ' personal identity information and 40 million of credit and debit card data information. Target's CIO and chairman, President and CEO have resigned. Analysts say the economic losses are expected to reach $1 billion trillion.

Most people who understand the above events know that it starts by stealing the target vendor's credit credentials. But how does an attacker gradually infiltrate a core business system from the boundary of the target network? Be ' ery believes that the attackers have taken 11 steps to deliberate.

First step: Install malicious software that steals credit card credentials

The attacker first stole the certificate from Target air conditioner provider Fazio Mechanical services. According to Kreson security, which first broke the compliance story, the attackers first carried out an infection of the supplier's fishing activities via email and malware.

Step Two: Use stolen credentials to establish a connection

An attacker uses stolen credentials to access the home page of target dedicated to the service provider. In a public statement after the violation, Fazio Mechanical Services chairman and Holder Ross Fazio said the company did not remotely monitor target's heating, cooling and refrigeration systems. Its data connected to the target network is dedicated to electronic billing, contract submission and project management。

This Web application is very limited. While an attacker can now access target within the target Internal network Web application, the application does not allow arbitrary command execution, which is very urgent during the attack.

Step Three: Developing a Web Program vulnerability

An attacker would need to find an exploitable vulnerability. Be ' ery points out an attack tool named "xmlrpc.php" listed in a public report. "According to Aorato's report, when all other known attack tool files are Windows executables, this is a PHP file that runs scripts within the Web application."

"This file indicates that an attacker could upload a PHP file via a vulnerability in a Web application," The Aorato report shows, possibly because the Web application has an upload function for uploading legitimate files such as invoices. However, as is often the case in Web applications, there is always no proper security check to ensure that executable files are not uploaded.

A malicious script might be a "web shell", a base web that allows attackers to upload files and execute the back door of arbitrary operating system commands. "Attackers know that they will attract attention in the end by stealing credit cards and using bank cards to get money," he explains. They sold credit card numbers on the black market, and Target was soon notified of data leaks.

Step Fourth: Careful detection

at this point, the attackers had to slow down to do some careful reconnaissance. They have the ability to run arbitrary operating system commands, but further actions require intelligence on the target's internal network, so they need to find servers that store customer information and credit card data. The

Target is the Active Directory for target, which includes all members of the data domain: Users, computers, and services. They are able to query the Active Directory using internal Windows tools and LDAP protocols. Aorato believes that an attacker simply retrieves all the services that contain the string "MSSQLSVC" and then infers the purpose of each server by looking at the name of the server. This may also be the process that the attacker later used to find the pos-related machine. Using the name of the attack target, Aorato that the attacker would then be given the IP address of the DNS server queried.

Fifth step: Steal domain administrator access token





at this point, be ' ery believes that attackers have identified their goals, but they need access rights, especially domain administrator privileges, to help them.





based on the information provided to Brian Krebs by former Target security team members, Aorato that an attacker uses an attack technique called "Pass-the-hash" to get an NT token to mimic the Active Directory administrator- At least until the actual administrator changes its password.





as this technique is further validated, Aorato points to the use of the tool, including the penetration test tool for login sessions and NTLM credentials from memory, and the hashing password that extracts the domain account NT/LM history.





Step Sixth: New domain Administrator account





The previous step allows an attacker to disguise as a domain administrator, but when the victim changes the password or attempts to access a service that needs to display a password, such as Remote Desktop, he becomes invalid. Then, the next step is to create a new domain administrator account.





attackers can use their stolen privileges to create a new account and add it to the domain Administration Group, providing account privileges to the attacker, as well as giving the attacker the opportunity to control the password.





be ' ery says this is another example of an attacker hiding in a common scenario. The new username is the same "Best1_user" as the BMC bladelogic Server user name.





"This is a highly unusual pattern", be ' Ery said, the time to watch the user list of simple steps and new sensitive administrator accounts can effectively block attackers (+ micro-trust network World), so must monitor access mode.





Step Seventh: Use new administrative credentials to propagate to the computer





with the new access credentials, the attacker can now continue to pursue its target. But Aorato points to two hurdles in its path: bypassing firewalls and other network security solutions that restrict direct access to related targets, and running remote programs on a variety of machines for their attack targets.





Aorato says attackers use "angry IP scanners" to detect Internet computers and bypass security tools through a range of servers.





for remote execution of programs on the target server, attackers use their credentials to connect to Microsoft PsExec applications (telnet-replacement that perform processes on other systems) and Windows Remote Desktop clients.





Aorato points out that both tools use Active Directory Users for authentication and authorization, which means that Active Directory will know the first time once someone is searching.





Once an attacker accesses the target system, they will use Microsoft's coordinator management solution for continued access, which will allow them to execute arbitrary code remotely on the compromised server.





step eighth: Stealing PII 70 million




In this step,
Aorato says, the attackers use SQL query tools to evaluate the value of the price database server and the SQL bulk Copy tool that retrieves the contents of the database. This process, in fact, is the PCI compliance of the hackers caused by the serious data leakage accident-40 million credit cards.





when an attacker has successfully visited Target targeted customers in 70 million, it did not get access to credit cards. The attackers will have to restructure a new plan.





since target complies with PCI compliance, the database does not store any credit card specific data, so they have to switch to plan B to steal credit cards directly from the sales point of view.





nineth Step: Install malware theft 40 million credit card





POS systems are probably not an attacker's initial target. Only when they cannot access credit card data on the server will they focus on the POS as an emergency. In step fourth, using the network and step seventh remote execution function, the attacker installed a kaptoxa on a POS machine. Malware is used to scan the memory of infected machines and to save all credit card data found on local files.





in this step, the attackers use specialized malware rather than common tools.





"Having antivirus tools doesn't work in this situation," he says. "When the stakes are too high and profits are tens of millions of dollars, they don't mind the cost of creating a special tool." ”





Tenth step: Pass the data stealing through the network share





once the malware acquires credit card data, it uses Windows commands and domain management credentials to create a remote file share on a remote FTP machine and periodically copies local files to a remote share. Being ' ery here emphasizes that these activities will be authorized for activity directory.





11th Step: Steal Data via FTP





Finally, once the data arrives on the FTP device, you can use an internal FTP client in Windows to send a script to an FTP account that has been controlled by an attacker.





The initial infiltration point is not the end of the story, because eventually you have to assume that you will eventually be attacked. You must be prepared and you must have an incident response plan when you are attacked. The real problem arises when malware allows attackers to explore the network in greater depth. If you have the right judgment, the problem will really show up.





How to protect your business or organization





Enhanced access control. Monitor the file access mode system to identify exceptions and rogue access patterns. Where possible, use multifactor authentication to access sensitive systems to reduce the risk associated with credit card vouchers. Isolate the network and limit the use of the Protocol and the excessive privileges of the user.


 

Monitor the list of users, always focusing on new additions, especially privileged users. Monitors reconnaissance and information gathering signs, paying special attention to excessive queries and abnormal LDAP queries. Consider allowing the white list of items. Do not rely on anti-malware solutions as the primary mitigation because attackers use legitimate tools primarily. Installs security and monitoring control devices on Active Directory because of their involvement in almost all stages of attack. Participates in the information Sharing and Analysis Center (ISAC) and the Network Intelligence Sharing Center (CISC) to obtain valuable tactics, techniques and procedures (TTPS) for intelligence attackers.

SOURCE Link: Hackers attack target 11 steps (Zebian/Wei)

2014 China Internet Security Conference (ISC 2014), will be held September 24, 2014 25th in Beijing, the domestic Internet security officials, Internet security technology experts at home and abroad, as well as the various industries of information security supervisors and technicians will be the ISC 2014, the National Network space Strategic Security, Mobile Security, enterprise security, cloud and data security, web security, software security, electronic forensics, industrial security and apt and emerging threats such as Internet Information security hot topics, technology in-depth discussion and exchange. As an important partner of the General Assembly, CSDN in particular hosted two forum: Cloud and data Security forum and Software Security Forum, and for csdn users free of charge for some tickets (with this ticket can also enter other forums, and can receive a security technology book), the number of limited, click "Here" Registration!

Free Subscription "CSDN cloud Computing (left) and csdn large data (right)" micro-letter public number, real-time grasp of first-hand cloud news, to understand the latest big data progress!

CSDN publishes related cloud computing information, such as virtualization, Docker, OpenStack, Cloudstack, and data centers, sharing Hadoop, Spark, Nosql/newsql, HBase, Impala, memory calculations, stream computing, Machine learning and intelligent algorithms and other related large data views, providing cloud computing and large data technology, platform, practice and industry information services.