Many business networks that include many US retailers have sleeper servers in contact with remote command and control servers.
Two reports announce that a significant number of business networks, including retailers, have sleepers, also known as compromised servers, that are in contact with remote command and control servers.
“Based on our analysis of 139 U.S. retailers from November 1, 2013 through January 12, 2014 we found 1,035 distinct infections communicating out from corporate networks, 7.5 on average per company," according to BitSight’s 2014 Risk Management Blog.
That announcement is a bit unnerving having witnessed the Target breach up close and personal. The BitSight chart (above) graphs the types of malware versus the number of infections emanating from the 139 retailers.
Ready for some more? Page 48 of Cisco’s 2014 Annual Security Report states:
“In a recent project reviewing Domain Name Service (DNS) lookups originating from inside corporate networks, Cisco threat intelligence experts found that in every case, organizations showed evidence that their networks had been misused or compromised.”
The chart (above) included in the Cisco report punctuates the point made in the quote by proclaiming 100 percent of the corporate networks Cisco checked had traffic going to websites that host malware. It seems the title I chose for this article was more than a ploy to grab your attention.
How is it possible?
When I first started working on this article, the big unknown to me was how attackers first gain access to corporate networks. In the case of Target, the way in was recently revealed. Attackers stole login information from a Target-approved HVAC contractor that was authorized to access certain non-retail Target websites. Brian Krebs provided an in-depth report of what investigators determined:
“Multiple sources close to the investigation now tell this reporter that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.”
It is hard to comprehend that Target most likely will be facing years of litigation costing the company hundreds of millions of dollars all because of a phishing email.
What happened next?
Readers have asked me to explain what happens when attackers gain access to these giant corporate networks. More to the point, how do they get control of PoS systems, and steal shoppers’ financial information? To answer their questions, I talked to Gary Warner, director of research in computer forensics at the University of Alabama, Birmingham, and founder/CTO of Malcovery Security.
Gary prepared a detailed investigative report of what he and other experts feel were the steps taken by the attackers once they gained a foothold in Target’s corporate network.
During my call with Gary, he walked me through the intricate details that culminated in the attackers stealing the financial and personal information of more than 100 million Target shoppers. Gary first wanted me to mention that the Target breach is still an ongoing investigation, meaning much information is still sequestered. The attack scenario proposed by Gary is based his extensive experience in computer forensics and the initial data from iSight, a company involved in the U.S. Secret Service investigation into the Target data breach. (For unknown reasons, the files were no longer available soon after Gary downloaded them.)
Target “hacker tools” provide breach insight
The first thing Gary and his team at Malcovery did was find all of the hashes in the data from iSight. Hashes are fingerprints of files and executables, and in this case, good indicators of what attackers installed on the Target servers. Once Gary gathered all the likely candidates, he submitted them to VirusTotal, a service that analyzes suspicious files to determine if they are indeed related to malware. All of the hashes were deemed safe by VirusTotal, meaning that antimalware applications would not flag them or alert system administrators of their presence.
It seems most of the 14 identifiable tools Gary found are commonly used by system and network administrators in their daily tasks. One of the tools is PsExec.exe. Gary said, “PsExec.exe is a tool, originally by SysInternals, now owned and marketed by Microsoft, which allows a system administrator to export a list of password hashes from a Windows computer.”
The next step was to determine how the attackers used the executable files. Malcovery created tables (example below) that display the hash, and the executable’s likely purpose.
In the report, Gary explained each of the tools, and why it was important to the attack. Put simply, the attackers quietly installed network tools on a Target internal server, allowing them to explore the corporate network, and after sufficient reconnaissance setup systems inside Target’s network to exfiltrate shoppers’ financial information to remote servers.
I asked Gary why he went through this detailed exercise. He replied he was concerned that parties in the know were not releasing information that might help other organizations—potentially in the same situation as Target—check their infrastructure. Remember the bleak conclusions reached by the BitSight and Cisco reports.
Since Gary had access to the iSight report before it was pulled, he felt obligated to share his conclusions, hence the Malcovery report, and the following suggestions:
- Have a process for identifying “Administrative Tools” that are stored in the wrong places.
- Restrict servers from accessing the Internet.
- Inventory “authorized services” for company servers.
- Check system folders for new or changed files.
- Check for unusual protocols and ports being used for internal LAN communications.
- Use internal network honeypots to look for port-scanning and other signs of an intruder.