Monday, January 20, 2014

POS attack - a bit more now known

Just about the same time our replacement bank-cards are rolling in, better details on the Target consumer data breach also are trickling out.

I’m mostly posting this for friends and family, who like us, have been fairly regular customers of this merchant and were hit hard by the breach.

Naturally we are invested in understanding just what happened and what (if anything) we as consumers (and IT sysadmins) can learn from it.

Tech and security journalist Brian Krebs has the most details, and there is little doubt more will be coming as the investigation and forensic response continues to mature.

Super-basically summarizing the reported information to-date, the attackers appear to have breached Target’s perimeter defenses and compromise a company web-server. From there they installed (pushed?) malware onto store POS terminals (all? some?) the cashiers use (as opposed to skimmers on the card-swipe hardware). It captured the raw card data read off the magnetic stripe swiped on the terminal while it was in the POS terminal’s memory, and then used a control server inside Target’s network to accumulate all the scraped card data. From there, about 6-days later the stolen data was transmitted out to an external FTP server using another infected system inside Target’s network. The data was then grabbed and removed off the FTP server over a two-week period.

So this is quite a bit more complex and sophisticated than hacking into a company network and finding a big pile of customer account information just sitting around for the taking in a company-created database file-set, grabbing it, and running for the hills.

It appears from Mr. Krebs’ articles that the Target POS systems were using custom software on top of Windows XP Embedded and Windows Embedded for POS. How the malware interacted with the OS and how the OS was protected by security software (AV/AM/heuristic) protection is also not known.

What is reported is that the malware used wasn’t flagged (at the time and at least though January 16th) by any of the 40+ AV tools listed on And someone uploaded a copy of the POS malware used in the attack to on Dec. 18th.

Side-note…I’ve not seen it reported but wonder if any of the other online automated malware analysis sandbox services (short GSD list from 2012 Malware Analysis Resources) also got a copy uploaded for the record to them?

Attacks like this may be much more common moving forward.

You can hardly go shopping or eat out in a restaurant, or pull cash from an ATM, or visit the doctor who is carrying a specialized tablet and not see a POS terminal doing the job. And just because the GUI doesn’t look like Windows doesn’t mean that there isn’t the possibility that Windows (or another OS) is actually running underneath.

Microsoft will continue to support Windows Embedded XP for a number more years, even though their primary consumer/enterprise XP OS platform support will be ending in Spring of 2014. That means merchants get some more time to decide to keep on running as is, look to upgrade their POS systems to a newer “modern” version of Windows Embedded, or look to a different POS OS solution entirely.

Either choice may be costly…and to be fair to the POS OS…we don’t yet know how the POS’s themselves were compromised. It might have been nothing to do with any vulnerabilities in the Windows Embedded OS itself. Clearly if the internal network structure is compromised and actors are able to push a software installation or “update” to the POS systems, then that might not be an OS issue at all but rather an operational security one.

It seems more likely that a good portion of the defense in depth layer was breached. The more important questions would be how was it possible, how could the breakdown/breach of each of those separate events been detected sooner, and how could the activity generated been identified and flagged; on the server(s), on the POS systems, and finally, on the network traffic inbound/outbound/internally.

I’m sure there will be lots of great (hard) lessons to be learned across the board on this one.

More linkage:

Stay tuned for updates.

Claus V.

No comments: