Jonathan Spruill
Editor’s note: Jonathan Spruill is a managing consultant at Trustwave and part of the company’s Incident Response & Digital Forensic Practice for the Americas.
Like most cases, this one started with a frantic call from a restaurant owner. The panic and uncertainty bled through the phone. He had just been notified his business suffered a payment card data breach and his acquiring bank mandated he hire an investigator to determine what happened.
The on-site setup was typical for a small, medium-sized restaurant – a few point of sale (POS) terminals in the main dining room and a single computer in the manager’s office which was used as the back-of-house server for the POS network.
During our investigation, we not only found payment card stealing malware on the POS systems and the back-of-house server but also troubling security weaknesses throughout the restaurant’s infrastructure. For example, the back-of-house server was also used for timekeeping and accounting and as the order system, which the beleaguered owner acknowledged was not ideal, but their budget for computing equipment and security was already stretched thin.
We discovered two remote access services that ran on the back-of-house computer: one for the vendor for the POS systems to perform remote technical support and the other for the accountant to check the books and retrieve receipts. We also noticed the restaurant did not have a hardware firewall installed on the network to segment its critical information (like the payment card data on the POS system) from its non-critical information. The owner pointed to a box on the shelf that did, in fact, contain a firewall appliance, but was still in its plastic wrapping. He said he never learned how to set up the device.
We checked the running processes on the back-of-house server and saw an unusual item — an executable called “ncsvr32.exe” running from “C:\Windows\Temp.” The filename and non-standard path for executables immediately captured our attention. The unusual path, known malicious filename and the multiple remote access utilities began to tell a familiar story but we still needed to confirm a few details back at the lab.
While reviewing the logs from the remote access program, we noticed a succession of failed log-in attempts from an IP address that did not match those provided by the owner for either the accountant or the POS vendor. After the failed attempts, there was a successful log-in entry. The logs showed a transfer of three files. As we continued to dig through the data, we could see the attackers’ actions clearly.
They used the first file in the malware bundle to install the second file. The first file was installed as a Windows service and acted as the method by which the malware would persist on the system, re-launching the remaining pieces as needed. The second piece did the heavy lifting, reading through memory and searching for payment card track data. When it found the data, it was passed to the final piece, which performed a simplistic encoding. The data was then stored on the computer waiting for the attacker to retrieve it.
We saw additional entries in the remote access logs, where the attacking IP address revisited and transferred data from the back-of-house computer. At the end of the investigation, we determined that hundreds of payment card numbers were compromised. We shared these findings with the owner, and the cleanup and remediation efforts began.
Most data breach forensic investigators today would find this kind of case to be par for the course. In fact, we’ve seen these criminal tactics used in some of the data breaches during the past year. However, this investigation took place in 2010. In other words, five years later, things have not changed.
Let’s compare our 2010 case to a more recent one. The victim business was not a single location but a franchise from a national chain. During the investigation, we found a remote access service used by the POS vendor to provide support to that location and dozens more across the country.
The access logs from the service showed a successful login from an unauthorized IP address and files transferred shortly afterward. The malware was found in another non-typical path, “C:\Users\Admin\AppData\Roaming\OracleJava.” The file, “javaw.exe,” was a known name for the Backoff malware family that infected thousands of businesses during the past year.
Reverse-engineering work on this sample showed memory-scraping abilities, as well as auto exfiltration to a remote server controlled by the attacker. Like the three-piece memory dumper found in our 2010 case, Backoff was installed as a Windows service to maintain persistence in case of an unexpected re-start. Further investigation revealed the POS support provider had experienced a phishing attack and the unknowing technician’s repository of passwords, conveniently called passwords.txt and saved on his desktop, was compromised.
The file contained the hostnames and passwords for all the locations managed by the POS vendor, including those owned by the franchisor, and therefore were also infected by the same Backoff malware. In total, the criminals compromised dozens of locations and stole thousands of payment card numbers.
The two cases demonstrate that many criminals use the same basic methods of attack that they have used for years. Yet, many businesses continue to lack the essential security controls and best practices that help prevent these kinds of attacks. In some cases, they simply do not have the resources to fully dedicate to security; in others, they still have that “it won’t happen to me” mentality.
This past year has demonstrated that no one is immune to an attack; however, the more difficult a business makes it for a criminal to succeed, the greater the likelihood he will move on to an easier target.
Comment