RETAIL CLIENT SUCCESS STORY


HUMAN-LED. TECHNOLOGY-ACCELERATED.

IMPACT TO COMPANY

A loss of profits, brand reputation, and consumer and investor confidence

CHALLENGE

In early 2017, a major U.S. retailer contacted R9B for advice about frequent crashes in its custom-built POS system. The system was crashing regularly during payment card transactions at locations across the country, and the retailer first suspected the cause was a software compatibility problem between the POS software and its PC operating system.

However, during an initial consultation, R9B found evidence that the retailer’s POS system was compromised. The team discovered a rogue process collecting customer payment card information. The retailer was initially hesitant to proceed with incident response and forensic investigation. After determining the POS crashes were not due to software compatibility issues, the retailer returned for assistance.

The team quickly determined that a standard system process that should not collect payment card information had been compromised through a memory injection, a way to hide and execute malware within legitimate processes. While this was a case of incident response, R9B regularly uses the ORION platform to proactively HUNT for similar memory-resident malware before it can do harm.

APPROACH

R9B ran a detailed DFIR process, including a comprehensive analysis of a number of infected systems and the method of infection. The first phase of the response was memory analysis of a crashing POS system; after finding the memory injection and extracting the malware, the team carried out a full DFIR investigation.

The DFIR team then analyzed network traffic and found four servers on the corporate network with which the infected POS systems were communicating. Through this analysis, the team determined that the adversary had a foothold spanning both the corporate and POS networks rather than isolated interaction with the POS systems. The hacker had set up a persistent command-and-control (C2) structure inside the retailer’s IT systems that allowed for collection of payment card information from several POS systems into a single file with on-demand exfiltration.

R9B also discovered that a laptop at one of the retailer’s facilities normally only used for corporate email was communicating with the same servers. The company alerted the retailer’s legal team, which seized the laptop and provided it for analysis.

A thorough forensics process found that the malware was collecting a wealth of payment card data, including full names, card numbers, and expiration dates. The team discovered through forensic analysis and threat intelligence research that the initial infection occurred through a well-crafted targeted phishing email. The email had been sent to a store manager and purported to come from a customer complaining about a product or service at the store. Clicking the link resulted in execution of malicious code from a remote location. This gave the attacker a starting point inside the corporate network to steal logon credentials and move to the POS network.

The detailed analysis by the DFIR team took approximately 10 days. R9B performed all the analysis remotely – the company did not need to be on-site at the retailer’s offices to run incident response processes.

CHALLENGES

▪ Identify and mitigate an active threat to the retailer’s nationwide point-of-sale (POS) network.

▪ Eradicate the attacker’s access and malware while ensuring normal business continuity.

APPROACH

▪ Use a comprehensive Digital Forensics and Incident Response (DFIR) process to track down malware inside the retailer’s network.

▪ Provide recommendations to the retailer to better protect its IT and POS system.

RESULTS

▪ DFIR process identified and removed the payment card skimming malware from the retailer’s POS system.

▪ With the attacker and malware removed from its systems, the retailer resumed normal sales transactions and ensured ongoing security of its customer payment card information.

▪ Implementing security recommendations, the retailer made several major improvements to its IT systems to create a more secure and robust IT infrastructure.

▪ R9B demonstrated ongoing value via proactive defense using the ORION HUNT platform to prevent similar attacks.


MAJOR RETAILER DEFEATS MALWARE FOUND SCRAPING PAYMENT CARD INFORMATION

R9B’s Digital Forensics and Incident Response (DFIR) team identifies a new malware attack collecting payment card data from the retailer’s customers.

Using a team of experienced malware analysts, R9B not only discovered the malware, but also determined the attack was based on a new breed of malware. The attack was fileless, meaning it happened through a memory injection with malware that was hosted outside of the organization. The attack used advanced techniques to hide its persistence on the infected servers using encrypted shellcode embedded in the operating system’s registry. Because of the advanced design of the shellcode and malware, it could be re-injected remotely every time the POS crashed or was rebooted.

These fileless malware attacks grew as a threat during 2017 and 2018. They bypass most anti-virus software and intrusion-detection systems because there is never any recognizable file dropped into the victims’ systems. These remote memory injections are now a common attack vector R9B watches for and detects using the ORION HUNT platform.
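A defender-side triage heuristic for the persistence mechanism described above: registry values holding encrypted or encoded shellcode tend to be far larger and far higher in entropy than the short strings normally stored under autorun-type keys. This is an added example, not R9B's tooling or anything from the case; the key list, thresholds and sample export are assumptions, and the values are constructed inline so it runs offline.

```python
import base64
import binascii
import math
from dataclasses import dataclass

@dataclass
class RegValue:
    key: str     # registry key path, as exported to text
    name: str    # value name
    data: bytes  # raw value data

# Key fragments where short strings are expected and opaque blobs are unusual (assumed list).
AUTORUN_HINTS = ("\\run", "\\runonce", "\\winlogon", "\\services")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def decoded_payload(data: bytes) -> bytes:
    """Base64 text caps entropy near 6 bits/byte, so decode it before measuring."""
    try:
        text = data.decode("ascii").strip()
        return data if len(text) % 4 else base64.b64decode(text, validate=True)
    except (UnicodeDecodeError, binascii.Error):
        return data

def suspicious_blob(v: RegValue, min_size: int = 512, min_entropy: float = 7.0) -> bool:
    payload = decoded_payload(v.data)
    return len(payload) >= min_size and shannon_entropy(payload) >= min_entropy

def triage(values):
    """Return (key, name, payload size, entropy, under_autorun_key) for each flagged value."""
    findings = []
    for v in values:
        if suspicious_blob(v):
            payload = decoded_payload(v.data)
            findings.append((v.key, v.name, len(payload), round(shannon_entropy(payload), 2),
                             any(h in v.key.lower() for h in AUTORUN_HINTS)))
    return findings

# Constructed sample export (not from the case): a normal Run entry, a large zero-filled cache
# blob, a raw high-entropy blob, and a base64 string under Run standing in for stored shellcode.
HIGH_ENTROPY = bytes(range(256)) * 4
SAMPLE = [
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater", b"C:\\Tools\\upd.exe /quiet"),
    RegValue(r"HKLM\SOFTWARE\Vendor\Cache", "Buffer", b"\x00" * 4096),
    RegValue(r"HKLM\SOFTWARE\Vendor\Config", "Blob", HIGH_ENTROPY),
    RegValue(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Loader", base64.b64encode(HIGH_ENTROPY)),
]
```

Only the two high-entropy values are flagged, and the base64-encoded one is caught only because it is decoded before the entropy check; in practice the findings feed a hunt, not an automatic verdict.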

RESULTS

After a full-scope DFIR investigation, R9B identified the initial attack vector and “Patient Zero.” The team identified the attacker’s external attack infrastructure, where the internal C2 node was located, and what endpoints were infected. R9B then provided guidance and assisted the retailer to contain the malware on its network and to eradicate it.

Throughout the investigation, R9B worked closely with the retailer’s legal team providing critical information and guidance related to data breach considerations. Finally, working with another partner, the retailer implemented all of the team’s recommendations. The retailer modified the architecture of its network, hardened its defenses and matured its cybersecurity program to prevent a similar attack from occurring in the future.

Additionally, because the tactics and tools used in the fileless attack were previously unseen, the team disclosed its analysis to the retail industry, to U.S. authorities, and to the public. The company disclosed the hacker’s C2 structure so that other companies could identify and prevent similar attacks with their intrusion detection systems.

In 2017 and 2018, several other organizations were hit with similar attacks. R9B and other security vendors have seen a steep increase in the number of fileless attacks in the last two years.

FOR MORE INFORMATION

To find out more about R9B products and services, visit root9B.com.

To learn more about digital forensics and incident response (DFIR), visit root9B.com/services/dfir/

“R9B WAS ABLE TO MANAGE THE MALWARE INCIDENT AND HELPED US UNDERSTAND THE ACTION PLAN TO FOLLOW THAT WOULD HELP US TO EFFECTIVELY RESOLVE THE CYBERSECURITY THREAT, INSTEAD OF HAVING A FIRE DRILL AS OTHER VENDORS DO. R9B DESERVES EVERY BIT OF RECOGNITION IT COULD GET OUT OF THIS PROJECT. THE LEVEL OF WORK DONE WAS BEYOND OUR EXPECTATIONS.”

– CHIEF INFORMATION SECURITY OFFICER, MAJOR RETAILER

SECTOR: Retail

LOCATION: U.S.

EMPLOYEES: 7,000+

COMPUTERS AFFECTED: 2,300+

MOTIVE OF ATTACKERS: Data theft for financial gain


TO LEARN MORE, VISIT ROOT9B.COM

[email protected]
