2.
• In Africa, it doesn't matter whether you are a Lion or a Zebra; when the sun comes up you had better be running!
3. In the Beginning…
• Target attack in the news!
• Data breach!
  • Theft of data
  • Accessing the web services
  • Exploiting the web vulnerability
  • Propagation of targets
  • Infiltration and privilege escalation
  • Early warning
  • Bypass security measures
  • The BlackPOS malware
  • Information stored in the magnetic strip
  • Impacts of this attack
• Mitigation
7. Theft of data
• Phishing emails to HVAC vendors
• Citadel malware (Zeus Trojan): password-stealing malware
• Stole web browser cookies and credentials
Accessing the web services
• The stolen token was used
• According to Fazio Mechanical: online billing system, online contracting system and online project management
• Stolen credentials were used to access the hosted services
8. Exploiting the web vulnerability
• Vulnerability unknown to the public
• Hint: the xmlrpc.php file was found on the attackers' tool list
• Used for user enumeration and DDoS attacks
• Through a legitimate file upload (e.g. an invoice) turned malicious
• Leverty from CSIRT gives an advisory on web shells:
  • Known as a backdoor Trojan or remote access tool
  • Mostly written in PHP and .NET
  • Permissions as an administrator
  • Connections to the database server
  • Searches for passwords, configuration files or directories
  • Self-deletes on detection
  • Displays all security measures and file permissions
  • Access to phpinfo(): creates web pages and PHP configurations
9. Propagation of targets
• Reconnaissance to find valuable information, e.g. credit card data
• Active Directory allows connecting, searching and modifying, e.g. using LDAP. Target uses Active Directory to store all their credentials, as said by a former security team member.
• Shared internet files and directories, e.g. print services and shared hard drives
• Using Service Principal Names (SPN) to locate the SQL server
• SQL-related tools found on the attackers' tool list: osql.exe, bcp.exe and isql.exe
• Perhaps these tools were used to access the SQL server of the POS machines
10. Infiltration and privilege escalation
• 2 scenarios for infiltration: Ariba (The United States Senate Committee on Commerce, Science, and Transportation, 2014) or central refrigeration control application vulnerability exploitation (O'Reilly, 2015)
• Admin access
• Malware delivered as patch updates
Early warning (Howlett, 2014)
11. Bypass security measures
• 0-day attack, so it was unlikely that signatures were present; this fooled the IDS
• Data transfer only between 10 AM and 5 PM
• Used the name best1_logic, which is the default test user name in the BMC software
• The only way to detect it was anomaly detection
The BlackPOS malware
• First of all, the name sounds scary: "BlackPOS", like a horror flick
• It is a RAM scraper
• Why is it a success??
• Answer: poor PCI-DSS (Payment Card Industry Data Security Standard) policy
12. RAM scrapers
• Parties involved in an e-currency transaction:
  • Issuer – bank who gives a card belonging to a brand, e.g. Visa
  • Brand – offers infrastructure for connectivity and security
  • Acquirer – merchant bank
  • PSP – payment service provider
• PCI-DSS requires its members to send only encrypted data
• But what about when it is swiped???
• Attaches itself to the registry to run on startup
• Checks for pos.exe – bye bye PAN
14. Information stored in the magnetic strip
• Data tracks:
  • Track 1 stores the PAN among other data
  • Track 2 stores the ED (expiry date)
  • DD – discretionary data like CVV1
  • May pass the card number through the Luhn check
• Impact of the hack:
  • Some estimates go up to a billion dollars
  • Customer credit cards floating in the dark web for sale
  • 40 million credit cards stolen
  • Replacement cost × 40 million credit cards
15. Mitigation
• What can we do to face a zero-day attack in this scenario?
  • Anomaly detection
  • Network segmentation
  • Changes in PCI policy:
    • PIN data encrypted only during transit
    • No encryption when data is transferred in the internal network
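As an added example (not from these slides or from any tool they mention), here is a defender-side check in Python for cleartext magnetic-stripe track data in a captured buffer, the data a RAM scraper like BlackPOS harvests and the data a policy of unencrypted internal transfer leaves exposed: it matches the Track 1 / Track 2 layouts described above, confirms the PAN with the Luhn check, and masks the PAN before reporting. The sample buffer and the well-known test PANs in it are constructed.

```python
import re

# Constructed sample buffer (not real card data): a memory/capture excerpt with
# one Track 1 record, one Track 2 record, and a Track 2 lookalike whose PAN fails
# the Luhn check. The PANs 4111... and 5500... are well-known test numbers.
SAMPLE = (
    b"GET /index.html\x00%B4111111111111111^DOE/JOHN^25121011000000000?\x00"
    b";5500000000000004=2412101123456789?\x00;1234567890123456=2501101?\x00"
)

# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits so alerts never log a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list[dict]:
    """Return Luhn-validated track records found in buf, with PANs masked."""
    hits = []
    for track, pattern in ((1, TRACK1), (2, TRACK2)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue  # digit run in track layout but not a plausible card number
            yymm = m.group(3 if track == 1 else 2).decode("ascii")
            hits.append({"track": track, "pan": mask_pan(pan),
                         "expiry": yymm, "offset": m.start()})
    return hits


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE):
        print(hit)
```

Run over internal network captures or POS process memory dumps, a non-empty result means cleartext card data is crossing a segment where the policy above assumed it never would.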