Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Attacking the Hospitality and Gaming Industries...

bromiley
October 06, 2016

Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years

As early as 2009, one particular financial attack group has been successfully stealing payment card data from the entertainment industry, to include casinos, that make the Oceans 11 movie franchise look like child’s play. This talk will walk through the earliest FIN5 compromises identified by Mandiant, showcasing the developmental evolutions of this attack group. We will cover attack techniques dating from 2009 to present day, and review the methodologies used to defeat security controls implemented to protect the enterprise and payment card data.

Combining years of Mandiant investigations, we’ve collected timelines of compromise, FIN5 attack lifecycles, and public notifications of breaches affected by this group. Comparing that data against temporal data points, we will reveal an elaborate criminal infrastructure and a thorough understanding of the payment card ecosystem. While this attack group focuses on payment card data, the techniques leveraged by the attack group are applicable and relevant across all industries.

bromiley

October 06, 2016
Tweet

More Decks by bromiley

Other Decks in Technology

Transcript

  1. 1 © Mandiant, a FireEye Company © Mandiant, a FireEye

    Company Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years Matt Bromiley Preston Lewis
  2. 2 © Mandiant, a FireEye Company AGENDA § Introductions §

    Attacker Background § Attacker Lifecycle § Timeline of Known Attacks § Hunting § Recommendations
  3. 3 © Mandiant, a FireEye Company INTRODUCTIONS Matt Bromiley •

    Dallas, TX • DFIR • BBQ • Whatever else the hell my wife tells me to do Preston Lewis • Houston, TX • IR bro looking for evilz • Spare time: • Running/Cycling • Coffee • Netflix
  4. 6 © Mandiant, a FireEye Company FIN5: WHAT § FINancially-motivated

    threat group § Primary targets: - Payment card track data - Identity Information (Driver’s Licenses, SSNs, etc.) § Highly successful ($$$ PROFIT $$$)
  5. 7 © Mandiant, a FireEye Company FIN5: WHO & WHERE

    § Most likely Russian-speaking attackers § Relentlessly target-oriented (regardless of noise) § Thorough understanding of payment card brands fraud detection processes
  6. 8 © Mandiant, a FireEye Company FIN5: WHO & WHERE

    § Operational sophistication - Monitor for detection and notification - “Burn before you sell” § Targeted Industries - Restaurants - Hotels - Gaming (Gambling)
  7. 12 © Mandiant, a FireEye Company FIN5: HOW § Honed

    attack methodology - RawPOS - Noisy but effective - Predictable attack patterns § Slow software maturity cycle - “If it ain’t broke…” - Malware cash cow
  8. 14 © Mandiant, a FireEye Company Attacker Lifecycle Initial Compromise

    Reconnaissance Escalate Privileges Conduct Mission Complete Mission Move Laterally Maintain Access
  9. 15 © Mandiant, a FireEye Company Initial Compromise § Legitimate

    Access - Virtual Private Networking - Remote Desktop Protocol - Citrix - Etc. § Remote access maintained by many vendors - Compromise vendor environment
  10. 16 © Mandiant, a FireEye Company Reconnaissance § Essential NetTools

    - Publically available freeware network scanning tool available from www.tamosoft.com - Map the network to build a target list - NMAP-like capability
  11. 17 © Mandiant, a FireEye Company Reconnaissance (cont.) HKEY_USERS\C__Users_<compromised_account>_ntuser.dat\Software\ ENT2\NBS\Start

    | 10.0.0.1 HKEY_USERS\C__Users_<compromised_account>_ntuser.dat\Software\ ENT2\NBS\End | 10.255.255.255 Red Teamers: What are you leaving behind? Essential NetTools Artifacts
  12. 18 © Mandiant, a FireEye Company Reconnaissance (cont.) § Remote

    Administration/Deployment - PsExec • Popular Microsoft SysInternals utility for remotely executing commands • Customized version that will automatically accept EULA • “Vxxhjq Service” modified service name (changed from “Service Name: PSEXESVC”) • Named after legitimate McAfee binary • Continuous use of the same modified version. Compile time: 2006/07/11 > psexec \\computer[,computer[,..] [options] command [arguments] Anti-forensics!
  13. 20 © Mandiant, a FireEye Company Reconnaissance (cont.) § FIENDCRY

    (Stage 1) - Based on ‘MemPDumper’ by DiabloHorn - https://github.com/DiabloHorn/mempdump - Early versions named ramdump.exe - Parses memory for Track1 / Track2 credit card data and PII data using regular expressions ((B(([0-9]{13,16})|([0-9]|\s){13,25})\^[A-Z\s0-9]{0,30}\/[A-Z\s0-9]{0,30}\^(0[7- 9]|1[0-5])((0[1-9])|(1[0-2]))([0-9]|\s){3,50})|([0-9]{15,16}([A-Z]|=)(0[7-9]|1[0- 5])((0[1-9])|(1[0-2]))[0-9]{8,30})|(<Field name="CardNumber">[0- 9]{15,19}</Field>)|(~CCM[0-9]{15,19}D[0-9]{4}~))
  14. 21 © Mandiant, a FireEye Company Reconnaissance (cont.) § FIENDCRY

    (Stage 1) - Triage variant used to violently identify hosts with payment card data • Spray entire environment using PsExec-variant to remotely execute FIENDCRY • Scans all processes for track / target data • Output files of identified card payment data in process memory stored on disk in clear-text • Attackers pull back successful regex hits Automated scripts
  15. 23 © Mandiant, a FireEye Company Conduct Mission FIENDCRY memory

    scraper DRIFTWOOD obfuscates data Obfuscated Data DUEBREW launcher Track / PII Data
  16. 24 © Mandiant, a FireEye Company Conduct Mission (cont.) FIENDCRY

    memory scraper DRIFTWOOD obfuscates data Obfuscated Data DUEBREW launcher Track / PII Data
  17. 25 © Mandiant, a FireEye Company Conduct Mission (cont.) §

    DUEBREW - Track data triage identified POS systems of interest - Service-based persistence (typically a similar named service as a legitimate service and binary) - External launcher of stage two FIENDCRY and DRIFTWOOD collection script - Placed in system folders (system32/syswow64)
  18. 26 © Mandiant, a FireEye Company Conduct Mission (cont.) FIENDCRY

    memory scraper DRIFTWOOD obfuscates data Obfuscated Data DUEBREW launcher Track / PII Data
  19. 27 © Mandiant, a FireEye Company Conduct Mission (cont.) §

    FIENDCRY (Stage 2) - Customized for targeted applications that process Payment Card Data - Often vendor-specific - Same regex - Outputs dumped track data in clear text - Placed in system folders (system32/syswow64)
  20. 28 © Mandiant, a FireEye Company Conduct Mission (cont.): FIENDCRY

    (Stage 2) § Targeted Processes - MICROS - utg2svc.exe - UTG2.exe - SSLgw.exe - visatcp.exe - Interface.exe - IFCTCS.exe - pos32.exe - easipos.exe § Targeted Files - progra~1\cherry\cdi - InfoGenesis\POS_EXE - system32\ArcVCapRender - progra~1\golfpro - progra~1\VisualOne - Progra~1\Infonox\QCPW - PROGRA~1\ATMMS\MCC - Shift4\4Go - Shift4\UTG2 - InfoGenesis\Programs - InfoGenesis\Programs - ResPAKW\Infoge~1 - Progra~1\ResPAK-Services - Progra~1\PCCharge - Progra~1\accesso\Passpo~1 - Progra~1\PCCW - Progra~1\Active-Charge - ICS\Automoney Software\Automoney
  21. 29 © Mandiant, a FireEye Company Conduct Mission (cont.) FIENDCRY

    memory scraper DRIFTWOOD obfuscates data Obfuscated Data DUEBREW launcher Track / PII Data
  22. 30 © Mandiant, a FireEye Company Conduct Mission (cont.): DRIFTWOOD

    § After payment card data recon § Perl2Exe compiled Perl script - C:\Windows\Temp\p2xtmp - Trivial to reverse engineer § Parses designated locations for dumps produced by FIENDCRY (Stage 2) § Encodes data with trivial XOR string for later collection - Fake DLL file created in System32 or SysWOW64 - Depending on timing of activities, can be very large in size § Commented code containing release notes (including documented bug fixes!)
  23. 32 © Mandiant, a FireEye Company Conduct Mission (cont.): DRIFTWOOD

    § Fast, easy development in scripting Perl § Open-source binaries to convert to PE § Noisy - ~50 file artifacts created at each execution C:\Windows\Temp\p2xtmp-27644 C:\Windows\Temp\p2xtmp-27644\auto\B\B.dll C:\Windows\Temp\p2xtmp-27644\auto\Cwd C:\Windows\Temp\p2xtmp-27644\auto\Data\Dumper C:\Windows\Temp\p2xtmp-27644\auto\Digest C:\Windows\Temp\p2xtmp-27644\auto\re\re.dll C:\Windows\Temp\p2xtmp- 27644\auto\Digest\MD5\MD5.dll C:\Windows\Temp\p2xtmp- 27644\auto\Win32\Console\Console.dll C:\Windows\Temp\p2xtmp- 27644\auto\Win32API\Registry\Registry.dll C:\Windows\Temp\p2xtmp- 27644\auto\Win32API\File\File.dll
  24. 33 © Mandiant, a FireEye Company Maintain Access § FLIPSIDE

    - Simple proxy tool (similar to plink functionality) - Tunnel RDP outbound • DUEBREW persistent configuration - Backdoor > se.exe [source_ip_address] [source_port] [dest_ip_address] [dest_port]
  25. 34 © Mandiant, a FireEye Company Complete Mission § Observe

    detection - Compromised accounts == email access - Evidence suggests attacker is acutely aware of detection of compromise • 3rd party notifications often align with the beginning of the final phase - “Burn before you sell” § Consolidate & collect encoded data dumps
  26. 35 © Mandiant, a FireEye Company Complete Mission (cont.) 1.

    Dump passwords 2. Configure FLIPSIDE backdoor 3. SDELETE malware 4. Clear event logs
  27. 36 © Mandiant, a FireEye Company FIN5: Putting It All

    Together Initial Compromise Reconnaissance Escalate Privileges Conduct Mission Complete Mission Move Laterally Maintain Access • FLIPSIDE • Legitimate access • PsExec • WCE • Batch files • Legitimate access • NetTools • FIENDCRY • PsExec • PwDump • WCE • DUEBREW • FIENDCRY • DRIFTWOOD • Consolidate dumps • Data exfil • FLIPSIDE • WCE • Clear logs • SDELETE • Legitimate access • OWA / O365 • Exchange • Other? Observe evidence of detection
  28. 39 © Mandiant, a FireEye Company Timeline of Known Attacks

    2008 Visa Issues an Advisory on Memory-Scraping POS Malware November 2008 – April 2009
  29. 40 © Mandiant, a FireEye Company Timeline of Known Attacks

    2009 First Data releases alert on RawPOS malware November 2009 – August 2010 November 2008 – April 2009
  30. 41 © Mandiant, a FireEye Company Timeline of Known Attacks

    2010 July 2010 – November 2010 November 2009 – August 2010
  31. 42 © Mandiant, a FireEye Company Timeline of Known Attacks

    2013 March 2013 - April 2014 February 2013 – August 2014 December 2013 - October 2015
  32. 43 © Mandiant, a FireEye Company Timeline of Known Attacks

    2014 March 2013 - April 2014 February 2013 – August 2014 December 2013 - October 2015 April 2014 - October 2014 February 2014 – August 2014 March 2014 - December 2015 November – December 2014 July 2014 – February 2015 October 2014 – October 2015 Investigation
  33. 44 © Mandiant, a FireEye Company Timeline of Known Attacks

    2015 December 2013 - October 2015 March 2014 - December 2015 July 2014 – February 2015 October 2014 – October 2015 March 2015 December 2015 – June 2016 December 2015 – June 2016 Visa & Trend Micro Alert on RawPOS and Attackers Targeting Hospitality
  34. 45 © Mandiant, a FireEye Company Timeline of Known Attacks

    July 2014 – February 2015 2015-01-19: Exfil 2015-01-27: 3rd Party Notification
  35. 46 © Mandiant, a FireEye Company Timeline of Known Attacks

    2016 December 2015 – June 2016 December 2015 – June 2016 October 2016 - ?? SAME ORG February – August 2016
  36. 47 © Mandiant, a FireEye Company Timeline of Known Attacks

    (cont.) Timeline observations - Crossover points -> Simultaneous footholds - Overlapping timelines -> Operational maturity - Identical C2 Communications -> Reused infrastructure - Media notifications -> Tactics shift
  37. 49 © Mandiant, a FireEye Company Hunting § Application Compatibility

    Cache (“Shim Cache”) - Supports application compatibility issues - Tracks metadata for PE files and scripts - PsExec & DUEBREW • Due to the inherent execution, Shim Cache analysis yields incredible rewards • Quickly and easily correlate activity to identify scope of compromise - Powershell script • Query domain hosts to acquire Shim Cache, parse offline and analyze
  38. 50 © Mandiant, a FireEye Company Hunting (cont.) § System

    event logs - PsExec service binary - Modified service name - Cleared events (EID: 517, 1102) § VPN Logs - Non-standard GeoIP sources - Vendor accounts - Domain Administrators § Firewall Logs - RDP connectivity
  39. 51 © Mandiant, a FireEye Company Hunting (cont.) § Malware

    built using Borland Compiler - Exports: • __GetExceptDLLinfo • ___CPPdebugHook - PowerShellArsenal (https://github.com/mattifestation/PowerShellArsenal) • Sweep environment for export IOCs Parse PE file à Export table
  40. 53 © Mandiant, a FireEye Company Recommendations § Implement a

    two-factor authentication (2FA) solution for remote access including VPN, Citrix, and Outlook Web Access (OWA). § Application whitelisting on critical servers (DCs, POS terminals and servers). § Harden the CDE by deploying a dedicated “jump server” that can only be accessed from known CDE administrator workstations, requires additional 2FA, and implements application whitelisting.
  41. 54 © Mandiant, a FireEye Company Recommendations (cont.) § Remove

    local administrator privileges for users. § Restrict workstation-to-workstation communication. § Consider P2PE solution. - Not fail-proof, but increases complexity. - Ensure encryption keys are stored securely.
  42. 55 © Mandiant, a FireEye Company Recommendations (cont.) § Centralize

    anti-virus alerts § Actively review anti-virus alerts and whitelisted exceptions. § Create periodic backups of critical infrastructure § Enable VPN logging § Review firewall ACLs § Hunt for anomalies and IOCs
  43. 56 © Mandiant, a FireEye Company BONUS § Find your

    own FIN5!! § Powershell script to acquire Shim Cache for offline parsing § Pro Tip: Wrap script in a for-loop and iterate over a list of domain hosts § Parse with ShimCacheParser tool PS> Invoke-Command –Computername remotehost {(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache").AppCompatCache} | Set-Content C:\out.bin -enc byte C:\tools\mandiant\ShimCacheParser> ./ShimCachePaser.py –b C:\out.bin –o output.csv