Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years

Transcript

1. 1 © Mandiant, a FireEye Company © Mandiant, a FireEye

   Company Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years Matt Bromiley Preston Lewis

2. 2 © Mandiant, a FireEye Company AGENDA § Introductions §

   Attacker Background § Attacker Lifecycle § Timeline of Known Attacks § Hunting § Recommendations

3. 3 © Mandiant, a FireEye Company INTRODUCTIONS Matt Bromiley •

   Dallas, TX • DFIR • BBQ • Whatever else the hell my wife tells me to do Preston Lewis • Houston, TX • IR bro looking for evilz • Spare time: • Running/Cycling • Coffee • Netflix

4. 4 © Mandiant, a FireEye Company © Mandiant, a FireEye

   Company. ATTACKER BACKGROUND

5. 5 © Mandiant, a FireEye Company FIN5: WHAT § FIN

6. 6 © Mandiant, a FireEye Company FIN5: WHAT § FINancially-motivated

   threat group § Primary targets: - Payment card track data - Identity Information (Driver’s Licenses, SSNs, etc.) § Highly successful ($$$ PROFIT $$$)

7. 7 © Mandiant, a FireEye Company FIN5: WHO & WHERE

   § Most likely Russian-speaking attackers § Relentlessly target-oriented (regardless of noise) § Thorough understanding of payment card brands fraud detection processes

8. 8 © Mandiant, a FireEye Company FIN5: WHO & WHERE

   § Operational sophistication - Monitor for detection and notification - “Burn before you sell” § Targeted Industries - Restaurants - Hotels - Gaming (Gambling)

9. 9 © Mandiant, a FireEye Company FIN5: WHY

10. 10 © Mandiant, a FireEye Company FIN5: WHEN § 2008

    – Now 2016-09-20 03:24:19 UTC

11. 11 © Mandiant, a FireEye Company FIN5: WHEN (cont.) [RIGHT

    F$(*ING NOW]

12. 12 © Mandiant, a FireEye Company FIN5: HOW § Honed

    attack methodology - RawPOS - Noisy but effective - Predictable attack patterns § Slow software maturity cycle - “If it ain’t broke…” - Malware cash cow

13. 13 © Mandiant, a FireEye Company © Mandiant, a FireEye

    Company. ATTACKER LIFECYCLE

14. 14 © Mandiant, a FireEye Company Attacker Lifecycle Initial Compromise

    Reconnaissance Escalate Privileges Conduct Mission Complete Mission Move Laterally Maintain Access

15. 15 © Mandiant, a FireEye Company Initial Compromise § Legitimate

    Access - Virtual Private Networking - Remote Desktop Protocol - Citrix - Etc. § Remote access maintained by many vendors - Compromise vendor environment

16. 16 © Mandiant, a FireEye Company Reconnaissance § Essential NetTools

    - Publically available freeware network scanning tool available from www.tamosoft.com - Map the network to build a target list - NMAP-like capability

17. 17 © Mandiant, a FireEye Company Reconnaissance (cont.) HKEY_USERS\C__Users_<compromised_account>_ntuser.dat\Software\ ENT2\NBS\Start

    | 10.0.0.1 HKEY_USERS\C__Users_<compromised_account>_ntuser.dat\Software\ ENT2\NBS\End | 10.255.255.255 Red Teamers: What are you leaving behind? Essential NetTools Artifacts

18. 18 © Mandiant, a FireEye Company Reconnaissance (cont.) § Remote

    Administration/Deployment - PsExec • Popular Microsoft SysInternals utility for remotely executing commands • Customized version that will automatically accept EULA • “Vxxhjq Service” modified service name (changed from “Service Name: PSEXESVC”) • Named after legitimate McAfee binary • Continuous use of the same modified version. Compile time: 2006/07/11 > psexec \\computer[,computer[,..] [options] command [arguments] Anti-forensics!

19. 19 © Mandiant, a FireEye Company Reconnaissance (cont.)

20. 20 © Mandiant, a FireEye Company Reconnaissance (cont.) § FIENDCRY

    (Stage 1) - Based on ‘MemPDumper’ by DiabloHorn - https://github.com/DiabloHorn/mempdump - Early versions named ramdump.exe - Parses memory for Track1 / Track2 credit card data and PII data using regular expressions ((B(([0-9]{13,16})|([0-9]|\s){13,25})\^[A-Z\s0-9]{0,30}\/[A-Z\s0-9]{0,30}\^(0[7- 9]|1[0-5])((0[1-9])|(1[0-2]))([0-9]|\s){3,50})|([0-9]{15,16}([A-Z]|=)(0[7-9]|1[0- 5])((0[1-9])|(1[0-2]))[0-9]{8,30})|(<Field name="CardNumber">[0- 9]{15,19}</Field>)|(~CCM[0-9]{15,19}D[0-9]{4}~))

21. 21 © Mandiant, a FireEye Company Reconnaissance (cont.) § FIENDCRY

    (Stage 1) - Triage variant used to violently identify hosts with payment card data • Spray entire environment using PsExec-variant to remotely execute FIENDCRY • Scans all processes for track / target data • Output files of identified card payment data in process memory stored on disk in clear-text • Attackers pull back successful regex hits Automated scripts

22. 22 © Mandiant, a FireEye Company Reconnaissance (cont.) – FIENDCRY

    (Stage 1)

23. 23 © Mandiant, a FireEye Company Conduct Mission FIENDCRY memory

    scraper DRIFTWOOD obfuscates data Obfuscated Data DUEBREW launcher Track / PII Data

24. 24 © Mandiant, a FireEye Company Conduct Mission (cont.) FIENDCRY

    memory scraper DRIFTWOOD obfuscates data Obfuscated Data DUEBREW launcher Track / PII Data

25. 25 © Mandiant, a FireEye Company Conduct Mission (cont.) §

    DUEBREW - Track data triage identified POS systems of interest - Service-based persistence (typically a similar named service as a legitimate service and binary) - External launcher of stage two FIENDCRY and DRIFTWOOD collection script - Placed in system folders (system32/syswow64)

26. 26 © Mandiant, a FireEye Company Conduct Mission (cont.) FIENDCRY

    memory scraper DRIFTWOOD obfuscates data Obfuscated Data DUEBREW launcher Track / PII Data

27. 27 © Mandiant, a FireEye Company Conduct Mission (cont.) §

    FIENDCRY (Stage 2) - Customized for targeted applications that process Payment Card Data - Often vendor-specific - Same regex - Outputs dumped track data in clear text - Placed in system folders (system32/syswow64)

28. 28 © Mandiant, a FireEye Company Conduct Mission (cont.): FIENDCRY

    (Stage 2) § Targeted Processes - MICROS - utg2svc.exe - UTG2.exe - SSLgw.exe - visatcp.exe - Interface.exe - IFCTCS.exe - pos32.exe - easipos.exe § Targeted Files - progra~1\cherry\cdi - InfoGenesis\POS_EXE - system32\ArcVCapRender - progra~1\golfpro - progra~1\VisualOne - Progra~1\Infonox\QCPW - PROGRA~1\ATMMS\MCC - Shift4\4Go - Shift4\UTG2 - InfoGenesis\Programs - InfoGenesis\Programs - ResPAKW\Infoge~1 - Progra~1\ResPAK-Services - Progra~1\PCCharge - Progra~1\accesso\Passpo~1 - Progra~1\PCCW - Progra~1\Active-Charge - ICS\Automoney Software\Automoney

29. 29 © Mandiant, a FireEye Company Conduct Mission (cont.) FIENDCRY

    memory scraper DRIFTWOOD obfuscates data Obfuscated Data DUEBREW launcher Track / PII Data

30. 30 © Mandiant, a FireEye Company Conduct Mission (cont.): DRIFTWOOD

    § After payment card data recon § Perl2Exe compiled Perl script - C:\Windows\Temp\p2xtmp - Trivial to reverse engineer § Parses designated locations for dumps produced by FIENDCRY (Stage 2) § Encodes data with trivial XOR string for later collection - Fake DLL file created in System32 or SysWOW64 - Depending on timing of activities, can be very large in size § Commented code containing release notes (including documented bug fixes!)

31. 31 © Mandiant, a FireEye Company Conduct Mission (cont.): DRIFTWOOD

32. 32 © Mandiant, a FireEye Company Conduct Mission (cont.): DRIFTWOOD

    § Fast, easy development in scripting Perl § Open-source binaries to convert to PE § Noisy - ~50 file artifacts created at each execution C:\Windows\Temp\p2xtmp-27644 C:\Windows\Temp\p2xtmp-27644\auto\B\B.dll C:\Windows\Temp\p2xtmp-27644\auto\Cwd C:\Windows\Temp\p2xtmp-27644\auto\Data\Dumper C:\Windows\Temp\p2xtmp-27644\auto\Digest C:\Windows\Temp\p2xtmp-27644\auto\re\re.dll C:\Windows\Temp\p2xtmp- 27644\auto\Digest\MD5\MD5.dll C:\Windows\Temp\p2xtmp- 27644\auto\Win32\Console\Console.dll C:\Windows\Temp\p2xtmp- 27644\auto\Win32API\Registry\Registry.dll C:\Windows\Temp\p2xtmp- 27644\auto\Win32API\File\File.dll

33. 33 © Mandiant, a FireEye Company Maintain Access § FLIPSIDE

    - Simple proxy tool (similar to plink functionality) - Tunnel RDP outbound • DUEBREW persistent configuration - Backdoor > se.exe [source_ip_address] [source_port] [dest_ip_address] [dest_port]

34. 34 © Mandiant, a FireEye Company Complete Mission § Observe

    detection - Compromised accounts == email access - Evidence suggests attacker is acutely aware of detection of compromise • 3rd party notifications often align with the beginning of the final phase - “Burn before you sell” § Consolidate & collect encoded data dumps

35. 35 © Mandiant, a FireEye Company Complete Mission (cont.) 1.

    Dump passwords 2. Configure FLIPSIDE backdoor 3. SDELETE malware 4. Clear event logs

36. 36 © Mandiant, a FireEye Company FIN5: Putting It All

    Together Initial Compromise Reconnaissance Escalate Privileges Conduct Mission Complete Mission Move Laterally Maintain Access • FLIPSIDE • Legitimate access • PsExec • WCE • Batch files • Legitimate access • NetTools • FIENDCRY • PsExec • PwDump • WCE • DUEBREW • FIENDCRY • DRIFTWOOD • Consolidate dumps • Data exfil • FLIPSIDE • WCE • Clear logs • SDELETE • Legitimate access • OWA / O365 • Exchange • Other? Observe evidence of detection

37. 37 © Mandiant, a FireEye Company © Mandiant, a FireEye

    Company. TIMELINE OF KNOWN ATTACKS

38. 38 © Mandiant, a FireEye Company Timeline of Known Attacks

    2008 Now

39. 39 © Mandiant, a FireEye Company Timeline of Known Attacks

    2008 Visa Issues an Advisory on Memory-Scraping POS Malware November 2008 – April 2009

40. 40 © Mandiant, a FireEye Company Timeline of Known Attacks

    2009 First Data releases alert on RawPOS malware November 2009 – August 2010 November 2008 – April 2009

41. 41 © Mandiant, a FireEye Company Timeline of Known Attacks

    2010 July 2010 – November 2010 November 2009 – August 2010

42. 42 © Mandiant, a FireEye Company Timeline of Known Attacks

    2013 March 2013 - April 2014 February 2013 – August 2014 December 2013 - October 2015

43. 43 © Mandiant, a FireEye Company Timeline of Known Attacks

    2014 March 2013 - April 2014 February 2013 – August 2014 December 2013 - October 2015 April 2014 - October 2014 February 2014 – August 2014 March 2014 - December 2015 November – December 2014 July 2014 – February 2015 October 2014 – October 2015 Investigation

44. 44 © Mandiant, a FireEye Company Timeline of Known Attacks

    2015 December 2013 - October 2015 March 2014 - December 2015 July 2014 – February 2015 October 2014 – October 2015 March 2015 December 2015 – June 2016 December 2015 – June 2016 Visa & Trend Micro Alert on RawPOS and Attackers Targeting Hospitality

45. 45 © Mandiant, a FireEye Company Timeline of Known Attacks

    July 2014 – February 2015 2015-01-19: Exfil 2015-01-27: 3rd Party Notification

46. 46 © Mandiant, a FireEye Company Timeline of Known Attacks

    2016 December 2015 – June 2016 December 2015 – June 2016 October 2016 - ?? SAME ORG February – August 2016

47. 47 © Mandiant, a FireEye Company Timeline of Known Attacks

    (cont.) Timeline observations - Crossover points -> Simultaneous footholds - Overlapping timelines -> Operational maturity - Identical C2 Communications -> Reused infrastructure - Media notifications -> Tactics shift

48. 48 © Mandiant, a FireEye Company © Mandiant, a FireEye

    Company. HUNTING

49. 49 © Mandiant, a FireEye Company Hunting § Application Compatibility

    Cache (“Shim Cache”) - Supports application compatibility issues - Tracks metadata for PE files and scripts - PsExec & DUEBREW • Due to the inherent execution, Shim Cache analysis yields incredible rewards • Quickly and easily correlate activity to identify scope of compromise - Powershell script • Query domain hosts to acquire Shim Cache, parse offline and analyze

50. 50 © Mandiant, a FireEye Company Hunting (cont.) § System

    event logs - PsExec service binary - Modified service name - Cleared events (EID: 517, 1102) § VPN Logs - Non-standard GeoIP sources - Vendor accounts - Domain Administrators § Firewall Logs - RDP connectivity

51. 51 © Mandiant, a FireEye Company Hunting (cont.) § Malware

    built using Borland Compiler - Exports: • __GetExceptDLLinfo • ___CPPdebugHook - PowerShellArsenal (https://github.com/mattifestation/PowerShellArsenal) • Sweep environment for export IOCs Parse PE file à Export table

52. 52 © Mandiant, a FireEye Company © Mandiant, a FireEye

    Company. RECOMMENDATIONS

53. 53 © Mandiant, a FireEye Company Recommendations § Implement a

    two-factor authentication (2FA) solution for remote access including VPN, Citrix, and Outlook Web Access (OWA). § Application whitelisting on critical servers (DCs, POS terminals and servers). § Harden the CDE by deploying a dedicated “jump server” that can only be accessed from known CDE administrator workstations, requires additional 2FA, and implements application whitelisting.

54. 54 © Mandiant, a FireEye Company Recommendations (cont.) § Remove

    local administrator privileges for users. § Restrict workstation-to-workstation communication. § Consider P2PE solution. - Not fail-proof, but increases complexity. - Ensure encryption keys are stored securely.

55. 55 © Mandiant, a FireEye Company Recommendations (cont.) § Centralize

    anti-virus alerts § Actively review anti-virus alerts and whitelisted exceptions. § Create periodic backups of critical infrastructure § Enable VPN logging § Review firewall ACLs § Hunt for anomalies and IOCs

56. 56 © Mandiant, a FireEye Company BONUS § Find your

    own FIN5!! § Powershell script to acquire Shim Cache for offline parsing § Pro Tip: Wrap script in a for-loop and iterate over a list of domain hosts § Parse with ShimCacheParser tool PS> Invoke-Command –Computername remotehost {(Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache").AppCompatCache} | Set-Content C:\out.bin -enc byte C:\tools\mandiant\ShimCacheParser> ./ShimCachePaser.py –b C:\out.bin –o output.csv

57. 57 © Mandiant, a FireEye Company © Mandiant, a FireEye

    Company. QUESTIONS?