Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Target Malware Origin Details Emerge

Kaptoxa POS malware cited as culprit behind sophisticated, two-stage operation that moved 11 GB of stolen Target data via FTP to a hijacked server in Russia.

9 Notorious Hackers Of 2013
9 Notorious Hackers Of 2013
(Click image for larger view and slideshow.)

Digital forensic investigators and information security researchers have positively identified the malware used in the recent attack against Target. The malicious code infected point-of-sale (POS) terminals at the retailer and then helped transfer the stolen data to an FTP server in Russia.

The attack against Target, which began in late November and continued until mid-December, resulted in the theft of 40 million credit and debit cards as well as personal information for as many as 70 million customers.

A joint federal-private report providing more details about the apparent hacking and malware campaign against Target has been distributed to firms in the retail and financial-services sectors. The report was jointly issued by the Department of Homeland Security (DHS), the Secret Service, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and Dallas-based private cybersecurity firm iSight Partners.

The malware used in the attack, dubbed Kaptoxa ("Kar-toe-sha"), "has potentially infected a large number of retail information systems," according to a blog post from iSight Partners. "If you have a POS system in operation, you may be at risk."

[Shoplifters vs. hackers: which is the greater security risk to retailers? See Top 10 Retail CIO Priorities For 2014.]

A company spokeswoman declined to share a copy of the report that the firm helped prepare, saying it was available via DHS, although only on a need-to-know basis. Reached via email, the duty officer for the National Cybersecurity and Communications Integration Center, which is distributing the report, confirmed that it hasn't been publicly released, while noting that the effort was part of DHS's mission "to share actionable information gleaned from ongoing network defense efforts, cybercrime investigations, and national security efforts" with the private sector.

But according to some press accounts, the report says that "the [Target] intrusion operators displayed innovation and a high degree of skill," in part by taking relatively unsophisticated malware and using it to compromise so much data in such a short period of time. "What's really unique about this one is it's the first time we've seen the attack method at this scale," Tiffany Jones, a senior VP at iSight, told The Wall Street Journal. "It conceals all the data transfers. It makes it really hard to detect in the first place."

Suggestions that the Target data breach stemmed from a POS malware attack first surfaced on Jan. 2, 2014, when the US Computer Emergency Readiness Team (US-CERT) released an alert about memory-scraping malware infecting retailers. As examples of what to beware, it named the Dexter POS device memory-scraping malware, as well as a Dexter variant called Stardust that can eavesdrop on POS production system networks.

But the Dexter malware reportedly wasn't used in this attack against Target. Rather, the Kaptoxa malware is a variant of the BlackPOS malware, security blogger Brian Krebs first reported Wednesday. BlackPOS is purpose-built to retrieve data coded in the magnetic stripe of a swiped card while it still resides in the POS device memory, since data typically gets encrypted once it's saved.

Kaptoxa malware infected Target POS machines, security researchers say.
Kaptoxa malware infected Target POS machines, security researchers say.

The malware reportedly includes some Russian-language tags, and was also used in a smaller series of apparent trial attacks last year, after which stolen data appeared on Eastern European cybercrime forums. Those facts have led some investigators to surmise that whoever attacked Target might be operating from either Russia or a former Soviet satellite.

After somehow hacking into Target and infecting POS terminals with Kaptoxa, Target's attackers then employed a two-stage attack. "First, the malware that infected Target's checkout counters (POS) extracted credit numbers and sensitive personal details," Aviv Raff, CTO of Israel-based cyber security technology company Seculert, said in a blog post. "Then, after staying undetected for six days, the malware started transmitting the stolen data to an external FTP server, using another infected machine within the Target network."

The malware transmitted batched information up to three times per day -- but only after checking the compromised system to see if the time was between 10:00 a.m. and 5:00 p.m. If so, the malware would create a temporary NetBIOS share and connect to another internal, compromised system, from which the FTP transfer then occurred, Wired reported.

On Dec. 2, and continuing for two weeks, the FTP server began receiving several transmissions per day of batched, stolen information. Also beginning on Dec. 2, the attackers "used a virtual private server (VPS) located in Russia to download the stolen data from the FTP," Raff said, with attackers ultimately amassing 11 GB of stolen data.

Unfortunately, those attack techniques don't appear to point to any specific cybercrime gang. "We haven't seen this specific VPS before," Raff said via email. "However, VPS are usually used by attacker as a proxy to hide their real IP address, so the attackers may have been using different VPS hosting over time."

While the stolen Target information no longer resided on the Russian server that Seculert found, a review of publicly accessible logs for the server show that only IP addresses from Target had connected to the FTP server. "So far there is no indication of any relationship to the Neiman Marcus attack," Raff said.

On a related note, Neiman Marcus CEO Karen Katz published a letter Thursday apologizing for that retailer's breach, and -- like Target -- offered affected customers one year of free credit monitoring. Unlike Target, however, Neiman Marcus has yet to disclose how many customers were affected by the data breach.

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.

Next-gen intrusion-prevention systems have fuller visibility into applications and data. But do newer firewalls make IPS redundant? Also in the The IPS Makeover issue of Dark Reading Tech Digest: Find out what our 2013 Strategic Security Survey respondents have to say about IPS and firewalls. (Free registration required.)<

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
missmuffin
50%
50%
missmuffin,
User Rank: Apprentice
2/12/2014 | 12:27:16 PM
Re: Via FTP to Russia
Preach it, brother!  You are right on (...err...) target!
WillyWonka
100%
0%
WillyWonka,
User Rank: Apprentice
1/20/2014 | 12:50:35 PM
How was Target breached?
"After somehow hacking into Target and infecting POS terminals with Kaptoxa..." - this is a very important piece of the puzzle. Does anyone know details on how the hackers breached the perimeter to get the malware onto the POS systems?

 

Thx
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
1/19/2014 | 8:35:43 AM
Via FTP to Russia
At what point did Target IT think that allowing any data to go outside its own network is ever needed except for very few gateways to payment processors? And at what point did Target IT think that transferring anything via FTP from secured networks is ever a good idea or needed? Was there ever a review of what data came from where and went to where on a regular (means daily) basis?

At the point the ports were opened (if they were closed to begin with) and at latest when the transfer started all alarms should have rung at the top brass IT offices. It is easy to blame the handful of criminals who surely are culprits, but the grossly negligent indifference of Target IT is as bad. Does anyone investigate those fools?

It is sad when the local store security is better than the network security at corporate. Stealing millions of CC numbers is apparently easier than shoplifting a pack of gum.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...