Target Attack
TRANSCRIPT
1
TARGET ATTACK
A presentation by:
Imrana Abdullahi Yari & Aneesh Kumar
Monday 1 May 2023
01/05/2023 by imranayari & aneesh
2
• Every morning in Africa, a Zebra wakes up; it knows that it has to run faster than the fastest Lion or it will be killed.
• Every morning a Lion wakes up; it knows that it has to run faster than the slowest Zebra or it will starve to death.
• In Africa, it doesn't matter whether you are a Lion or a Zebra; when the sun comes up you had better be running!
3
In the Beginning……….
• Target Attack in the News! Data Breach!
• Stolen data
• Accessing the web services
• Exploiting the web vulnerability
• Propagation of targets
• Infiltration and privilege escalation
• Early warning
• Bypass security measures
• The BlackPOS malware
• Information stored in the magnetic strip
• Impacts of this attack
• Mitigation
4
Time line before the actual event
5
The 30 days of the Attack, 2013-2014
[Timeline figure; dates shown: Dec 18, Dec 19, Dec 20, January 10, January 13, January 16, January 17]
6
Target letter to unlucky shoppers
[Figure: the letter sent to affected shoppers]
7
Stolen data
• Phishing emails to HVAC vendors
• Citadel malware (Zeus Trojan): password-stealing malware
• Web browser cookies and stolen credentials
Accessing the web services
• Stolen token was used
• According to Fazio Mechanical: online billing system, online contracting system and online project management
• Stolen credentials were used to access the hosted services
8
Exploiting the web vulnerability
• Unknown vulnerability to the public
• Hint: xmlrpc.php file found on the attackers' tool list; used for user enumeration and DDoS attacks
• Through a legitimate file upload, e.g. an invoice, to malicious
Leverty from CSIRT gives an advisory on web shells:
• Known as backdoor Trojan or remote access tool
• Mostly written in PHP and .NET
• Permissions as an administrator
• Connections to database server
• Searches for passwords, configuration files or directories
• Self-deletes on detection
• Displays all security measures and file permissions
• Access to phpinfo(): creates web pages and PHP configurations
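The traits in the CSIRT advisory above are also what a defender can scan a web root for. The following is an added example, not code from the presentation or from the advisory it cites: a heuristic scorer that reads PHP source and counts the listed traits (request input passed to an execution function, phpinfo() exposure, permission and security-setting dumps, credential-file hunting, self-deletion). The indicator names, weights, the threshold and the two PHP samples are this example's own constructions.

```python
"""Indicator scan for PHP web shells (added example, constructed heuristics)."""
import re

# (name, pattern, weight): constructed heuristics, tune them to your web root.
INDICATORS = [
    # request-controlled input passed straight to a code/command execution function
    ("request_to_exec",
     re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)"
                r"\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b", re.I), 5),
    # phpinfo() hands an intruder the full PHP configuration and loaded modules
    ("phpinfo_exposed", re.compile(r"\bphpinfo\s*\(", re.I), 2),
    # decoding layers usually wrap the real payload
    ("obfuscated_payload", re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I), 2),
    # the shell removes itself when it believes it has been noticed
    ("self_delete", re.compile(r"\bunlink\s*\(\s*__FILE__\s*\)", re.I), 4),
    # enumerating file permissions and security settings
    ("permission_dump", re.compile(r"\b(fileperms|is_writable|disable_functions|safe_mode)\b", re.I), 1),
    # hunting for credentials in well-known configuration files
    ("credential_hunt", re.compile(r"(wp-config\.php|\.htpasswd|/etc/passwd)", re.I), 2),
]
SUSPECT_THRESHOLD = 5  # assumption: one strong indicator is enough to triage the file


def score_source(source: str) -> dict:
    """Return {'score': int, 'hits': {indicator: count}} for one PHP file's text."""
    hits = {}
    score = 0
    for name, pattern, weight in INDICATORS:
        count = sum(1 for _ in pattern.finditer(source))
        if count:
            hits[name] = count
            score += weight * count
    return {"score": score, "hits": hits}


def is_suspect(source: str, threshold: int = SUSPECT_THRESHOLD) -> bool:
    """True when the weighted indicator score reaches the triage threshold."""
    return score_source(source)["score"] >= threshold


# Constructed samples: a minimal shell-like file and an ordinary application page.
SUSPECT_PHP = r"""<?php
if (isset($_POST['cmd'])) { echo shell_exec($_POST['cmd']); }
if (isset($_GET['info'])) { phpinfo(); }
if (isset($_GET['kill'])) { unlink(__FILE__); }
"""
BENIGN_PHP = r"""<?php
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', getenv('DB_PASS'));
echo htmlspecialchars($_GET['name'] ?? 'guest');
"""

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_PHP), ("benign", BENIGN_PHP)):
        print(label, score_source(src), "SUSPECT" if is_suspect(src) else "ok")
```

Pattern scoring of this kind catches the plain shells that match the advisory's description but not heavily obfuscated ones, so it belongs alongside file-integrity monitoring of the web root and a rule that upload directories (the invoice upload path mentioned on the slide) are never allowed to execute PHP.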
9
Propagation of targets
• Reconnaissance to find valuable information, e.g. credit card data
• Active Directory: allows to connect, search and modify, e.g. using LDAP. Target uses Active Directory to store all their credentials, as said by a former security team member.
• Shared internet files and directories, e.g. print services and shared hard drives
• Using the Service Principal Name (SPN) to locate the SQL server
• SQL-related tools found on the attackers' tool list: osql.exe, bcp.exe and isql.exe. Perhaps these tools were used to access the SQL server of the POS machine.
10
Infiltration and Privilege Escalation
• 2 scenarios to infiltration: ARIBA (The United States Senate Committee on Commerce, Science, and Transportation, 2014) OR central refrigeration control application vulnerability exploitation (O'Reilly, 2015)
• Admin access
• Malware delivered as patch updates
Early Warning
(Howlett, 2014)
11
Bypass Security Measures
• 0-day attack, so it is unlikely that signatures were present
• To fool the IDS: data transfer only between 10 AM and 5 PM
• Used the name Best1_logic, which is the default test user name in the BMC software
• Only way for detection was anomaly detection
The BlackPOS Malware
• First of all the name sounds scary: "BlackPOS", like a horror flick
• It is a RAM scraper
• Why is it a success?? Answer: POOR PCI-DSS (Payment Card Industry Data Security Standard) POLICY
12
Parties Involved in an E-currency Transaction
• Issuer: bank who gives a card belonging to a brand, e.g. Visa
• Brand: offers infrastructure for connectivity and security
• Acquirer: merchant bank
• PSP: payment service provider
• PCI-DSS requires its members to send only encrypted data, but what about when the card is swiped???
RAM Scrapers
• Attaches itself to the registry to run on startup
• Checks for pos.exe: bye bye PAN
13
[Figure] (Trend Micro, 2014)
14
Information Stored in the Magnetic Strip
• 3 data tracks
• Track 1 stores the PAN among other data
• Track 2 stores ED (expiry date) and DD (discretionary data), e.g. CVV1
• May pass the card number through Luhn
Impact of the Hack
• Some estimates go up to a billion dollars
• Customer credit cards floating in the dark web for sale
• 40 million credit cards stolen
• Replacing costs x 40 million credit cards
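A RAM scraper is only worth running if cleartext track data sits in process memory, and the same track layout plus the Luhn check the slide mentions is what a defender uses to confirm whether a POS host or a log is leaking it. The following is an added example, not code from the presentation: a finder and redactor for track-formatted records. The Track 1 and Track 2 layouts and the Luhn algorithm are public standards (in the standard layout both tracks carry the PAN); the function names, the masking rule and the sample dump (test-range card numbers, not real cards) are constructed for this example.

```python
"""Cleartext card-track finder and redactor (added example, constructed sample)."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<dd>[^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<dd>[^?]*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check digit: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits, the usual display form for a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: str) -> list:
    """List every track-formatted record in the blob, in order of appearance."""
    found = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(blob):
            pan = m.group("pan")
            found.append({
                "offset": m.start(),
                "track": track,
                "pan": mask_pan(pan),
                "expiry": m.group("exp"),
                "luhn_ok": luhn_valid(pan),  # separates real PANs from digit noise
            })
    return sorted(found, key=lambda r: r["offset"])


def redact_tracks(blob: str) -> str:
    """Replace whole track records so neither PAN nor discretionary data reach a log."""
    blob = TRACK1_RE.sub(lambda m: "[TRACK1 " + mask_pan(m.group("pan")) + "]", blob)
    return TRACK2_RE.sub(lambda m: "[TRACK2 " + mask_pan(m.group("pan")) + "]", blob)


# Constructed sample resembling a memory fragment; PANs are test-range numbers.
SAMPLE_DUMP = (
    "pos.exe heap fragment\n"
    "%B4111111111111111^DOE/JOHN^25121011234567890?\n"
    ";5555555555554444=2512101123456789?\n"
    ";4111111111111112=2512101123456789?\n"   # fails Luhn: digit noise, not a card
    "order_id=8675309 total=42.10\n"
)

if __name__ == "__main__":
    for rec in find_track_data(SAMPLE_DUMP):
        print(rec)
    print(redact_tracks(SAMPLE_DUMP))
```

Running the finder over a POS process dump in a lab answers the question the slide raises ("what about when it is swiped?"): if it returns Luhn-valid records, the terminal is handing cleartext track data to the host and the scraper has something to collect. The redactor is the piece to put in front of any application logging.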
15
Mitigation
What can we do to face a zero-day attack in this scenario?
• Anomaly detection
• Network segmentation
• Changes in PCI policy: PIN data is encrypted only during transit; no encryption when data is transferred in the internal network
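The "Bypass Security Measures" slide says the exfiltration had no signature, ran in business hours and used a vendor default test account (Best1_logic), leaving anomaly detection as the only option, and this slide lists anomaly detection as the first mitigation. The following is an added example, not code from the presentation, showing the baseline-and-deviation check that serves both slides: it profiles each host's usual destinations and transfer volume from a baseline window and then flags transfers that use a known default/test account, go to a destination the host has never used, or exceed a multiple of the host's median volume. The log format, the threshold, the account list (seeded only with the name from the slide) and every log line are constructed; network segmentation is not demonstrated here.

```python
"""Baseline anomaly detection over outbound transfer logs (added example, constructed data)."""
from collections import defaultdict
from statistics import median

# Constructed log format: date hour host user destination bytes
BASELINE_LOG = """\
2013-11-20 11 pos-srv-01 svc_backup 10.20.1.5 120000
2013-11-21 11 pos-srv-01 svc_backup 10.20.1.5 118000
2013-11-22 11 pos-srv-01 svc_backup 10.20.1.5 125000
2013-11-20 14 app-srv-07 svc_app 10.20.1.9 40000
2013-11-21 14 app-srv-07 svc_app 10.20.1.9 42000
2013-11-22 14 app-srv-07 svc_app 10.20.1.9 39000
"""
# Observation window: the odd transfer happens in business hours, so time of
# day alone gives nothing away; account, destination and volume do.
WINDOW_LOG = """\
2013-12-02 11 pos-srv-01 svc_backup 10.20.1.5 121000
2013-12-02 14 app-srv-07 svc_app 10.20.1.9 41000
2013-12-02 15 app-srv-07 Best1_logic 203.0.113.40 9600000
"""

# Default/test accounts shipped with vendor software; placeholder list to
# extend from your own software inventory (only the slide's name is here).
DEFAULT_TEST_ACCOUNTS = {"best1_logic"}
SPIKE_FACTOR = 5  # assumption: more than 5x the host's median transfer is a spike


def parse_log(text: str) -> list:
    """Turn the constructed whitespace-separated format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, hour, host, user, dst, size = line.split()
        rows.append({"date": date, "hour": int(hour), "host": host,
                     "user": user, "dst": dst, "bytes": int(size)})
    return rows


def build_baseline(rows: list) -> dict:
    """Per host: the set of destinations seen and the median bytes per transfer."""
    dsts = defaultdict(set)
    sizes = defaultdict(list)
    for r in rows:
        dsts[r["host"]].add(r["dst"])
        sizes[r["host"]].append(r["bytes"])
    return {h: {"dsts": dsts[h], "median": median(sizes[h])} for h in sizes}


def detect_anomalies(baseline_text: str, window_text: str, factor: int = SPIKE_FACTOR) -> list:
    """Return the window rows that break the baseline, each with its reasons."""
    base = build_baseline(parse_log(baseline_text))
    alerts = []
    for r in parse_log(window_text):
        reasons = []
        if r["user"].lower() in DEFAULT_TEST_ACCOUNTS:
            reasons.append("default_test_account")
        profile = base.get(r["host"])
        if profile is None:
            reasons.append("host_never_transferred")
        else:
            if r["dst"] not in profile["dsts"]:
                reasons.append("new_destination")
            if r["bytes"] > factor * profile["median"]:
                reasons.append("volume_spike")
        if reasons:
            alerts.append({**r, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(BASELINE_LOG, WINDOW_LOG):
        print(alert["date"], alert["host"], alert["user"], alert["dst"],
              alert["bytes"], ",".join(alert["reasons"]))
```

The three reasons are deliberately independent: a vendor default account is a fact you can inventory in advance, a new destination needs only a per-host history, and a volume spike needs a baseline long enough for the median to be stable. Any one of them fires without a malware signature, which is the property the slides say was missing.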
16
Questions & Answers
17
THANK YOU
Let's meet at the top
Imrana Abdullahi Yari 25046111
Aneesh Kumar