You know how sometimes you read something and then forget about it until it smacks you in the face again?

That’s how I feel right now after @BreachSecurity reminded me of this advisory from February.

To pull an excerpt, it looks like we now know exactly how all these recent major breaches occurred:

Attacker Methodology: In general, the attackers perform the following activities on the networks they compromise:

  1. They identify Web sites that are vulnerable to SQL injection. They appear to target MSSQL only.
  2. They use “xp_cmdshell”, an extended procedure installed by default on MSSQL, to download their hacker tools to the compromised MSSQL server.
  3. They obtain valid Windows credentials by using fgdump or a similar tool.
  4. They install network “sniffers” to identify card data and systems involved in processing credit card transactions.
  5. They install backdoors that “beacon” periodically to their command and control servers, allowing surreptitious access to the compromised networks.
  6. They target databases, Hardware Security Modules (HSMs), and processing applications in an effort to obtain credit card data or brute-force ATM PINs.
  7. They use WinRAR to compress the information they pilfer from the compromised networks.

No surprises. All preventable, although clearly these guys know their way around transaction networks if they target HSMs and proprietary financial systems.

Seems like almost exactly what happend with CardSystems back in 2004. No snarky comment needed.

Share: