Login  |  Register  |  Contact

Recent Breaches: We May Have All the Answers

You know how sometimes you read something and then forget about it until it smacks you in the face again?

That’s how I feel right now after @BreachSecurity reminded me of this advisory from February.

To pull an excerpt, it looks like we now know exactly how all these recent major breaches occurred:

Attacker Methodology: In general, the attackers perform the following activities on the networks they compromise:

  1. They identify Web sites that are vulnerable to SQL injection. They appear to target MSSQL only.

  2. They use “xp_cmdshell”, an extended procedure installed by default on MSSQL, to download their hacker tools to the compromised MSSQL server.

  3. They obtain valid Windows credentials by using fgdump or a similar tool.

  4. They install network “sniffers” to identify card data and systems involved in processing credit card transactions.

  5. They install backdoors that “beacon” periodically to their command and control servers, allowing surreptitious access to the compromised networks.

  6. They target databases, Hardware Security Modules (HSMs), and processing applications in an effort to obtain credit card data or brute-force ATM PINs.

  7. They use WinRAR to compress the information they pilfer from the compromised networks.

No surprises. All preventable, although clearly these guys know their way around transaction networks if they target HSMs and proprietary financial systems.

Seems like almost exactly what happend with CardSystems back in 2004. No snarky comment needed.

—Rich

No Related Posts
Previous entry: Heartland Hackers Caught; Answers and Questions | | Next entry: Understanding and Choosing a Database Assessment Solution, Part 2: Buying Decisions

Comments:

If you like to leave comments, and aren't a spammer, register for the site and email us at info@securosis.com and we'll turn off moderation for your account.

By Ryan Barnett  on  08/17  at  03:51 PM

Hey Rich, I was tweeting through BreachSecurity today as we just released the WASC Web Hacking Incidents Database (WHID) report for the first half of 2009.  This is serendipitous timing with the announcement of these indictments (for TJX/Hannaford/Heartland) as SQL Injection is the top attack vector used in web-based attacks according to our report.  Here is an initial blog post I did for the top vertical markets targeted - http://tacticalwebappsec.blogspot.com/

By anon  on  08/18  at  02:14 PM

- xp_cmdshell is disabled by default form sql server 2005 ...
- sql server 2008 uses a low privilege account by default with reduces attack surface ...

By anonymouser  on  08/18  at  04:55 PM

“- xp_cmdshell is disabled by default form sql server 2005 ...”

So we’ll assume these were SQL 2000 machines, or machines where cmdshell was enabled.  What’s your point?

“- sql server 2008 uses a low privilege account by default with reduces attack surface ... “

Clearly you don’t know the definition of attack surface.

http://en.wikipedia.org/wiki/Attack_surface

By anonymouser  on  08/18  at  04:57 PM

“They obtain valid Windows credentials by using fgdump or a similar tool.”

My understanding is that this required windows administrative rights.  Does this mean they were running the SQL service using a local administrator account?

By Noah Body  on  08/19  at  12:54 PM

Anonymouser:  Why?  Would an Admin account have a greater attack surface?

OK, kidding aside, I haven’t met a Windows box yet that didn’t have an explotable component within, even if the network side was clean.

Name:

Email:

Remember my personal information

Notify me of follow-up comments?