Background
As has been extensively reported recently, over five million customers who made purchases at Saks Fifth Avenue and Lord & Taylor stores in North America had their credit and debit card information stolen. Some of the stolen payment card information (PCI) was posted on the Dark Web by JokerStash, a.k.a. FIN7, as reported by Gemini Advisory. According to FireEye, FIN7 is a financially motivated threat group associated with malicious operations dating back to 2015.
What happened to Saks and Lord & Taylor can happen to any organization, so here are some tips to help prevent, detect, and respond to a PCI breach or general data theft.
Prevention
In many financially motivated attacks, an attacker’s initial foothold is achieved through spear phishing. With spear phishing, an attacker targets a few individuals with a customized email designed to compromise the target’s system and/or account. To help prevent a compromise from occurring via email, monitor for suspicious links or attachments, verify sender domains and block uncategorized sites using a web proxy.
To help prevent malware from running, implement application whitelisting and disable macros (this stops some ransomware too). While whitelisting may not be practical for all systems, it can be a good prevention method for point-of-sale (PoS) terminals and other systems that should not perform other unanticipated functions.
That said, attack groups such as FIN7 operate like a business, so they will do as much as needed for a return on investment. To avoid the aforementioned prevention mechanisms, a motivated attacker may compromise a legitimate categorized website to deliver malware or use application whitelisting bypass techniques. An attacker may use PowerShell or embed macros in a document to evade whitelisting and execute malware.
In any case, to gather payment card information, malware must be executed on the PoS terminal itself to steal unencrypted information from the system’s memory. The PCI data released from the Saks and Lord & Taylor breach were “track dumps” stolen from older magnetic stripe terminals. The Hudson’s Bay companies could have avoided the PCI compromises by using the newer Europay, MasterCard, and Visa (EMV) PoS terminals. These terminals allow for the use of chip and PIN, which is more secure because card data is not put into memory, and some processing is done on the card itself.
External and Internal Detection
If payment card information is compromised, the Dark Web is the first place that information goes up for sale. Monitor the Dark Web for payment card information, compromised credentials, and general Business Threat Intelligence to proactively respond to threats.
Internally, detection can occur at the host and network levels. At the host level, some malware can be detected by reviewing persistence mechanisms in the registry, system services, scheduled tasks, and more. However, signature-based detection may not be enough due to the resourcefulness of attack groups like FIN7. Threat Intel is always changing, and attackers follow and read articles such as this one. It is important to keep abreast of the latest attacker techniques to inform prevention and detection and to adapt defenses.
At the network level, monitor all communication for suspicious connections or data transfers to/from PoS systems, and lock down any unnecessary network connections. PoS malware typically has backdoor and command and control capabilities for data retrieval. PCI data must be transferred to the attackers somehow, and standard data loss protection may not be enough since the communication is typically over indirect, encrypted, or unexpected channels such as DNS records.
Comprehensive Incident Response
If your organization suspects a breach has occurred, logging levels may need to be increased to ensure any attacker activity is recorded, but be sure there is enough disk space for log retention. Many organizations do not have the appropriate level of PowerShell logging enabled (if at all), and attack groups such as FIN7 use PowerShell to execute commands.
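As an added example (not from the original post), the script below audits the PowerShell logging policy keys on a Windows host, enables script block and module logging, enables transcription only when the disk has room for it, and raises the size of the PowerShell operational event log so entries are not overwritten during an investigation. The transcript directory, the 10 GB free-space floor and the 1 GB log size are assumed placeholder values; adjust them to your own retention policy.

```powershell
# Added example: audit and enable PowerShell logging before an investigation.
# Assumptions: run as Administrator; C:\PSTranscripts, the 10 GB free-space
# floor and the 1 GB log size are placeholders, not values from the post.
#Requires -RunAsAdministrator

$base          = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'
$minFreeBytes  = 10GB
$opLogMaxBytes = 1GB

function Get-PSLoggingState {
    # A missing policy value means the setting is not configured, i.e. off.
    [pscustomobject]@{
        ScriptBlock   = (Get-ItemProperty "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ModuleLogging = (Get-ItemProperty "$base\ModuleLogging"      -ErrorAction SilentlyContinue).EnableModuleLogging      -eq 1
        Transcription = (Get-ItemProperty "$base\Transcription"      -ErrorAction SilentlyContinue).EnableTranscripting      -eq 1
    }
}

function Enable-PSLogging {
    # Script block logging writes event 4104 to Microsoft-Windows-PowerShell/Operational,
    # which records the de-obfuscated code that actually ran.
    New-Item "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty "$base\ScriptBlockLogging" EnableScriptBlockLogging 1 -Type DWord

    # Module logging (event 4103) records pipeline activity; '*' covers every module.
    New-Item "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty "$base\ModuleLogging" EnableModuleLogging 1 -Type DWord
    Set-ItemProperty "$base\ModuleLogging\ModuleNames" '*' '*'

    # Transcription is the noisiest option; only enable it if the volume can hold it.
    $drive = Get-PSDrive -Name $transcriptDir.Substring(0, 1)
    if ($drive.Free -lt $minFreeBytes) {
        Write-Warning "Only $([math]::Round($drive.Free / 1GB, 1)) GB free on $($drive.Name):, skipping transcription"
    } else {
        New-Item $transcriptDir -ItemType Directory -Force | Out-Null
        New-Item "$base\Transcription" -Force | Out-Null
        Set-ItemProperty "$base\Transcription" EnableTranscripting 1 -Type DWord
        Set-ItemProperty "$base\Transcription" OutputDirectory $transcriptDir
    }

    # Grow the operational log so 4103/4104 events survive long enough to be collected.
    wevtutil sl Microsoft-Windows-PowerShell/Operational /ms:$opLogMaxBytes
}

'Before:'; Get-PSLoggingState
Enable-PSLogging
'After:';  Get-PSLoggingState
```

Run it once before collection starts and ship the Microsoft-Windows-PowerShell/Operational log and the transcript directory to central storage, since a host-local log is the first thing an intruder with admin rights can clear.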
In the case of active PCI theft, it is obviously important to “stop the bleeding” to reduce fines, but attempt to determine the scope of the breach first. When an organization responds too soon, the attackers often steal much more data before a complete remediation of compromised systems and accounts is able to occur.
Many times, there is so much focus on the “crown jewels” that the rest of the organization’s security is not considered or prioritized. When a compromise occurs, always assume the attack involved some type of lateral movement. Incident Response should cover the entire organization, not just the affected payment processing systems. This holistic approach will help make incident response more effective and assist in validating remediation activities.
Preventing, detecting, and responding to a PCI or data breach is not easy. We hope you can apply this advice to help the security of your organization.