Inside a Retail Hack: Lateral Movement & Credential-Harvesting
In 2014, 1,000 retail businesses were hit by remote attacks. Most of those attacks started with stolen credentials, which let the attackers move laterally through the network, harvesting more credentials along the way, until they reached their final target: the store's point-of-sale (POS) systems.
Mandiant's M-Trends 2015: A View From The Front Lines report detailed these threats from 2014, including breach and attack trends, as well as security recommendations. Among the breaches Mandiant investigated, business and professional services made up the largest share, at 17 percent; government and international organizations and healthcare were also identified as targeted sectors.
Single-Factor Authentication on Application Virtualization Servers
How did attackers break into retail networks? They connected remotely to desktops and applications published through application virtualization servers, and misconfigured environments then let them reach other parts of the system.
In the cases Mandiant investigated, remote access required only single-factor authentication to gain entry: a username and password.
Another trend in the retail attacks was the use of valid credentials to remotely access retail systems, followed by lateral movement through the retailer's network to deploy POS malware.
In one case, the attacker used legitimate credentials to connect to the retailer's virtualized application server. The absence of failed login attempts indicated that the attacker already had the credentials before the attack began.
Elevating Privileges and Password Reuse
After exploiting a minor misconfiguration in the virtualized desktop to escalate privileges and obtain command-line access, the attacker ran a password-dumping tool and recovered a local administrator password that was reused across the retailer's environment, so one host's credential unlocked many others.
In each of these initial access scenarios, two-factor authentication could have stopped the attack by requiring a second device the attacker did not possess to complete the remote login. Mandiant recommended that all remote access methods require two-factor authentication.
Detailed authentication logs and geolocation maps also show who is attempting to log in to each of your applications, and from where, in one place. A successful remote login from a location the user has never used, with no failed attempts before it, is the signature of a credential that was already stolen; a success that follows a burst of failures points to a guessed password instead.
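The detection logic that idea implies, as an added example written for this page (it is not code from the original post or from Mandiant's report): the log format, field names, hosts, users and addresses are constructed for the example, standing in for whatever a VDI or application virtualization gateway actually emits. The function walks the log in order and flags two patterns, a success from a never-before-seen country with zero preceding failures (credentials were already in the attacker's hands) and a success after a run of failures (password guessing).

```python
import re
from collections import defaultdict

# Constructed remote-access log (hypothetical gateway, hypothetical users).
# Timestamps, addresses and country codes are made up for this example.
SAMPLE_LOG = """\
2014-05-02T13:10:04Z user=jdoe src=198.51.100.7 geo=US method=vdi result=success
2014-05-03T13:12:41Z user=jdoe src=198.51.100.7 geo=US method=vdi result=success
2014-05-04T09:02:13Z user=bsmith src=198.51.100.20 geo=US method=vdi result=success
2014-05-06T02:14:09Z user=jdoe src=203.0.113.45 geo=RO method=vdi result=success
2014-05-06T02:20:11Z user=bsmith src=203.0.113.99 geo=RO method=vdi result=failure
2014-05-06T02:20:15Z user=bsmith src=203.0.113.99 geo=RO method=vdi result=failure
2014-05-06T02:20:19Z user=bsmith src=203.0.113.99 geo=RO method=vdi result=failure
2014-05-06T02:20:23Z user=bsmith src=203.0.113.99 geo=RO method=vdi result=failure
2014-05-06T02:20:27Z user=bsmith src=203.0.113.99 geo=RO method=vdi result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def flag_remote_logons(log_text, fail_threshold=3):
    """Return a list of (timestamp, user, reason) alerts.

    * success from a country the user has never logged in from before, with no
      failed attempts from that source first: the credential was already valid
      in the attacker's hands (the Mandiant case described above);
    * success preceded by >= fail_threshold failures from the same source:
      a guessed or sprayed password.
    A user's very first login establishes a baseline and is never flagged.
    """
    known_geo = defaultdict(set)   # user -> countries seen on earlier successes
    failures = defaultdict(int)    # (user, src) -> failures since last success
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] != "success":
            failures[key] += 1
            continue
        prior_failures = failures.pop(key, 0)
        baseline = known_geo[ev["user"]]
        if prior_failures >= fail_threshold:
            alerts.append((ev["ts"], ev["user"],
                           f"success after {prior_failures} failures from {ev['src']}"))
        elif baseline and ev["geo"] not in baseline and prior_failures == 0:
            alerts.append((ev["ts"], ev["user"],
                           f"valid credential used from new geo {ev['geo']} "
                           f"({ev['src']}), no failed attempts"))
        baseline.add(ev["geo"])
    return alerts


if __name__ == "__main__":
    for ts, user, reason in flag_remote_logons(SAMPLE_LOG):
        print(ts, user, reason)
```

Run against the constructed log it raises two alerts: jdoe's first login from RO with no failures, and bsmith's success after four failures from the same source. In production the baseline would be loaded from history rather than built from the same file, and the geo lookup would come from your gateway or a GeoIP database.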
PCI DSS Security Recommendations
Mandiant also recommends some Payment Card Industry Data Security Standard (PCI DSS) basics, including segregating the cardholder data environment (CDE) from the rest of your network. Access to PCI systems should be tunneled through a hardened jump server that manages the devices within high-security zones and is itself protected by two-factor authentication.
They also recommend keeping retail domains separate and limiting outbound network traffic from the CDE to an approved list of destinations, such as a trusted third-party vendor.
Restricting where authentication may come from is another control for a retail environment: look for trusted-network and trusted-device policies as a feature of your two-factor authentication solution.
Gaining Access to Store Registers Via Central Domain Controller
How could attackers reach the registers remotely? With domain administrator credentials, obtained by stealing password hashes from the NTDS database (NTDS.dit, the Active Directory store that holds every domain account) and cracking them offline. Those credentials gave them access to systems in the retail domain.
Because the retail domain was a child of the corporate domain, the ports linking the corporate and retail domain controllers were open between them, and the attackers used that connectivity to reach the retail domain controller.
And since the store registers authenticated to that central domain controller, anyone with control of the domain controller could reach the registers directly, which is how the attackers installed POS malware on them.
Again, two-factor authentication on the remote entry point could have stopped the initial stage of this attack. One caveat a practitioner should keep in mind: once an attacker is inside the network, a stolen NT hash can be replayed against domain systems without ever being cracked, so the second factor has to sit in front of the path to those systems (the 2FA-protected jump server in the PCI recommendations above), not only on the VPN or virtual desktop login.
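To make the two credential-harvesting steps concrete (the reused local administrator password dumped from one virtual desktop, and the domain administrator hash stolen from NTDS and cracked offline), here is an added example written for this page, not code from the original post or from any tool Mandiant named. It computes NT hashes the way Windows does (MD4 over the UTF-16LE password, implemented inline so nothing external is needed), shows that identical hashes across hosts reveal a reused password that is usable on all of them, and runs a dictionary crack against a dumped hash. The hosts, account names, passwords and wordlist are all constructed.

```python
import struct

MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, written for this example (Python's hashlib may lack it)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    v = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        saved = v[:]
        for fn, const, shifts, order in rounds:
            for i in range(16):
                idx = (-i) % 4                        # a, d, c, b, a, d, ...
                x, y, z = v[(idx + 1) % 4], v[(idx + 2) % 4], v[(idx + 3) % 4]
                v[idx] = _rol((v[idx] + fn(x, y, z) + X[order[i]] + const) & MASK,
                              shifts[i % 4])
        v = [(a + b) & MASK for a, b in zip(v, saved)]
    return struct.pack("<4I", *v)


def nt_hash(password: str) -> str:
    """NT hash as stored in the SAM and in NTDS.dit: MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed credential inventory (hypothetical hosts and accounts): the local
# Administrator password is reused on every register, and one domain admin
# uses a seasonal password. In practice these hashes come from a SAM or NTDS dump.
INVENTORY = {
    "POS-STORE01": {"Administrator": nt_hash("Register2014!")},
    "POS-STORE02": {"Administrator": nt_hash("Register2014!")},
    "POS-STORE03": {"Administrator": nt_hash("Register2014!")},
    "NTDS.dit": {"RETAIL\\da-jsmith": nt_hash("Summer2014!"),
                 "RETAIL\\svc-backup": nt_hash("c8!Vq2#pL9zT@4wR")},
}
WORDLIST = ["password", "Password1", "Welcome1", "Summer2014!", "Winter2014!"]


def find_reused_hashes(inventory):
    """Map each NT hash to the (host, account) pairs sharing it; keep only hashes
    seen more than once. Same hash means same password, so one dump lets an
    attacker pass-the-hash to every host in the list without cracking anything."""
    seen = {}
    for host, accounts in inventory.items():
        for account, h in accounts.items():
            seen.setdefault(h, []).append((host, account))
    return {h: where for h, where in seen.items() if len(where) > 1}


def crack(target_hash, wordlist):
    """Offline dictionary attack: hash each candidate, compare, return the
    password or None. NT hashes are unsalted, so one pass covers every account."""
    for candidate in wordlist:
        if nt_hash(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    for h, where in find_reused_hashes(INVENTORY).items():
        print("reused hash", h, "on", where)
    for account, h in INVENTORY["NTDS.dit"].items():
        print(account, "->", crack(h, WORDLIST))
```

Two things the output makes plain: the three registers share one hash, so the password dumped from one of them opens all three, and the domain admin's seasonal password falls to a tiny wordlist while the random service-account password does not. Unique local administrator passwords per host (LAPS or equivalent) close the first path; strong domain admin passwords plus a second factor on the path to the domain controllers close the second.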
A Modern Guide to Retail Data Risks
Our guide can help retailers and other companies that need to protect sensitive data learn about modern threats, real breach cases and effective security solutions.
In this guide, you’ll learn:
- New risks to the retail industry presented by cloud, mobile and Bring Your Own Device (BYOD)
- Business and compliance drivers for strengthening authentication security
- How outdated security solutions can no longer effectively protect retailers and consumers alike
- How implementing a modern two-factor authentication solution can work to protect the new IT model
Written for CISOs, security, compliance and risk management officers, IT administrators and other professionals concerned with information security, this guide is for IT decision-makers who need to implement strong authentication, as well as those evaluating two-factor authentication solutions for organizations in the retail industry.