BreachExchange mailing list archives

Malware used in Target breach sold on underground forums


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 16 Jan 2014 12:06:01 -0700

http://www.net-security.org/malware_news.php?id=2677


Target continues to be rather tight-lipped about the circumstances of the
massive user data theft and the breach of their networks that made it
possible, but the few details that have been shared with the public point
to the use of memory-scraping POS malware.

Nothing has yet officially been confirmed, but unnamed sources familiar
with the investigation have revealed to Brian Krebs that the malware in
question was one that Symantec calls "Reedum" and that it is sold on
underground cybercrime forums under the name of "BlackPOS."

"On Dec. 18, three days after Target became aware of the breach and the
same day this blog broke the story, someone uploaded a copy of the
point-of-sale malware used in the Target breach to ThreatExpert.com, a
malware scanning service owned by security firm Symantec," Krebs revealed.

"Interestingly, a search in Virustotal.com — a Google-owned malware
scanning service — for the term “reedum” suggests that this malware has
been used in previous intrusions dating back to at least June 2013."

Reedum or BlackPOS, which is designed to be installed on POS devices and to
scrape the card data contained in their memory as soon as the cards are
swiped, is being sold by its author for $1,800 (basic version) or $2,300
(full version), and is apparently capable of bypassing firewalls.
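As an added illustration that is not from the article or from any tool it names, the following Python scan shows the kind of check an incident responder runs against a POS process memory dump or a suspected dump file to confirm whether cleartext Track 2 card data is present, which is exactly what memory-scraping POS malware harvests from the reader's memory at swipe time. The sample buffer is constructed here, and the Track 2 pattern is an assumption based on the ISO/IEC 7813 layout (PAN, '=', YYMM expiry, trailing '?').

```python
import re
from typing import Dict, List

# Track 2 as a magstripe reader writes it into memory (assumed ISO/IEC 7813
# layout): start sentinel ';', 13-19 digit PAN, separator '=', YYMM expiry,
# optional service/discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; drops digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> List[Dict[str, object]]:
    """Return each Luhn-valid Track 2 record found in a raw memory/dump buffer."""
    hits: List[Dict[str, object]] = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"offset": m.start(),
                         "pan": mask_pan(pan),
                         "expiry": m.group(2).decode()})
    return hits


# Constructed sample dump: one valid test PAN (4111...1111 passes Luhn) and
# one look-alike that fails Luhn, surrounded by process noise.
SAMPLE_DUMP = (b"POS_APP\x00junk "
               + b";4111111111111111=25121010000000000000?"
               + b" more noise "
               + b";4111111111111112=25121010000000000000?"
               + b"\x00" * 8)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_DUMP):
        print(f"offset {hit['offset']}: PAN {hit['pan']} exp {hit['expiry']}")
```

Running the same scan over a POS process's memory on a clean terminal that never holds unencrypted track data should return nothing; a hit on a host that is not the card reader itself (for example a shared internal server) is the "central repository" pattern the sources describe.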

Russian security firm Group-IB has been following the activities of this
individual and the group of cyber crooks he associates with, and believes them to
be of Russian and Ukrainian origin and involved in many cyber criminal
activities. They also believe that BlackPOS malware has previously been
used in attacks against customers of several big US banks.

What's interesting to note is that at the time the malware was installed on
Target's POS systems in late November, none of the commercial AV solutions
used by VirusTotal were detecting it as malicious.

Another question that the unnamed sources answered regards how the
criminals went about installing the malware on the POS systems.

"The attackers broke in to Target after compromising a company Web server.
Somehow, the attackers were able to upload the malicious POS software to
store point-of-sale machines, and then set up a control server within
Target’s internal network that served as a central repository for data
hoovered by all of the infected point-of-sale devices," writes Krebs.

“The bad guys were logging in remotely to that [control server], and
apparently had persistent access to it,” the source shared. “They basically
had to keep going in and manually collecting the dumps.”

What little information Target has released since the breach seems to
corroborate these (unofficial) revelations, as the criminals had to have had
access to the company's network in order to run off with the customers'
personal information.

It also means that Tripwire's Ken Westin made some good educated guesses
about how the malware was deployed on the POS systems.