WEBVTT

00:00:00.000 --> 00:00:09.330
TOM: I was having trouble sleeping one evening. I had gone to bed and then I woke up,

00:00:09.330 --> 00:00:18.780
so I went downstairs to just futz around for a little bit. I turned on my computer and

00:00:18.780 --> 00:00:25.260
I was looking at my e-mail and here was a message from my bank, B of A,

00:00:25.260 --> 00:00:34.290
saying that my account had dropped below $25. [MUSIC] At the time,

00:00:34.290 --> 00:00:41.610
it didn’t trigger anything in me because I only – I knew I had about thirty-something dollars in it

00:00:41.610 --> 00:00:51.690
and it was an account that I used to keep money for equipment materials, that type of thing,

00:00:51.690 --> 00:00:59.310
for my business. But anyway, so I thought of that and just eh, okay, fine. Then I went back to sleep

00:00:59.310 --> 00:01:05.670
and when I finally got up in the morning, all of a sudden I’m sitting there making my coffee and I’m

00:01:05.670 --> 00:01:16.710
going well, why did my account go down below $25? I haven’t used that account in a couple of weeks.

00:01:16.710 --> 00:01:19.800
JACK: This is Tom. He’s just found out that

00:01:19.800 --> 00:01:21.900
somebody’s used his credit card without his approval.

00:01:21.900 --> 00:01:28.050
TOM: Obviously things are shot so I immediately called the bank and I said I don’t know what’s

00:01:28.050 --> 00:01:38.160
going on but I got a notice from B of A that I was overdrawn. Their fraud department said okay,

00:01:38.160 --> 00:01:43.200
fine, and they started a deal and immediately notified me that my accounts were frozen and

00:01:43.200 --> 00:01:49.470
that I couldn’t do anything. This was kind of a frustrating thing.

00:01:49.470 --> 00:01:52.719
I’m sitting there saying to myself now, now how in the hell could that happen?

00:01:52.719 --> 00:01:59.760
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the

00:01:59.760 --> 00:02:08.874
internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:02:08.874 --> 00:02:26.790
JACK: This is the story about a time when a major retail outlet got hacked. I’m not

00:02:26.790 --> 00:02:30.810
going to give the name of the store or even when this occurred because those details aren’t

00:02:30.810 --> 00:02:36.540
important. This story is fascinating enough without it. This company is huge so they have

00:02:36.540 --> 00:02:41.250
thousands of stores in the US and many more all across Europe and Asia. They do business

00:02:41.250 --> 00:02:46.620
both online and with physical stores all over the world. Of course, each of their physical

00:02:46.620 --> 00:02:52.470
stores have computers that are connected to the network. This story starts out with an e-mail.

00:02:52.470 --> 00:02:57.150
One of their credit card brands had found some cards on the black market being sold

00:02:57.150 --> 00:03:01.260
and they were linked to this store. The card brand e-mailed the store,

00:03:01.260 --> 00:03:06.360
letting them know some cards that are on the black market have a common purchase point of these

00:03:06.360 --> 00:03:12.240
retail stores. Specifically they found ten credit cards on the black market whose last purchase was

00:03:12.240 --> 00:03:16.650
this store. Now, ten credit cards found on the black market is not really that big of a deal,

00:03:16.650 --> 00:03:21.420
especially when credit card dumps have tens of thousands of cards in them. But

00:03:21.420 --> 00:03:26.128
this store wanted to investigate anyways so they called a consulting firm called Kroll.

00:03:26.128 --> 00:03:26.141
KROLL: Hello?

00:03:26.141 --> 00:03:26.154
COMPANY: Hey.

00:03:26.154 --> 00:03:31.470
JACK: And they asked Kroll to investigate their network and try to find if there were any traces

00:03:31.470 --> 00:03:36.351
of malware on it. They got a team to help them out. Let’s meet two of the members of that team.

00:03:36.351 --> 00:03:39.804
COURTNEY: My name’s Courtney Dayter. I’m a Senior Managing Consultant.

00:03:39.804 --> 00:03:41.160
MATT: My name is Matt Bromiley.

00:03:41.160 --> 00:03:44.550
JACK: Both Courtney and Matt are incident responders. Their job is

00:03:44.550 --> 00:03:48.660
to go into a network that is breached or may have been breached and find, isolate,

00:03:48.660 --> 00:03:53.490
and fix the problems. Both of them are used to working on larger cases and specifically

00:03:53.490 --> 00:03:59.640
cases involving finance and retail. Doing an incident response for a global retail company is

00:03:59.640 --> 00:04:04.620
what they’re good at. These two got right to work looking for any signs of hackers in the network.

00:04:04.620 --> 00:04:10.020
MATT: We usually start with [00:05:00] two different approaches. Number one,

00:04:10.020 --> 00:04:14.940
we’ll start to understand what’s already been out there. What type of data has been leaked and

00:04:14.940 --> 00:04:19.470
is it something that could actually be resulting from a breach? That’s kind of number one. Number

00:04:19.470 --> 00:04:25.770
two is we’ll also come in and drop in whatever tech we use. The tool that we use primarily is

00:04:25.770 --> 00:04:30.750
Carbon Black which is an end-point monitoring tool, end-point monitoring and analysis tool.

00:04:30.750 --> 00:04:33.870
We use Carbon Black when we deployed that throughout the environment. It’s

00:04:33.870 --> 00:04:37.890
usually that two-step approach; is to quantify the data that’s been exposed,

00:04:37.890 --> 00:04:43.620
drop in our tech and we start to get deployment throughout the entire environment. This particular

00:04:43.620 --> 00:04:50.940
customer has over ten thousand systems globally. They’re acting in every major

00:04:50.940 --> 00:04:57.090
country that’s out there. They’ve got outlets in every single one, if you will. We were deployed

00:04:57.090 --> 00:05:02.490
on a global scale to almost every system that they owned that was running Windows

00:05:02.490 --> 00:05:06.570
and that could handle the agent’s software. Basically everything Windows XP and above.

00:05:06.570 --> 00:05:10.920
JACK: The computers at each of these stores had antivirus running but it

00:05:10.920 --> 00:05:15.300
wasn’t picking anything up. The end-point monitoring software wasn’t finding a lot,

00:05:15.300 --> 00:05:20.880
either. But the store’s IT team had noticed one system was acting funny.

00:05:20.880 --> 00:05:25.050
So they took it offline and asked Matt and Courtney to look into it.

00:05:25.050 --> 00:05:31.470
COURTNEY: Originally the company had identified that first system for us. It was actually already

00:05:31.470 --> 00:05:34.800
identified; they had pulled it offline so that was somewhere where we were able to look.

00:05:34.800 --> 00:05:41.220
MATT: This particular system, it looked like a bloody murder scene. When you just

00:05:41.220 --> 00:05:47.530
take a look at this system, it’s just stuff everywhere. There’s malware all over the place.

00:05:47.530 --> 00:05:57.760
We also found several directories full of nonsensical binary data files that just

00:05:57.760 --> 00:06:04.300
didn’t have much of anything inside of them but there was size to them. On Windows environments,

00:06:04.300 --> 00:06:11.290
very rarely do you come across just blobs of data that don’t have any structure or purpose or are in

00:06:11.290 --> 00:06:16.690
the wrong place like these files were. We came across thousands of them. Every single file,

00:06:16.690 --> 00:06:25.540
believe it or not, also had the same naming convention. It was a six-digit date, so month,

00:06:25.540 --> 00:06:31.360
day, year, followed by a host name, followed by a seemingly random string of digits.

00:06:31.360 --> 00:06:33.880
JACK: These weird and unusual files were encrypted

00:06:33.880 --> 00:06:37.690
so neither the company nor the team could see what was in them.

00:06:37.690 --> 00:06:43.390
COURTNEY: Based off of some of the information that we found in different logs, we were able to

00:06:43.390 --> 00:06:53.590
basically track the different IP addresses where that account that was owned was also reaching out

00:06:53.590 --> 00:06:58.660
to. From doing that we were able to see where it was reaching out and where they were pushing

00:06:58.660 --> 00:07:05.170
malware to from that machine, as well. Then in doing so, we also found additional malware as we

00:07:05.170 --> 00:07:13.630
kept going out. It was just more and more specific variations of the same malware. From there,

00:07:13.630 --> 00:07:18.610
we were able to get most of it and then we got to a second major host machine and we

00:07:18.610 --> 00:07:23.320
were able to then spawn out from that one as well. Then we’re back to the third one.

00:07:23.320 --> 00:07:31.080
MATT: We identified upwards of about twelve hundred compromised systems.

00:07:31.080 --> 00:07:36.690
[MUSIC] The malware sits on these systems, scrapes all this data out of memory,

00:07:36.690 --> 00:07:41.100
and then it pushes that data over the wire to the central repository system.

00:07:41.100 --> 00:07:46.230
COURTNEY: This particular malware was writing to an output file so we knew that this malware

00:07:46.230 --> 00:07:51.300
was writing to a particular output file with a particular file extension. We were going,

00:07:51.300 --> 00:07:55.320
looking across the network for all of the files with the same similar naming

00:07:55.320 --> 00:08:02.100
patterns and similar file extensions. We also looked at the different malwares ‘cause some

00:08:02.100 --> 00:08:06.600
of them have a different naming convention in each of the different output files. We

00:08:06.600 --> 00:08:11.010
made sure we were able to determine all the output files. We pulled them all together.

00:08:11.010 --> 00:08:16.590
JACK: At this point the team had found over one thousand computers all in the network with the

00:08:16.590 --> 00:08:21.300
same malware. But here’s the worst part; want to guess what these computers were used for?

00:08:21.300 --> 00:08:26.190
MATT: They’re the cash registers where you go buy something and you swipe your card,

00:08:26.190 --> 00:08:30.420
or you insert your card. These days you insert pin and chip, sometimes you still

00:08:30.420 --> 00:08:35.730
swipe depending, but the systems that are compromised are those particular systems.

00:08:35.730 --> 00:08:40.470
JACK: Malware that exists on twelve hundred computers that are cash registers

00:08:40.470 --> 00:08:45.330
is terrifying. The team began studying this malware to try to understand what

00:08:45.330 --> 00:08:50.850
it’s doing. The output files were encrypted using XOR and the company couldn’t decipher

00:08:50.850 --> 00:08:56.680
it. But Matt and Courtney spent some time and eventually cracked the encryption.

00:08:56.680 --> 00:09:03.220
They were able to see what was in those files. What they saw confirmed their fears; the malware

00:09:03.220 --> 00:09:07.990
was grabbing every credit card that was swiped on that register and putting it in this file.

00:09:07.990 --> 00:09:11.320
COURTNEY: [00:10:00] The way that they were scraping cards were – they

00:09:11.320 --> 00:09:17.170
were scraping from memory. But they did it using fifteen and sixteen-digit characters,

00:09:17.170 --> 00:09:22.180
so they were pulling anything that was fifteen to sixteen digits and usually it’s followed by

00:09:22.180 --> 00:09:26.440
something along the lines of an equal sign or some sort of delimiter and then it gives you

00:09:26.440 --> 00:09:31.360
the four digit expiration number. Based off of that, that’s where they were able to pull

00:09:31.360 --> 00:09:37.660
card data down from memory, and using that basic algorithm they were able to get mostly

00:09:37.660 --> 00:09:43.900
positives but occasionally you do get a few false positives and some of the things that are scraped.

00:09:43.900 --> 00:09:51.400
JACK: This company is now in a nightmare scenario. So many of their cash registers

00:09:51.400 --> 00:09:56.350
have malware on it that’s scraping every credit card that’s being processed and then sending that

00:09:56.350 --> 00:10:02.350
data out of the network. As the credit card data leaks out of the company and into the wrong hands,

00:10:02.350 --> 00:10:06.760
the criminals who get these cards can use them for themselves. They do things like

00:10:06.760 --> 00:10:10.600
write the card data to a blank credit card and then withdraw cash from ATMs

00:10:10.600 --> 00:10:17.320
or use these cards to buy gift cards and sort of launder the money. The thieves found a spring of

00:10:17.320 --> 00:10:22.635
seemingly endless money and they were making some serious cash off this retail company.

00:10:22.635 --> 00:10:29.350
MATT: Our mutual feeling was there’s gonna be a lot of data here. I don’t know,

00:10:29.350 --> 00:10:35.590
the initial thing that you think about – and it’s like an investigator’s curse. You never want this

00:10:35.590 --> 00:10:41.020
number to be high but one of the first things you think about is how much data has been stolen? How

00:10:41.020 --> 00:10:44.530
much data has actually been accessed? ‘Cause when you’ve got that much malware in an environment

00:10:44.530 --> 00:10:49.390
that big, the first thing you have to think is I’ve just found thousands of output files;

00:10:49.390 --> 00:10:54.910
what are the chances that I’m also looking at millions of credit card numbers? You never want

00:10:54.910 --> 00:10:59.740
to be in that target world. Right, those tens of millions of numbers and that kind of stuff.

00:10:59.740 --> 00:11:02.890
You never want to be there but unfortunately when you uncover a breach this big, one of the

00:11:02.890 --> 00:11:12.010
things that creeps into your mind is please, please, please, don’t be that large. But wait,

00:11:12.010 --> 00:11:16.780
that was North America. We found the exact same type of infrastructure in Europe as

00:11:16.780 --> 00:11:22.660
well as in Asia Pacific. We had these central pivot points that the attackers were using

00:11:22.660 --> 00:11:27.910
basically as clearing houses. Malware was directly writing over the wire right

00:11:27.910 --> 00:11:32.620
to these systems as they were going thousands of systems at a time, simultaneously as well.

00:11:32.620 --> 00:11:36.773
JACK: Like I said before, the registers all had antivirus installed on it.

00:11:36.773 --> 00:11:42.004
COURTNEY: But it wasn’t picking up this malware in particular.

00:11:42.004 --> 00:11:47.440
MATT: This is actually a new variant that we’ve uncovered. It was not previously known.

00:11:47.440 --> 00:11:53.080
There’s a couple of little surprises about this malware. First off, it was an unknown variant

00:11:53.080 --> 00:12:01.060
but it’s a derivative of Tiny POS. There’s a legitimate Tiny POS point-of-sales software,

00:12:01.060 --> 00:12:09.940
then there’s a Tiny POS piece of malware. Tiny POS is a piece of malware that is pretty – I don’t want

00:12:09.940 --> 00:12:16.900
to say sophisticated but for what it’s able to do, it’s pretty well-developed. I say that knowing I

00:12:16.900 --> 00:12:22.510
just complimented a malware family but it’s real good put together but the kicker here is every

00:12:22.510 --> 00:12:27.490
single piece of card-scraping malware that we came across in this case was less than 6 KB in size.

00:12:27.490 --> 00:12:35.520
COURTNEY: As we kept adding more and more stores it was definitely a point

00:12:35.520 --> 00:12:38.250
where we’re like uh, are we going to have millions of cards here? I

00:12:38.250 --> 00:12:43.890
think especially as we saw the output files go higher and higher in number

00:12:43.890 --> 00:12:55.090
I was like oh, well let’s hope some of these overlap. Yeah, definitely an oh, shit moment.

00:12:55.090 --> 00:12:59.650
MATT: But wait, but wait, hold on, it gets worse than that. About eighty percent of the

00:12:59.650 --> 00:13:05.920
systems was the point of sales, the point of sale registers. The other twenty percent was

00:13:05.920 --> 00:13:12.610
the back of house systems as well, the back of house systems that sit in the back of the

00:13:12.610 --> 00:13:19.390
store that no one has access to aside from the store themselves. But those systems had malware

00:13:19.390 --> 00:13:25.270
on them as well. Those systems were also – also had data that was being scraped in them, too.

00:13:25.270 --> 00:13:31.060
JACK: Delivering this kind of news to the client is never easy. The team had

00:13:31.060 --> 00:13:33.130
to call the client to tell them what they found.

00:13:33.130 --> 00:13:43.120
MATT: Yeah, I would say it was us, them, and lawyers. That was a fun chat. I guess to give

00:13:43.120 --> 00:13:47.620
you a very brief perspective, there’s always that moment of like, when you receive that

00:13:47.620 --> 00:13:52.570
external alert or when your client receives that external alert, there’s always that moment of is

00:13:52.570 --> 00:14:01.450
this bullshit? Or how real is this? When we had that call we said hey, FYI, we have uncovered

00:14:01.450 --> 00:14:06.310
this malware. We found what it’s able to do. We’ve uncovered all these output files. The very first

00:14:06.310 --> 00:14:13.480
reaction because the output files [00:15:00] were encoded, they actually had a custom encoding that

00:14:13.480 --> 00:14:17.890
the malware was using. Because they were encoded there was a little bit of well, that data is just

00:14:17.890 --> 00:14:22.000
garbage, right? There’s nothing in there. Or like eh, well, we actually decoded it.

00:14:22.000 --> 00:14:29.170
There was definitely a little bit of oh shit on their part as well because it

00:14:29.170 --> 00:14:34.690
becomes real once you find out that your greatest fear has come true,

00:14:34.690 --> 00:14:41.920
which is someone’s been hanging out in your house for a while. [MUSIC] The lawyers, they do a very

00:14:41.920 --> 00:14:47.080
good job of letting us get everything out and then they process it and then they come back

00:14:47.080 --> 00:14:52.390
and ask questions. But there’s always a little bit of hesitancy. They want to make sure you’re

00:14:52.390 --> 00:14:59.560
correct. If you come out of the gate and you say yeah, we have evidence of a credit card breach,

00:14:59.560 --> 00:15:05.110
there’s a lot of wheels that start to turn. You’re on a clock, depending on the state.

00:15:05.110 --> 00:15:08.020
Some states you’re on the clock then, about disclosure and that kind of stuff.

00:15:08.020 --> 00:15:14.050
You’ve got to file for protection with the credit card brands and everything like that. They ask as

00:15:14.050 --> 00:15:18.550
many questions as possible to make sure you’re one hundred percent positive. What you’ve seen

00:15:18.550 --> 00:15:23.350
backs up – technically you can back up what it is you’re saying because they know that

00:15:23.350 --> 00:15:32.560
there’s a lot of money about to be spent based on that finding, based on that opinion. So next,

00:15:32.560 --> 00:15:37.330
this is where Courtney and I then fall into the quantification mode where now,

00:15:37.330 --> 00:15:42.430
okay, we’ve got a breach. Now we need to understand how wide, how big, and how much

00:15:42.430 --> 00:15:47.350
data is at risk here. That’s kind of the next step that you want to answer, is how much data

00:15:47.350 --> 00:15:51.910
is actually at risk when you have one of these breaches here, and just how far back does it go?

00:15:51.910 --> 00:15:53.500
JACK: Doing some digital forensics,

00:15:53.500 --> 00:15:57.700
the team was able to see when the malware was originally installed and where it came

00:15:57.700 --> 00:16:02.230
from. From this investigation they found the hackers were in the network for…

00:16:02.230 --> 00:16:05.825
MATT: About seven to eight months they were in there.

00:16:05.825 --> 00:16:13.510
COURTNEY: They were in the network probably at least a solid month of just reconnaissance

00:16:13.510 --> 00:16:18.250
before they built their perfect piece of malware. Then even throughout time

00:16:18.250 --> 00:16:22.210
we saw them make slight modifications to it as they kept going forward.

00:16:22.210 --> 00:16:30.650
They knew exactly where to go get the credit cards on every system.

00:16:30.650 --> 00:16:38.660
MATT: Unfortunately the system that they first compromised, that they first came into

00:16:38.660 --> 00:16:46.100
was no longer available. I think personally, they came in with a phish only because there

00:16:46.100 --> 00:16:50.720
was very little exploitation of systems even though there was a very vulnerable

00:16:50.720 --> 00:16:55.040
environment. There was very little exploitation of those vulnerabilities and that may be again,

00:16:55.040 --> 00:17:00.200
because they didn’t need to do that. I don’t want to rule that out immediately but I don’t know,

00:17:00.200 --> 00:17:05.030
most of these cases I always see start with some sort of a phish. Especially to set up the

00:17:05.030 --> 00:17:09.470
infrastructure that these guys had – that these attackers had set up. Here, it makes me want to

00:17:09.470 --> 00:17:14.570
think it was likely a targeted approach but you never know. You never know until you find it.

00:17:14.570 --> 00:17:18.080
JACK: Phishing is when a hacker targets an employee to try to get them to click

00:17:18.080 --> 00:17:21.860
something they shouldn’t click on. It could be an e-mail with a malicious link,

00:17:21.860 --> 00:17:26.780
it could be a Word document with macros enabled. Once the person clicks the malicious link,

00:17:26.780 --> 00:17:34.610
that computer can become infected and then under control of the hacker. When the hacker is in

00:17:34.610 --> 00:17:38.900
the network, they can move over to another machine to start setting up their malware.

00:17:38.900 --> 00:17:44.000
MATT: With simple [inaudible] math you’re scraping six hundred stores,

00:17:44.000 --> 00:17:50.780
five to six hundred stores for a period of eight months. That period of time includes the summer,

00:17:50.780 --> 00:17:57.170
includes multiple sale weekends, it includes the build-up to Christmas and that kind of

00:17:57.170 --> 00:18:03.620
stuff. Including all those various time periods. You could very easily get into the hundreds of

00:18:03.620 --> 00:18:12.170
thousands or millions of cards easily with those considerations and those factors.

00:18:12.170 --> 00:18:18.890
[MUSIC] The next step is let’s get these output files parsed, let’s start to concatenate this

00:18:18.890 --> 00:18:24.110
data together and let’s start to de-dupe it and see just how much data we’ve got exposed here.

00:18:24.110 --> 00:18:28.520
COURTNEY: Yeah, I want to say it took us at least two weeks to get through all of

00:18:28.520 --> 00:18:33.950
the credit cards and really de-dupe them and make sure that everything we had were actual

00:18:33.950 --> 00:18:41.330
card numbers. Something particular in this case that we ran into was credit cards that look like

00:18:41.330 --> 00:18:47.150
credit card numbers but weren’t actually valid card numbers. That was something that we had to

00:18:47.150 --> 00:18:53.420
do a lot of de-duplication and verification with, both on our end and with a little bit

00:18:53.420 --> 00:18:58.550
of help of the card brands, determine if what we were seeing were all actually card numbers.

00:18:58.550 --> 00:19:09.830
MATT: We started uncovering card data that was expired. [MUSIC] [00:20:00] We’re like,

00:19:09.830 --> 00:19:15.020
how are we finding so much credit card data that’s expired? It’s one thing if you find –

00:19:15.020 --> 00:19:19.010
let’s say you have twenty numbers from the day and you find one is expired. You’re like oh,

00:19:19.010 --> 00:19:24.290
okay, someone accidentally swiped an old card or something, right? But then you start to wonder,

00:19:24.290 --> 00:19:26.060
you’re like why am I seeing this significant percentage

00:19:26.060 --> 00:19:29.780
of cards that have already expired? What was happening in this case is,

00:19:29.780 --> 00:19:33.620
if you remember earlier, I mentioned that the malware was on the back of house systems.

00:19:33.620 --> 00:19:40.340
The back of house systems were running SQL servers. The SQL servers had historical

00:19:40.340 --> 00:19:45.620
unencrypted tracked data that was being loaded into memory and the

00:19:45.620 --> 00:19:54.820
malware was picking that up. They were picking up transactions from as long as four years ago.

00:19:54.820 --> 00:19:59.170
The attackers were effectively peeking back in time. They were looking at transactions

00:19:59.170 --> 00:20:06.460
from three to four years ago that they had no visibility to, which is another unique angle

00:20:06.460 --> 00:20:11.110
because most of this malware exists at the swipe, or it exists to steal at the swipe.

00:20:11.110 --> 00:20:16.120
JACK: Now the team is ready to begin removing the

00:20:16.120 --> 00:20:19.990
malware from the network. They needed to understand every hole that was in the

00:20:19.990 --> 00:20:24.010
network and patch every one so that the hackers could not get back in.

00:20:24.010 --> 00:20:29.230
COURTNEY: We didn’t actually have to take any of the servers offline. Once we were

00:20:29.230 --> 00:20:34.660
able to really find those pivot points, taking those offline or at least making sure that we

00:20:34.660 --> 00:20:39.250
had process blocking in place, was able to stop it for the most part across the network.

00:20:39.250 --> 00:20:44.860
MATT: Yeah, we ended up shutting down the clearing houses, the central points that

00:20:44.860 --> 00:20:49.960
they were using. We ended up taking those off first and then waiting to see what would happen

00:20:49.960 --> 00:20:57.970
next. The first time we kicked them out, we actually saw them re-enter through Asia and

00:20:57.970 --> 00:21:09.440
within about three seconds of re-entering they had re-compromised forty different systems.

00:21:09.440 --> 00:21:15.620
[MUSIC] I never want a company to actually be breached but part of my job is to find that stuff

00:21:15.620 --> 00:21:22.130
and part of Courtney’s job is to find that stuff. Our initial reaction was first off like, ah shit,

00:21:22.130 --> 00:21:27.020
we knew this was gonna happen. We didn’t know it was gonna happen this fast. That’s reaction one.

00:21:27.020 --> 00:21:32.330
Reaction two; usually what happens if you successfully kick an actor

00:21:32.330 --> 00:21:37.490
out one hundred percent, usually you’ll see a phishing campaign or something. They’re trying

00:21:37.490 --> 00:21:42.590
to get back in. To see them come through the network with that speed, the next thing is ah,

00:21:42.590 --> 00:21:47.000
shit, there’s another back door out there which we got to go track down. There ended up being a

00:21:47.000 --> 00:21:51.770
system we didn’t have visibility to. Number three, there’s that moment where you see how

00:21:51.770 --> 00:21:55.730
quickly the attacker’s doing what they’re doing. That speaks volumes to how long they’ve been in

00:21:55.730 --> 00:21:59.780
the network. If you’re watching an attacker, if you’re seeing artifacts from an attacker

00:21:59.780 --> 00:22:03.710
very recently and it looks like they’re fumbling around in the dark looking for a light switch,

00:22:03.710 --> 00:22:08.120
then you’re like, there’s a very slim, good chance this person hasn’t been here that long.

00:22:08.120 --> 00:22:14.570
To watch someone re-compromise four dozen machines in ten seconds, okay,

00:22:14.570 --> 00:22:19.040
this person has come back home, they’ve put their feet up on the couch, they know exactly

00:22:19.040 --> 00:22:24.770
where the remote is and it’s a very easy thing for them to slide right back into.

00:22:24.770 --> 00:22:32.180
COURTNEY: I think it was interesting to see them come back in so quick but it was also interesting

00:22:32.180 --> 00:22:38.960
to see which tools they were immediately using. Because at that point we had the live response

00:22:38.960 --> 00:22:44.000
there. We were able, essentially, to sit there and track what they were doing and see exactly

00:22:44.000 --> 00:22:49.880
how they were moving. We had some of these records before but it was just nice to actually sit there

00:22:49.880 --> 00:22:55.010
and be able to confirm oh, they came in through here, okay, well they ran an IP scanner and

00:22:55.010 --> 00:23:03.660
then they hard-coded and were able to log into all these IPs in the matter of three minutes.

00:23:03.660 --> 00:23:09.180
JACK: The team had discovered that besides the malware, there were also

00:23:09.180 --> 00:23:13.789
back doors installed on many systems which is how the hackers kept getting back in.

00:23:13.789 --> 00:23:18.780
COURTNEY: They had added 350 back doors. However, they weren’t pushing the malware to each,

00:23:18.780 --> 00:23:24.120
like all 350 systems didn’t have all the malware on it. It was almost as if

00:23:24.120 --> 00:23:28.430
they were just allowing themselves access back in in case they ever got closed off.

00:23:28.430 --> 00:23:31.740
JACK: But the team was able to find [00:25:00] each and every back door

00:23:31.740 --> 00:23:36.300
and take every pivot point offline and stop any more credit cards from leaving

00:23:36.300 --> 00:23:40.734
the network. It was a good feeling to finally get this malware under control.

00:23:40.734 --> 00:23:45.420
MATT: There was about a month where every call got worse and worse. There

00:23:45.420 --> 00:23:50.550
was definitely a moment of really, is this ever going to end? You can definitely get bad news

00:23:50.550 --> 00:23:55.650
[inaudible] after a while but eventually once we started taking things offline,

00:23:55.650 --> 00:24:02.010
it then turned into positivity and we were able to actually deliver good news calls. Which is hey,

00:24:02.010 --> 00:24:06.390
we’ve actually remediated things. The attitude started to shift when – once

00:24:06.390 --> 00:24:10.800
we had figured out the way the global – the attacker’s global infrastructure was set up.

00:24:10.800 --> 00:24:17.010
But it’s only when you get to that point where you’ve mapped out the whole world that you can

00:24:17.010 --> 00:24:22.860
start to actually breathe a little bit. Luckily this malware was not ingrained to the point where

00:24:22.860 --> 00:24:29.670
it became symbiotic with the environment like some malware families do. But this one was pretty easy

00:24:29.670 --> 00:24:36.630
to delete. I don’t say that as a challenge; I say it as – it was definitely a pain in the rear but

00:24:36.630 --> 00:24:40.620
it was simple enough to delete and then disable the services to prevent it from running again.

00:24:40.620 --> 00:24:42.930
JACK: As the team was cleaning the malware off the

00:24:42.930 --> 00:24:46.530
network they gave some suggestions to the company to improve their security.

00:24:46.530 --> 00:24:52.890
COURTNEY: Yeah, some password changes were necessary, maybe something down the line of

00:24:52.890 --> 00:24:57.900
changing their network infrastructure so it’s not so flat. That was definitely one

00:24:57.900 --> 00:25:02.370
of the things that enabled this malware to get as far as it did because every

00:25:02.370 --> 00:25:08.460
system could essentially reach every other system. There were similar passwords shared,

00:25:08.460 --> 00:25:14.430
administrator accounts, privileged accounts that were accessible on many,

00:25:14.430 --> 00:25:19.350
many machines across the network. I think this was a big learning point of how to properly secure

00:25:19.350 --> 00:25:24.510
your network and make sure your encryption’s in place to prevent this from happening again.

00:25:24.510 --> 00:25:31.530
JACK: To try to trace this hack down to the person who was responsible is sometimes impossible. You

00:25:31.530 --> 00:25:35.220
can look for clues in the malware like the language that was used in writing it,

00:25:35.220 --> 00:25:39.660
or the time zone that it’s set to, but these things are just small clues that

00:25:39.660 --> 00:25:43.710
aren’t very strong. Trying to figure out who did a hack is called attribution.

00:25:43.710 --> 00:25:49.410
MATT: I’m a firm believer that attribution doesn’t really get you anywhere unless you’re sitting in

00:25:49.410 --> 00:25:55.560
a political or an executive role and you’ve got to make decisions off of who may be behind this

00:25:55.560 --> 00:26:00.270
keyboard, and that kind of stuff. However it’s always interesting to know. The only

00:26:00.270 --> 00:26:06.030
thing I can say about this one is one thing we haven’t mentioned yet; North America, there was

00:26:06.030 --> 00:26:12.210
one server that was treated as a clearing house. Then there were two additional systems that had

00:26:12.210 --> 00:26:18.360
back doors on them. In Europe it was very much the same thing. Europe and [inaudible] and whatnot was

00:26:18.360 --> 00:26:21.900
very much the same way. There was one or two systems that served as central pivot points.

00:26:21.900 --> 00:26:30.600
Asia on the other hand, Asia had somewhere in between 350 and 400 unique back doors

00:26:30.600 --> 00:26:39.780
installed on it. Almost every system got a back door. A lot of the compromise itself actually

00:26:39.780 --> 00:26:46.830
started in Asia. It actually started in mostly Southeast Asia and that kind of stuff. That

00:26:46.830 --> 00:26:52.110
doesn’t lend itself to any attribution whatsoever. It’s just when you’re going after credit card data,

00:26:52.110 --> 00:26:58.350
it’s a very interesting place to start, if you catch my drift. Even if you pinpoint it,

00:26:58.350 --> 00:27:04.320
that specifically, what are you going to do? You’re a company that’s headquartered in the

00:27:04.320 --> 00:27:14.100
United States. What recourse do you have? You’ve got to get your network back up. You’ve got to get

00:27:14.100 --> 00:27:18.360
to a point where you’re not having to fight fires every day. You don’t really have time to. What,

00:27:18.360 --> 00:27:23.640
are you gonna hire a team to go after these guys or something like that? Good luck.

00:27:23.640 --> 00:27:27.120
JACK: What was the final number of credit cards that were stolen?

00:27:27.120 --> 00:27:32.670
MATT: That number, to the best of my knowledge, is still being sussed out

00:27:32.670 --> 00:27:40.560
but I think after everything we had come across, we landed a little shy of 100,000.

00:27:40.560 --> 00:27:46.350
That was all. Which was a very surprising number and a very relieving number as well.

00:27:46.350 --> 00:27:51.540
JACK: I don’t know a lot about the current carding black market conditions but it’s safe to say these

00:27:51.540 --> 00:27:56.460
are probably too many cards for these hackers to try to scrape money out of themselves. They’re

00:27:56.460 --> 00:28:01.920
probably selling these cards in bulk somewhere. The cards go anywhere from ten dollars to

00:28:01.920 --> 00:28:07.320
a hundred dollars each, so even if they got ten dollars per card, that means these hackers made a

00:28:07.320 --> 00:28:12.540
million dollars off this company. Now the company has to do it again to try to clean up the problem.

00:28:12.540 --> 00:28:17.460
MATT: Primarily, then it falls onto the company to work with

00:28:17.460 --> 00:28:21.630
the banks and work with the credit card companies and get new cards out there.

00:28:21.630 --> 00:28:24.750
JACK: This breach was publicly announced and it hit the news,

00:28:24.750 --> 00:28:28.035
but the public’s reaction to it wasn’t a huge deal.

00:28:28.035 --> 00:28:37.770
MATT: In short it was not as crazy as you’d think. It was not that big of a deal.

00:28:37.770 --> 00:28:44.430
I say that because you’ve got predecessors like Home Depot and Target and some of those

00:28:44.430 --> 00:28:48.840
huge major breaches, you’ve got predecessors like that which received weeks if not months

00:28:48.840 --> 00:28:56.087
of news. This one was not as prolific as that. From that, and the world view.

00:28:56.087 --> 00:29:00.630
COURTNEY: That and then on top of it, with the whole network infrastructure right now

00:29:00.630 --> 00:29:06.180
and how often we’re almost seeing these reported in the news. Some of the larger

00:29:06.180 --> 00:29:09.720
breaches that we’ve recently seen, including social security numbers,

00:29:09.720 --> 00:29:15.690
I guess credit cards kind of a little bit fall to the back. You’re always worried it gets stolen but

00:29:15.690 --> 00:29:19.290
in the back of a lot of people’s minds they’re like oh, I’ll just replace it, get a new one.

00:29:19.290 --> 00:29:23.610
JACK: Besides this being a major headache for this company and an even bigger headache

00:29:23.610 --> 00:29:28.290
for the credit card companies and banks, this also can severely impact the people

00:29:28.290 --> 00:29:32.430
whose cards got stolen. At the beginning of this episode you started to hear from

00:29:32.430 --> 00:29:37.710
Tom. It’s possible that Tom’s card data was stolen and sold on the black market

00:29:37.710 --> 00:29:42.790
just like in the story you just heard. Someone used his card fraudulently and

00:29:42.790 --> 00:29:47.440
his bank was investigating to see what went wrong. Let’s hear how his story pans out.

00:29:47.440 --> 00:29:54.370
TOM: Well, the morning that they did it was the 12th or 13th of December so this effectively

00:29:54.370 --> 00:30:03.520
wiped out Christmas. [MUSIC] I’m a licensed contractor and I receive some of my business

00:30:03.520 --> 00:30:12.460
through an outfit and with my accounts frozen and nothing able to go in or come out, the

00:30:12.460 --> 00:30:17.350
first thing I found was that they stopped working for me and they said well, your bill is overdue

00:30:17.350 --> 00:30:24.010
and your bill is overdrawn and we can’t get any money so you’re stopped until something happens.

00:30:24.010 --> 00:30:37.150
But luckily I had a financial backup on this and so I was able to survive but I could not

00:30:37.150 --> 00:30:44.920
work until this was finally taken care of. It made a couple of months where things were very,

00:30:44.920 --> 00:30:57.850
very difficult. My main bank had gone through and they said okay,

00:30:57.850 --> 00:31:04.330
we have found the problem and they had now put everything back the way it was supposed

00:31:04.330 --> 00:31:12.760
to be. I was now able to do business with the account but even having done that, it still

00:31:12.760 --> 00:31:18.730
took a couple of months to get things squared away. It was a major interruption in my life.

00:31:18.730 --> 00:31:29.830
JACK: Courtney and Matt gave a presentation at the Kaspersky SAS Summit earlier this year. In

00:31:29.830 --> 00:31:34.120
their talk they went into detail about this new strain of malware. They also

00:31:34.120 --> 00:31:38.710
reported this new strain of malware to the antivirus companies so it can be detected in

00:31:38.710 --> 00:31:44.080
the future. Matt has since moved from Kroll and is now working at Cylance and has most recently

00:31:44.080 --> 00:31:48.430
been accepted as a SANS instructor teaching digital forensics and incident response.

00:31:48.430 --> 00:32:04.390
JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries. For show notes and links,

00:32:04.390 --> 00:32:10.120
check out darknetdiaries.com. If you want more InfoSec podcasts, there’s one that does an episode

00:32:10.120 --> 00:32:15.130
almost every day. They do a daily wrap-up of the news and interview some really smart people. It’s

00:32:15.130 --> 00:32:20.500
called the Cyber Wire and I recommend it for your daily commute. A lot of you are asking how you can

00:32:20.500 --> 00:32:25.180
help with this show. Right now I’m just trying to grow the audience. It’s hard to get the word out,

00:32:25.180 --> 00:32:30.190
so you’d be a big help to me if you would tell others about this podcast. Think whose phone

00:32:30.190 --> 00:32:35.080
number you have of someone who might like this show and text them right now to tell them about

00:32:35.080 --> 00:32:40.000
it, or post about it on social media, or tell your co-workers. These kinds of things make

00:32:40.000 --> 00:32:44.830
me super excited to make more episodes. This show is made entirely by me, Jack Rhysider.

00:32:44.830 --> 00:32:52.970
Theme music for this show including this song is made by Breakmaster Cylinder. [OUTRO MUSIC ENDS]

00:32:52.970 --> 00:32:59.420
Hey, one last thing. [MUSIC] I made something you might like. I made a random password generator.

00:32:59.420 --> 00:33:03.800
Yeah, it’s a website that creates some fresh, new, random passwords for you. Just in case you

00:33:03.800 --> 00:33:08.090
ever need to create a random password, I’ve got you covered. Oh, and there’s an extra feature,

00:33:08.090 --> 00:33:13.190
too. It has an API which allows you to use it in your own programs. Anyways, if you want to check

00:33:13.190 --> 00:33:18.950
out the site it’s called passwordwolf.com. That’s passwordwolf.com. See you there.
