Cloud network hunting note: looking back at the computer-field events of 2014, network security incidents stand out most, especially the alarming Sony hacking scandal at the end of the year. When we talk about a new generation of network security technology, the irony is that the means of Internet crime have hardly changed over the years. Rather than discussing how to strengthen network security technology, we should intensify efforts to improve ordinary people's awareness of network security.
It is a very common, almost routine case: a restaurant owner calls us in a panic asking for help. Even over the phone we could feel his anxiety. He said he had just been notified that payment card information had been leaked from his restaurant, and the bank had asked him to find investigators to look into it.
The restaurant's layout is typical of a small or medium-sized restaurant: several point-of-sale (POS) terminals are distributed around the main dining area, and a computer in the manager's office serves as the back-end server for the POS network.
During the investigation, we found not only malware stealing payment card information on the POS system and the back-end server, but also serious hidden security dangers in the restaurant's network infrastructure. One simple example: the computer used as the back-end server was also used for timekeeping, accounting and purchasing. The owner admitted that this was wrong, but he also confessed that this is the equipment he currently has, and that neither buying another computer nor budgeting for security services was within his means.
We found two remote access services on the back-end server: one used by the POS vendor to provide remote technical support, the other used by the accountant to inspect the books and receipts. We also noticed that the restaurant had not installed any hardware firewall, so the network did not separate important data (for example, the payment card information stored in the POS system) from unimportant data. When we asked about this, the owner said he had never set up the firewall device because he did not know how to configure it.
We checked all running processes on the back-end server and found an unknown executable named "ncsvr32.exe" running from the path "C:\Windows\Temp". The suspicious file name and the non-standard run path for an executable immediately caught our attention. An abnormal path, a file name known from malware, and the implied involvement of the remote access server add up to a very common kind of incident, but to play it safe we still took the data back to the laboratory for further analysis, which confirmed it.
Analysis of the remote access log revealed an IP address with a continuous run of login failures. The address belonged neither to the accountant nor to the POS vendor's technical support, yet after several consecutive failed logins it finally got into the back-end system. The log showed that three files were transferred from this address to the local computer. As the data mining went deeper, the "means" gradually surfaced.
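As an added example that is not part of the original note, the following Python script applies the check described above to a constructed remote access log: it flags any source address that is not one of the expected ones (the accountant and the POS vendor, assumed addresses here), failed to log in several times before succeeding, and then placed files on the server. The log format, addresses, timestamps and all file names other than ncsvr32.exe are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a remote-access service log (not the case's real log).
# Assumed format: "<date> <time> <src_ip> <event> [detail]".
SAMPLE_LOG = """\
2010-03-02 01:12:03 203.0.113.7 LOGIN_FAIL user=admin
2010-03-02 01:12:09 203.0.113.7 LOGIN_FAIL user=admin
2010-03-02 01:12:15 203.0.113.7 LOGIN_FAIL user=admin
2010-03-02 01:12:21 203.0.113.7 LOGIN_OK user=admin
2010-03-02 01:13:40 203.0.113.7 FILE_PUT C:\\Windows\\Temp\\ncsvr32.exe
2010-03-02 01:13:52 203.0.113.7 FILE_PUT C:\\Windows\\Temp\\svc.dll
2010-03-02 01:14:05 203.0.113.7 FILE_PUT C:\\Windows\\Temp\\cfg.dat
2010-03-02 09:00:01 198.51.100.20 LOGIN_OK user=accounting
2010-03-02 09:05:10 198.51.100.20 FILE_GET C:\\Books\\march.xls
2010-03-02 14:30:00 192.0.2.55 LOGIN_FAIL user=support
2010-03-02 14:30:06 192.0.2.55 LOGIN_OK user=support
"""

# The only sources the owner expects: the accountant and the POS vendor
# (constructed addresses standing in for the real allow-list).
APPROVED_SOURCES = {"198.51.100.20", "192.0.2.55"}

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+)(?: (.*))?$")


def triage(log_text, approved, fail_threshold=3):
    """Return {ip: {"failures": n, "files": [...]}} for every source that is
    not approved, failed at least fail_threshold logins, then succeeded and
    uploaded files. Everything else is dropped as expected activity."""
    state = defaultdict(lambda: {"failures": 0, "logged_in": False, "files": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, ip, event, detail = m.groups()
        s = state[ip]
        if event == "LOGIN_FAIL":
            s["failures"] += 1
        elif event == "LOGIN_OK":
            s["logged_in"] = True
        elif event == "FILE_PUT" and s["logged_in"]:
            s["files"].append(detail)  # files dropped onto the server after login
    return {ip: {"failures": s["failures"], "files": s["files"]}
            for ip, s in state.items()
            if ip not in approved and s["logged_in"] and s["failures"] >= fail_threshold}
```

On the sample above only 203.0.113.7 is reported, with its three uploaded files, which is the pattern the investigators saw in the log.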
The thieves' malware package uses the first file to install the second. Once written to the system, the first file disguises itself as a Windows service, keeps the malware running on the computer, and can restart the remaining files if needed. Most of the key operations are performed by the second file: reading memory and capturing card track data. Once it finds the data, the program jumps straight to the last step and applies a simple encoding, so the payment card information is stored on the computer, available at any time.
The remote access log also recorded additional access: the attacker later came back through the same IP address to the back-end server and collected the payment card data. At the end of the investigation, we estimated that hundreds of payment card numbers may have been leaked. We reported the results to the owner, then cleared the malware from the system and repaired the system's vulnerabilities. We hope the restaurant owner will take this as a warning and complete the network security protection work.
Today, most data breach investigators are accustomed to this kind of leak. In the past year we have met many similar data thefts. However, the investigation described above took place in 2010. That is to say, five years later, the "means" have not changed at all, and neither has people's weak data security awareness.
Let's take a recent case. The victim is no longer a single location but a national chain with franchisees. Over the course of the investigation, we found that the remote access service the POS vendor used to provide technical support to the chain was also used at dozens of other companies across the country.
From the remote access server logs we quickly found an IP address that had successfully accessed the server without authorization and then transferred a number of files. Under a path typical of an ordinary application, "C:\Users\Admin\AppData\Roaming\OracleJava", we found the malware. It was named "javaw.exe" and belongs to the well-known Backoff family of malware, which has successfully infected thousands of companies in the past year.
Reverse engineering analysis in this case shows that the malware not only steals data from memory but also automatically transmits it to the attacker's remote server. Like the 2010 case, Backoff also disguises itself as a Windows service after installation so that it keeps running after a restart. In-depth investigation showed that the POS technology provider had previously been hit by a phishing attack; a technical staff member, unaware of the risk and for convenience, had saved an important file containing passwords, named "passwords.txt", directly on the desktop, so the file was easily stolen.
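The two cases share the same tell: an executable running, or registered as a service, from a scratch or user-profile directory, in the second case carrying the name of a legitimate Java binary. As an added example (not code from the original note), this Python function flags such image paths in a constructed process and service listing; the directory patterns and the short list of known binary locations are assumptions, not an exhaustive allow-list.

```python
import ntpath
import re

# Locations from which a legitimate service or POS component should not be
# launched (scratch and user-writable directories). Assumed patterns.
SUSPICIOUS_DIRS = [
    re.compile(r"^c:\\windows\\temp\\", re.I),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I),
]

# Where a few well-known binaries normally live; the same file name anywhere
# else is treated as a look-alike. Constructed, deliberately small allow-list.
KNOWN_BINARIES = {
    "javaw.exe": [re.compile(r"^c:\\program files( \(x86\))?\\java\\", re.I)],
    "svchost.exe": [re.compile(r"^c:\\windows\\system32\\", re.I)],
}


def classify(image_path):
    """Return the reasons an image path looks suspicious (empty list if none)."""
    reasons = []
    name = ntpath.basename(image_path).lower()
    if any(p.search(image_path) for p in SUSPICIOUS_DIRS):
        reasons.append("runs from a temp or user-profile directory")
    if name in KNOWN_BINARIES and not any(p.search(image_path) for p in KNOWN_BINARIES[name]):
        reasons.append("name mimics a known binary but the path is non-standard")
    return reasons


def scan(entries):
    """entries: iterable of (source, image_path), source being 'process' or
    'service'. Returns only the entries that raise at least one reason."""
    return [(src, path, r) for src, path in entries if (r := classify(path))]


# Constructed snapshot modelled on the two cases in the text.
SAMPLE = [
    ("process", r"C:\Windows\System32\svchost.exe"),
    ("process", r"C:\Windows\Temp\ncsvr32.exe"),
    ("service", r"C:\Users\Admin\AppData\Roaming\OracleJava\javaw.exe"),
    ("process", r"C:\Program Files\Java\jre7\bin\javaw.exe"),
]

if __name__ == "__main__":
    for src, path, reasons in scan(SAMPLE):
        print(f"[{src}] {path}: {'; '.join(reasons)}")
```

The Backoff entry raises both reasons at once, the Temp entry one, and the two legitimate paths none; a real listing would be fed in from the host's process and service enumeration instead of the constructed SAMPLE.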
The tragedy is that the host names and passwords for every address the POS vendor managed were stored in that desktop text file, naturally including the host names and passwords for the chain enterprise. So the chain naturally fell victim to the Backoff malware attack. Not only that: the cybercriminals attacked dozens of the serviced addresses in total and stole thousands of payment card numbers from them.
These two highly similar cases from different times prove to us that the "means" most cybercriminals use have changed little over the years. Yet many enterprises still lack the necessary security management and effective measures to prevent these attacks. In some cases the parties simply do not have the resources to perfect their security system, while others still hold the idea that "this kind of thing won't happen to me" and trust to luck.
But the year 2014 now past, with its chaotic Internet and network attacks that almost no one could escape, is a wake-up call. As more and more enterprises raise their level of network security, the firms that do not are more likely to become targets for cybercriminals.