You might not know KAPTOXA (KAR-TOE-SHA) According to an article in Business Insider there is belief that the recent breaches that have occurred for Target, Neimen Marcus and a host of other retail service stores is based on the work of a teenager from Russia. Intel Crawler an intelligence aggregator and cyber security firm. Pulled data from multiple underground and networked security contacts to create the picture. According to their findings the toolkit is more than 40 builds deep. What this effectively means to the community at large is that there are 40 variations of the tool in existence today. Unlike normal software development where software is revised according to quality of service improvements. Malicious code creators make their revision as they tailor the toolset to a specific target. No pun intended.
Additionally there are some key indicators that are coming about as part of this discovery. As always, the low hanging fruit for mitigation can be blocking of domains associated as part of the callbacks for the malware. Callbacks can be explained as the command and control location where either data is wrapped and sent back for external use, and also the C2 is the sites that may be created to established communications for future efforts of data manipulation.
Initial reverse engineering analysis of the malware indicates that at least one of the variants being used has the capability to run on standalone systems. Although, nobody is pointing any fingers out loud at this time tools that are run on standalone systems are often injected in 1 of two ways 1. Malicious Insider Threat, Or 2. Stupid Users. However, the complexity of the file and its intent would leave me not believing this is accidental.
My additional cyber insight is the belief that the compliance measures that have been made over the last 8 years may have also been a very crucial piece as to why these breaches were so successful. Having been a Policy writer for some time now I know there are key missing links between Information Assurance and ICT security. Further, it has to be understood that written policy sometimes becomes the reversal recipe that an actor will use to employ their circumventing mechanisms. In addition, the actors will often only employ the “one up method” as is the case specifically with the payment card industry’s security guidance PCI-DSS . A few examples that were revealed rather quickly. 1. The requirement not to use vendor supplied password such as the password POS, or vendor system name.. and the organizations used POS1, and vendor name1. Another requirement was to encrypt transmission of cardholder data across open, public networks…. But that doesn’t mean the network inside my WAN.. or does it? and one final one that continues to be the the demise of proactive security and defense is the requirement to maintain a policy that addresses information security for employees and contractors. This is not CND this is CYA, and it will fail you. It is time the retail industry starts participating in FS-ISAC exercises and not only installing sensors, but monitor those sensors.
Link Details: http://intelcrawler.com/about/press08