Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    August 2014
    S M T W T F S
    « Jul    
     12
    3456789
    10111213141516
    17181920212223
    24252627282930
    31  
  • About Us

    Jan26
    10:21 pm (UTC-7)   |    by

    We noted in our 2014 predictions that we believed that there would be one major data breach per month. Reports of data breaches against retailers ushered in the new year, where the credit card information of several million shoppers was stolen. There is no denying the scale and severity of breaches of this kind. While much ink–online and offline–has been focused on matters like who the author of the malware was, in the longer view what’s important to note is that there were many ways this attack might have been prevented–or security steps that could have been taken to thwart this kind of attack.

    For example, POS systems represent a near-ideal situation for whitelisting and/or locked down systems: there is no compelling need to run general-purpose applications on a POS system. A locked down system would have made it more difficult to run malware on the POS devices.

    Alternately, it is highly unlikely that such a large-scale attack was carried out with malware installed onto POS systems on an individual basis. It’s almost certain that some form of remote management software was used to install the malware onto the POS systems. This isn’t the first time that systems used to automatically install software onto systems has been compromised; last year the auto-update system of several applications in South Korea was used to plant malware onto affected systems.

    The movement of such significant amounts of data across networks should also have been detectable as well. Network defense solutions would have been able to detect the internal network traffic used by this attack, or the data exfiltration traffic, or both.

    The broad outlines of this attack are known, but specifics – such as what exact security procedures were in place and how/if they were evaded – are not yet public. However, businesses that handle critical data can take this incident and use it to determine if they, too, are at risk from similarly well-executed attacks. Companies in such a situation should double-check that all possible security procedures and products are in use and set up correctly, as well as for trained IT personnel to handle incidents as they happen.

    One thing that is clear is that for high-value targets, simple endpoint security is no longer sufficient. As we mentioned earlier, protections based on detecting network and system behavior (such as Deep Discovery and Deep Security) would have been very useful in dealing with these kinds of threats. Enterprises that do not have these solutions in place should consider implementing them in order to be able to guard against similar attacks; there is a good chance that other companies in similar situations will now have to deal with copycat attacks.

    We detect the malware that we believe was used in this attack as TSPY_POCARDL.AB and TSPY_POCARDL.U; if any related threats are found we will release further protection as necessary. Frequently asked questions about this incident are answered in the Simply Security blog.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    • http://www.sonatype.com/ Jessica Dodson

      It will be very interesting to see what comes out of this. How did so much data become compromised with no one noticing? How did the hackers bypass Target’s security measures? It’s a hard lesson to learn but companies need to learn from this debacle to protect themselves.

      • TrendLabs

        You’re right, Jessica. It would be helpful of such information is released so other companies can learn from it and be able to defend themselves properly. It is unknown whether these information will be made public though.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice