The anatomy of the attack as described in the blog provides some illuminating insight into just how carefully planned and managed such campaigns are. The hackers, for example, exfiltrated stolen data from the PoS machines by transmitting it as DNS traffic, which few companies log in any detail, so it could easily fly under the radar of their security systems.
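As an added illustration, not part of the original post or the write-up it discusses, here is a small detector run over constructed resolver log lines: it flags a client that sends many distinct long, high-entropy subdomains to a single base domain, which is the pattern that data-over-DNS exfiltration tends to leave even when each query looks harmless on its own. The log format, domain names and thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the post): timestamp, client IP, query name.
SAMPLE_LOG = """\
2015-03-02T10:00:01 10.1.4.22 www.example.com
2015-03-02T10:00:02 10.1.4.22 mail.example.com
2015-03-02T10:00:03 10.1.4.22 static-assets-eu-west.example.net
2015-03-02T10:00:04 10.1.4.87 kx7q2m9vz4tb8nw1rc6yh3pd5j.exfil-domain.example
2015-03-02T10:00:05 10.1.4.87 g4f0e9d8c7b6a5zy3xw2vu1tsr.exfil-domain.example
2015-03-02T10:00:06 10.1.4.87 p1o2i3u4y5t6r7e8w9q0lkjhgf.exfil-domain.example
2015-03-02T10:00:07 10.1.4.87 www.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded or encrypted data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_query(qname):
    """Split a query name into (base domain, subdomain part).
    Assumption: the last two labels are the registrable domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def find_suspicious(log_text, min_sub_len=20, min_entropy=3.0, min_unique=3):
    """Return one alert per (client, base domain) that issued at least
    min_unique distinct long, high-entropy subdomains. The thresholds are
    assumptions to be tuned against a real baseline of benign traffic."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        base, sub = split_query(qname)
        # A single long or odd-looking name (e.g. a CDN host) is not enough;
        # only repeated distinct random-looking labels to one domain count.
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            seen[(client, base)].add(sub)
    alerts = []
    for (client, base), subs in sorted(seen.items()):
        if len(subs) >= min_unique:
            alerts.append({"client": client, "domain": base, "suspicious_queries": len(subs)})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

In practice the same counting is done per time window, and the base-domain split should use a public suffix list rather than the two-label assumption used here.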
But without analysing[sic] the entire post, there are two areas in particular I’d like to highlight.
The first illustrates perfectly the potential dangers of shoulder surfing. According to interviewee Blake Curlovic, the attackers managed to gain a vital first foothold in the Sally Beauty network via the Citrix remote access portal for remote workers. How did they do this? By compromising the log-in credentials of a district manager who had his username and password “taped to the front” of his laptop.
This isn’t to say that if this middle manager had been more careful with his access credentials the hackers wouldn’t eventually have gotten in – there are just too many ways for a determined attacker to do so. But it would at least have made matters more difficult, and sometimes making yourself a harder target is enough to put the bad guys off, so they focus on an easier-to-breach organisation.
Secondly, once inside they looked for network manager usernames and passwords in order to take over privileged accounts. After one had been located in a Visual Basic script, they used it to download the malware files onto all of the retail chain’s 6,000 nationwide PoS devices.
This is just an unbelievable comedy of errors. In 2015, why people are still taping usernames and passwords to their laptops remains a complete and utter mystery. Storing usernames and passwords in source code, rather than using certificate-based authentication, is terrifying in its incompetence.
There is so much more work to do to educate people on security best practices that it will be never-ending.