This week, nationwide beauty products chain Sally Beauty disclosed that, for the second time in a year, it was investigating reports that hackers had broken into its networks and stolen customer credit card data. That investigation is ongoing, but I recently had an opportunity to interview a former Sally Beauty IT technician who provided a first-hand look at how the first breach in 2014 breach went down.
On March 14, 2014, KrebsOnSecurity broke the news that some 260,000 credit cards stolen from Sally Beauty stores had gone up for sale on Rescator[dot]cc, the same shop that first debuted cards stolen in the Home Depot and Target breaches. The company said thieves made off with just 25,000 customer cards. But the shop selling the cards listed each by the ZIP code of the Sally Beauty store from which the card data had been stolen, exactly like this same shop did with Home Depot and Target. An exhaustive analysis of the ZIP codes represented in the cards for sale on the fraud shop indicated that the hackers had hit virtually all 2,600 Sally Beauty locations nationwide.
The company never disclosed additional details about the breach itself or how it happened. But earlier this week I spoke with Blake Curlovic, until recently an application support analyst at Sally Beauty who was among the first to respond when virtual alarm bells starting going off last year about a possible intrusion. Curlovic said that at the time, Sally Beauty was running exactly one enterprise solution for security — Tripwire (full disclosure: Tripwire is an advertiser on this blog). Tripwire’s core product monitors key operating system and application files for any changes, which then trigger alerts.
Tripwire fired a warning when the intruders planted a new file on point-of-sale systems within Sally Beauty’s vast network of cash registers. The file was a program designed to steal card numbers as they were being swiped through the registers, and the attackers had named their malware after a legitimate program running on all Sally Beauty registers. They also used a utility called Timestomp to change the date and time stamp on their malware to match the legitimate file, but that apparently didn’t fool Tripwire.
According to Curlovic, the intruders gained access through a Citrix remote access portal set up for use by employees who needed access to company systems while on the road.
“The attackers somehow had login credentials of a district manager,” Curlovic said. “This guy was not exactly security savvy. When we got his laptop back in, we saw that it had his username and password taped to the front of it.”
Once inside the Sally Beauty corporate network, the attackers scanned and mapped out the entire thing, located all shared drives and scouring those for Visual Basic (VB) scripts. Network administrators in charge of managing thousands or tens of thousands of systems often will write VB scripts to automate certain tasks across all of those systems, and very often those scripts will contain usernames and passwords that can be quite useful to attackers.
Curlovic said the intruders located a VB script on Sally Beauty’s network that contained the username and password of a network administrator at the company.
“That allowed them to basically copy files to the cash registers,” he said. “They used a simple batch file loop, put in all the register Internet addresses they found while scanning the network, looped through there and copied [the malware] to all of the point-of-sale devices — roughly 6,000 of them. They were in the network for like a week prior to that planning the attack.”
HIDING IN PLAIN SIGHT
Curlovic said the malware planted on Sally Beauty’s network was identified (by some security vendors) as a variant of FrameworkPOS, a card-stealing program that exfiltrates data from the target’s network by transmitting it as domain name system (DNS) traffic.
DNS is the fundamental Internet technology that translates human-friendly domain names like example.com to numeric Internet addresses that are easier for computers to understand. All networks rely on DNS to help direct users as they surf online, but few organizations actually keep detailed logs or records of the DNS traffic traversing their networks — making it an ideal way to siphon data from a hacked network.
According to a writeup of FrameworkPOS by G Data, a security firm based in Germany, the card-stealing malware allows the attackers to dynamically configure the domain name to which the DNS traffic carrying the stolen card data will reach out. On top of that, the malware obfuscates the card data with a simple cipher so that it won’t be immediately obvious as card data to anyone who happens to be examining the DNS traffic.
But Curlovic said despite its clever data-stealing methods, other parts of the malware were clumsily written. In fact, he said, one component of the malware actually broke the Net Logon service on infected point-of-sale systems, limiting the ability of the Sally Beauty cash registers to communicate with the rest of the company’s internal network. Net Logon is a Microsoft Windows component that verifies network log on requests.
“I don’t know technically what went wrong with their software, but Net Logon wouldn’t start anymore after it was installed,” Curlovic said. “We couldn’t log in remotely with domain credentials and registers couldn’t communicate out through DNS effectively after that. It was pretty huge indicator that something was seriously wrong at that point.”
As for Sally Beauty’s standing claim that only 25,000 customer cards were taken, Curlovic said he’d be surprised if it was limited to the 260,000 originally reported by this blog.
“From what I saw in the information that the Secret Service had, 260,000 was probably on the low end,” he said. “For the period of time the software was out on the registers and running, it should have been closer to around a million, based on the number of credit transactions Sally Beauty had daily. But since the malware really wasn’t working very well, it was only capturing a portion of the cards that went through because of the formatting issue that broke the Net Logon service.
Curlovic said the malware used in the 2014 Sally Beauty breach communicated the stolen card data to several domains that were hosted in Ukraine, and that those domains mostly carried names that seemed to be crafted as verbal jabs at the United States.
Curlovic said he can’t recall exactly what the domains were, since he no longer has access to his notes at work, but that one of the domains was something close to “vx.anti-usa-proxy-war[dot]com.” Curlovic said he no longer has access to his notes because he was terminated from Sally Beauty about three weeks ago for reasons his former employer declined to share. He said he found out through a person at the local Denton, Texas unemployment office that someone in the company had accused him of accessing another employee’s computer without authorization. “That’s a pretty strange accusation to make, since the network administrator guys there all have access to everyone’s system on the network.”
In any case, the anti-US domains referenced by the card-stealing malware reinforce a suspicion long held by this author and other researchers: That the Sally Beauty breach was carried out by the same Russian and Ukrainian organized crime gang that stole more than 100 million credit and debit cards from both Home Depot and Target.
As I noted in a Sept. 7, 2014 story, the malware used in the Home Depot breach included several interesting text strings that chastised the United States for its role in foreign conflicts, particularly in Libya and Ukraine.
“Three of the links point to news, editorial articles and cartoons that accuse the United States of fomenting war and unrest in the name of Democracy in Ukraine, Syria, Egypt and Libya. One of the images shows four Molotov cocktails with the flags of those four nations on the bottles, next to a box of matches festooned with the American flag and match ready to strike. Another link leads to an image of the current armed conflict in Ukraine between Ukrainian forces and pro-Russian separatists.”
“This is interesting given what we know about Rescator, the individual principally responsible for running the store that is selling all of these stolen credit and debit cards. In the wake of the Target breach, I traced a long list of clues from Rescator’s various online identities back to a young programmer in Odessa, Ukraine. In his many personas, Rescator identified himself as a member of the Lampeduza cybercrime forum, and indeed this site is where he alerts customers about new batches of stolen cards.”
“As I discovered in my profile of Rescator, he and his crew seemed somewhat taken with the late despotic Libyan leader Muammar Gaddafi, although they prefer the phonetic spelling of his name. The Web site kaddafi[dot]hk was among four main carding shops run by Rescator’s crew (it has since been retired and merged with Rescator[dot]cc). The domain kaddafi[dot]me was set up to serve as an instant message Jabber server for cybercrooks, advertising its lack of logging and record keeping as a reason crooks should trust kaddafi[dot]me to handle their private online communications.”
“When I reached out to Rescator last December to obtain comment about my findings on his apparent role in the Target break-in, I received an instant message reply from the Jabber address “[email protected][dot]me” (in that conversation, the person chatting with me from that address offered to pay me $10,000 if I did not run that story; I declined). But I also discovered that the kaddafi[dot]me domain was a blog of sorts that hosted some harsh and frankly chilling anti-American propaganda.”
Curlovic said the incident response team cleaning up the 2014 breach at Sally Beauty found another curious clue in the malware that attackers planted on the point-of-sale devices. They discovered that the intruders had created two versions of the card-stealing malware — one designed for use on 32-bit Windows systems and another created for use on 64-bit versions of Windows. The authors of the malware had taken the time to add an icon to the 32-bit version of the program that could be seen if anyone opened the directory where the malware was placed: The icon was little more than a black background with “Res” written in white lettering.
This kind of signing also was seen in the malware used in the Target intrusion, which contained the following text string: ““z:ProjectsRescatoruploaderDebugscheck.pdb”.