Data breach? Blame your third party's remote access systems

An in-depth study of last year's data breaches, in which hackers infiltrated 312 businesses and stole mainly customer payment-card information, found that the primary way they got in was through the remote-access applications or VPNs that third-party vendors use for systems maintenance.

"The majority of our analysis of data-breach investigations -- 76% -- revealed that the third-party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers," the Trustwave report published today states. The vast majority of the 312 companies suffering the payment-card breach were retailers, restaurants or hotels, and they came to Trustwave for incident-response help because Visa, MasterCard or another payment-card organization had traced a batch of stolen cards to their businesses and demanded a forensics investigation within a matter of days.


In fact, only 16% of the 312 companies managed to detect the payment-card data breach on their own, says Nicholas Percoco, senior vice president at Trustwave and head of its SpiderLabs division. Most of the time, sophisticated analysis by the payment-card organizations of a large volume of fraud reports from customers about unauthorized credit-card use was the trigger for the call from Visa or MasterCard to investigate a suspected breach.

Percoco said forensics investigations did show there had been a data breach in all 312 cases, with about 29% of the attacks against these businesses traced to originating in the Russian Federation. However, a full 32.5% of the attacks had wholly unknown sources since they originated through Internet anonymity services.

Although the businesses hit by payment-card hackers claimed to be compliant with Payment Card Industry (PCI) security standards, in reality there were often gaps. The third-party vendor remote-access applications and VPNs used for systems maintenance were often the way attackers got in, by stealing the simple, widely reused passwords in use.

The Trustwave report notes, "System logins require a username and password, and often these combinations are pitifully simple: administrator:password, guest:guest, and admin:admin were commonly found in our investigations. Many third-party IT service providers use standard passwords across their client base. In one 2011 case, more than 90 locations were compromised due to shared authentication credentials."

Percoco says the PCI standard requires two-factor authentication for remote administrative access, which wasn't being used. He notes that the IT systems vendors at fault did have a price to pay: they were not only required to fix the issues identified, but also faced fines for noncompliance with the PCI standards and, Percoco adds, were ordered to "pay to recover the costs of the fraud."
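The three failure modes the report describes (default username:password pairs, one password reused by a vendor across its client sites, and remote administrative logins with no second factor) are all mechanically checkable from an inventory of vendor remote-access accounts. The following is an added example, not code from the Trustwave report; the account records, site and vendor names, and the unsalted SHA-256 password hashes are constructed for illustration (a real audit would be working from a verified credential export or cracked hashes, and salted storage would need a different reuse check).

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List

# Default pairs named in the Trustwave report as commonly found on vendor logins.
DEFAULT_PAIRS = {("administrator", "password"), ("guest", "guest"), ("admin", "admin")}


def pw_hash(password: str) -> str:
    """Unsalted SHA-256 of a password; unsalted so reuse across sites is comparable (constructed)."""
    return hashlib.sha256(password.encode()).hexdigest()


DEFAULT_HASHES = {(user, pw_hash(pw)) for user, pw in DEFAULT_PAIRS}


@dataclass(frozen=True)
class RemoteAccount:
    site: str           # merchant location the vendor maintains (hypothetical names)
    vendor: str         # third-party IT service provider (hypothetical)
    username: str
    password_hash: str  # unsalted SHA-256 hex, see pw_hash()
    mfa: bool           # whether a second factor is enforced on this login


@dataclass(frozen=True)
class Finding:
    scope: str      # site (per-account issue) or vendor (cross-site issue)
    username: str
    issue: str


def audit(accounts: Iterable[RemoteAccount]) -> List[Finding]:
    """Flag default credentials, missing MFA, and one vendor password shared across sites."""
    findings: List[Finding] = []
    shared = defaultdict(set)  # (vendor, username, hash) -> set of sites using it
    for acct in accounts:
        if (acct.username, acct.password_hash) in DEFAULT_HASHES:
            findings.append(Finding(acct.site, acct.username, "default credential"))
        if not acct.mfa:
            findings.append(Finding(acct.site, acct.username, "no second factor"))
        shared[(acct.vendor, acct.username, acct.password_hash)].add(acct.site)
    # The 2011 case in the report: one credential, 90+ locations. Any count > 1 is a finding.
    for (vendor, username, _), sites in shared.items():
        if len(sites) > 1:
            findings.append(Finding(vendor, username, f"password shared across {len(sites)} sites"))
    return findings


# Constructed inventory: one default login, one vendor password reused at three sites,
# one account that is clean on every check.
SAMPLE_ACCOUNTS = [
    RemoteAccount("store-017", "AcmePOS", "admin", pw_hash("admin"), False),
    RemoteAccount("store-042", "AcmePOS", "acme_svc", pw_hash("Summer2011!"), False),
    RemoteAccount("store-088", "AcmePOS", "acme_svc", pw_hash("Summer2011!"), False),
    RemoteAccount("hotel-003", "AcmePOS", "acme_svc", pw_hash("Summer2011!"), True),
    RemoteAccount("cafe-009", "BetaIT", "beta_admin", pw_hash("x9!Qv#2pL@r7"), True),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f"{f.scope:<10} {f.username:<12} {f.issue}")
```

Run against the constructed inventory this reports five findings: the default admin:admin login at store-017, three accounts with no second factor, and the AcmePOS service password shared across three sites. The clean account at cafe-009 produces nothing.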

The Trustwave report reveals some shocking statistics. Where it was an outside organization, rather than the business itself, that pushed for a forensics investigation, "analysis found that attackers had an average of 173.5 days within the victim's environment before detection occurred." Businesses that detected the attackers on their own (so-called "self-detection") did better: the hackers spent an average of 43 days inside their networks after the initial compromise.

And in a case from Europe last year, in which a payment service provider was hacked and multiple servers and a wide-area network of more than 1,000 hosts were attacked, Trustwave says it identified the "single point of weakness as a legacy X.25 node."

The X.25 protocol, which was widely used in the 1980s to build wide-area networks, still finds use today with financial institutions for inter-bank data exchange, the report states. The attacker in this case "identified an internal development system and proceeded to re-write a well-known rootkit on the HP-UX operating system. The rootkit was then installed across a number of cardholder data processing servers to mask the presence of other malicious programs introduced by the attacker."

Trustwave says the "malicious scripts harvested cardholder data by terminating the legitimate instances of payment-processing software and then restarting the software with a Trojanized-debugger attached. The debugger captured all inter-process communications including unencrypted payment card data from within the system memory, which was otherwise encrypted when at rest on the disk and in transit on the network."

This attack went on for almost 18 months, and the "attacker was only identified when a subtle flaw within their own customized malware alerted the payment service provider's operational staff to suspicious activity."
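The technique in the European case, restarting the payment software under an attacker-controlled debugger so that every IPC message and decrypted card record can be read out of process memory, leaves a host-visible trace: the payment process is being ptraced, and its parent is the debugger that launched it. The following is an added example of checking for that condition, not code from the report or the provider; it assumes a Linux-style /proc/<pid>/status layout (the report's victim ran HP-UX, where the equivalent data comes from other interfaces), and the process names, PIDs and status text are constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Set


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str
    tracer: int  # TracerPid: pid of the ptrace parent, 0 when not being traced


# Only the fields we need from /proc/<pid>/status.
_FIELD = re.compile(r"^(Name|Pid|PPid|TracerPid):\s*(\S+)", re.M)

# Debuggers and tracers that should never be the parent of a production payment process.
DEBUGGER_NAMES: Set[str] = {"gdb", "lldb", "strace", "ltrace", "adb", "xdb"}


def parse_status(text: str) -> Proc:
    """Parse one /proc/<pid>/status blob into a Proc."""
    fields: Dict[str, str] = dict(_FIELD.findall(text))
    return Proc(int(fields["Pid"]), int(fields["PPid"]), fields["Name"], int(fields["TracerPid"]))


def find_traced(procs: Iterable[Proc], watch: Set[str]) -> List[str]:
    """Report watched processes that are being traced or were spawned by a debugger."""
    by_pid = {p.pid: p for p in procs}
    alerts: List[str] = []
    for p in by_pid.values():
        if p.name not in watch:
            continue
        if p.tracer:
            tracer = by_pid.get(p.tracer)
            alerts.append(f"pid {p.pid} ({p.name}) traced by pid {p.tracer} "
                          f"({tracer.name if tracer else 'unknown'})")
        parent = by_pid.get(p.ppid)
        if parent and parent.name in DEBUGGER_NAMES:
            alerts.append(f"pid {p.pid} ({p.name}) is a child of debugger {parent.name} (pid {parent.pid})")
    return alerts


# Constructed status snapshots. 'payproc' is a hypothetical payment-processing daemon:
# pid 2310 is the legitimate instance; pid 4430 has been restarted under gdb (pid 4421).
SAMPLE_STATUS = [
    "Name:\tinit\nPid:\t1\nPPid:\t0\nTracerPid:\t0\n",
    "Name:\tpayproc\nPid:\t2310\nPPid:\t1\nTracerPid:\t0\n",
    "Name:\tbash\nPid:\t4400\nPPid:\t4100\nTracerPid:\t0\n",
    "Name:\tgdb\nPid:\t4421\nPPid:\t4400\nTracerPid:\t0\n",
    "Name:\tpayproc\nPid:\t4430\nPPid:\t4421\nTracerPid:\t4421\n",
    "Name:\tsshd\nPid:\t4100\nPPid:\t1\nTracerPid:\t0\n",
]


def scan(status_blobs: Iterable[str], watch: Set[str]) -> List[str]:
    return find_traced([parse_status(b) for b in status_blobs], watch)


if __name__ == "__main__":
    for line in scan(SAMPLE_STATUS, {"payproc"}):
        print(line)
```

On the constructed snapshot the legitimate instance (pid 2310) is silent and the restarted one (pid 4430) raises two alerts, one for the active ptrace attachment and one for having gdb as its parent. The restart itself is the other signal worth alerting on: an unexplained exit and relaunch of a payment daemon, visible in process-accounting or service logs, is what precedes the debugger attachment in the case described above.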

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

