A lot of press stories and blogs have been written about the Target breach in the last month, after Brian Krebs broke the story on December 20th. However, very little detail has been released until now about how the attack was conducted, or about actionable intelligence that other potential victims can use to detect signs of similar breaches on their networks.
CrowdStrike has been collecting and analyzing intelligence about this attack for the past month for our customers, and we have decided to make public indicators and signatures that organizations can use to detect these threats. These signatures were designed to detect not just the specific hashes uncovered during the Target investigation, which is not terribly useful since most of the malware samples were repackaged or built custom for that environment, but also more generic variants of the malware that the criminals behind the Target breach may have used in other intrusions over the last few months. I highly recommend checking out two great posts that Brian Krebs published in the last 24 hours on the analysis of the specific malware samples found at Target. The following YARA and Snort rules can be used to detect some known components of the BlackPOS malware used to steal credit card information from Point of Sale (POS) terminals at Target, as well as the exfiltration tools the criminals used to get the stolen data out of the organization.
For more information on this intelligence, contact the CrowdStrike Global Intelligence Team at intelligence@crowdstrike.com. CrowdStrike Services stands ready to assist any potential victim of this criminal activity with forensic investigative resources. Contact the CrowdStrike Services team at services@crowdstrike.com.
YARA Rules
rule CrowdStrike_targetbreach_exfil
{
    meta:
        description = "Tool Responsible for Exfiltration of CC Data."
        last_modified = "2014-01-16"
        version = "1.0"
        in_the_wild = true
        copyright = "CrowdStrike, Inc"
    strings:
        // embedded double quotes and backslashes are escaped per YARA text-string syntax
        $fmt = "data_%d_%d_%d_%d_%d.txt"
        $scramble1 = "\"-BFr423mI_6uaMtg$bxl\\sd1iU/0ok.cpe"
        $scramble2 = "gBb63-t2p_.rkd0uaeU/x1c$s\\o4il"
        $scramble3 = "x\"a-201Mt6b3sI$ /ceBok_i\\m.rdpU4Fulg"
        $scramble4 = "omv3.a 1%tNd\\4ils60n2Te_w"
        $scramble5 = "4mei gd2%rob-"
        $scramble6 = "8pCt1wq_hynlsc0.u9a"
    condition:
        $fmt and 1 of ($scramble*)
}
rule CrowdStrike_blackpos_memscanner
{
    meta:
        description = "Tool Responsible for Scanning Memory For CC Data."
        last_modified = "2014-01-16"
        version = "1.0"
        in_the_wild = true
        copyright = "CrowdStrike, Inc"
    strings:
        $message1 = "S region:"
        $message2 = " found <"
        $message3 = "> bytes of pattern:<"
        $message4 = "CC2 region:"
        $message5 = "CC memregion:"
        $message6 = "KAPTOXA"
        $message7 = "=== pid:"
        $message8 = "scan process with pid for kartoxa and string pattern:"
        $message9 = "scan process with pid for kartoxa:"
        $message11 = "scan all processes for string pattern:"
    condition:
        2 of ($message*)
}
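To make the two rule conditions concrete, here is an added example (not CrowdStrike's code and not a substitute for running the rules in YARA itself) that applies the same string sets and "N of" counting to byte buffers in plain Python. The sample buffers are constructed for the example and contain nothing but the rule strings with padding; the scan_file helper is an assumed convenience for running it over a dumped process image or quarantined binary.

```python
"""Apply the string-match conditions of the two YARA rules above to byte
buffers without the yara library. Added example, not CrowdStrike's code;
the sample buffers are constructed here and carry no real malware."""

# $fmt and $scramble* of CrowdStrike_targetbreach_exfil, with YARA escapes
# resolved to raw bytes (an embedded double quote and literal backslashes)
EXFIL_FMT = b"data_%d_%d_%d_%d_%d.txt"
EXFIL_SCRAMBLE = [
    b'"-BFr423mI_6uaMtg$bxl\\sd1iU/0ok.cpe',
    b"gBb63-t2p_.rkd0uaeU/x1c$s\\o4il",
    b'x"a-201Mt6b3sI$ /ceBok_i\\m.rdpU4Fulg',
    b"omv3.a 1%tNd\\4ils60n2Te_w",
    b"4mei gd2%rob-",
    b"8pCt1wq_hynlsc0.u9a",
]

# $message* of CrowdStrike_blackpos_memscanner
MEMSCANNER_MESSAGES = [
    b"S region:",
    b" found <",
    b"> bytes of pattern:<",
    b"CC2 region:",
    b"CC memregion:",
    b"KAPTOXA",
    b"=== pid:",
    b"scan process with pid for kartoxa and string pattern:",
    b"scan process with pid for kartoxa:",
    b"scan all processes for string pattern:",
]


def count_present(buf, needles):
    """Number of distinct needles found in buf: YARA's 'N of ($x*)' counts
    strings that match at least once, not total occurrences."""
    return sum(1 for needle in needles if needle in buf)


def rule_exfil(buf):
    """condition: $fmt and 1 of ($scramble*)"""
    return EXFIL_FMT in buf and count_present(buf, EXFIL_SCRAMBLE) >= 1


def rule_memscanner(buf):
    """condition: 2 of ($message*)"""
    return count_present(buf, MEMSCANNER_MESSAGES) >= 2


RULES = {
    "CrowdStrike_targetbreach_exfil": rule_exfil,
    "CrowdStrike_blackpos_memscanner": rule_memscanner,
}


def scan_buffer(buf):
    """Return the sorted names of the rules whose condition holds for buf."""
    return sorted(name for name, cond in RULES.items() if cond(buf))


def scan_file(path):
    """Assumed helper: scan a file on disk (a dumped process image, a quarantined binary)."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read())


# Constructed samples: rule strings surrounded by a little padding.
SAMPLE_EXFIL = b"\x00" * 8 + b"data_%d_%d_%d_%d_%d.txt\x00" + b"8pCt1wq_hynlsc0.u9a\x00"
SAMPLE_MEMSCANNER = b"=== pid: 1234\r\nCC memregion: 00400000 found nothing\r\n"
SAMPLE_ONE_MESSAGE = b"log: KAPTOXA seen once"  # 1 of 10, below the threshold of 2
SAMPLE_BENIGN = b"MZ\x90\x00ordinary program text without any rule strings"

if __name__ == "__main__":
    for label, buf in [("exfil", SAMPLE_EXFIL), ("memscanner", SAMPLE_MEMSCANNER),
                       ("one message", SAMPLE_ONE_MESSAGE), ("benign", SAMPLE_BENIGN)]:
        print(label, scan_buffer(buf))
```

The thresholds matter: a buffer that carries only one of the memscanner messages (a log line mentioning KAPTOXA, for instance) does not fire, and a buffer with the scrambled alphabet but no data_%d filename string does not fire either, which is what keeps these rules from matching on stray strings in unrelated files.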
Snort Rules
The following Snort rules can be used to detect potential BlackPOS activity. Each rule matches TCP traffic on port 21 (FTP) to or from one of the listed addresses; the sid values are left as xxx, so assign each rule an unused sid from your local range before loading it.
alert tcp any any <> 199.188.204.182 21 (msg: "TargetBreach Exfil C2"; sid: xxx;)
alert tcp any any <> 50.87.167.144 21 (msg: "TargetBreach Exfil C2"; sid: xxx;)
alert tcp any any <> 63.111.113.99 21 (msg: "TargetBreach Exfil C2"; sid: xxx;)
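For retrospective checks against firewall or NetFlow exports, the same three indicators can be matched offline. The following is an added example, not CrowdStrike's or the Snort project's code: it parses the rule headers above (protocol, endpoints, direction, msg), honours the bidirectional <> operator, and runs them over constructed connection-log lines in an assumed "timestamp proto src:port -> dst:port" format.

```python
"""Match the three Snort rules above against connection-log lines so the
FTP C2 indicators can be checked offline against firewall or NetFlow
exports. Added example, not CrowdStrike's or the Snort project's code;
the log format and the log lines are constructed for the example."""
import re

# The rules as given above; "sid: xxx" is the placeholder from the post.
SNORT_RULES = [
    'alert tcp any any <> 199.188.204.182 21 (msg: "TargetBreach Exfil C2"; sid: xxx;)',
    'alert tcp any any <> 50.87.167.144 21 (msg: "TargetBreach Exfil C2"; sid: xxx;)',
    'alert tcp any any <> 63.111.113.99 21 (msg: "TargetBreach Exfil C2"; sid: xxx;)',
]

# Rule header: action proto src sport direction dst dport (msg:"...";
RULE_RE = re.compile(
    r'^alert\s+(\w+)\s+(\S+)\s+(\S+)\s+(<>|->)\s+(\S+)\s+(\S+)\s+\(msg:\s*"([^"]*)";'
)


def parse_rule(text):
    """Reduce one rule line to the fields the matcher needs."""
    m = RULE_RE.match(text)
    if m is None:
        raise ValueError("unsupported rule syntax: " + text)
    proto, src, sport, direction, dst, dport, msg = m.groups()
    return {"proto": proto.lower(), "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "msg": msg}


def endpoint_ok(ip, port, want_ip, want_port):
    """'any' matches everything; otherwise an exact IP and port comparison."""
    return (want_ip == "any" or ip == want_ip) and (want_port == "any" or port == want_port)


def rule_hits(rule, proto, sip, sport, dip, dport):
    """True if the flow satisfies the rule header in the allowed direction(s)."""
    if rule["proto"] != proto.lower():
        return False
    forward = (endpoint_ok(sip, sport, rule["src"], rule["sport"])
               and endpoint_ok(dip, dport, rule["dst"], rule["dport"]))
    if rule["dir"] == "->":
        return forward
    # '<>' is bidirectional: also test the flow with the endpoints swapped
    reverse = (endpoint_ok(sip, sport, rule["dst"], rule["dport"])
               and endpoint_ok(dip, dport, rule["src"], rule["sport"]))
    return forward or reverse


# Constructed log line shape: "<timestamp> <proto> <src ip>:<port> -> <dst ip>:<port>"
LOG_RE = re.compile(r"^(\S+)\s+(\w+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$")


def match_log(lines, rules):
    """Return (timestamp, src ip, dst ip, msg) for every line that fires a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # skip lines that do not fit the expected format
        ts, proto, sip, sport, dip, dport = m.groups()
        for rule in rules:
            if rule_hits(rule, proto, sip, sport, dip, dport):
                hits.append((ts, sip, dip, rule["msg"]))
    return hits


# Constructed sample log; 10.20.30.40 and 198.51.100.7 are placeholder hosts.
SAMPLE_LOG = [
    "2014-01-16T03:12:00Z TCP 10.20.30.40:51234 -> 199.188.204.182:21",  # outbound FTP to a listed IP
    "2014-01-16T03:12:05Z TCP 199.188.204.182:21 -> 10.20.30.40:51234",  # reply direction, still matched by <>
    "2014-01-16T03:13:00Z TCP 10.20.30.40:51300 -> 63.111.113.99:80",    # listed IP, wrong port
    "2014-01-16T03:14:00Z UDP 10.20.30.40:5353 -> 50.87.167.144:21",     # listed IP, wrong protocol
    "2014-01-16T03:15:00Z TCP 10.20.30.40:51400 -> 198.51.100.7:21",     # FTP to an unlisted host
]

PARSED_RULES = [parse_rule(r) for r in SNORT_RULES]

if __name__ == "__main__":
    for hit in match_log(SAMPLE_LOG, PARSED_RULES):
        print(hit)
```

Only the first two lines fire: the port-80 connection to a listed address and the UDP flow are outside what the rule headers describe, so a matcher that silently ignored protocol or port would over-alert compared with Snort itself.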