The Sally Beauty hack: a cautionary tale we should all learn from

The problem with targeted attacks, of course, is that they are designed to stay hidden, as we learned from a recent hacking case, says Kev Pearce.

Kev Pearce, CTO, Osirium

Many of today's online attackers are as fast, silent and deadly as a ‘cyber-sniper’ – giving their victims little chance of stopping them before disaster strikes. But it can sometimes be hard to convince IT leaders of this emerging trend without real-world examples to point to. The problem with targeted attacks, of course, is that they're designed to stay hidden – so many organisations will at this very moment be under fire without even realising. And those that eventually find out are loath to reveal too many details.

That's why it was fascinating to read a recent Brian Krebs interview with a former IT worker at breached US cosmetics retail chain Sally Beauty. The retailer was hit by PoS malware last year in a breach which may have affected hundreds of thousands of customers at virtually all of its 2,600 stores US-wide.

It should be a cautionary tale to organisations everywhere to improve their log-in security policies and ensure that privileged accounts – a major new attack vector – are a whole lot better managed.

What happened?

The anatomy of the attack as described in the blog provides some illuminating insight into just how carefully planned and managed such campaigns are. The hackers, for example, exfiltrated stolen data from the PoS machines by transmitting it as DNS traffic – which few companies log in any detail, so it could easily fly under the radar of security systems.
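The point about DNS going unlogged is where a defender can act: even a basic query log makes DNS exfiltration visible, because encoded payloads show up as long, random-looking subdomain labels repeated under one parent domain. The following is an added example (not from the article or from the Krebs post) that runs such a check over a constructed DNS query log; the log format, addresses and domains are all assumed.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log (assumed format, not from the Sally Beauty case).
# 10.20.7.42 sends long, high-entropy labels to one parent domain; the rest are benign.
SAMPLE_LOG = """\
2015-03-01T10:00:01 src=10.20.1.15 qname=www.example.com
2015-03-01T10:00:02 src=10.20.1.15 qname=d8f3a1c7e2b94f6a0e5c.static-cdn.example.net
2015-03-01T10:00:03 src=10.20.7.42 qname=kq2v7xm9pz4wn8dt3hj6yb5rf0.exfil.example
2015-03-01T10:00:04 src=10.20.7.42 qname=x3n8wq5zk0pv2dm7tj9yh4rb6f1c.exfil.example
2015-03-01T10:00:05 src=10.20.7.42 qname=m6rz1kp8wv3xq0tn5dj2hy9bf7c4.exfil.example
2015-03-01T10:00:06 src=10.20.1.15 qname=mail.example.com
"""

LINE_RE = re.compile(r"src=(\S+) qname=(\S+)")

def shannon_entropy(s):
    """Bits per character; encoded payload labels score far higher than hostnames."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(qname):
    """Last two labels as the 'registered' domain (assumption; use a public-suffix list in production)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_dns_exfil_suspects(log_text, min_label_len=20, min_entropy=3.0, min_unique=3):
    """Map src -> parent domain for sources that sent at least min_unique distinct
    long, high-entropy leftmost labels under one parent domain.
    Requiring several distinct labels keeps a single CDN hash hostname from alerting."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, qname = m.groups()
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            seen[(src, parent_domain(qname))].add(label)
    return {src: parent for (src, parent), labels in seen.items()
            if len(labels) >= min_unique}

if __name__ == "__main__":
    for src, parent in find_dns_exfil_suspects(SAMPLE_LOG).items():
        print(f"suspect {src}: repeated encoded-looking queries under {parent}")
```

The thresholds are starting points; hex-encoded ASCII text has lower entropy than the random labels above, so tune the entropy cut-off against your own benign query baseline.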

But without analysing the entire post, there are two areas in particular I'd like to highlight.

The first illustrates perfectly the potential dangers of shoulder surfing. According to interviewee Blake Curlovic, the attackers managed to gain a vital first foothold in the Sally Beauty network via a Citrix remote-access portal for remote workers. How did they do this? By compromising the log-in credentials of a district manager who had his username and password “taped to the front” of his laptop.

This isn't to say that if this middle manager had been more careful with his access credentials the hackers wouldn't eventually have gotten in – there are just too many ways for a determined attacker to do so. But it would at least have made matters more difficult, and sometimes making yourself a harder target is enough to put the bad guys off, so they focus on an easier-to-breach organisation.

Secondly, once inside they looked for network manager usernames and passwords in order to take over privileged accounts. Once one had been located, they used it, via a Visual Basic script, to download the malware files onto all of the retail chain's 6,000 nationwide PoS devices.

Privileged accounts like those owned by the IT department are increasingly being targeted by sophisticated attackers because they know that by doing so, they can cut straight to the chase and gain immediate access to the systems they covet. It's a major Achilles heel for organisations, but many still believe that IT admins are smart and savvy enough that they will never let their credentials fall into the wrong hands.

Well, sometimes they do – after all, spear-phishing emails are increasingly well researched and almost impossible to spot. And other times, as in this case, it has nothing to do with IT competence at all, because the hackers were already inside.

Foiling the cyber-sniper

In effect, Sally Beauty allowed the cyber-snipers targeting its PoS systems to take a clear shot, largely because it still relied, like many organisations, on password-based authentication.

As we pointed out in recent research, shoulder-surfing is an ever-present danger to users and IT admins alike, with some cameras today providing a clear line of sight to computer screens even from as far away as another building altogether. But updating password management policies will not solve the fundamental issue. There are at least 60 ways for attackers to access administrator passwords.

Organisations therefore need a new way of doing things: a form of Privileged User Management that automates the generation of strong, random passwords but, crucially, hides that step from users. If they aren't called upon to enter a password in the first place, the credential can't be phished, shoulder-surfed or stolen in some other way by hackers. It also can't be shared, or changed by the user to something easier to remember (and crack).

In short, you've effectively blinded the cyber-sniper.

Contributed by Kev Pearce, CTO and co-founder, Osirium