How This SQL Command Blew Up a Billion Dollar Company
Kevin Fang

 Published On Mar 13, 2023

A story of the Heartland Payment Systems breach from 2007-2009, the world's largest at the time. The specific details of how everything went down are unknown, so this is built on top of the USSS/FBI advisory and various articles. The FBI advisory (see the third source) covered dozens of breaches that occurred in the late 2000s, all of which had the same attack pattern (Windows, SQL Server, xp_cmdshell, etc.). But it's theoretically possible that Heartland was the odd one out, and that everything in this video is wrong ☺️

SQL injection simulator: https://www.hacksplaining.com/exercis...

Sources:
https://www.bankinfosecurity.com/hear...
https://blog.comodo.com/e-commerce/th...
https://www.researchgate.net/publicat... (***Link to FBI advisory is reference [7]***)
https://community.fico.com/s/blog-pos...
https://www.wired.com/images_blogs/th...
https://www.darkreading.com/attacks-b...
https://www.forbes.com/sites/davelewi...
https://www.justice.gov/opa/pr/two-ru...
https://www.cutimes.com/2015/06/05/he...
https://kwcsec.gitbook.io/the-red-tea...
https://www.hypr.com/security-encyclo...
https://blog.quest.com/ntlm-authentic...
https://www.crowdstrike.com/cybersecu...

Assumptions:
- In the hackers' conversation at 1:05, I arbitrarily chose Gonzalez as the "boss" since he's the only one with a Wikipedia page and I suppose has the longest resume.
- For 1:38, Amazon does not use a relational database for its product listings, and therefore no SQL queries are used in reality. But this is a relatable and simple example.
- At 2:38, whether or not Heartland used the 2000 version of SQL Server is a guess. The above Research Gate paper "Heartland Data Breach Analysis" says 2000 is likely as the website was developed 8 years prior. I believe xp_cmdshell was also first introduced in SQL Server 2000, so it could not have been a version prior to that one.
- Whether or not the web portal was connected to SQL Server with sysadmin credentials is also a guess (5:03). It is possible that the role was not sysadmin, but was granted permission to execute xp_cmdshell for unknown reasons (sysadmin can grant other roles permission to use xp_cmdshell).
- Heartland's use of NTLM (7:07) is also a guess. Many companies would not have switched over at the time, and the FBI advisory points out the use of fgdump, which is specifically used for NTLM.
- It is alluded to at 9:02 and onward, but credentials and privilege escalation could have also been obtained through other means.
- The whole "privilege escalation + hop through various hosts" illustration at 9:18 could be completely wrong, and is the biggest gap in the story. This is just the simplest way the payment network could have theoretically been reached. For all we know the hackers actually did exploit Microsoft Office to hack into the mainframe.
- Heartland never specifically said what the packets contained (9:34), but they mentioned everything that wasn't leaked, like SSNs, so the assumption here is that packets contained everything that they didn't say wasn't leaked.
- There's an HSM (hardware security module) section in the FBI advisory as well, but I figured that wasn't too important as the primary issue mentioned throughout every article is the unencrypted in-flight data.
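
Added example (not from the video, its sources, or Heartland's real portal code): the mechanics behind the 1:34 and 2:37 chapters, i.e. why string-built SQL lets an attacker reshape the query and where an xp_cmdshell call would land in it, next to the parameterized form that neutralizes the same input. The users table, the account name, the password and the "whoami" command are all constructed for the demo; the stacked-query shape is the generic SQL Server pattern the advisory describes, not a reconstruction of the attackers' actual payload. SQLite stands in for SQL Server here, so the batch is shown rather than executed.

```python
import sqlite3

# Constructed demo schema for this example only: not Heartland's schema, not
# the portal's code, not the real attackers' payload.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def build_query_unsafe(username, password):
    # Vulnerable pattern: user input is spliced into the SQL text, so quotes,
    # semicolons and comment markers in the input become part of the grammar.
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_unsafe(conn, username, password):
    """Returns the usernames the concatenated query matches."""
    return [row[0] for row in conn.execute(build_query_unsafe(username, password))]


def login_safe(conn, username, password):
    """Parameterized form: SQL text is fixed, values travel separately and are
    only ever compared as data, so the same payloads match nothing."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Classic auth-bypass input: closes the string literal and adds a tautology.
AUTH_BYPASS = "' OR '1'='1"


def xp_cmdshell_payload(command):
    """Shape of a stacked-query payload against SQL Server: close the literal,
    end the statement, run an OS command through xp_cmdshell, comment out the
    rest of the original query. SQL Server executes such a batch when the
    connecting login may run xp_cmdshell (sysadmin, or explicitly granted).
    The command is illustrative only."""
    return "x'; EXEC master..xp_cmdshell '%s'; --" % command


def unsafe_query_becomes_batch(conn, username, password):
    """True when the concatenated query no longer parses as a single statement,
    i.e. the input has injected a second statement. sqlite3 refuses to execute
    multi-statement strings (as a Warning on older Pythons, an Error on newer),
    which is exactly the boundary a stacked-query payload crosses."""
    try:
        conn.execute(build_query_unsafe(username, password))
        return False
    except (sqlite3.Warning, sqlite3.Error):
        return True


if __name__ == "__main__":
    db = make_demo_db()
    print("unsafe bypass:", login_unsafe(db, AUTH_BYPASS, AUTH_BYPASS))
    print("safe bypass:  ", login_safe(db, AUTH_BYPASS, AUTH_BYPASS))
    print(build_query_unsafe(xp_cmdshell_payload("whoami"), ""))
    print("batch:", unsafe_query_becomes_batch(db, xp_cmdshell_payload("whoami"), ""))
```

Two defensive checks follow from the demo. First, the portal's login should never have been able to reach xp_cmdshell at all: the application account needs a minimal database role, not sysadmin, and on SQL Server 2005 and later xp_cmdshell is disabled by default and is toggled through sp_configure, so an enabled xp_cmdshell on a web-facing instance is itself a finding. Second, parameterization (the ? placeholders above, or the equivalent in any driver) removes the query-reshaping bug outright; escaping or filtering quotes only narrows it.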

Error corrections:
- 3:17 DLL files literally contain machine code, usually compiled from C or C++

Chapters:
0:00 Brief introduction of Heartland
0:44 The Beginning
1:34 SQL and SQL injection
2:37 Heartland's use of SQL Server
5:41 Almost Caught?
6:13 Jump to the payment network
9:57 Attack shut down, public disclosure
10:48 The Perpetrators
11:24 Preventive measures
12:54 Conclusion

Music:
Aloft (by LEMMiNO) - LEMMiNO - Aloft (BGM)
"Film Noir Background Music for Videos I Noir Jazz Playlist I No Copyright Music" - Film Noir Background Music for Videos...
