*** Joint USSS/FBI Advisory ***

PREVENTIVE MEASURES

Over the past year, there has been a considerable spike in cyber attacks against the financial services and the online retail industry. There are a number of actions a firm can take in order to prevent or thwart the specific attacks and techniques used by these intruders. The following steps can be taken to reduce the likelihood of a similar compromise while improving an organization's ability to detect and respond to similar incidents quickly and thoroughly.
Attacker Methodology:
In general, the attackers perform the following activities on the networks they compromise:

1.They identify Web sites that are vulnerable to SQL injection. They appear to target MSSQL only.
2.They use "xp_cmdshell", an extended procedure installed by default on MSSQL, to download their hacker tools to the compromised MSSQL server.
3.They obtain valid Windows credentials by using fgdump or a similar tool.
4.They install network "sniffers" to identify card data and systems involved in processing credit card transactions.
5.They install backdoors that "beacon" periodically to their command and control servers, allowing surreptitious access to the compromised networks.
6.They target databases, Hardware Security Modules (HSMs), and processing applications in an effort to obtain credit card data or brute-force ATM PINs.
7.They use WinRAR to compress the information they pilfer from the compromised networks.

We are providing the following preventive measures. Performing these steps may not prevent the intruders from gaining access, but they will severely impact their effectiveness based on current attack methods.

Recommendation 1: Disable potentially harmful SQL stored procedure calls.

Continue Reading this USSS/FBI Advisory at Visa (PDF)