Avatar

This blog post was authored by Martin Lee and Jaeson Schultz.

With the announcement that yet another major retailer has allegedly been breached, it is important to review how attackers compromise retail systems and how such intrusions can be prevented. In this latest case, retailers are working to determine if a large cache of credit card information offered for sale on an underground trading forum originated as a result of a systems breach.

The presence of large amounts of financial and personal information within retail systems means that these companies are likely to remain attractive targets to attackers. Illicit markets exist for such information so that attackers are able to easily monetize stolen data. Although we don’t know the details of this specific attack, it may follow the same pattern as other major breaches in the retail sector. Incidents involving Point of Sale (POS) malware have been on the rise, affecting many large organizations.

In addition to the risk of fraud to the individuals affected, the consequences for the breached organizations are severe. News of customer data theft not only damages the brand, but recovering from the breach can also cost into the millions of dollars as systems are investigated, cleaned, repaired, and new processes are implemented to prevent future similar attacks.


POS Attack

A typical POS attack unfolds in the following manner:

  1. Attackers first gain a foothold on a system. This may be by exploiting a vulnerability on a system, or by spear phishing.
  2. Once having gained access to a system, attackers exploit vulnerabilities and weaknesses to gain full control over the system.
  3. The attackers then reconnoitre the internal network and expand the breach to take control of further systems.
  4. Attackers compromise key systems that allow the attack to spread to point of sale systems.
  5. Attackers install malware on point of sale systems by exploiting a vulnerability on the POS system, or potentially by installing the malware via compromising system update functionality.
  6. Once installed on the POS systems, the malware collects financial and personal information.
  7. Stolen data is transferred to a system with Internet access.
  8. Stolen data is exfiltrated outside of the organization to the attacker.

If you can disrupt any of these steps, you can stop an attack in progress. Often, indicators of the attack can be found in system and network logs. Identifying indicators of a compromise while an attack is ongoing allows security teams to take action to remediate the attack before data is stolen by the attacker. Maintaining externally facing systems to be fully patched, protected by a firewall, and conducting regular penetration tests to identify potential vulnerabilities helps to minimize the chances an attack will succeed. While it may not be possible to ensure that systems are entirely resistant to initial attacks, by frustrating and slowing the attackers we increase the chances that the attack will be detected. When coming face-to-face with a layered, vigilant defense, some attackers may simply give up and try to compromise an easier target.

Nevertheless, motivated attackers still expend large amounts of time searching for means of ingress, or perfecting the use of social engineering techniques to trick users into gaining access to systems. Attackers may also attempt to gain physical access to a retail network environment, or perhaps compromise local wireless networks in order to establish a foothold.

The presence of an attacker may be able to be ascertained by watching for anomalous network activity. Desktop anti-virus software can detect many of the tools used to escalate privileges on the initially compromised systems. Again, keeping systems fully patched can slow down attacks at this stage. Network reconnaissance and attempts at launching attacks on internal networks are detected and blocked by Intrusion Protection Systems (IPS). Segmenting networks to separate different networks with firewalls, and scanning for malware on the network using the advanced malware detection capabilities of FireAMP can stop an attack at this stage.

No matter what, security teams must remain vigilant for such activity, yet be able to distinguish false positive results from usual network traffic, and react appropriately and swiftly once an attack is identified. Ideally, key systems that allow access to sensitive POS systems should be monitored to ensure that any attempt at unauthorized access is investigated. Security teams should be aware that attackers may be using stolen, but perfectly legitimate user credentials. Attackers may seek to disguise their malware as legitimate system updates.

The Backoff malware and its variants are good examples of malicious programs designed explicitly to steal financial information from POS systems. Ideally POS systems should be restricted so that only authorized software is able to execute, and networks should also be tightly restricted so that only expected traffic is permitted. IPS devices and FireAMP can alert security teams to the presence of anomalous traffic in such environments.

Attackers may seek to disguise the transfer of exfiltrated data as legitimate network traffic; nevertheless, any unexpected activity within POS networks should be investigated post haste by security teams. Once stolen, data can be moved to an externally facing system, but it is often difficult to distinguish exfiltration from legitimate activity, except as part of a forensic investigation, in which case it’s already too late.

To protect against becoming the next organization to hit the headlines due to a high profile retail data theft, companies must have in place suitable security long before such an attack hits their network and have already planned how they will detect and respond to suspicious activity on their systems.

Organizations should:

  • Secure and separate externally facing systems.
  • Monitor internal network traffic for malicious reconnaissance activity.
  • Detect and block malicious traffic on internal networks.
  • Separate networks containing point of sale systems.
  • Closely monitor point of sale networks for evidence of unauthorized activity.
  • Block all but expected and permitted activity on point of sale networks.
  • Have a prepared team with an established plan ready to respond to attacks.
  • Determine what activity will lead to activation of the response plan.

 

Protecting Users Against These Threats

coveragetable

Multiple types of protection are necessary to protect against these threats. The Network Security protection of IPS and NGFW is necessary to counteract many phases of the attack. Advanced Malware Protection (AMP) is well suited to detect and block the malware used in these attacks. CWS or WSA are helpful in preventing malware being downloaded. ESA provides protection against malicious email messages.

 

Backoff Malware Detection

Further information on the Backoff malware is available from the Homeland Security, US Secret Service advisory:
https://www.us-cert.gov/sites/default/files/publications/BackoffPointOfSaleMalware_1.pdf

We have previously written about detecting payment card breaches and POS malware in our blog here:
http://blogs.cisco.com/security/detecting-payment-card-data-breaches-today-to-avoid-becoming-tomorrows-headline/

Backoff point of sale malware can be detected by various different solutions. Deploying multiple means of detection increases the probability of detecting the presence of new malware variants.

Snort Signatures:
Signature ID: 31586

Cisco IPS Signatures:
Signature ID: 4555-0, 4555-1, 4555-2

ClamAV Signatures:
Win.Trojan.Backoff-2
Win.Trojan.Backoff-3
Win.Trojan.Backoff-4
Win.Trojan.Backoff- … etc.

FireAMP Signatures:
See this List of SHA256 Hashes and Detection Names



Authors

Jaeson Schultz

Technical Leader

Cisco Talos Security Intelligence & Research