Thanks for choosing Orange County Computer, Inc.

Sales: (949) 699-6619 | Support: (949) 699-6619 | 8am – 5pm Monday – Friday : Saturday by Appointment

Orange County Computer INC.
  • See Service Pricing
  • OCC Home
  • About Us
    • Blogs
    • Location Tech Repair Center
    • Orange County IT Company
    • Testimonials
    • Partners
    • Computer Repair Warranty
  • Contact Us
    • Customer Referral Program
  • Tech Center Services
    • Desktop Repair
    • Laptop Repair
    • Virus Removal
    • Tech Support Services
    • Data Recovery
    • E-Waste Recycling
    • Disaster Recovery
  • Business IT Services
    • Orange County Network Support Services
    • Orange County Cyber Security Company
    • Orange County IT Support Services
    • Enterprise Wifi Solutions
    • Orange County Managed IT Services
    • Managed Services
    • Software Licensing
    • Why Choose a Microsoft Partner
    • Software Application Development
  • Technologies
    • Disaster Recovery Solutions
    • Data Backup and Storage Solutions
    • Offsite Backup
    • Software Support
    • Virtualization
    • Firewall & Security
    • Servers
  • Web Services
    • Domain Registrar
    • Hosting Services
    • Web Design
  • See Service Pricing
  • OCC Home
  • About Us
    • Blogs
    • Location Tech Repair Center
    • Orange County IT Company
    • Testimonials
    • Partners
    • Computer Repair Warranty
  • Contact Us
    • Customer Referral Program
  • Tech Center Services
    • Desktop Repair
    • Laptop Repair
    • Virus Removal
    • Tech Support Services
    • Data Recovery
    • E-Waste Recycling
    • Disaster Recovery
  • Business IT Services
    • Orange County Network Support Services
    • Orange County Cyber Security Company
    • Orange County IT Support Services
    • Enterprise Wifi Solutions
    • Orange County Managed IT Services
    • Managed Services
    • Software Licensing
    • Why Choose a Microsoft Partner
    • Software Application Development
  • Technologies
    • Disaster Recovery Solutions
    • Data Backup and Storage Solutions
    • Offsite Backup
    • Software Support
    • Virtualization
    • Firewall & Security
    • Servers
  • Web Services
    • Domain Registrar
    • Hosting Services
    • Web Design

Warning: New Point of Sale Malware Attack

Orange County Computer INC. > OCC News > Warning: New Point of Sale Malware Attack

Warning: New Point of Sale Malware Attack

On August 18, 2014  the National Cybersecurity and Communications Integration Center, NCCIC, and United States Computer Emergency Readiness Team, US-CERT, issued an alert that there is a new POS, Point of Sale Malware Attack.

US-Cert Point Of Sale Malware

This advisory was prepared in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave Spiderlabs, a trusted partner under contract with the USSS. The purpose of this release is to provide relevant and actionable technical indicators for network defense.
Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft’s Remote Desktop [1] Apple Remote Desktop,[2] Chrome Remote Desktop,[3] Splashtop 2,[4] Pulseway[5], and LogMeIn[6] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point of sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.
USSS, NCCIC/US-CERT and Trustwave Spiderlabs have been working together to characterize newly identified point of sale malware dubbed “Backoff”, associated with several PoS data breach investigations. At the time of discovery and analysis, the malware variants had low to zero percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious.
Similar attacks have been noted in previous PoS malware campaigns [7] and some studies state that targeting the Remote Desktop Protocol with brute force attacks is on the rise.[8] A Mitigation and Prevention Strategies section is included to offer options for network defenders to consider.

Description

“Backoff” is a family of point of sale malware and has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary variants to the “Backoff” malware including 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”), and 1.56 (“LAST”).
These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4) which does not include keylogging functionality.

Additionally, 1.55 ‘net’ removed the explorer.exe injection component:
• Scraping memory for track data
• Logging keystrokes
• Command & control (C2) communication
• Injecting malicious stub into explorer.exe
The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of “Backoff”. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.

Solution

At the time this advisory is released, the variants of the “Backoff’ point of sale malware family are largely undetected by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It’s important to maintain up‐to‐date AV signatures and engines as new threats such as this are continually being added to your AV solution. Pending AV detection of the malware variants, network defenders can apply indicators of compromise (IOC) to a variety of prevention and detection strategies.[9],[10],[11] IOCs can be found above.
The forensic investigations of compromises of retail IT/payment networks indicate that the network compromises allowed the introduction of memory scraping malware to the payment terminals. Information security professionals recommend a defense in depth approach to mitigating risk to retail payment systems. While some of the risk mitigation recommendations are general in nature, the following strategies provide an approach to minimize the possibility of an attack and mitigate the risk of data compromise:
Remote Desktop Access
• Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to login whether from an unauthorized user or via automated attack types like brute force.[12]
• Limit the number of users and workstation who can log in using Remote Desktop.
• Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).[13]
• Change the default Remote Desktop listening port.
• Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.[14]
• Require two-factor authentication (2FA) for remote desktop access.[15 ]
• Install a Remote Desktop Gateway to restrict access.[16 ]
• Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL.[17],[18]
• Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
• Limit administrative privileges for users and applications.
• Periodically review systems (local and domain controllers) for unknown and dormant users.
Network Security
• Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical for outbound (e.g., egress) firewall rules in which compromised entities allow ports to communicate to any IP address on the Internet. Hackers leverage this configuration to exfiltrate data to their IP addresses.
• Segregate payment processing networks from other networks.
• Apply access control lists (ACLs) on the router configuration to limit unauthorized traffic to payment processing networks.
• Create strict ACLs segmenting public-facing systems and back-end database systems that house payment card data.
• Implement data leakage prevention/detection tools to detect and help prevent data exfiltration.
• Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials).
Cash Register and PoS Security
• Implement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website.
• Install Payment Application Data Security Standard-compliant payment applications.
• Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system.
• Assign a strong password to security solutions to prevent application modification. Use two-factor authentication (2FA) where feasible.
• Perform a binary or checksum comparison to ensure unauthorized files are not installed.
• Ensure any automatic updates from third parties are validated. This means performing a checksum comparison on the updates prior to deploying them on PoS systems. It is recommended that merchants work with their PoS vendors to obtain signatures and hash values to perform this checksum validation.
• Disable unnecessary ports and services, null sessions, default users and guests.
• Enable logging of events and make sure there is a process to monitor logs on a daily basis.
• Implement least privileges and ACLs on users and applications on the system.

If you feel that your system or network may be under attack or at risk of attack contact the Cyber Security Experts at Orange County Computer® so we can minimize the damage. Call our Tech Center at (949) 699-6619 or visit us online at  OrangeCountyComputer.com. We are happy to help.

15-Year-Seal_Silver

See by the full US-CERT alert here.

You might also like

  • The Power of DNS Filtering
  • Cybersecurity Awareness Month: Social Engineering
  • Cybersecurity Awareness Month
  • Farewell to QuickBooks Desktop Professional 2021: Navigating the Transition
  • PII Compliance – Protecting Your Business from Costly Data Breaches: The Importance of Managed Services
  • CISA Updates #StopRansomware Guide
  • The Safeguards Rule: Financial Institutions Must Protect Client Data!
  • AdSense Fraud Campaign: Is your site infected?
  • Celebrating 25 Years as a Technology Solutions Provider!
  • The Southwest Airlines IT Meltdown
  • ‘Tis the season… to avoid holiday scams!
  • Google Chrome Users, it’s Time to Say Goodbye to Windows 7
← Researchers create unlock key to reverse CryptoLocker Virus
Warning: Breach of Patient Identification Information →

Recent News

  • The Power of DNS Filtering
  • Cybersecurity Awareness Month: Social Engineering
  • Cybersecurity Awareness Month
  • Farewell to QuickBooks Desktop Professional 2021: Navigating the Transition
  • PII Compliance – Protecting Your Business from Costly Data Breaches: The Importance of Managed Services

Contact Us

Orange County Computer, Inc.

26150 Enterprise Way, Suite 400
Lake Forest, CA 92630

Sales: (949) 699-6619

Support: (949) 699-6619

Recent Posts

  • The Power of DNS Filtering

    Safeguarding Your Network with Managed Services In today’s ever-evolving cyberse

  • Cybersecurity Awareness Month: Social Engineering

    Cybersecurity and Social Engineering: Don’t Let Hackers Trick-or-Treat at Your B

Search

    • Home
    • Site Map
    • Remote Support