US-CERT is warning of a fresh malware dubbed Backoff, associated with several point of sale (PoS) data breach investigations. It’s a concerning bug in the sense that the malware variant has so far had low to zero anti-virus detection rates, which means that even fully updated anti-virus engines on fully patched computers could not identify the malware as malicious.
Backoff is responsible for scraping memory from running processes on the victim machine and searching for credit card track data, which can be used to make counterfeit cards or give fraudsters what they need to use card data online. It has been witnessed on at least three separate forensic investigations and it’s evolving quickly; researchers have identified three primary variants already. These variations have been seen as far back as October 2013 and have continued to operate as of July 2014.
“The impact of a compromised PoS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers and email addresses to criminal elements,” US-CERT warned in the advisory. “These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.”
US-CERT found that Backoff in general has four capabilities: Scraping memory for track data; logging keystrokes; command & control (C2) communication; and injecting malicious stub into explorer.exe, which is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the bug.
The security body noted that aid escalating data breaches at high-profile targets, recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications.
“Remote desktop solutions like Microsoft's Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMEIn Join.Me offer the convenience and efficiency of connecting to a computer from a remote location,” it noted. “Once these applications are located, the suspects attempted to brute-force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale malware and subsequently exfiltrate consumer payment data via an encrypted POST request.”
"We have been seeing attacks like this one on PoS systems over the past few years,” said Jaime Blasco, labs director of security startup AlienVault, in a comment to Infosecurity. “Again in this case, the attackers brute-forced remote access tools, including Remote Desktop and LogMeIn, and when they gained access, they deployed the malware. Like others, Backoff scraps the memory to extract track data (i.e. credit card information). Once hackers obtain that data, they filter that information to a remote server where they can then sell it on the black market.”
A few months ago, AlienVault alerted the industry of a botnet that was looking for PoS systems connected to the Internet and was bruteforcing Remote Desktop using common usernames for PoS devices and vendors — because, by default, most PoS systems have common usernames and passwords.
“Backoff shows that businesses haven’t learned the lesson yet,” Blasco said. “The lessons to learn from the latest retailer breaches are: don’t expose critical systems such as PoS devices to the Internet, especially if you are running Remote Desktop or similar. If for some reason you have to do it, try to create access lists so that only certain IP addresses can access those devices and use strong passwords or even two-factor authentication. Lock all the data and monitor all of your network traffic. Deploy detection technology to be able to look for suspicious traffic."
US-CERT added that a “defense in depth” approach to mitigating risk to retail payment systems should be the norm until AV signatures catch up with the malware—a concept echoed by security experts.
“Breaches are happening more often, and from the inside,” said Eric Chiu, president and co-founder of HyTrust, in an email. “The reason for this is that attackers look just like any other employee once the person is on the network, giving them the ability to siphon off sensitive or confidential data without being detected.”
He added that to achieve this goal, attackers are posing as employees and IT administrators by stealing credentials or looking for other ways in, such as the aforementioned remote access systems.
“Companies need to shift their approach to security from an 'outside-in' mentality of perimeter-based security to an 'inside-out' model where they assume the bad guy is already on the network,” said Chiu. “Access controls, role-based monitoring and data encryption are critical requirements to protect critical systems from insider threats, which can be especially damaging in concentrated environments like cloud infrastructure.”