
One of the earliest and most persistent forms of cybercrime today is the highly successful Point-of-Sale (POS) hack, prevalent in many variations. Organized gangs, some led by notable individuals such as Albert Gonzalez (who was convicted in 2010 and is serving a 20-year sentence), have used sophisticated orchestrations of small changes and detectable breach activity to steal vast amounts of credit card and personal data over long periods of time.

“Backoff” Point-of-Sale (POS) malware techniques have been found across a number of recent investigations, and on Friday, August 22, 2014, US-CERT issued an updated Alert TA14-212A with the stated purpose “…to provide relevant and actionable technical indicators for network defense against the POS malware dubbed ‘Backoff,’ which has been discovered exploiting businesses’ administrator accounts remotely and exfiltrating consumer payment data.”

Backoff Impact

According to the Secret Service, Backoff malware has affected an additional 1,000 businesses, hit by the same type of cyberattack that stole the personal information of millions of Target customers last year. “There are a lot of retailers out there that have been compromised by this and they simply don’t know it yet,” said Tripwire security researcher Ken Westin.

Westin added that many businesses simply don’t have the tools in place to monitor for these types of attacks. Furthermore, it’s clear that nearly any retailer conducting business with credit card transactions could be a target for Backoff malware, including hospitals, universities, hotels, restaurants, government organizations, etc.

What Is It?

Backoff is a recent discovery, but forensic investigation shows it was in use as early as October 2013. It’s a family of malware that scrapes the memory of POS devices and has been seen across three separate forensic investigations. It continues to be seen in operation and in various versions.

Researchers have identified three specific variants of Backoff: v1.4, 1.55 (multiple flavors of this one), and 1.56. Across all the variants, it has been seen to have the capacity to install itself, get its own software updates, inject malicious code into the explorer.exe process (thereby making it persistent and able to access other processes), exfiltrate data and delete itself.

Step 1 – Infiltration

[Image; source: 2014 Verizon Data Breach Investigations Report]

First of all, and especially important, cybercriminals frequently do not have access to the POS device directly in their initial infiltration activity. This is typical of so many attacks on critical assets – they infiltrate often through phishing emails with a malware payload and then make their way to the customer data environment (CDE).

In the case of Backoff, recent investigations showed that the primary attack vector was brute forcing the login feature of a variety of remote desktop applications. Applications included Microsoft Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway and LogMeIn Join.Me. Once a valid set of credentials is in hand, the attacker just looks like an insider.

These factors make a case for installing an agent and monitoring all systems, including desktops, not just critical assets. Further, Westin advises segmenting POS systems away from more sensitive portions of their infrastructure and installing monitoring software that can detect and notify them of any changes made to their systems. He adds that organizations must make sure customer credit card information is always encrypted.

Step 2 – Traversing the Infrastructure

Following a successful payload, there are indicators to look for all along the path as the Backoff malware executes and the attacker makes their way toward the goal: the POS systems. What they’re searching for is the customer data environment (CDE) – any people, processes and/or technology that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD). Once inside the CDE, malware can be executed to steal card data from the POS systems.

“Weak, Stolen, or Misused Credentials – The attacker’s choice nearly 80% of the time.”
– 2013 Verizon DBIR

The most effective and least sophisticated method of traversing the network is through valid user credentials – essentially becoming an “insider threat.” Keylogging, password hash extraction, cracking, replaying login sequences, or even brute force can ultimately help an attacker reach administrative-level credentials and domain controllers, which would give them powerful access to all the computers in the network.

What To Search For

Seeking out any desktop or other system using one of the remote desktop login applications would be a smart start, since that’s the prime attack vector for Backoff. Ensure that password hygiene in your organization is hardened, making credentials more difficult to compromise. Setting monitoring software to look for specifics typical of Backoff malware is also a good idea, both for the initial investigation and for possible future attacks.

Here’s a list of specific files and system changes that can be indicators of compromise (IOCs) when attackers are using Backoff malware. Checks for these can be added to network security systems like Tripwire Enterprise to determine whether they are already present.

Even if these IOCs are not found on initial investigation, it would be prudent to have continuous monitoring with real-time alerting on these changes if credit card information is being processed. These and other IOCs are available directly from the US-CERT Alert TA14-212A:

Backoff v1.4

Packed MD5: 927AE15DBF549BD60EDCDEAFB49B829E
Unpacked MD5: 6A0E49C5E332DF3AF78823CA4A655AE8
Install Path: %APPDATA%\AdobeFlashPlayer\mswinsvc.exe
Mutexes:
uhYtntr56uisGst
uyhnJmkuTgD
Files Written:
%APPDATA%\mskrnl
%APPDATA%\winserv.exe
%APPDATA%\AdobeFlashPlayer\mswinsvc.exe
Static String (POST Request): zXqW9JdWLM4urgjRkX
Registry Keys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent: Mozilla/4.0
URI(s): /aircanada/dark.php
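
The v1.4 indicators above can be matched against collected host and proxy data. The sketch below is an added example, not part of the US-CERT alert or any Tripwire product: the snapshot layout, the sample host and requests, and the assumption that the static string appears in the POST body are all constructed for illustration. It folds case for paths and registry keys, compares mutex names exactly, and counts the generic User-Agent only alongside another network hit.

```python
import ntpath
# Backoff v1.4 indicators exactly as listed on this page (US-CERT TA14-212A).
MD5S = {"927AE15DBF549BD60EDCDEAFB49B829E", "6A0E49C5E332DF3AF78823CA4A655AE8"}
FILES = [r"%APPDATA%\mskrnl", r"%APPDATA%\winserv.exe",
         r"%APPDATA%\AdobeFlashPlayer\mswinsvc.exe"]
MUTEXES = {"uhYtntr56uisGst", "uyhnJmkuTgD"}
REGKEYS = [r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier",
           r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service"]
URI, POST_STRING, USER_AGENT = "/aircanada/dark.php", "zXqW9JdWLM4urgjRkX", "Mozilla/4.0"

def norm_path(path, appdata):
    """Expand %APPDATA% and fold case; Windows paths compare case-insensitively."""
    return ntpath.normcase(ntpath.normpath(path.replace("%APPDATA%", appdata)))

def norm_key(key):
    """Fold case and the long hive name so both spellings of HKCU match."""
    return key.upper().replace("HKEY_CURRENT_USER\\", "HKCU\\", 1)

def match_host(snap):
    """Return sorted (indicator_type, observed_value) hits for one host snapshot."""
    files = {norm_path(p, snap["appdata"]) for p in FILES}
    keys = {norm_key(k) for k in REGKEYS}
    hits = set()
    for path, md5 in snap["files"].items():
        if md5.upper() in MD5S:
            hits.add(("md5", path))
        if norm_path(path, snap["appdata"]) in files:
            hits.add(("file", path))
    hits |= {("mutex", m) for m in snap["mutexes"] if m in MUTEXES}  # exact case
    hits |= {("regkey", k) for k in snap["regkeys"] if norm_key(k) in keys}
    return sorted(hits)

def match_request(req):
    """Return match reasons for one HTTP request; the User-Agent never fires alone."""
    reasons = [name for name, hit in (
        ("uri", req["uri"].lower().startswith(URI)),
        ("post_string", POST_STRING in req.get("body", ""))) if hit]
    if reasons and req.get("user_agent") == USER_AGENT:
        reasons.append("user_agent")
    return reasons

# Constructed sample data (hypothetical host and user names), not real telemetry.
SAMPLE_HOST = {"appdata": r"C:\Users\pos01\AppData\Roaming",
    "files": {r"c:\users\pos01\appdata\roaming\ADOBEFLASHPLAYER\mswinsvc.exe":
                  "927ae15dbf549bd60edcdeafb49b829e",
              r"C:\Program Files\POSApp\pos.exe": "0" * 32},
    "mutexes": ["uyhnJmkuTgD", "UHYTNTR56UISGST"],
    "regkeys": [r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows NT Service"]}
SAMPLE_REQUESTS = [
    {"uri": "/aircanada/dark.php", "user_agent": "Mozilla/4.0", "body": "op=1&id=zXqW9JdWLM4urgjRkX"},
    {"uri": "/index.html", "user_agent": "Mozilla/4.0", "body": ""}]
```

Calling match_host(SAMPLE_HOST) reports the dropped file by both path and hash, one mutex, and the Run entry; the second sample request produces no match because only its User-Agent lines up.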

Summary

Improvements in credit card security technologies and infrastructure (EMV chips or Point-to-Point encryption); the continuous security configuration monitoring required of the current Payment Card Industry Data Security Standard (PCI DSS) version 3.0; and stronger corporate internal security, infrastructure and maintenance are all needed to combat this cyber threat and others like it.

Payment systems expert Slava Gomzin discusses different components of payment systems, terms and protocols in his new book, “Hacking Point of Sale: Payment Application Secrets, Threats & Solutions,” in a way that is easily understandable by business leaders and technical audiences alike. A free chapter is available here, covering overall payment system architecture, vulnerabilities and threats in retail payment systems.