The U.S. Department of Homeland Security has issued a report linking a newly uncovered point-of-sale malware campaign to several recent data breach investigations, though the government agency has not clarified whether known breach victims like Target and Neiman Marcus were among those impacted.
The report, issued in conjunction with the U.S. Secret Service, the Financial Sector Information Sharing and Analysis Center (FS-ISAC) and other organizations, said that variants of the newly uncovered "Backoff" point-of-sale malware had been discovered as part of at least three separate investigations dating back to October 2013, approximately a month before Target was struck by one of the largest data breaches in retail history. The malware family was still active as of July 2014.
The Backoff malware is initially installed on PoS devices through the remote desktop applications used by employees of the targeted organizations. Attackers brute-force the login credentials for applications such as Microsoft's Remote Desktop and Splashtop, which the report noted were often used by employees with administrator or other privileged accounts, and then use that access to deploy the malware.
Once Backoff is installed, the attackers also inject malicious code into the explorer.exe process so that the malware keeps functioning even if its own executable is stopped.
As for the functionality included in Backoff, Jerome Segura, senior security researcher at Malwarebytes Labs, said that the malware's components aren't "overly sophisticated." Indeed, most Backoff variants feature typical keylogging functionality, according to the report, as well as a command-and-control infrastructure that exfiltrates stolen data and delivers updates to the malware on infected devices. HTTP POST requests are used exclusively for the C&C communications, and exfiltrated data is encrypted with the RC4 algorithm.
The report also noted that the Backoff malware family is capable of "scraping memory from running processes on the victim machine and searching for track data," also known as RAM scraping, which was the subject of a U.S. Federal Bureau of Investigation advisory in January. At the time, the FBI warned retailers that such RAM scrapers had already been involved in around 20 cases similar to the Target breach, and that such attacks would likely continue to grow.
There are several potential mitigations that organizations could put in place to fend off this PoS malware campaign, according to the report. For instance, remote desktop access applications can be configured to lock out users after a specified number of failed login attempts, effectively preventing brute-forcing. The report also advocated the use of EMV-based chip and PIN technology for point-of-sale hardware, a measure that Target and other retailers in the U.S. are already rushing to implement.
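The lockout recommendation above is only as good as the monitoring behind it. The following is an added example, not code from the report or any of the organizations it names: it parses a constructed, flattened sample of Windows Security log lines (Event ID 4625 for failed logons and 4624 for successes, logon type 10 for remote interactive sessions such as RDP), flags source/account pairs whose failure rate looks like a credential brute-force, and reports whether an account lockout threshold would have locked the account before the guessing succeeded. The log line format, the IP addresses and account names are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log lines, flattened to one line each.
# 4625 = failed logon, 4624 = successful logon, LogonType=10 = remote interactive (RDP).
# These are not real events from the investigations described in the report.
SAMPLE_EVENTS = """\
2014-07-31T02:14:05 4625 LogonType=10 Account=Administrator Src=203.0.113.7
2014-07-31T02:14:06 4625 LogonType=10 Account=Administrator Src=203.0.113.7
2014-07-31T02:14:07 4625 LogonType=10 Account=Administrator Src=203.0.113.7
2014-07-31T02:14:08 4625 LogonType=10 Account=Administrator Src=203.0.113.7
2014-07-31T02:14:09 4625 LogonType=10 Account=Administrator Src=203.0.113.7
2014-07-31T02:14:10 4625 LogonType=10 Account=Administrator Src=203.0.113.7
2014-07-31T02:14:11 4624 LogonType=10 Account=Administrator Src=203.0.113.7
2014-07-31T08:30:00 4625 LogonType=10 Account=clerk1 Src=192.0.2.15
2014-07-31T08:30:20 4624 LogonType=10 Account=clerk1 Src=192.0.2.15
"""

LINE_RE = re.compile(r"(\S+) (\d{4}) LogonType=(\d+) Account=(\S+) Src=(\S+)")


def parse_events(text):
    """Turn the flattened log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, eid, ltype, account, src = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(eid),
            "logon_type": int(ltype),
            "account": account,
            "src": src,
        })
    return events


def _split_by_outcome(events):
    """Group remote-interactive logons by (account, source) into failure and success timestamps."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:
            continue
        key = (e["account"], e["src"])
        if e["id"] == 4625:
            failures[key].append(e["ts"])
        elif e["id"] == 4624:
            successes[key].append(e["ts"])
    return failures, successes


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on (account, src) pairs with at least `threshold` failed RDP logons inside
    `window`, noting whether a successful logon from the same source followed."""
    failures, successes = _split_by_outcome(events)
    alerts = []
    for key, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                last_failure = times[j]
                followed = any(s > last_failure for s in successes.get(key, []))
                alerts.append({"account": key[0], "src": key[1],
                               "failures": count, "followed_by_success": followed})
                break  # one alert per pair is enough
    return alerts


def lockout_would_have_blocked(events, account, src, lockout_threshold=5):
    """True if the number of failures before the first success from `src` reaches the
    lockout threshold, i.e. the lockout policy would have fired before the guess landed."""
    failures, successes = _split_by_outcome(events)
    key = (account, src)
    if not successes.get(key):
        return False
    first_success = min(successes[key])
    guesses = sum(1 for t in failures.get(key, []) if t < first_success)
    return guesses >= lockout_threshold


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in detect_rdp_bruteforce(evs):
        print(a)
    print(lockout_would_have_blocked(evs, "Administrator", "203.0.113.7"))
```

The threshold and window are deliberately parameters: a five-failure lockout is a common starting point, but the right number depends on how often legitimate staff mistype, and the detection should fire regardless of whether lockout is enabled, since a success after a burst of failures is the case worth investigating.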
A number of network security controls can also be utilized to defeat Backoff, the report noted, including reviewing firewall configurations to ensure that only allowed ports and IP addresses are communicating on the network.
"This is especially critical for outbound [e.g., egress] firewall rules, in which compromised entities allow ports to communicate to any IP address on the Internet," said the Department of Homeland Security report. "Hackers leverage this configuration to exfiltrate data to their IP addresses."
Josh Grunzweig, a malware researcher with Trustwave SpiderLabs, a contributor to the Department of Homeland Security report, said in a blog post that while none of Backoff's features should be considered "innovative," that doesn't mean it should be ignored.
"The author simply made use of pre-existing practices when writing this malware," said Grunzweig. "While this malware is not revolutionary, it should still be treated as a threat."