Link Logger
MVM, join:2001-03-29, Calgary, AB
1 recommendation
CERT Alert - Backoff Point-of-Sale Malware

quote:
Systems Affected

Point-of-Sale Systems

Overview

This advisory was prepared in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave Spiderlabs, a trusted partner under contract with the USSS. The purpose of this release is to provide relevant and actionable technical indicators for network defense.

Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop [1] Apple Remote Desktop,[2] Chrome Remote Desktop,[3] Splashtop 2,[4] Pulseway[5], and LogMeIn[6] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.

USSS, NCCIC/US-CERT and Trustwave Spiderlabs have been working together to characterize newly identified malware dubbed "Backoff", associated with several PoS data breach investigations. At the time of discovery and analysis, the malware variants had low to zero percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious.

Similar attacks have been noted in previous PoS malware campaigns [7] and some studies state that targeting the Remote Desktop Protocol with brute force attacks is on the rise.[8] A Mitigation and Prevention Strategies section is included to offer options for network defenders to consider.

Description

“Backoff” is a family of PoS malware and has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary variants to the “Backoff” malware including 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”), and 1.56 (“LAST”).

These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4) which does not include keylogging functionality. Additionally, 1.55 ‘net’ removed the explorer.exe injection component:
• Scraping memory for track data
• Logging keystrokes
• Command & control (C2) communication
• Injecting malicious stub into explorer.exe

The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of “Backoff”. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.

Complete details here »www.us-cert.gov/ncas/ale ··· A14-212A

Heads up as someone might have their hand in your cookie jar.

Blake
lorennerol
Premium Member, join:2003-10-29, Seattle, WA
Sure would be nice if MS had "innovated" RDP to allow admins to lock out that access after excessive login attempts, without locking out the user account.

(the article mentions a substantial uptick in brute-force attacks via RDP)

Same thing with OWA.

Link Logger
MVM, join:2001-03-29, Calgary, AB

We actually talked about that a long time ago, and lockouts can become low-hanging built-in DOS attacks, but you can set it up, for example:

»www.mobydisk.com/techres ··· top.html

Blake
lorennerol to Link Logger
Premium Member, join:2003-10-29, Seattle, WA
That locks out the entire account after invalid login attempts and yes, can be a DOS vector. What I'm suggesting would lock out *access* (but not the entire account) via RDP or OWA after invalid login attempts through those systems.

Increase security, decrease DOS. Win-win.

Link Logger
MVM, join:2001-03-29, Calgary, AB

There are lots of ways folks are doing this; for example, Cyberarms or RdpGuard (note I don't use either, I'm only suggesting them as examples) have something that might help:

»cyberarms.net/features/s ··· ces.aspx

»rdpguard.com/

Windows Server 2012 has a delay built into the RDP login to slow down brute force attacks and prevent DOS brute force type attacks (i.e. it blocks the connection during the delay so CPU cycles are available for other processes).

You're not the first person to ask for some sort of RDP lockout. One suggestion I liked was not to lock the account but to drop the connection after so many failed attempts, so they could configure their firewall to simply block future traffic from that IP address (based on recurring connection attempts), which really shuts the door on the attacker (rather than having them just switch the user id, for example).

On some products I wrote I included an admin notification of brute force attacks so they could decide what the appropriate response should be (from blocking at the firewall, to locking accounts etc).

Blake
lorennerol
Premium Member, join:2003-10-29, Seattle, WA

said by Link Logger:

one suggestion I liked was not to lock the account but to drop the connection after so many failed attempts so they could configure their firewall to simply block future traffic from that IP address (based on reoccurring connection attempts) which really shuts the door on the attacker (rather then having them just switch the user id for example).

Sounds like fail2ban in Linux and it seems like an easy add to the basic firewall built into Windows. See, this is the kind of 'innovation' I'd really like to see in Windows Server, and there's no reason for them to not be doing so, other than no one is breathing down their neck with competition.
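The per-IP, fail2ban-style response discussed in the two posts above (drop and block the source after repeated RDP failures, and notify an admin, rather than locking the account) can be sketched as a small detector over Windows Security log events. The code below is an added example written for this thread, not code from either poster, CERT, Cyberarms or RdpGuard. It assumes failed and successful logons have already been exported from the Security log in a simplified pipe-separated form (the sample records are constructed); the event IDs 4625/4624, logon type 10 for RemoteInteractive, and the `netsh advfirewall` syntax are real Windows values, but the field layout, thresholds and rule name are the example's own choices.

```python
"""Fail2ban-style RDP brute-force detector (added example, not from the thread).

Counts Windows Event 4625 (failed logon) records per *source IP* inside a sliding
window and returns a block decision for that IP, so an attacker cycling usernames
cannot lock out legitimate accounts. A later 4624 (successful logon) from the same
IP clears its counter, so a user who mistyped a password a few times is not blocked.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILED_LOGON = "4625"    # Windows Security event: an account failed to log on
SUCCESS_LOGON = "4624"   # Windows Security event: an account was successfully logged on
RDP_LOGON_TYPE = "10"    # Logon type 10 = RemoteInteractive (Terminal Services / RDP)

# Constructed sample export: timestamp|event_id|target_user|source_ip|logon_type
SAMPLE_LOG = """\
2014-08-01T02:00:01|4625|administrator|203.0.113.7|10
2014-08-01T02:00:02|4625|admin|203.0.113.7|10
2014-08-01T02:00:03|4625|pos1|203.0.113.7|10
2014-08-01T02:00:04|4625|pos2|203.0.113.7|10
2014-08-01T02:00:05|4625|root|203.0.113.7|10
2014-08-01T02:00:06|4625|backup|203.0.113.7|10
2014-08-01T02:05:00|4625|jsmith|192.0.2.20|10
2014-08-01T02:09:00|4624|jsmith|192.0.2.20|10
2014-08-01T03:30:00|4625|jsmith|192.0.2.20|10
"""


@dataclass
class LogonEvent:
    when: datetime
    event_id: str
    user: str
    source_ip: str
    logon_type: str


@dataclass
class BlockDecision:
    source_ip: str
    attempts: int
    first_seen: datetime
    last_seen: datetime
    users_tried: list


def parse_events(text):
    """Parse the simplified pipe-separated export into LogonEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, event_id, user, ip, ltype = line.split("|")
        events.append(LogonEvent(datetime.fromisoformat(when), event_id, user, ip, ltype))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one BlockDecision per source IP reaching `threshold` RDP failures
    within any sliding `window`. Decisions are keyed on the IP, not the account."""
    recent = defaultdict(deque)   # source_ip -> deque of (time, user) failures in window
    blocked = {}
    for ev in sorted(events, key=lambda e: e.when):
        if ev.logon_type != RDP_LOGON_TYPE or ev.source_ip in blocked:
            continue
        q = recent[ev.source_ip]
        if ev.event_id == SUCCESS_LOGON:
            q.clear()             # a legitimate user got in; forget earlier typos
            continue
        if ev.event_id != FAILED_LOGON:
            continue
        q.append((ev.when, ev.user))
        while q and ev.when - q[0][0] > window:
            q.popleft()           # expire failures that fell out of the window
        if len(q) >= threshold:
            users = sorted({u for _, u in q})
            blocked[ev.source_ip] = BlockDecision(ev.source_ip, len(q), q[0][0], ev.when, users)
    return list(blocked.values())


def firewall_block_command(decision):
    """Windows Firewall inbound block for the offending IP (netsh advfirewall syntax)."""
    name = f"RDP-bruteforce-{decision.source_ip}"   # rule name is the example's own choice
    return (f'netsh advfirewall firewall add rule name="{name}" '
            f"dir=in action=block remoteip={decision.source_ip}")


def admin_notification(decisions):
    """Human-readable summary so an admin can decide on the response."""
    return "\n".join(
        f"{d.source_ip}: {d.attempts} failed RDP logons between "
        f"{d.first_seen:%H:%M:%S} and {d.last_seen:%H:%M:%S}, users tried: "
        f"{', '.join(d.users_tried)}"
        for d in decisions
    )


if __name__ == "__main__":
    decisions = detect_bruteforce(parse_events(SAMPLE_LOG))
    print(admin_notification(decisions))
    for d in decisions:
        print(firewall_block_command(d))
```

On the sample data only 203.0.113.7 is flagged (five different usernames in five seconds), while 192.0.2.20, whose user eventually logged on successfully, is left alone. Keying on the IP rather than the account is what avoids the lockout-as-DOS problem raised earlier in the thread; the firewall rule it emits is what a fail2ban-like wrapper would apply, with the notification left for the admin to act on.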