
The problem of malware on PoS terminals in the hotel industry

Am I the only one who has noticed the recent, frighteningly large increase in data breaches in the hotel industry? While traveling you are in a vulnerable position, and you want to be sure that the suite you booked is safe. That safety is provided by doors with several locks, rooms that often have small safes for storing valuables, and the hotel's security surveillance system.

Hotels, of course, have various such measures, and the staff bear a certain responsibility toward us, as a host does toward a guest.

But hotels also store your data, usually credit card details. Given the high-profile data thefts at hotels, we can conclude that this industry has not lived up to expectations in terms of security. It turns out that the attack path chosen by the attackers is exactly the same as in the malware attacks on the PoS (Point-of-Sale) terminals of large retail chains.

Yes, definitely: BlackPOS and other families of backdoors have been targeting hotels and holiday resorts for several months now, apparently to test the yield of credit cards.

And what is most striking is how few useful lessons have been learned from the huge data breaches in retail.

Attack scenario for PoS malware (PoSware)

In fact, studying all these incidents, one notices that there is nothing new in the targets chosen for attack. One thing does stand out, though: the stealth of the PoS infections that are occurring, compared with the already known methods.

In any case, most security specialists will probably agree with the following scenario:

• Attackers get in through security holes: phishing, SQL injection, and other well-known weaknesses (default passwords, etc.). Remote access tools (RATs) or similar applications are often used to launch the attack.

• Once inside, they move laterally using standard methods: port scanning, standard naming conventions in Active Directory and other infrastructure objects, password cracking, and pass-the-hash. The goal at this stage is to find a PoS terminal or server.

• Once the PoS device(s) have been identified, attackers deploy payloads using special software such as RAM scrapers, which inspect the server's memory and capture data while it is being processed. At this point the PoSware takes over, and the attackers control it remotely.

• The PoSware then searches the server's memory, collects credit card data, and periodically dumps it to the file system.

• Finally, the PoSware sends the file with credit card data to the attackers' servers by embedding it in an HTTP POST or GET request.

Despite the many variations encountered in practice, the scenario above is fairly typical of most of the attacks on PoS devices that we have seen in recent years.
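A defender-side check for the fourth step of the scenario (card data periodically dumped to the file system): an added example, not code from the original post, that scans a constructed dump for Luhn-valid card-number runs. The sample lines use publicly known test card numbers and stand in for a file a RAM scraper might write.

```python
import re

# Constructed sample "dump": track-2-style lines as a RAM scraper might write
# them. The numbers are well-known test PANs, not real cards.
SAMPLE_DUMP = """\
4111111111111111=2512101...
5500000000000004D2603201
1234567812345678 not a valid PAN
ordinary text line
"""

# A PAN is 13-19 digits not adjacent to other digits.
DIGIT_RUN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return (line_no, masked_pan) for every Luhn-valid digit run found."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for run in DIGIT_RUN.findall(line):
            if luhn_ok(run):
                masked = run[:6] + "*" * (len(run) - 10) + run[-4:]
                hits.append((line_no, masked))
    return hits


def scan_file(path: str) -> list:
    """Scan a file on disk (e.g. a suspicious temp file on a PoS host)."""
    with open(path, "r", errors="ignore") as fh:
        return find_pans(fh.read())


if __name__ == "__main__":
    for line_no, pan in find_pans(SAMPLE_DUMP):
        print(f"line {line_no}: possible card number {pan}")
```

Only the masked form is reported, so the scanner itself never writes full card numbers into a log.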

Playing defense

As we all know, when an attack occurs, information security specialists also think in terms of the kill chain: how to stop the attack at its various stages.

It should also be noted that one of the factors that changed the situation with PoS break-ins is that amateurs have been driven out by professionals. Criminal groups such as Black Atlas have turned PoS hacking into a criminal industry.

Thus it becomes even more important to raise the priority of the PoSware kill chain (protection strategy) among the existing tasks handled by IT, especially if you work in the hotel or leisure industry.

Here are a few key areas where, I think, small investments will bring great security benefits:

• Employee education: if you explain to employees what phishing emails look like, you can prevent most attacks at the very beginning. A good preventive measure is to impress on employees that they must never open links or attachments from external senders without first verifying that the sender is trustworthy or unambiguously identifying their address.

• Data management: intruders are not aliens from a more advanced civilization. Like everyone else, they need access to the file system for initial reconnaissance and analysis of information. The idea is to thoroughly review ACLs (access control lists) and restrict access so that hackers cannot use the credentials of a random user to read, copy, and create files in important folders and directories.

• Whitelisting: for a PoS system, the list of installed software must be strictly defined. After all, this is a computer that does only one job: processing credit card transactions. In theory, a whitelist protects the system from running non-standard executables and is an effective antidote to attacker tooling. Situations differ, though. For example, some recent attacks use rootkit techniques that modify the kernel, making the malware almost invisible to the operating system.

• Current updates: make sure you have the latest security updates installed.

• Credential management / reducing the impact of pass-the-hash (PtH) attacks: this is a vast area, the essence of which is to deprive hackers of easy ways to obtain credentials. Make sure your organization has strict password policies in place, search for and delete passwords stored in text files or hash files, and, where possible, disable Windows components that store passwords in clear text in LSASS memory. Finally, make sure that domain administrator accounts are not used on the local network on users' workstations; that is what allows hackers to steal them via PtH.

UBA?

Attackers always look for their chance, and they can get it: unchanged default passwords, patches and updates that were not installed on time, or, say, a successful phishing attack or an attack aimed at compromising the IT director.

There are also zero-day vulnerabilities, against which it is impossible to protect yourself.

In such a situation, notification and monitoring functions begin to play a crucial role. It's not just external intrusion detection and antivirus scans. Remember: PoS attackers operate from the inside, and their activity is almost imperceptible while you continue to rely only on standard, well-known detection methods.

In these realities, my advice can be expressed in three words: User Behavior Analytics (UBA).

You, the information security specialist in the hotel industry, cannot detect these intruders without taking into account the current activity of users and systems on your existing infrastructure.

While generating activity that imitates the work of a regular user, attackers may also access system configuration files, copy or move large volumes of files, and encrypt credit card data; that is, they create activity that is no longer routine for that user.

This is where behavioral analysis comes in. It lets you track the average, or let's say normal, behavior of a real user within their rights and job responsibilities, and notify the security department in case of deviations.

And although you may not be able to prevent the very fact of an external intrusion into the hotel's PoS system, with behavioral analysis you can identify the segments chosen for attack and, ideally, prevent the theft of credit card data.
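A minimal version of the behavioral analysis described above, as an added example that is not part of the original post: it builds a per-user baseline of daily file activity from constructed audit events and raises alerts for the two deviations the post names (a spike in file operations and first-time access to system configuration paths). The user name, paths and day numbers are all made up for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit events: (day, user, action, path). Days 1-5 are the
# baseline; day 6 contains behaviour the post describes as non-routine for
# a front-desk account: mass copying plus a read of PoS configuration.
EVENTS = [(d, "frontdesk", "read", f"/reservations/{d}/{i}.pdf")
          for d in range(1, 6) for i in range(8)]
EVENTS += [(6, "frontdesk", "read", f"/reservations/6/{i}.pdf") for i in range(8)]
EVENTS += [(6, "frontdesk", "copy", f"/reservations/archive/{i}.pdf") for i in range(60)]
EVENTS += [(6, "frontdesk", "read", "/pos/config/terminal.ini")]

# Hypothetical locations of configuration a front-desk user never needs.
SENSITIVE_PREFIXES = ("/pos/config", "/etc", "C:\\Windows\\System32\\config")


def daily_counts(events, user):
    """Number of file operations per day for one user, as {day: count}."""
    counts = defaultdict(int)
    for day, ev_user, _action, _path in events:
        if ev_user == user:
            counts[day] += 1
    return counts


def baseline(events, user, through_day):
    """Mean and standard deviation of daily activity up to through_day."""
    hist = [c for d, c in daily_counts(events, user).items() if d <= through_day]
    return mean(hist), pstdev(hist)


def analyze_day(events, user, day, through_day, k=3.0):
    """Return alert strings for the given day; an empty list means routine."""
    alerts = []
    mu, sigma = baseline(events, user, through_day)
    today = daily_counts(events, user).get(day, 0)
    # Volume alert: more than k standard deviations above the baseline
    # (sigma can be 0 for a perfectly regular user, so floor it at 1 op/day).
    if today > mu + k * max(sigma, 1.0):
        alerts.append(f"{user}: {today} file ops on day {day}, baseline {mu:.0f}")
    # Novelty alert: a sensitive path never touched during the baseline window.
    seen = {p for d, u, _a, p in events if u == user and d <= through_day}
    for d, u, action, path in events:
        if u == user and d == day and path.startswith(SENSITIVE_PREFIXES) and path not in seen:
            alerts.append(f"{user}: first-time {action} of sensitive path {path}")
    return alerts


if __name__ == "__main__":
    for alert in analyze_day(EVENTS, "frontdesk", day=6, through_day=5):
        print("ALERT", alert)
```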

Source: https://habr.com/ru/post/277477/
