PoS attacks: Undetected vulnerabilities lay in wait


Attivo Networks issued a report detailing severe vulnerabilities in the nation’s POS systems that could lead to large breaches during the Holiday shopping period and on into next year.


The report, based on primary research, shows how attackers are moving laterally undetected through networks, compromising asset management servers and then using them to plant malware on POS terminals for either timed or remote activation, creating the foundation for wide-scale credit card information theft.

The lack of visibility into POS attacks provides an environment where attackers can operate with as much time as they need to find and compromise a key asset such as an Active Directory or patch management server that will expose the POS payment processing gateways.

Once such a server is identified, the attacker deploys malware through the patch-management software and then compromises the payment processing application, using a RAM scraper as the final payload to steal and upload card data. Once compromised, it remains a constant challenge for organizations to gain visibility into how widespread the attack may be and how to conclusively shut it down.

Many of today’s POS devices are particularly vulnerable to malware because they run on older, unprotected Windows XP or even DOS-based systems for which anti-virus is not available. Additionally, in some cases the patch management systems run in a trusted mode and there may be no anti-virus running at all. The report notes that having an endpoint security solution is not a fail-safe way to prevent attacks, because many of these attacks are targeted and originate from the endpoints themselves, using stolen credentials to breach the systems.

“With an approach based on attacker engagement, deception traps make a highly efficient and accurate method for detecting evasive advanced threats and their lateral movement,” said Marc Feghali, co-founder of Attivo Networks. “Early visibility into these threats and the reduction of dwell time can mean the difference between a minor incident and a wide-scale public breach. We found that deception changes the game and adds detection in the heart of the attacker operations. Early detection of attempts to compromise asset management servers, POS terminals and gateways is the key to stopping wide-scale attacks and the breaches we all too often read about.”

“Based on this research, we predict that in 2017 there will be a significant increase in reported POS attacks, largely due to the high probability that these systems have already been breached and attackers are already active throughout many networks today, undetected and unchecked,” concludes Tushar Kothari, CEO of Attivo Networks. “There is a high likelihood that breaches during this Holiday period won’t be detected until well later in the year and unfortunately well after the cardholders have suffered the consequence of shopping for what will no longer feel like a good holiday deal.”