LinuxQuestions.org

Linux - Security: US-CERT TA14-212A: Backoff Point-of-Sale Malware (https://www.linuxquestions.org/questions/linux-security-4/us-cert-ta14-212a-backoff-point-of-sale-malware-4175515379/)

tronayne 08-18-2014 12:25 PM

US-CERT TA14-212A: Backoff Point-of-Sale Malware
 
Quote:

Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop [1], Apple Remote Desktop [2], Chrome Remote Desktop [3], Splashtop 2 [4], Pulseway [5], and LogMeIn [6] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.
The US-CERT notice, https://www.us-cert.gov/ncas/alerts/TA14-212A, details the problem, the variants of the malware and information for dealing with Backoff and its variants.

If you deal with Point-of-Sale systems you may want to read the notice for additional information.

Hope this helps some.

GaWdLy 08-22-2014 08:34 PM

If a PoS user is using a PCI-certified platform (as they are by mandate), this should not be a problem. PCI should disable most remote access tools, as well as default administrative users.

tronayne 08-23-2014 07:56 AM

TA14-212A: Backoff Point-of-Sale Malware (Revised August 22, 2014)
 
Looks like some folks are still having problems (for whatever reason), thus a revision was published yesterday (22 Aug 2014):
Quote:

Overview

This advisory was prepared in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave Spiderlabs, a trusted partner under contract with the USSS. The purpose of this release is to provide relevant and actionable technical indicators for network defense against the PoS malware dubbed "Backoff" which has been discovered exploiting businesses' administrator accounts remotely and exfiltrating consumer payment data.

Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the “Backoff” malware. Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected.

Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop [1], Apple Remote Desktop [2], Chrome Remote Desktop [3], Splashtop 2 [4], Pulseway [5] and LogMeIn [6] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.

Organizations that believe they have been impacted should contact their local Secret Service field office and may contact the NCCIC for additional information.
The revised notice may be found at https://www.us-cert.gov/ncas/alerts/TA14-212A

Hope this helps some.
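The attack chain the advisory describes (brute forcing remote desktop logins, then a successful login on an administrator account) is what a defender would watch for in authentication logs. What follows is an added example, not code from this thread or from US-CERT: a small Python sliding-window detector run over constructed, simplified log lines (the `rdesk` log shape, host name and addresses are assumptions), which flags a burst of failures from one source and, more importantly, a successful login from a source that was just brute forcing.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog-like shape (not a real product's format).
SAMPLE_LOG = """\
2014-08-21T02:14:01 pos-srv1 rdesk: auth failure user=Administrator src=203.0.113.7
2014-08-21T02:14:03 pos-srv1 rdesk: auth failure user=admin src=203.0.113.7
2014-08-21T02:14:05 pos-srv1 rdesk: auth failure user=POS src=203.0.113.7
2014-08-21T02:14:08 pos-srv1 rdesk: auth failure user=Administrator src=203.0.113.7
2014-08-21T02:14:11 pos-srv1 rdesk: auth success user=Administrator src=203.0.113.7
2014-08-21T09:30:00 pos-srv1 rdesk: auth failure user=jsmith src=198.51.100.20
2014-08-21T09:31:00 pos-srv1 rdesk: auth success user=jsmith src=198.51.100.20
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ rdesk: auth (?P<result>failure|success) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(line):
    """Return a dict for one log line, or None if the line does not match the assumed shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect(log_text, threshold=4, window=timedelta(minutes=2)):
    """Alerts are (kind, src, usernames_tried). 'burst' fires when one source
    reaches `threshold` failures inside `window`; 'success_after_burst' fires on a
    later successful login from that source, the event the advisory describes."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    users = defaultdict(set)      # src -> distinct usernames tried
    bursting, alerts = set(), []  # burst state is sticky until the log ends
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        src, ts, q = ev["src"], ev["ts"], recent[ev["src"]]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["result"] == "failure":
            q.append(ts)
            users[src].add(ev["user"])
            if len(q) >= threshold and src not in bursting:
                bursting.add(src)
                alerts.append(("burst", src, sorted(users[src])))
        elif src in bursting:             # success from a source that was brute forcing
            alerts.append(("success_after_burst", src, sorted(users[src])))
    return alerts
```

In the constructed sample, only 203.0.113.7 trips both alerts; the single failure followed by success from 198.51.100.20 is an ordinary mistyped password and stays silent.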
