By Andy Green, technical specialist, Varonis
Am I the only one finding the recent upsurge in hotel data breaches troubling on some primal level? You’re in a vulnerable position as a traveler, and you want to believe that the suite you’ve booked is your castle. And a secure one – doors often have multiple locks, rooms have those teeny safes for storing valuables, and security cameras help guard lobbies.
Hotels, of course, have long recognised that as hosts, they have special responsibilities.
But hotels also host your data, particularly credit card data. Based on the spike in hotel data heists, this industry has fallen short, security-wise. As it turns out, the attack vector for these hotel breaches is the same PoS malware used against big box retailers.
Yeah, that’s right. BlackPOS and the other RAM-scraper variants have found hotels a good place to vacation, for months apparently, and to check out with a haul of credit card numbers.
What makes all this so startling is that it appears little has been learned from the huge retail breaches.
PoS Malware Attack Scenario
There’s really nothing new in the attack chain in these incidents. Well, perhaps one thing. There’s new PoS malware afoot that’s stealthier than the old-school techniques, and may have been involved in some of the hotel data heists.
In any case, most security analysts would probably agree with the following scenario:
Attackers gain entry through (yawn) phishing, SQL injection, or some other well-understood vulnerability (default passwords, etc.). They likely use a RAT or other tool for the initial part of the attack.
Once they have a beachhead, they move laterally, using standard techniques such as port scanning, working out host-naming conventions, password cracking, and pass-the-hash: all the methods we’ve talked about in the pen-testing series. The goal is to find a PoS machine or server.
After the PoS device(s) have been identified, the attackers load the payload, the special RAM-scraping software, and then exit. At this point, the PoSware takes over, controlled remotely by hackers from their C2 servers.
The PoSware then searches OS memory for card data, collects it, and periodically dumps the collected data to the file system.
Finally, the PoSware exfiltrates the card data file to the C2 servers by embedding it in HTTP POST/GET requests.
While there are variations, the sketch above holds true for most of the PoS attacks we’ve seen in recent years.
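The exfiltration step is the one a network defender can see: a single-purpose PoS terminal has a very short list of legitimate destinations, so any HTTP request from it to anything else, or carrying far more bytes than a heartbeat should, deserves an alert. The following Python is an added example, not code from the original post or from Varonis; it runs over a few constructed proxy-log lines in a hypothetical format (timestamp, source host, method, URL, status, bytes) and assumes an inventory of PoS hostnames and an allowlist of approved vendor destinations, both of which are placeholders here.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed web-proxy log lines for this example (hypothetical format:
# timestamp  source_host  method  url  http_status  bytes_transferred).
SAMPLE_LOG = """\
2016-01-04T10:01:02 POS-LOBBY-01 GET http://updates.example-pos-vendor.test/check 200 312
2016-01-04T10:05:17 POS-LOBBY-01 POST http://updates.example-pos-vendor.test/heartbeat 200 540
2016-01-04T10:20:44 FRONTDESK-PC7 GET http://www.example.test/news 200 88
2016-01-04T23:59:58 POS-LOBBY-01 POST http://198.51.100.23/upload.php 200 2457600
2016-01-05T00:14:03 POS-BAR-02 GET http://203.0.113.9/get.php?id=POS-BAR-02 200 1048576
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>GET|POST) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Assumed inventory (placeholders): which hosts are PoS terminals and which
# destinations they are permitted to talk to (the vendor update service only).
POS_HOSTS = {"POS-LOBBY-01", "POS-BAR-02"}
APPROVED_DESTS = {"updates.example-pos-vendor.test"}
LARGE_TRANSFER_BYTES = 100_000  # a PoS heartbeat should never approach this


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_raw_ip(host):
    """True when the destination is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_exfil(log_text):
    """Return suspicious PoS-originated requests together with the reasons they were flagged."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in POS_HOSTS:
            continue  # only PoS terminals are in scope for this check
        dest = urlparse(rec["url"]).hostname or ""
        reasons = []
        if dest not in APPROVED_DESTS:
            reasons.append("unapproved destination")
        if is_raw_ip(dest):
            reasons.append("raw IP destination")
        if rec["bytes"] >= LARGE_TRANSFER_BYTES:
            reasons.append("large transfer")
        if reasons:
            findings.append({"ts": rec["ts"], "host": rec["host"], "method": rec["method"],
                             "dest": dest, "bytes": rec["bytes"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_exfil(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['method']} -> {f['dest']} "
              f"({f['bytes']} bytes): {', '.join(f['reasons'])}")
```

The front-desk PC's browsing is ignored on purpose: the value of this check comes from the PoS terminals being single-purpose, so the allowlist can be tiny and every deviation is worth a human look. The same three rules (destination, raw IP, volume) apply whether the data rides in a POST body or a GET query string, as the last sample line shows.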
But just as we know how the attack unfolds, security experts also understand the kill chain—how to stop the attack at different points in its cycle. We’ve also collected some of this advice in a blog post we wrote back in 2014.
One factor that may have changed the game, though, is that the amateurs have been supplanted by the pros. Criminal gangs such as Black Atlas have turned PoS hacking into a criminal enterprise.
So it becomes even more critical to move the kill chain for PoSware up a few notches in IT priorities, particularly if you’re in the hotel and leisure industry.
Here are a few key areas where I think a modest investment will yield huge security benefits:
Employee Education – If you explain to employees what a phish mail looks like, you can stop most attacks from the start. It’s good policy to tell employees to never click on a link or attachment from an outside email without making sure of the sender’s identity. We recommend our own e-book on the subject, Anatomy of a Phish.
Data Governance — The attackers are not aliens from an advanced civilization. Like the rest of humankind, they need access to the file system in their initial surveillance work and exfiltration. The idea is to carefully review ACLs and restrict access so that the hackers can’t leverage a random user’s credentials to read, copy, and create files in sensitive folders and directories.
Whitelisting – PoS systems should only be running software from a well-defined set—after all, these are single-purpose computers for handling credit card transactions. In theory, whitelisting software that prevents the OS from launching non-standard binaries is an effective antidote to this hackware. Mileage may vary though. Some of the recent attacks involved using rootkit techniques where the kernel is modified, thereby making the malware practically invisible to the OS.
Patch Management — Make sure you have the latest security patches. Enough said.
Credential Management/Pass-the-Hash (PtH) Mitigation – This is a broad category. Simply put: don’t make it easy for hackers to get credentials. Make sure you have solid password policies in place, search for and remove plaintext password or password hash files, and if possible disable Windows storing of plaintext passwords in LSASS memory. Finally, ensure that domain-level admin accounts are not being used to log on to users’ machines over the network; that is what lets hackers steal the crown jewels through PtH.
The attackers play the odds, and so they can still get lucky— default passwords that weren’t changed, a patch that was neglected, or, say, a successful phishing or watering-hole attack against the Director of IT.
And there are zero-day exploits that are impossible to protect against.
This is where monitoring and notification come into play. But not just standard intrusion detection or virus scanning. Remember: the PoS attackers are on the inside, and they play a very stealthy game as far as conventional detection techniques are concerned.
My advice now can be summarized by three words: User Behavior Analytics (UBA).
You won’t be able to spot these intruders without taking into account existing user file and system activities.
While they may look like ordinary users, the attackers will tip their hand by accessing system configuration files, copying or moving a large number of files, or encrypting credit card data—activities that are likely atypical for that user.
And that’s where UBA comes in. It understands the average or normal behavior of the real user behind the credentials, and then notifies the security group when variances occur.
While you may not be able to prevent intrusion into a hotel PoS system, with UBA you will be able to spot the attackers’ activities further down the kill chain, and ideally prevent the extraction of the credit card data.
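To make the baseline-and-variance idea concrete, here is an added Python example (not code from the original post or from any Varonis product) that does the two things the text describes: it learns a user's normal daily file-access volume and the folders they habitually touch, then scores a new day against that history. The audit events are constructed for the example, in a hypothetical (date, user, action, path) shape, and the user name, share paths and thresholds are assumptions.

```python
import ntpath
import statistics
from collections import Counter
from datetime import date


def constructed_events():
    """Constructed file-audit events (date, user, action, path) for this example."""
    events = []
    # Five ordinary working days: 10 to 14 reads of reservation spreadsheets.
    for day, n in zip(range(4, 9), (10, 12, 11, 14, 10)):
        for i in range(n):
            events.append((date(2016, 1, day), "jsmith", "read",
                           f"\\\\fs01\\frontdesk\\reservations\\res{i:04d}.xlsx"))
    # Sixth day: the same credentials read 400 files on a share this user has
    # never touched and copy a PoS configuration file (hypothetical path).
    for i in range(400):
        events.append((date(2016, 1, 9), "jsmith", "read",
                       f"\\\\fs01\\finance\\cardholder\\batch{i:04d}.csv"))
    events.append((date(2016, 1, 9), "jsmith", "copy", "C:\\PoS\\config\\terminal.ini"))
    return events


def _folder(path):
    # Windows paths, so ntpath rather than os.path; case-folded for comparison.
    return ntpath.dirname(path).lower()


def build_baseline(events, user, before_day):
    """Summarise the user's normal daily volume and the folders they usually touch."""
    per_day = Counter()
    folders = set()
    for day, who, _action, path in events:
        if who != user or day >= before_day:
            continue  # only history strictly before the day being scored
        per_day[day] += 1
        folders.add(_folder(path))
    counts = list(per_day.values())
    return {
        "days": len(counts),
        "mean": statistics.mean(counts) if counts else 0.0,
        "stdev": statistics.pstdev(counts) if counts else 0.0,
        "folders": folders,
    }


def score_day(events, user, day, baseline, sigma=3.0, min_ratio=3.0):
    """Compare one day's activity against the baseline and return a list of alerts."""
    todays = [e for e in events if e[1] == user and e[0] == day]
    alerts = []
    # Volume: flag a day above mean + sigma*stdev, but never below min_ratio times
    # the mean, so a very steady baseline (stdev near zero) does not over-alert.
    threshold = max(baseline["mean"] + sigma * baseline["stdev"],
                    baseline["mean"] * min_ratio)
    if len(todays) > threshold:
        alerts.append({"kind": "volume", "count": len(todays), "threshold": threshold})
    # Location: any folder outside the user's history is atypical for that user.
    for folder in sorted({_folder(p) for _, _, _, p in todays}):
        if folder not in baseline["folders"]:
            alerts.append({"kind": "new_location", "folder": folder})
    return alerts


if __name__ == "__main__":
    evts = constructed_events()
    busy = date(2016, 1, 9)
    for alert in score_day(evts, "jsmith", busy, build_baseline(evts, "jsmith", busy)):
        print(alert)
```

On the constructed data the sixth day trips both checks: roughly 400 reads against a baseline that averages about eleven, and two folders (the cardholder share and the PoS config directory) that this account has never touched before. Nothing in the day's activity is individually prohibited, which is exactly the point of UBA: the credentials are valid, and only the departure from that user's own history gives the intruder away.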