Point of Sale (POS) Systems' Servers in Hong Kong Likely Infected by Malware

Adapted "System recepcyjny HORECA13" by Travelarz

POS malware infection uncovered in Hong Kong

In the past 6 months, security vendors FireEye [1] and ArborNetwork [2] released reports on point of sale (POS) malware, which mentioned that IP addresses in Hong Kong were in contact with POS malware 'Command and Control' (C&C) server, i.e. computers on these IP addresses were infected and controlled by the cybercriminal via C&C server. FireEye report further pointed out that the campaign 'BrutPOS' already stole payment card data with the malware. Since there is a potential financial loss, HKCERT has passed the information to police for follow-up.

Besides, several computers in Hong Kong were infected as bots to help the cybercriminals to try to crack POS system. We will notify related ISP about the information.

Recent disastrous data breach on POS system

How disastrous can a POS malware cause? In November 2013, news about data breach being investigated in Target, one of US' largest chain retail stores, broke out [3]. It turned out that 40 million credit and debit card accounts were affected [4], and personal and financial information of more than 110 million customers were exposed [4]. The cause of the incident was malware infecting and propagating into Target's POS system at checkout counters [5]. 6 months after the incident, Target CEO Gregg Steinhafel stepped down as he was held responsible for such massive breach [6].

Why cybercriminals target at POS system?

The security of POS system has become a hot topic since the Target breach. POS system becoming a favourable target of cybercrooks makes sense due to the following reasons:

• To support various payment methods such as credit card, EPS (i.e. debit card), Octopus (i.e. contactless smart card), POS system has already evolved into a very complex system, including network interfacing with respective payment processors. That means various 'attack surfaces' can exist so that different types of breach can be carried out, e.g. memory scraping malware can expose credit card data stored in RAM before encryption.
• POS system incorporates many value add functions, such as membership management, inventory management, interface to different payment processors etc. to support various business needs. That means not only financial data but also personal data also exist in the POS system.
• POS system is widely adopted in various industries such as retail, food and beverage, hospitality, inventory etc. That means POS systems are installed in wide areas, and they may also be connected to corporate network through the Internet. That also increases the 'attack surfaces' for exploit. 

Preventive measures

• Most malwares including BrutPOS will crack a computer by brute force attack of the default user name and password. For example, BrutPOS first brute force attacks the Remote Desktop service so that back door is opened for dropping the malware. Therefore, the first line of defence is to change the default user name and password of the system, and also suspends or removes unused user accounts.
• POS system should not be connected to open network such as guest WiFi access point. POS system should be isolated from public Internet to limit the attack surfaces.
• If your POS systems are embedded Windows systems, you can refer to Microsoft's POS hardening guideline:
  http://download.microsoft.com/documents/en-us/Protecting_Point_of_Sale_Devices-April_2014.pdf 

Reference

1. BrutPOS: RDP Bruteforcing Botnet Targeting POS Systems, FireEye
2. [PDF] Dexter and Project Hook Break the Bank, Arbor Networks
3. Sources: Target Investigating Data Breach, KrebsOnSecurity
4. Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores, Target
5. A First Look at the Target Intrusion, Malware, KrebsOnSecurity
6. Target CEO resigns after data breach fallout, CNET