According to current reports, over 1,000 US companies have been hit with the Backoff point-of-sale (POS) malware so far. Infections date back as far as October 2013, and the companies hit include Dairy Queen, UPS, Supervalu, and Neiman Marcus. The impact is now in the millions: millions of customers who have had their credit card information stolen, and millions of dollars in costs to the infected companies.
Many articles (including one posted by CourtesyIT on Aug 21: Backoff POS Alert) encourage companies to follow industry-standard best practices to protect themselves, and give a high-level listing of those practices (“use firewalls to restrict access to remote desktop”).
At SolarWinds®, we realize that “industry standard best practices” are frequently NON-standard and UN-practiced. We also realize that not everyone has the expertise to implement ACLs, lock down ports on machines, or perform regular checksum comparisons on filesystems, all of which need to happen on production networks and sales systems without impacting actual business operations.
But you probably realize that you also can't afford to do nothing.
We realized that we couldn't sit by and do nothing either. While combating malware may not exactly be in the SolarWinds mission statement, our decades of experience in systems monitoring, management, and automation make us well suited to help. So we are.
While we intend (over the course of the next few days) to provide concrete solutions to specific aspects of this threat, for the moment we're opening the floor up to discussion.
For a more specific list of things you can do now, jump to “Actions you Can Take Right Now”, below.
The US Computer Emergency Readiness Team (US-CERT) has assembled comprehensive information about the malware. A detailed explanation of how it behaves on an infected system can be found here: http://www.us-cert.gov/sites/default/files/publications/BackoffPointOfSaleMalware.pdf.
The following alert provides an overview of the malware's components (files, functions, etc.) as well as industry-standard best practices you can follow to detect whether you are infected and to block further damage: https://www.us-cert.gov/ncas/alerts/TA14-212A.
For the rest of this post we're going to break down the CERT notice into logical groups and offer general information on high-level actions you can start taking.
While the exact attack or infection vector is still not known (see here for more: http://www.securityweek.com/root-cause-analysis-stop-playing-whack-mole), the indicators that a system has been compromised are easy to spot (in some cases, a simple “dir /s” would do the trick). These indicators include files created or written, registry keys created or written, URIs accessed, and HTTP POST requests sent to the command-and-control server.
As stated earlier, it's not known exactly how the infection occurs. At this time, the mechanism of compromise appears to be abuse of remote-access credentials (typically guessed or brute-forced passwords) for tools like RDP, LogMeIn, and similar remote-access products.
First, let's just run through a few items that you should be able to easily lock down:
- Remote Desktop
Limit the use of Remote Desktop on your point-of-sale systems. Disable it if you can; if you must permit it, restrict it to specific users and to specific source computers (for example, via Group Policy and the Windows Firewall's remote-address scope, or via ACLs on the routers and firewalls in front of the POS segment).
If nothing else, block RDP traffic (TCP port 3389 by default) to and from any external source.
Along with that, monitor the network devices that control ingress and egress for the POS network for configuration changes. You will want an alert whenever firewall rules or ACLs are updated without an approved change request.
- Admin privileges
Limit the number of users with admin privileges on the POS systems. This can be done in a variety of ways, from placing your POS systems in a separate domain (and thus having a separate Domain Admins group) to simply creating a separate “POS Domain Admins” group and assigning that group, rather than the regular one, to the local Administrators group on the POS systems.
You'll also want to monitor the systems themselves for admin logins.
- Users and passwords
Most of the preventive options are common sense: require complex passwords that change regularly, limit the use of and access to admin accounts, and disable or delete unused accounts.
Assuming you've battened down the hatches, here are high-level descriptions of some actions you can take right now to determine if you have been affected.
- Authentication data
Similar to the prevention tip for locking down RDP, monitoring for RDP authentication attempts (on Windows, Security log events 4624 and 4625 with logon type 10) will help identify unauthorized access. Start by alerting on all of them, then filter out the permitted computers and users as you get a sense of what normal usage looks like.
Separately, monitor for usage of service/admin accounts to watch for unexpected activity.
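As an added example (not from the original post and not SolarWinds code), here is the filtering logic described above run over a handful of constructed Windows Security events. The management subnet, the watched account names, and the failure threshold are assumptions to replace with your own values; on a real host the events would come from the Security log via an event forwarder or log collector rather than from an in-memory list.

```python
"""Flag suspicious Remote Desktop logons in Windows Security events.

Windows records an interactive RDP session as a logon event with
LogonType 10 (RemoteInteractive): Event ID 4624 for success and 4625
for failure (528/529 on pre-Vista systems such as XP-based POS builds).
The rules below flag:
  * successful RDP logons from outside the approved management subnet
  * admin/service accounts used over RDP at all
  * repeated RDP failures from one source (credential guessing)
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# --- assumptions: adjust to your environment ---
MANAGEMENT_SUBNET = ip_network("10.10.50.0/24")   # where RDP may originate
WATCHED_ACCOUNTS = {"administrator", "svc_pos"}   # never expected over RDP
FAILURE_THRESHOLD = 5                             # failures per source IP

RDP_LOGON_TYPE = 10

# Constructed sample events, not real log data. Field names mirror the
# EventData fields of a Security-log event.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "pos-tech",
     "IpAddress": "10.10.50.12", "TimeCreated": "2014-08-22T09:01:00"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "pos-tech",
     "IpAddress": "203.0.113.77", "TimeCreated": "2014-08-22T02:13:00"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator",
     "IpAddress": "10.10.50.12", "TimeCreated": "2014-08-22T02:20:00"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_pos",
     "IpAddress": "10.10.20.5", "TimeCreated": "2014-08-22T02:21:00"},
] + [
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "admin",
     "IpAddress": "198.51.100.9", "TimeCreated": f"2014-08-22T02:3{i}:00"}
    for i in range(6)
]


def is_rdp(event):
    return event["LogonType"] == RDP_LOGON_TYPE


def analyze_logons(events):
    """Return a list of (rule, detail) alerts for the given events."""
    alerts = []
    failures = Counter()
    for ev in events:
        if not is_rdp(ev):
            continue  # network/service logons are handled elsewhere
        src = ev["IpAddress"]
        user = ev["TargetUserName"]
        if ev["EventID"] == 4625:
            failures[src] += 1
            continue
        if ev["EventID"] != 4624:
            continue
        try:
            outside = ip_address(src) not in MANAGEMENT_SUBNET
        except ValueError:  # "-" or other placeholder in the IpAddress field
            outside = True
        if outside:
            alerts.append(("rdp_from_unapproved_source",
                           f"{user} from {src} at {ev['TimeCreated']}"))
        if user.lower() in WATCHED_ACCOUNTS:
            alerts.append(("privileged_account_over_rdp",
                           f"{user} from {src} at {ev['TimeCreated']}"))
    for src, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            alerts.append(("rdp_credential_guessing",
                           f"{count} failed RDP logons from {src}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in analyze_logons(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The sample set produces three alerts: a logon from an address outside the management subnet, an Administrator logon over RDP, and six failures from one source. Tune the threshold and the allowed subnet on a quiet system first, or the unfiltered version of this rule will page you on every technician session.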
- Changes on the targeted system
It's clear from Backoff and other POS malware that you need to be much more sensitive to changes (e.g. new files or registry entries) on your POS systems than on other devices. Whether you use a scan-and-checksum technique or a full inventory tool, being alerted to new (and unexpected) files on your POS devices is a must.
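Here is a minimal scan-and-checksum baseline of the kind the paragraph describes, written as an added example rather than taken from the post or from any SolarWinds product. It records a SHA-256 for every file under a root directory, saves the result as JSON, and on a later run reports added, modified, and removed files. The directory tree and the dropped executable in demo() are constructed stand-ins, not real Backoff artifacts.

```python
"""Baseline-and-diff check for unexpected file changes on a POS host.

Take the baseline from a known-clean image, store it off the host,
and schedule the comparison. Any executable that appears in a user
profile or a system directory shows up as "added" on the next run,
and a patched library shows up as "modified".
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_of(full)
    return result


def diff_snapshots(baseline, current):
    """Return (added, modified, removed) as sorted lists of paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed example: a clean tree, then a dropped binary and a
    tampered library, standing in for what POS malware leaves behind."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "C")                 # the "system drive"
        pos_dir = os.path.join(root, "Program Files", "POS")
        profile = os.path.join(root, "Users", "pos", "AppData", "Roaming")
        os.makedirs(pos_dir)
        os.makedirs(profile)
        _write(os.path.join(pos_dir, "register.exe"), b"legit register binary")
        _write(os.path.join(pos_dir, "util.dll"), b"legit library")

        baseline_path = os.path.join(work, "baseline.json")  # kept off the tree
        save_baseline(snapshot(root), baseline_path)

        # Simulated compromise: new executable in the user profile,
        # and a modified library in the application directory.
        _write(os.path.join(profile, "updater.exe"), b"not a real updater")
        _write(os.path.join(pos_dir, "util.dll"), b"legit library\x90\x90")

        return diff_snapshots(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
```

Store the baseline somewhere the POS host cannot write to, and compare on a schedule rather than on demand. The same diff applies to an exported copy of the Run keys or any other registry hive you choose to baseline.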
- Command and control access
The whole point of this malware is that it connects to an external system and uploads keystrokes, captured card data, user details, etc. Watching for those connections will give you a heads up that something is amiss. Ways you can do that include:
- Route POS web traffic through a proxy server, and log (and ideally block) access to unknown URIs.
- Check firewall logs for connections to external systems (and attempts to bypass the proxy).
- Monitor for connections to anything OTHER than the hosts they SHOULD be accessing. These systems shouldn't be talking to many network sources, especially on the Internet, so any activity on them that's out of the norm is a big red flag.
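To make the three checks above concrete, here is an added example (not from the original post and not SolarWinds code) that runs them over constructed firewall and proxy log lines in a simplified, space-separated format. The POS subnet, the proxy address, the allowed destination networks, and the allowed hostnames are placeholder assumptions; adjust the split() calls to the field order of your own logs.

```python
"""Spot command-and-control traffic from POS hosts in firewall and proxy logs.

A POS terminal should talk to a short, known list of destinations
(payment gateway, patch server, corporate proxy). Anything else,
especially an HTTP POST to an unfamiliar URI, is worth an alert.
"""
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# --- assumptions: adjust to your environment ---
POS_SUBNET = ip_network("10.10.20.0/24")
PROXY = ip_address("10.10.1.10")
ALLOWED_DESTS = [ip_network("10.0.0.0/8"),       # internal services
                 ip_network("192.0.2.0/24")]     # payment gateway (placeholder)
ALLOWED_HOSTS = {"gateway.example.com", "updates.example.com"}

# Constructed firewall lines: "time action proto src dst dport"
FIREWALL_LOG = """\
2014-08-22T02:40:01 ALLOW TCP 10.10.20.15 192.0.2.40 443
2014-08-22T02:40:09 ALLOW TCP 10.10.20.15 10.10.1.10 8080
2014-08-22T02:41:17 ALLOW TCP 10.10.20.15 198.51.100.23 443
2014-08-22T02:41:20 DROP TCP 10.10.20.15 198.51.100.23 80
2014-08-22T02:42:00 ALLOW TCP 10.10.30.7 203.0.113.5 443
"""

# Constructed proxy lines: "time src method url status"
PROXY_LOG = """\
2014-08-22T02:40:09 10.10.20.15 GET https://updates.example.com/patch.cab 200
2014-08-22T02:43:12 10.10.20.15 POST http://198.51.100.23/status/check.php 200
2014-08-22T02:43:40 10.10.20.16 GET https://gateway.example.com/auth 200
"""


def firewall_alerts(text):
    """Flag POS hosts reaching (or trying to reach) non-approved destinations."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, proto, src, dst, dport = line.split()
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if src_ip not in POS_SUBNET:
            continue
        if dst_ip == PROXY or any(dst_ip in net for net in ALLOWED_DESTS):
            continue
        if action == "ALLOW":
            kind = "unexpected_egress"            # the rule set let it through
        elif dport in {"80", "443"}:
            kind = "proxy_bypass_attempt"         # direct web traffic, not via proxy
        else:
            kind = "blocked_egress_attempt"
        alerts.append((kind, f"{src} -> {dst}:{dport} ({proto}) at {ts}"))
    return alerts


def proxy_alerts(text):
    """Flag POS hosts fetching unknown URIs, and POSTs to them in particular."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, status = line.split()
        if ip_address(src) not in POS_SUBNET:
            continue
        host = urlsplit(url).hostname or ""
        if host in ALLOWED_HOSTS:
            continue
        kind = "post_to_unknown_uri" if method.upper() == "POST" else "unknown_uri"
        alerts.append((kind, f"{src} {method} {url} at {ts}"))
    return alerts


def all_alerts():
    return firewall_alerts(FIREWALL_LOG) + proxy_alerts(PROXY_LOG)


if __name__ == "__main__":
    for kind, detail in all_alerts():
        print(f"{kind}: {detail}")
```

On the sample data the firewall log yields one allowed connection to an unapproved Internet host and one dropped direct port-80 attempt (a proxy bypass), and the proxy log yields one POST to a URI outside the allowlist from the same terminal. An ALLOW to an unapproved destination is also a signal that the egress rule set itself needs tightening.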
If you find you need more, just sit tight. As mentioned earlier, we'll be posting detailed information, files you can import into your existing environment to get a leg up, and more over the next few
Please contribute your observations, opinions, or questions either in the comments below or by direct-messaging me on Thwack.com.