2 Replies Latest reply on Sep 8, 2014 12:15 PM by Leon Adato

    Backoff POS Alert


      Backoff POS Alert

      If you accept any form of credit card payment, please read this.


      On July 31, the US Computer Emergency Response Team (CERT) issued alert TA14-212A for Backoff Point-of-Sale malware (Backoff POS). This malware targets Point-of-Sale (POS) systems for the purpose of compromising the POS and capturing cardholder data.


      Backoff POS is able to identify systems configured to use Remote Desktop Protocol (RDP). Once systems are identified, it uses a brute force password attack to gain access—which oftentimes is privileged access. When Backoff POS compromises a Point-of-Sale system, it can then expose consumer data to unauthorized use. At present, many antivirus programs do not detect Backoff POS.


      The CERT advisory provides specific strategies for minimizing the possibility of a BackOff POS attack. Regarding desktop/server and network, these strategies are:

      Desktop and Server Security:

      • Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. 
      • Limit the number of users and workstation who can log in using Remote Desktop.
      • Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).
      • Change the default Remote Desktop listening port.
      • Define complex password parameters. 
      • Require two-factor authentication (2FA) for remote desktop access.
      • Install a Remote Desktop Gateway to restrict access.
      • Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL.
      • Require 2FA when accessing payment processing networks. 
      • Limit administrative privileges for users and applications.
      • Periodically review systems (local and domain controllers) for unknown and dormant users.
      • Enable logging of events and make sure there is a process to monitor logs on a daily basis.


      Network Security:

      • Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical for outbound (e.g., egress) firewall rules in which compromised entities allow ports to communicate to any IP address on the Internet. 
      • Segregate payment processing networks from other networks.
      • Apply access control lists (ACLs) on the router configuration to limit unauthorized traffic to payment processing networks.
      • Create strict ACLs segmenting public-facing systems and back-end database systems that house payment card data.


      What You Can Do

      If you comply with Payment Card Industry Data Security Standard (PCI DSS), then the 12 sections defined in version 3.0 provide recommended controls which make a network and systems resistant to the Backoff POS attack. To review a whitepaper describing how to building secure PCI compliant networks please click here.


      How SolarWinds can help

      SolarWinds Network Configuration Manager (NCM) can be used to manage configurations needed to segment networks and control access by configuring routers and other core devices and to monitor unauthorized configuration changes. In addition, NCM can audit device configurations and report compliance against PCI DSS 3.0 standards. To learn more, click here.