Analysis of the threats targeting Point of Sale systems
A point of sale (POS) system refers to the critical piece of software used by customers to execute a payment for goods or a service. This also includes the physical devices in stores, where POS terminals and systems are used to process card payments. These are often the primary targets of financially motivated organised cybercrime groups (also known as eCrime advanced persistent threats). Successful intrusion of a POS system can lead to the theft of vast amounts of financial data from customers. This can be used for immediate gain or sold on underground markets for fraud. A combination of hard-to-detect data-exfiltration malware; legacy hardware - which is difficult to patch; and general OS vulnerabilities, mean that this particular threat is common and can be difficult to defend against.
APT groups such as FIN6, FIN7, and FIN8 are currently some of the most significant threats to large retailers, restaurant chains, hotels, the leisure industry, and to the technology that supports these sectors. These groups are responsible for running the attack campaigns, mass data theft, and for fueling the darknet marketplaces. These financially motivated groups have been targeting POS systems for years and have been very successful at turning a profit while doing so. The focus of this blog is on POS systems but these groups are also known for running 'Magecart' web skimming campaigns against eCommerce online stores as well as deploying malware to dispense the cassettes of ATMs at banks.
Figure 1. Malicious document template sent by FIN7.
One of the first steps to successful intrusion against POS systems is locating them. This can include looking to expose POS systems on the internet, buying them from access brokers, or infiltrating a specific organisation for its data. Cybercriminals often go after so-called low-hanging fruit due to it requiring less time and less resources to compromise. Threat groups are regularly scanning the internet or purchasing access from other brokers who have done the time-consuming part for them. Attackers often search for systems vulnerable to bugs such as CVE-2018-2636 - which allows an unauthenticated attacker with network access via HTTP to compromise the Oracle Hospitality Simphony POS system.
POS malware is sophisticated and a significant threat to any organisation handling face-to-face card payments. The attackers operating POS malware often have extensive knowledge of the targeted software. The proficiency of the operators could stem from multiple scenarios, including stealing and reverse-engineering the proprietary software, misusing its leaked parts or by buying code from an underground market. There has been a growing number of new POS malware families entering the threat landscape which organisations should be made aware of.
In 2019, researchers from Forcepoint investigated the vulnerabilities in unsupported operating systems in POS systems and leightweight and evasive malware files, such as TinyPOS. POS malware is a thriving part of the cybercriminal ecosystem. Of the 2,000 samples analysed, 95% were downloaders used to distribute malware to systems. Under normal circumstances it would not be hard to defend against, but because of the out of date POS systems used by many organisations, they leave themselves at serious risk of attack. Notably, systems for swiping cards are more common than chip and pin or contactless in the United States. Card data swiped by a POS system is often stored in plain text and in unsecured databases. This provides malicious actors with ready-made data troves worth targeting. (source)
In June, payment processor giant, VISA, published a security alert revealing that two North American organisations in the hospitality sector were compromised and infected with POS malware in May and June 2020. Three different strains of POS malware were found: RtPOS, MMon (also known as Kaptoxa), and PwnPOS. Remote Access Trojans (RAT) and credential dumpers were used to access various systems, move laterally, and deploy the malware. The researchers could not, however, identify the intruders' entry point into the system. The May attack used a phishing campaign to gain access to the company systems, compromising user and administrator accounts. Legitimate administrative tools were used to access the cardholder data environment (CDE), into which a memory scraper was deployed to harvest payment data stolen by the TinyPOS malware. (source)
Also in 2020, FIN7 (also known as Carbanak) was identified deploying its POS malware, known as Pillowmint, in its campaigns against the hospitality and restaurant industry for the past three years. Pillowmint is installed using malicious shim databases, which can then be used to leverage the Windows Application Compatibility Framework and establish persistence on a device. The Pillowmint malware has various capabilities, including logging its own actions, scraping memory on a device, reading memory content, capturing track 1 and track 2 credit card data, stealing data every six seconds, command and control functionality, terminating malware processes, and simulating a device crash. (source)
In November, ESET Research disclosed a new modular backdoor, dubbed ModPipe, targeting POS systems used in the hospitality sector. ModPipe gives its operators access to sensitive information stored on the Oracle Micros Restaurant Enterprise Series (RES) 3700, software that is deployed in hundreds of thousands of businesses in the hospitality sector. ModPipe first appeared at the end of 2019: in April 2020, three new modules appeared in the wild, which had been fully upgraded and used in an ongoing campaign collecting and decrypting transactional databases. (source)
In December 2019, US convenience store and petrol station chain, Wawa, was struck by a data breach affecting all 850 of its stores. Malware was found on its payment processing servers which had been present for an undisclosed amount of time. It was later confirmed that the attackers were able to exfiltrate up to 30 million customers’ unencrypted card data. (source)
Last October, three million cards were stolen from Dickey’s BBQ. Security blogger, Brian Krebs, contacted the restaurant for comment and Dickey's responded that they are aware of the situation and are working with the FBI to establish the details. The breach is believed to be as a result of an attack on the magnetic stripe of the leaked cards. This suggests that either physical skimmers were deployed in the restaurant locations or a sophisticated breach of unencrypted card data is behind this breach. (source)
DSG Retail, the group owners of the UK-based Carphone Warehouse and Currys PC World, was recently issued the maximum pre-GDPR fine (£500k) after a cyberattack led to the theft of 5.6 million payment cards. Point-of-Sale malware had compromised 5,390 cash tills belonging to DSG Retail between July 2017 and April 2018. DGS Retail has worked with the UK NCSC, an arm of GCHQ, to remediate the intrusion. With additional pressure from Covid-19, DSG Retail has since permanently closed all 531 standalone Carphone Warehouse stores, cutting 2,900 jobs. (1, 2)
In July 2016, a Russian organised crime group (likely FIN7) reportedly breached hundreds of computers belonging to Oracle. The attackers compromised the customer support portal for companies using Oracle’s MICROS Point-of-Sale card payment system. MICROS is among the top three POS vendors globally. It is used at more than 330,000 cash registers across 180 countries at some 200,000 food and beverage outlets, 100,000 retail sites, and more than 30,000 hotels. (source)
Once these eCrime APT groups have successfully located a vulnerable system, infiltrated it, deployed the malware, and stolen the cards they move onto the darknet markets. One of the largest stolen card marketplaces is known as Joker’s Stash (abbreviated to JStash). This is where the 30 million cards stolen from Wawa ended up, which multiple fraud intelligence firms later confirmed. (source)
Figure 5. Joker’s Stash advertisement on other underground forums.
Earlier this year, whilst researching, I uncovered a number of live Joker’s Stash phishing pages targeting the credentials of other users trying to access the market. These attacks demonstrate just how lucrative fraud of this nature can be. As it is available all in one place, it even makes the fraud bazar itself a target for other threat actors.
Figure 6. Phishing pages targeting JStash Bazar.
Point-of-Sale systems are often outdated and seldom replaced, meaning that publicly known flaws can be targeted for exploitation. Recently, other financial threats such as ransomware and web skimming have had more media attention: the aforementioned attacks, however, show that POS systems are still an attractive target for attackers and should be protected accordingly.
Researching and writing this blog helped me understand the threats against the hospitality industry, which I wished to learn more about. As part of a CTI team, we are often asked by clients to investigate the fallout of these large breaches and whether it affects them. Although, these large breaches are not an everyday occurrence - as it takes time for a persistent attacker to infiltrate - their repercussions can last for months, if not years. These systems should be considered as an organisations ‘crown jewels’ as the result of a compromise often leads to headlines, blogs (such as this), training material, and conference talk topics for years to come.