PoSeidon Case: How to Prevent POS Malware from Stealing Data

Researchers with Cisco’s Talos Security Intelligence and Research Group have identified a new point-of-sale (POS) malware family, referred to as ‘PoSeidon’, that takes steps to maintain persistence and also has a mechanism for updating itself. The malware targets POS systems, scrapes the memory of infected machines for payment card information, and exfiltrates the data to servers, many of which are hosted on Russian domains, according to a post by SC Magazine last week.

Upon infection, PoSeidon takes steps to achieve persistence so that the malware will survive should there be a system reboot, according to the post.

Craig Williams, senior technical leader for Cisco’s Talos Security Intelligence and Research Group, said that “PoSeidon is interesting because it is self-updatable. It has interesting evasions by using the combination of XOR, Base64, etc., and it has direct communication with the exfiltration servers, as opposed to common POS malware, which logs and stores for future exfiltration from another system.”

Williams went on to say that “securing against these types of threats should involve a threat-centric approach built on superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum”.

My opinion?

I would disagree with Cisco’s approach that POS systems should be protected against advanced persistent threats and continually monitored. The answer is to take credit card data away from POS systems, so they no longer pose a threat. POS systems are notoriously difficult to secure, namely because they are spread across vast geographical locations, left in the hands of transient staff and subject to the least-spend-possible approach of retailers.

Such malware can get onto POS systems in a number of ways. The easiest is an inside job, or booting up a POS system from a malware-infected USB stick. Or simply hop onto the network, exploit the typically easy-to-guess credentials and install it manually. If criminals want malware on your POS systems, they’ll find a way to do it. Stores are unlikely to pick this up as they’re busy places, and deliberate, well-planned attacks can take many months to execute, by which time the 30-day retention period of most CCTV systems has removed all traces of the perpetrator.

Retailers are ultimately looking to reduce cost, as opposed to spending money on mitigating risks. Unfortunately this is a well-known fact, demonstrated by the recent data breaches at some pretty big household names.

As for the malware being advanced, I’d disagree. Pretty much all decent malware is capable of what Cisco describes, and has been for many years. All it takes is for malware to get root-level privileges in order to tamper with the boot record and reinstall itself on reboot. Trivial. Symantec acknowledged the resurgence of MBR infections back in 2011.

My advice?

  • Don’t put sensitive data on the least securable endpoints, such as POS devices, mobile phones, laptops and desktops.
  • Investigate end-to-end encryption solutions embedded on the PED (the PIN entry device), and it doesn’t have to be P2PE. These can be hugely beneficial, and they’re relatively cheap too, or certainly cheaper than putting Cisco’s APT early-warning systems in place.
  • Carefully consider the benefits of anti-malware solutions on POS devices. As most modern malware evades anti-malware technology, you might conclude you don’t need it. System hardening or application whitelisting could be a better, lower-maintenance approach.
  • Don’t make it easy for criminals. At least change those default passwords, and don’t put POS devices on a public wireless network and/or make public network jacks available in shops (we’ve actually seen this happen!).
  • Keep up to date with the threat landscape. Criminals are constantly changing their attack vectors, as they too are cost-sensitive. They’re looking for the cheapest, lowest-effort way into your systems. If retailers don’t at least investigate such issues, they will become the next headline breach.
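The first two points above only help if you can verify them: a memory scraper like PoSeidon finds card numbers by scanning process memory for digit runs that pass the Luhn check, so the same check, run over a memory dump or log file from your own POS build, tells you whether cleartext PANs are still reaching the endpoint after a PED-side encryption rollout. The following is an added example written for this article, not code from Talos or SC Magazine; the memory region and the card numbers in it are constructed (publicly known test PANs), and the `find_pans` function and its output format are this example’s own.

```python
import re
from typing import List, Tuple

# 13-19 digit runs not adjacent to other digits: the PAN length range
# used by the major card brands. Bytes pattern so raw dumps scan as-is.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first 6 and last 4 (the PCI DSS display limit), star the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, masked PAN) for each Luhn-valid digit run in blob.

    The Luhn filter removes most order numbers and timestamps, but a random
    digit run still passes it 1 time in 10, so treat hits as leads, not proof.
    """
    hits = []
    for m in PAN_RE.finditer(blob):
        digits = m.group().decode("ascii")
        if luhn_ok(digits):
            hits.append((m.start(), mask(digits)))
    return hits


# Constructed sample standing in for a dump of a POS process: two test PANs
# (4111..., 4242...) plus a 16-digit order number that fails Luhn.
SAMPLE = (b"\x00\x00POS.exe\x00txn=4111111111111111|exp=2612\x00"
          b"order=1234567890123456\x00"
          b"cust=4242424242424242 ok\x00")

if __name__ == "__main__":
    for offset, masked in find_pans(SAMPLE):
        print(f"cleartext PAN at offset {offset}: {masked}")
```

A clean result on a dump taken mid-transaction is the evidence that the PED-side encryption is actually keeping card data off the till; a hit means the malware would find it too.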

Tim Holman is the CEO at 2-sec and Director of the Information Systems Security Association (ISSA) international board. Tim has over 20 years’ professional experience as a PCI DSS and cyber security consultant. He was one of the first QSAs accredited in Europe and heads up 2-sec’s PA-DSS and penetration testing lab. Tim was the recipient of the Microsoft MVP for Security Award in 2004, 2005 and 2006, and in 2014 was awarded Fellowship of the Information Systems Security Association (ISSA), only the second person to do so in the UK over ISSA’s 27-year history. Connect with Tim on LinkedIn and follow him on Twitter for more.