POS System Update With The Infected Code - Case Study 

Posted by lantelligence on Apr 5, 2018

Attack Attempt To A Large Dealership

“When someone uses third party software or devices like POS Systems, medical devices etc., they are at the mercy of the levels of security the vendors have built into them. Vigilant CyberDNA can give you visibility into remote devices without needing to have any agents installed on them.”


Detection Approach

One of Vigilant’s customers, an automotive dealer with double-digit dealership locations, was performing routine maintenance on their POS systems and upgraded them to the most recent firmware, which turned out to be infected.

This attack was not detected by the customer’s firewalls or their anti-virus; Vigilant CyberDNA saw it immediately and stopped what could have been a very expensive and damaging attack.

In order to detect attacks like this, Vigilant places its collection devices very carefully: an attacker working remotely has to cross the customer’s network at some point on the way out to the Internet. This gives an interesting vantage point, because no matter how the attacker tries to change their appearance, their traffic still has to cross the network and is detectable if you look at the data the right way.

Detection Process

Vigilant immediately noticed that this specific POS had two changes to its behavior:

1. In addition to sending DNS requests to the internal server as it normally would, it began sending DNS traffic outbound to Europe, and

2. Each outbound DNS packet was slightly larger than the corresponding request to the customer’s internal server. (DNS is the service that lets computers find hosts and websites by mapping between easy-to-remember host names and IP addresses.)

Vigilant’s analyst team went to work, inspected the traffic, reviewed all recorded network traffic, and quickly identified the reason the DNS packets were slightly larger: credit card information from a card swipe was embedded in clear text within each DNS packet.
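The two behavior changes described above (a new external DNS destination and larger-than-usual queries) plus the content check (a card number carried in the query name) can be reproduced as a small detection pass over DNS query records. The script below is an added example, not Vigilant’s or CyberDNA’s code; the resolver and host addresses, query names and packet sizes are constructed sample data, and the 25% size-ratio threshold is an assumption chosen for illustration.

```python
"""Flag a POS host whose DNS behaviour changes in the ways the case study describes.

Added example (not Vigilant's / CyberDNA's code). Three checks run over each
query record:
  1. destination is not one of the known internal resolvers,
  2. query payload is noticeably larger than the host's usual queries,
  3. the query name carries a Luhn-valid 13-19 digit card number.
"""
import re
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsQuery:
    src: str    # POS host that sent the query
    dst: str    # resolver the query was sent to
    qname: str  # name being looked up
    size: int   # DNS payload length in bytes


# Constructed sample data: addresses, names and sizes are hypothetical.
INTERNAL_RESOLVER = "10.0.0.53"
SAMPLE_QUERIES = [
    DnsQuery("10.0.5.21", INTERNAL_RESOLVER, "pos-update.vendor.example", 43),
    DnsQuery("10.0.5.21", INTERNAL_RESOLVER, "time.corp.example", 35),
    DnsQuery("10.0.5.21", INTERNAL_RESOLVER, "print01.corp.example", 38),
    # The behaviour change: queries to an external resolver, each carrying a PAN.
    DnsQuery("10.0.5.21", "203.0.113.7", "4111111111111111.a3f.exfil.example", 52),
    DnsQuery("10.0.5.21", "203.0.113.7", "4242424242424242.b9c.exfil.example", 52),
]

# A run of 13 to 19 digits not adjoined by other digits.
CARD_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for a well-formed card number, false otherwise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_findings(queries, known_internal=(INTERNAL_RESOLVER,), size_ratio=1.25):
    """Return (src, reason, qname) tuples for every anomalous query.

    The per-host size baseline is taken only from queries to known internal
    resolvers, so the suspicious traffic cannot poison its own baseline.
    """
    baseline = {}
    for q in queries:
        if q.dst in known_internal:
            baseline.setdefault(q.src, []).append(q.size)

    findings = []
    for q in queries:
        reasons = []
        if q.dst not in known_internal:
            reasons.append(f"query sent to unexpected external resolver {q.dst}")
        normal = baseline.get(q.src)
        if normal:
            median = statistics.median(normal)
            if q.size > size_ratio * median:
                reasons.append(f"query size {q.size} bytes vs host median {median:.0f}")
        # Remove dashes so a PAN split across label boundaries is still seen.
        for m in CARD_RE.finditer(q.qname.replace("-", "")):
            if luhn_ok(m.group(1)):
                reasons.append("Luhn-valid card number embedded in query name")
        findings.extend((q.src, r, q.qname) for r in reasons)
    return findings


def flagged_hosts(queries, **kw):
    """Sorted list of source hosts with at least one finding."""
    return sorted({src for src, _, _ in find_findings(queries, **kw)})


if __name__ == "__main__":
    for src, reason, qname in find_findings(SAMPLE_QUERIES):
        print(f"{src}  {reason}  [{qname}]")
    print("hosts to isolate:", flagged_hosts(SAMPLE_QUERIES))
```

Each of the two exfiltration queries trips all three checks, while the three routine queries trip none; in a real deployment the external-resolver check alone is a strong signal for a POS host, since such devices rarely have a reason to resolve names outside the internal resolver.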

Steps Of Detection

1. An attacker infiltrated the code repository of the POS vendor.

2. The customer downloaded and installed the POS update.

3. CyberDNA was operating within the environment and, without any agent on the device, detected both the behavior change of the device and the credit card information in the DNS packets.

4. None of the firewall-based IDS/IPS and other detection methods available within the customer’s network detected the attack.

5. Vigilant’s analyst team notified the customer of the compromised systems; the customer removed them from the network, cleaned them, and notified the manufacturer of the vulnerability.

Download Auto Dealership Cyber Security Full Case Study (PDF)

Related article: Detecting an Embedded OS Infected with Conficker On Patient Medical Monitoring Device

Tags: Vigilant, Cyber Security