It now appears that the string of recent data breaches at US retail establishments was not a coincidence, but rather related attacks using the same malicious software kit.
In a security advisory from the US Secret Service dated 22 August 2014, obtained by the New York Times, the government said the malware known as Backoff has struck more than 1000 US companies since October 2013.
US government agencies including the Secret Service first publicly warned businesses of the Backoff malware in a bulletin on 31 July 2014, but only now is the extent of the malware’s reach becoming clear.
Backoff is a type of malware called a RAM scraper, because it steals clear-text payment card data out of RAM (Random Access Memory) on point-of-sale (PoS) computers.
The recent Secret Service bulletin doesn’t name any of the impacted businesses, but does say that seven PoS system providers have confirmed that they have had “multiple clients” infected with the Backoff malware:
Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the “Backoff” malware. Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1000 U.S. businesses are affected.
Even though the report doesn’t name any victims, you may have read speculation that Backoff is the same malware that turned up in Target’s breach, or that it is the malware behind recently-announced breaches such as the one at UPS Stores.
We’re not aware of any evidence to support either of those theories, but we’re not convinced that it really matters, anyway.
Your security goal should ideally be a defense-in-depth strategy that helps to protect against any and all malware, as well as against a range of other potential security problems.
Backoff – what it does
The cybercrooks behind the Backoff malware seem to have focused on poorly-secured systems, breaking in by means of remote access applications such as Microsoft Remote Desktop (RDP), Apple Remote Desktop and LogMeIn.
According to the US Computer Emergency Readiness Team (US-CERT), the criminals use publicly available tools to locate businesses that use these remote desktop tools and then simply guess at the necessary passwords to gain administrator access.
Then the criminals are able to deploy the Backoff malware, which scrapes the PoS system’s memory for payment data and sneaks it out of the infected network hidden in an encrypted web upload (an HTTP POST request) to servers controlled by the crooks.
Additionally, Backoff has a general purpose command-and-control (C&C) function that can also update the malware, uninstall it, or download yet more malware.
US-CERT’s alert says researchers have identified three primary variants of Backoff, which have been around since as far back as October 2013.
Since that time, Backoff has added keylogging functionality, which it can use to steal keystrokes such as passwords.
How to stay safe
US-CERT has updated its alert to advise businesses on ways to mitigate Backoff.
Application control and network monitoring can help detect the presence of connections to these systems as well. Careful monitoring should be able to detect or prevent unexpected or unauthorized remote connection attempts.
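As an added illustration of the kind of monitoring described above (example code written for this page, not from the original article or from US-CERT), a small Python detector that flags a source address which racks up repeated failed remote-access logons within a short window, and raises the severity if a logon from that same source then succeeds. The log line format, the sample lines and the threshold are all constructed assumptions; the addresses are RFC 5737 documentation ranges.

```python
"""Detect password-guessing against remote-access logons from auth log lines.

Lines use a constructed, simplified format (not real RDP/LogMeIn output):
    <ISO timestamp> <source_ip> <user> <SUCCESS|FAILURE>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failures from one source, then a success,
# followed by an ordinary user mistyping a password once.
SAMPLE_LOG = """\
2014-08-20T02:10:01 203.0.113.7 administrator FAILURE
2014-08-20T02:10:03 203.0.113.7 administrator FAILURE
2014-08-20T02:10:05 203.0.113.7 admin FAILURE
2014-08-20T02:10:08 203.0.113.7 pos FAILURE
2014-08-20T02:10:11 203.0.113.7 administrator FAILURE
2014-08-20T02:10:14 203.0.113.7 administrator SUCCESS
2014-08-20T09:00:00 192.0.2.10 jsmith FAILURE
2014-08-20T09:00:20 192.0.2.10 jsmith SUCCESS
"""


def parse(log_text):
    """Yield (timestamp, source_ip, user, succeeded) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def detect_guessing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: verdict} for sources reaching `threshold` failures
    within `window`. Verdict is "brute-force" while only failures are seen,
    and "brute-force-then-success" once a logon from that source succeeds,
    which is the pattern that warrants immediate investigation of the host."""
    failures = defaultdict(list)  # ip -> timestamps of failures inside the window
    verdicts = {}
    for ts, ip, _user, ok in parse(log_text):
        if ok:
            if verdicts.get(ip) == "brute-force":
                verdicts[ip] = "brute-force-then-success"
            continue
        recent = [t for t in failures[ip] if ts - t <= window]
        recent.append(ts)
        failures[ip] = recent
        if len(recent) >= threshold and ip not in verdicts:
            verdicts[ip] = "brute-force"
    return verdicts
```

A single failed logon from a normal user never trips the threshold, so only the sustained guessing pattern the advisory describes is reported.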
Tips for businesses
1. Segregate your networks. Shield your PoS computers from the all-purpose computers in your business.
2. Limit the applications allowed on your PoS computers. Consider using Application Control to be notified if someone or something tries to install risky software on a cash register.
3. If your anti-virus has a Live Protection service, make sure it is on and working. With a suitable firewall rule, your PoS computers can benefit from almost-instant updates when new threats emerge.
4. Don’t ignore warning signs. Target failed to react to reports from its own IT support center that would probably have led to much earlier detection and remediation of its massive malware infestation.
5. If your anti-virus has a Host Intrusion Prevention System (HIPS), use it on your PoS computers. Software behavior on a PoS system ought not to change without warning, so deviations are always worth blocking and investigating. (See also #2 and #4.)
6. Review your remote access policies and procedures. Consider requiring the use of a Virtual Private Network (VPN) with two-factor authentication (2FA) support.