Threat Profiles

Any internet-connected device that has latent hardware or software vulnerabilities can be ripe for hijacking by a malicious actor seeking to create a botnet. In order to do so, the malicious actor begins looking for specific devices that possess an easily exploitable vulnerability. He can find these devices by using a search engine specifically designed to expose their existence and location. The information that these search engines can reveal include the make and model of a device, as well as the location, IP address, the operating system, open ports, running services, and much more.

Once the malicious actor locates a device he wants to exploit and compromise, he uses a port scanner to determine what ports are listening, what services are running, and what operating system is being used. As soon as the malicious actor gathers enough information about the device and how it’s connected, he uses that information to his advantage and utilizes his skills and tools to gain unauthorized access. He may use default login credentials to access the administration panel of the device or he may attempt to brute-force the login screen. He may discover that the device is not password-protected or that the particular vulnerability he’s looking to exploit has been hardcoded into the device by the manufacturer.

After the malicious actor has gained access to the device, he installs malware onto it, either by delivering and launching an executable file or by replacing the firmware with a modified version. This malware is designed to allow him remote access of the device or it tells the device to establish contact with a command-and-control (C2) server and wait for additional commands. It can also act as a worm, establishing peer-to-peer (P2P) connections with additional vulnerable devices and spreading the infection automatically, saving the malicious actor the time and trouble of compromising each device individually.

Once the botnet has been created, the malicious actor decides how he will use it and issues commands to the zombie devices through the C2 server, which is either an Internet Relay Chat (IRC) channel or a dedicated server.

This is not an exhaustive list and will be updated periodically:

• Disconnect the infected device from the network.
• Disconnect the infected device from its power source, and drain the remaining power from the internal battery, if applicable. Some botnet Trojans run from the memory of the infected device so removing the power source will clean the infection.
• Perform a reboot and, if possible, reset the device to its factory-default settings.
• Access the device’s administration panel. This may be done either on the device itself or through a web browser. Once you have gained access, immediately change the default login credentials to something more secure, using a combination of upper and lowercase letters, numbers, and non-alphanumeric characters or symbols.
• Ensure that the device has the most up-to-date version of the firmware installed and apply patches as soon as they are released. Consult the product documentation or the manufacturer’s website for instructions on how to check the firmware version and download and install patches and updates.

It is important to note that, in some cases, resetting the device, changing login credentials, and updating firmware will not completely eliminate the possibility or potential of compromise, especially if the malware is being delivered via the firmware itself or if there is an issue with the underlying hardware. Also, if the device contains hardcoded credentials or if consumers cannot disable SSH or Telnet access to the device, there is the potential for additional compromise.
Click to Enlarge

Image Credit: Kaspersky Lab

• Establish a network activity baseline prior to connecting any IoT devices to your network. Continue to monitor both the inbound and outbound traffic on your network after connecting the device(s) for spikes in traffic or other anomalies.
• Disable Universal Plug and Play (UPnP) on routers.
• Disable SSH (TCP 22) and Telnet (TCP 23) access.
• Block ports TCP 103 and TCP 2323.
• Block outbound connections on port TCP 48101.

If your organization is the victim of a botnet attack, or would like to learn more about how REAL Solutions Technologies prevents botnets, please contact us at Support@REALSolutionsTech.com.

There are four key stages to an EK attack:

1. Contact - the victim accesses a link that connects to an EK server (i.e. from a malicious ad, compromised website, or email hyperlink)
2. Redirect - the victim is filtered based on a set of criteria specified by the EK attacker, such as the IP address or browser type, and redirected to the server that hosts the EK, and then delivers them to the landing page that will determine what vulnerabilities to exploit.
3. Exploit - once the vulnerabilities are identified, the EK server downloads the exploit files to target the appropriate applications
4. Infect - once the vulnerabilities are exploited, the attacker downloads and executes malware on the victim’s machine, often a banking Trojan or ransomware

The constantly evolving nature of exploit kits underscores the need for a progressive and proactive cybersecurity posture - one that equally addresses the vulnerabilities and exploits of people, processes, and technology. Below are some mitigation strategies to help defend against EKs:

A typical kit includes a directory page for exploits, one for images and sometimes another for configuration data. The kit also includes a statistics page that allows the user to view exploited computers and their data--geographical location, operating system and version, software installed, exploits already delivered, and much more. This data is usually used to see which systems are most poorly secured and can be used to spread more malware.

The two most important parts in a toolkit are the landing page and control panel. The landing page is used as a starting point for the exploitation process. It collects data on the victim and uses that data to determine which exploit to use. The control panel is used to adjust exploits and also upload custom malware to be implemented afterwards.

Exploits kits are expected to become more advanced in the coming years and will remain a top cyber threat. They are difficult to track down, especially since organized crime gangs won't let just anyone rent or lease a kit. Often a user has to go through a rigorous process before they can get their hands on even the cheapest of kits.

To avoid being targeted, constantly check to make sure your software is up to date and avoid any unsolicited websites at all costs. These toolkits are set up to exploit any possible vulnerabilities and you just never know who is tracking your data.

If your organization is the victim of a Exploit Kit attack, or would like to learn more about how REAL Solutions Technologies addresses Exploit Kits, please contact us at Support@REALSolutionsTech.com.

Mobile malware can infect user's mobile devices through a number of means, including clicking malicious links in SMS texts and webpages and downloading malicious applications. Once a device is infected, the actor can conduct malicious activity or load additional malware onto the device.

Banking Trojans designed to steal user credentials for online banking accounts and mobile are the most prevalent form of Mobile Malware, accounting for 30 percent of all mobile malware according to IBM Security Intelligence. Other mobile malware variants have the capability to log keystrokes, steal personal information, send SMS texts from the mobile device, and download crypto-ransomware to lock the device or encrypt files until the user pays a ransom.

• Immediately apply patches and updates supplied by operating system vendor, the phone manufacturer, or the network carrier.
• Avoid downloading third-party applications from unauthorized sources.
• Avoid “rooting” devices, which allows the user to retain administrative privileges and provides attackers with ample opportunity to control a device.
• Bluetooth should be disabled when it is not required or in use.
• Consider downloading or purchasing an anti-malware app. (Malwarebytes or Kaspersky)
• Never trust text messages sent from an unknown user, especially on third party messaging apps.
• Avoid responding to or clicking links in unsolicited text messages from unknown senders.
• Organizations operating with BYOD policies are urged to educate employees on mobile threats and vulnerabilities, implement monitoring and endpoint protection on all mobile devices, establish the capability to remotely wipe lost or compromised devices, and ensure programs and users have the lowest level of privileges necessary to complete tasks.

Consumer awareness of mobile security threats still lags behind the reality of the situation. Users who would never install software from an unverified source on their PC readily click on links in SMS messages and unwittingly download files from unknown sources on their mobile devices.

As a result, SMiShing (SMS phishing) campaigns designed to distribute mobile malware are exponentially more effective then email phishing, especially when customized to target the client base of a specific financial institution or service provider.

Users are also notoriously slow to update their mobile devices’ OS. It is therefore no surprise that mobile malware commonly observed in attacks on consumers, such as the Basebridge Trojan, exploit vulnerabilities in outdated mobile systems.

Worst yet, a significant segment of mobile users actually take steps to jailbreak or root their devices in order to access unofficial app markets or get free programs. In doing so, they not only annihilate their phone’s built-in security, but also drastically increase the risk of downloading a malicious app. In fact, according to recent reports, up to 32 percent of apps on unofficial markets contain malicious content.

If your organization is the victim of a Mobile Malware, or would like to learn more about how REAL Solutions Technologies handles Mobile Device Management, please contact us at Support@REALSolutionsTech.com.

PoS malware targets consumers personal and financial data stored on one of up to three "tracks" on the magnetic strip located on the back of a payment card. The majority of payment cards in the U.S. contain two tracks of data used by financial institutions to store a customers information; some cards contain a third track.

• Stores 79 alphanumeric characters containing the customers name, primary account number, card expiration date, and card verification value (CVV) code, along with additional characters to differentiate between data fields and identify endpoints.

• Stores 40 numeric characters and contains nearly the same information as the first track, except for the customers name.

• Is not standardized among banks and therefore rarely used. If present, however, it may include an encrypted Personal Identification Number (PIN), country code, and currency units.

When a payment card is swiped through a PoS system, unencrypted payment data from Track 1 and Track 2 of the card are briefly stored in the systems Random Access Memory (RAM) for authorization and processing before being encrypted for transmission and storage in the payment server for that company. Although the payment card industry has uniformly adopted a strict set of data security standards which require end-to-end encryption of payment information, the RAM remains the one vulnerable location where PoS malware can exploit unencrypted payment information.

1. Infection: The malware is introduced onto the targeted system or network.
2. Execution: The malware then scans and monitors processes to find data, creates or modifies registry entries to maintain persistence, and may even introduce additional elements such as keylogger malware or bot functionality.
3. Collection: PoS malware uses RAM "scrapers" to evaluate the clear-text RAM data by using regular expressions (regex) or the Luhn Algorithm to differentiate between Track 1 and Track 2 data versus other types of data.
4. Extraction: The malware then extracts the payment card data and transmits it back to the hackers via a command and control (C2) server.
5. Profit: That information can then be used to create fraudulent cards for physical use at retail stores and automated teller machines (ATMs), to make online purchases, or to sell for profit on black-market websites or forums.

A 7 step breakdown of how the infection works. Please review the graphic below:

Click to Enlarge

Image Credit: Websense Forcepoint

There is always too much focus on the latest POS malware infection, as opposed to retailers having failed to put in place, the defenses that would better blunt these types of attacks. Every time the POS malware hits the market, everyone goes crazy, we have all these news releases, and we may even have a graphic released with the new malware. Yet, we ignore the fact that there's malware getting on the point of sale in the first place.

What retailers need to do is ensure they submit POS devices to security audits before they're rolled out. The problem is the vulnerabilities in the point of sale as well as the lack of deep-dive testing in the point of sale. Retail establishments are not doing their due diligence.

One common mistake retailers make is failing to scrub default passwords or account names from devices. In about every 3 or 4 out of 10 retail stores, the password is default. Any business that is bigger than a mom-and-pop shop to use network segmentation to better isolate POS systems and make related malware infections easier to block and detect.

We recommend table-top exercises, involving outside consultants, to help brainstorm the easiest - and thus most likely - ways an attacker would try to penetrate any particular retailer's network. You're not going to make any modern system bulletproof, but you can make it less profitable for the attackers to attack you.

• Implement all recommended vendor patches and test to ensure the patch is successfully integrated.
• Enforce up-to-date AV signatures, but do not only rely on AV signatures alone; criminals often customize PoS malware in order to bypass the targeted networks AV solution.
• Monitor firewalls for outbound traffic to unknown or suspicious IP addresses and domains.
• Mandate regular password changes, especially immediately before and after the holiday season, and enforce complex password rules for all network and remote access users.
• Implement multi-factor authentication wherever possible, especially for remote access applications and employees who manage customer data.
• Lock user accounts after multiple failed login attempts.
• Implement malware detection software to identify anomalous and suspicious patterns of behavior.
• Implement software to detect key-loggers on PoS terminals.
• Deploy a host-based intrusion prevention system (HIPS).

• Ensure that your PoS systems have a firewall or proxy installed for protection.
• Deploy an appropriately configured intrusion prevention system (IPS).
• Employ proper network segmentation, such that PoS systems operate on a separate, protected subnet.
• All VPN access should be performed through the IPS and must use up-to-date authentication mechanisms.
• Segregate your PoS system from other network functions such as email and non-PoS related applications. If the PoS is attached to enterprise resource planning (ERP), inventory, or finance systems, use application gateways to ensure the PoS functionality is logically protected.

• Confirm what data is at rest on PoS terminals and deploy endpoint encryption for those devices.
• Encrypting Card and PIN information before going into the payment terminal memory has been an effective technique to safeguard the payment data. There are several vendors who provide this technology.
• Some retailers have elected to replace in store payment terminals with new technology to encrypt card account numbers and other track data as it is swiped in the mag stripe reader or read by the chip reader.

• If the PoS is processed by software operating on a single terminal, consider not allowing that terminal Internet access, or restricting its internet access to only those destinations required for PoS functions (such as payment gateways).
• Do not use PoS terminals or other computers with access to PoS systems for Internet surfing, checking email, or accessing social media.
• Consider requiring two or more employees to approve any updates of the payment processing applications and, if possible, filter updates to terminals through a controlled server on the network.

• Ensure that there are no active USB ports or other media drives open on a PoS terminal. If running a Windows OS, ensure that auto-run is disabled to protect against insider threats.
• Inform employees to be on the lookout for skimmers, USB sticks, or other devices connected to PoS systems.
• Check all PoS systems, including card swipe equipment, for connected devices on a daily basis.
• Keep a detailed log of employees, vendors, and 3rd parties who access PoS terminals and servers.

• Enforce a strict application whitelisting policy.
• Log and configure alerts triggered by any changes made to that whitelisting policy.
• Record and change default settings of any PoS hardware and software, including default passwords.

• Perform Open Web Application Security Project (OWASP) audits on any web applications.
• Test databases and web login portals against brute force password attacks and SQL injections.
• Secure webservers that contain customer data, including payment gateways and e-commerce applications.
• Ensure that no unauthorized code has been introduced to the production environment.
• Run regular vulnerability scan against your approved applications and patch vulnerable software immediately.
• Re-run vulnerability scans whenever new or updated applications are introduced.

• Segregate the payment processing systems from remote access applications when possible.
• Restrict the network resources remote access users can access.
• Monitor remote user accounts for login abnormalities such as frequent failed login attempts, logins during non-normal working hours, and abnormal duration of logon.
• Enable and regularly review host-based security logs.
• Disable unused ports and services especially those that support remote access such as remote desktop protocol (RDP) and virtual network computing (VNC).

• Conduct information security and risk assessments of all third party vendors with access to your network.
• Do not allow vendors to remote access your network with outdated and unsecure operating systems.
• Maintain an accurate list of third parties with remote access or physical access to the network perimeter.
• Require vendors to use multi-factor authentication (MFA) for remote access when possible. If MFA is not available, disable remote access except when specifically requested and scheduled by the vendor.
• Establish baselines for all 3rd party vendor network activity, including remote access and logins.
• Monitor 3rd party vendor activity for anomalous behavior such as frequent failed login attempts, logins during non-normal working hours, and abnormal duration of logon.
• Evaluate and limit third party network access privileges. For example, whitelist third party network addresses on a firewall provisioned to control remote access by third parties.
• Segment the network if possible through the use of secured VPNs with managed access control.

If your organization is the victim of PoS Malware, or would like to learn more about how REAL Solutions Technologies prevents PoS Malware, please contact us at Support@REALSolutionsTech.com.

1. Installation: A Trojan is typically introduced onto a system after a user-initiated action, either through social engineering, web-browsing, or use of filesharing or peer-to-peer networks.
2. Command and Control: Once a victim unknowingly allows a Trojan onto their machine, it connects to the malicious server to receive instructions from the attacker.
3. Download: Trojans will often load additional malware onto the compromised system, such as keyloggers, remote administration tools, or ransomware.
4. Objective: Once the attacker has installed the right tools or established the access they need, they can copy, delete, and modify data, cause damage to the compromised device, or maintain control over the system for other malicious purposes.

Trojans typically seek to perform one or more of the following activities:

• Trojans can wreak havoc on a computer system by forcing it to slow down or completely crash, corrupting data, reformatting discs, or encrypting data (Ransomware).

• Trojans can be used to enlist a computer or server into a Botnet.

• Trojans are used to access files, log keystrokes, watch the user's screen, access and enable the webcam or microphone.

• Trojans are used to steal personal, medical, or financial information that is then sold on the dark web or used to commit identity theft or fraud. Attackers can also use compromised financial information to transfer funds electronically.

• Trojans can serve as ransomware, encrypting files, or locking down a system until a ransom is paid by the victim.

Click to Enlarge

Image Credit: IBM

Following basic best practices will decrease your chances of being compromised by a Trojan:

• Use a reputable antivirus program and set to update automatically.
• Run antivirus scans as frequent as possible.
• Ensure your firewall is enabled.
• Only download software and files from legitimate sources.
• Scan all files and programs before installing them.
• Update your operating system and all software as soon as updates become available.
• Require administrative permission to install new apps and programs.
• Never open email attachments or links in suspicious emails.
• Avoid clicking online ads or pop-ups.
• Avoid illegitimate or suspicious websites and file-sharing services.
• Use a quality email filtering service - We offer a detailed email security service for any email system.

If your organization is the victim of Trojans, or would like to learn more about how REAL Solutions Technologies prevents Trojans, please contact us at Support@REALSolutionsTech.com.