Poseidon attack

"Enterprises continue to fall victim to the phenomenon that Illumio calls the “paradox of the perimeter” - spending 80% of their security dollars to secure 20% of the traffic."

A new POS malware has been spotted in the wild by CISCO, that is, allegedly, more sophisticated and nasty than previously seen POS malware.

The "PoSeidon" malware is built on the shoulders of Zeus, and sports improvements to BlackPOS which plundered millions from Target payment terminals in 2013.

It scrapes memory from POS terminals, siphoning the captured card data off to Russian domains for likely resale, Cisco says.

PoSeidon contains a loader that maintains persistence on infected boxes to survive reboots and user log-outs.

A subsequently downloaded binary FindStr implants a keylogger which scans memory in pursuit of credit card number sequences. Identified numbers are verified using the Lund algorithm and encrypted and shipped off to one of a dozen hardcoded command and control servers. 

Richard Cassidy, technical director EMEA, Alert Logic says:

“ePOS systems remain a top target for hacker cells and we’ve already seen a great deal of variants of many successful ePOS malware programs this past 12 months.

“The groups behind these threats are well aware that organisational IT & Security teams are up against a monumental challenge in terms of managing the security and data transaction estate with a great deal of effort being focused on achieving compliance more than can be afforded on effective security practices.

“This gives attackers a greater window of opportunity than ever before and the challenge is only becoming greater for businesses.”

This isn’t to say that organisations aren’t focusing time on security monitoring and response capabilities argues Cassidy, it’s simply a case that the data analysis needed (log, traffic flows, application transactions and user activity) for effective security insights and protection is proving so great, that security teams are finding It increasingly difficult focus the time and effort needed to detect directed malware activity of the ilk of “PoSeidon”.

Casssidy continues:

“The fact that this particular malware now implements a keystroke logger, is interesting on two fronts; first it means that its threat footprint is easier to detect and secondly it shows that this particular malware may not have been written to stand the test of time as we’ve seen with more cleverly designed malware such as the infamous BlackPOS malware application that hit Target back in 2013.

“The hardcoded domain names should offer some instant help in detecting data exfiltration attempts, however good old fashioned security practices on locking down data transfers from key financial systems to only trusted destinations, will make it more difficult for attackers to get the data back to its intended destination.

“The challenge is that if we continue as businesses to deploy more and more security systems, we’re going to bury ourselves deeper into content output that we simply cannot analyse effectively enough to stay one step ahead of the new threats released by very well resourced and talented hacker cells.

“Overall, organisations need to look at how they can more effectively build big data analytics and deeper security insight knowledge into their own security processes, perhaps this is where cloud based solutions can offer instant gratification and immediate outcomes from security and compliance perspective.”

Adam Winn, manager, OPSWAT says:

“The use of hard-coded C&C server addresses is very surprising. With the apparent effort that went into building this malware, it would seem a marginal investment to code-in a dynamic C&C server address mechanism. This implies a few possibilities:

  • The coders aren’t as sophisticated as the rest of the packaging implies
  • This is a one-time attack with no plans of re-use (unlikely)
  • This was simply a proof of concept or first attempt, and we should expect to see variants soon with new batches of C&C addresses coded-in

Chandra Sekar, Sr. Director of Product Strategy, Illumio says:

“While the new malware includes abilities to survive reboots and user logouts at PoS terminals, the techniques used continue to exploit the “soft-and-chewy” insides of enterprise data centers that rely mainly on perimeter protection.

"Enterprises continue to fall victim to the phenomenon that Illumio calls the “paradox of the perimeter” - spending 80% of their security dollars to secure 20% of the traffic. A vast majority of the data traffic that happens inside the data centers is under-protected and hackers that have made their way past porous perimeter defenses take advantage of this situation.”

Retailers and enterprises handling sensitive credit card information need to consider the following steps to deter hackers from exploiting PoS systems.

  • Gain systems and transactional visibility inside their data centers and clouds to know where sensitive data is being handled.
  • Invest in security technology that provides easy ways to segment systems inside data centers including PoS systems.
  • Provide policy-based encryption of data in motion and data at rest.
  • Lock down transactions to the narrow set of permitted flows to prevent lateral movement from potentially compromised systems.
  • Prevent exfiltration of sensitive content by enforcing data residency controls for servers within their environment “