Since October 2013, at least 600 businesses have discovered malicious software that is being referred to as “Backoff” installed on their networks.
When first discovered, this malware had very low anti-virus detection rates, so even fully updated anti-virus software on updated and patched computers did not detect its presence.
Backoff is installed on point of sale (POS) systems through remote desktop applications used in back-office operations of affected retailers. Backoff injects malicious code into explorer.exe, so that even if the executable is stopped, the malware continues to function.
The “Backoff” malware was first detected last October.
What It Does and Potential Impact
Backoff has four main capabilities:
• Logging keystrokes
• Scraping memory for data
• Command and control communication
• Injecting malicious code into explorer.exe
POS systems compromised by this malware threaten both business and customer with the possibility of exposure of sensitive data. If you work in the IT department of an organization that uses POS devices, it’s critical that you protect your network to prevent exposure to this malware.
What Memory Scraping Does
Memory scraping is a way for malware to find important personal data. It searches a device’s memory for sensitive data that is not available elsewhere, and is considered one of the most dangerous attack techniques used today. Memory scraping malware can, for example, steal data that is otherwise encrypted by capturing it from applications in which it passes through memory unencrypted, rendering many security measures useless. Backoff scrapes memory, logs keystrokes, and searches for track data, accessing sensitive information like credit card numbers. Once in possession of such information, Backoff encrypts it and transmits it to a system under the attacker’s control.
How Access to POS Systems Is Gained
According to the US Department of Homeland Security (DHS), Backoff attackers use publicly available tools to find businesses that use remote desktop applications. The remote desktop applications targeted include Microsoft, Apple, and Chrome Remote Desktop, LogMeIn, Join.Me, Pulseway, and Splashtop 2. It’s possible that other remote access products that facilitate file sharing could be vulnerable too. These applications may be set up by IT administrators, vendors, or outsourcers for remote management and support of systems. Anyone using a tool to access even a single desktop remotely could find his or her credentials used to install this malware, allowing attackers to use the infected machine as a launch point to more important systems.
Remote desktop control can be extremely useful, but be aware of risks.
This Is One Way “Shadow IT” Can Be Dangerous
If employees in your organization use “shadow IT”, for example by installing a share-and-sync product without going through proper software acquisition channels, they could inadvertently give malware attackers like those behind Backoff a remote access channel that could be exploited. It’s critical that organizations educate employees on this danger and provide approved remote access methods that can be monitored for unusual activity. “Shadow IT” apps on the machines of those with access to corporate networks can turn these machines into very attractive targets.
Defending Against Backoff
If your organization uses remote desktop applications, configure them to lock users out after a specific number of failed login attempts. This defends against the brute-force methods Backoff attackers use to obtain credentials. Review firewall configurations to make sure only allowed IP addresses and ports communicate on the network. Outbound firewall rules are particularly important: a compromised host that is allowed to connect on open ports to any IP address lets attackers exfiltrate critical data to servers they control. The DHS provides a number of guidelines for securing remote access to protect against Backoff.
Additional security steps include:
• Setting up alerts for unexpected activity (like a vendor logging in over a weekend)
• Limiting administrator privileges to critical personnel and limiting points from which they can gain remote access
• Implementing multi-factor authentication and forbidding shared logins
• Consolidating remote access tools for central management
• Blocking open listening ports like TCP 3389 after installing central remote access
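The two detections above, a failed-login lockout threshold and an alert on remote logins at unexpected times such as a vendor logging in over a weekend, can be checked against remote-access login records. The script below is an added example, not code from the article or from DHS; the log format, the threshold of five failures, and the 08:00–17:59 Monday–Friday business-hours policy are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the article): one remote-access login
# per line in the assumed format "timestamp user source_ip result".
SAMPLE_LOG = """\
2014-08-01T10:15:00 vendor_pos 203.0.113.10 FAIL
2014-08-01T10:15:04 vendor_pos 203.0.113.10 FAIL
2014-08-01T10:15:09 vendor_pos 203.0.113.10 FAIL
2014-08-01T10:15:13 vendor_pos 203.0.113.10 FAIL
2014-08-01T10:15:18 vendor_pos 203.0.113.10 FAIL
2014-08-01T10:15:22 vendor_pos 203.0.113.10 SUCCESS
2014-08-02T03:40:00 vendor_pos 203.0.113.10 SUCCESS
2014-08-04T14:02:00 store_admin 198.51.100.7 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")
MAX_FAILURES = 5               # assumed lockout threshold
BUSINESS_HOURS = range(8, 18)  # assumed policy: 08:00-17:59, Monday-Friday

def parse(log_text):
    """Yield (timestamp, user, source_ip, result), skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, ip, result = m.groups()
            yield datetime.fromisoformat(ts), user, ip, result

def find_alerts(log_text):
    """Return (alert_type, user, source_ip, timestamp) tuples for:
    - brute_force: MAX_FAILURES consecutive failures from one user/IP pair
    - success_after_failures: a login that succeeds right after such a streak
    - off_hours_login: a successful login on a weekend or outside BUSINESS_HOURS
    """
    alerts = []
    streak = defaultdict(int)  # consecutive failures per (user, source_ip)
    for ts, user, ip, result in parse(log_text):
        key = (user, ip)
        if result == "FAIL":
            streak[key] += 1
            if streak[key] == MAX_FAILURES:
                alerts.append(("brute_force", user, ip, ts))
            continue
        if streak[key] >= MAX_FAILURES:
            alerts.append(("success_after_failures", user, ip, ts))
        streak[key] = 0
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_login", user, ip, ts))
    return alerts
```

Run against the sample it flags the fifth failure, the success that immediately follows it, and the 03:40 Saturday login, while the Monday afternoon login from the administrator raises nothing.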
Whether you work in the retail sector or not, the Backoff malware should make you stop and think. Remote desktop control can be great for saving time, but when it’s not managed and secured properly, it can open the way for attackers to gain access to critical company or customer data. Reviewing administrator privileges and who has access to remote desktop applications is a smart step whether or not your organization is a likely target for hackers like those behind Backoff.