Less than two years ago, much of the world was introduced to RAM scraping malware by the retail breach involving Target. While this type of attack has been seen since 2011, the 2013 Target breach was the largest-scale infiltration a RAM scraper had ever been involved in.
Since then, RAM scraper malware has become something of a favorite among malicious actors. Because it can target a company's point-of-sale system directly, a number of RAM scraper attacks have been carried out since the infamous Target breach. These resulted in other considerably impactful and damaging breaches, including one at Home Depot, which is now thought to be the most extensive breach yet.
Earlier this year, researchers discovered a new strain of RAM scraping malware, known as PoSeidon, that also targets the plaintext data held in the memory of a store's PoS system. Today, we'll examine this new sample, its similarities to other RAM scraping malware and strategies that can help prevent a breach of this kind.
RAM scrapers: Nothing new
As noted, this type of attack didn't begin with the Target breach. Dark Reading contributor Mathew Schwartz pointed out that hackers have been utilizing this type of malware for a number of years now. The first sample recognized in 2011 was Trackr, also known as Alina, which infected a series of hotels, an Australian auto dealership and at least one institution of higher learning. However, the RAM scraper-based attack on Target "set a new high," according to Schwartz, due to the number of records hackers were able to access and compromise.
"Because of the scale of the Target breach, this is probably one of the biggest incidents, if not the biggest incident, that has occurred," said security researcher Graham Cluley.
Then, just under a year later, came the breach involving home improvement retailer Home Depot, where cybercriminals again leveraged a RAM scraper to infiltrate the chain's PoS system. This attack proved to be even larger than that of Target, with a total of 56 million customer payment cards compromised, 16 million more than had been impacted by the Target breach, according to The Wall Street Journal.
PoSeidon: New kid on the block
Since the attacks on Target and Home Depot, security researchers and retailers alike have trained their focus on this type of malware sample, working to better understand how such infiltrations can take place, and how they can be prevented. Recently, researchers from Cisco's Security Solutions team uncovered a new point-of-sale Trojan that scrapes RAM to identify and compromise payment card information.
According to Computerworld, the new strain has been dubbed PoSeidon, which is actually made up of three malware components working in tandem to breach and scrape sensitive data. The malware includes a keylogger, a loader and a memory scraper that has keylogging capabilities as well.
The keylogger is a key part of this malware, as it enables hackers to snoop and steal authentication credentials for a remote access application. The sample is able to delete these credentials and profile information when users enter them, forcing them to enter the data a second time and allowing the keylogger to capture the details.
"Past studies have shown that PoS terminals are typically compromised through stolen or brute-forced remote access credentials, as many of them are configured for remote technical support," wrote Computerworld contributor Lucian Constantin. "[T]his keylogger is potentially used to steal remote access credentials that are needed to compromise point-of-sale systems and install PoSeidon."
Once the credentials are in place, the loader component is installed, which establishes the registry keys required to keep the malware in place even after a system reboot. At this point, the malware downloads the FindStr file from its command-and-control server, enabling the sample to identify payment card numbers being run through and stored on the PoS system.
While these functions are typical of any other RAM scraping malware, there is something that sets PoSeidon apart from other infections.
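The persistence step above is the point a defender can audit. The following is an added example, not code from this article or from the PoSeidon research it cites: it checks a PoS terminal's Run-key autorun entries against an allowlist taken from the machine's golden image and flags any value that is unexpected, that launches a binary other than the one allowlisted for that name, or whose binary lives outside the program directories. The allowlist, the trusted directory list and the registry entries are constructed sample data; a real audit would enumerate the values on the terminal with Python's winreg module or `reg query`.

```python
import re
from dataclasses import dataclass

# Run keys that the Windows logon sequence executes; a loader that persists
# through the registry commonly uses keys like these.
HKLM_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class AutorunEntry:
    key: str      # registry key the value lives under
    name: str     # value name
    command: str  # command line stored in the value


# Hypothetical allowlist for the terminal's golden image: value name -> the
# one executable that value is allowed to launch (compared case-insensitively,
# as Windows paths are).
EXPECTED_AUTORUNS = {
    "PosAgent": r"C:\Program Files\ExamplePOS\posagent.exe",
    "SecurityAgent": r"C:\Program Files\ExampleSec\agent.exe",
}

# Where a proper installation lives. The user profile, Temp and other
# user-writable paths are where a loader running as the PoS user can write.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)

_QUOTED = re.compile(r'^\s*"([^"]+)"')
_UNQUOTED = re.compile(r"^\s*(\S+?\.exe)\b", re.IGNORECASE)


def executable_path(command: str) -> str:
    """Pull the launched executable out of a Run-value command line.

    Handles the two common shapes: a quoted path followed by arguments, and an
    unquoted path without spaces. An unquoted path containing spaces comes back
    truncated at the first space; the audit flags it anyway because it cannot
    match the allowlist.
    """
    match = _QUOTED.match(command) or _UNQUOTED.match(command)
    return match.group(1) if match else command.strip().split(" ", 1)[0]


def audit_autoruns(entries):
    """Return [(key\\name, executable, [reasons])] for every suspicious entry."""
    findings = []
    for entry in entries:
        path = executable_path(entry.command)
        lowered = path.lower()
        reasons = []
        expected = EXPECTED_AUTORUNS.get(entry.name)
        if expected is None:
            reasons.append("value name not in golden-image allowlist")
        elif lowered != expected.lower():
            reasons.append("allowlisted name launches a different binary")
        if not lowered.startswith(TRUSTED_PREFIXES):
            reasons.append("binary lives outside program directories")
        if reasons:
            findings.append((f"{entry.key}\\{entry.name}", path, reasons))
    return findings


# Constructed sample data shaped like an export of both Run keys. A real audit
# would enumerate the values with winreg.EnumValue or `reg query`.
SAMPLE_ENTRIES = [
    AutorunEntry(HKLM_RUN, "PosAgent", r'"C:\Program Files\ExamplePOS\posagent.exe" /service'),
    AutorunEntry(HKLM_RUN, "SecurityAgent", r'"C:\Program Files\ExampleSec\agent.exe"'),
    AutorunEntry(HKCU_RUN, "WinHost", r"C:\Users\pos\AppData\Roaming\winhost.exe"),
    AutorunEntry(HKCU_RUN, "SecurityAgent", r'"C:\Users\pos\AppData\Local\Temp\agent.exe"'),
]

if __name__ == "__main__":
    for where, path, reasons in audit_autoruns(SAMPLE_ENTRIES):
        print(f"{where}\n  -> {path}\n  {'; '.join(reasons)}")
```

Running it reports the two HKCU entries: one under a name the image never had, and one that reuses the allowlisted "SecurityAgent" name but launches a copy from the user's Temp directory. Comparing against a per-image allowlist rather than a generic "known bad" list is what makes the second case visible.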
"Unlike other PoS memory scrapers that store captured payment card data locally until attackers log in to download it, PoSeidon communicates directly with external servers and can update itself automatically," Constantin wrote.
Researchers went public with their findings after the PoSeidon discovery, hoping to warn retailers and other organizations that this new sample was a threat. Currently, there have been no reports of PoSeidon being discovered in connection with a data breach in the wild.
Protecting against a RAM scraper
While protecting against this type of threat can be difficult, there are strategies companies can adopt to improve their chances of mitigating their vulnerability. The first step is understanding what type of businesses are at risk.
Although the majority of high-profile breaches involving RAM scraper malware have involved the retail sector, this isn't the only industry that is at risk. Naked Security contributor Numaan Huq noted that organizations in education, food services, hotel and tourism and health care are also targets for hackers.
In addition, experts suggest utilizing monitoring capabilities to maintain visibility of all the points where a hacker could strike. This type of technology can help identify suspicious activity that could be associated with the beginning stages of an attack.
"To defend against RAM scraping, it's a good idea for enterprise IT security managers to make sure preventative and detective measures are in place for the organization's high-value targets, typically devices where sensitive data resides or that may represent a way to easily obtain access to it," wrote TechTarget contributor Nick Lewis.
In addition, employees should be taught what to look for to help identify an attack of this kind. For example, the PoSeidon malware deletes users' authentication credentials when initially entered, enabling the sample to capture this information when it is input a second time. If an employee notices their username and password inexplicably deleted from the login portal, they should alert the IT team.
Lewis also suggests having a plan in place that will govern how the organization will react if an attack of this kind is discovered.
"Putting a process in place to follow up on potential RAM-scraping attacks (or any attacks, for that matter) is as important," Lewis wrote. "If network-monitoring systems identify when a high-value target, such as a stationary point-of-sale terminal, starts communicating with new systems on an internal network in the enterprise or on the Internet, this alert should not only draw the attention of the security staff, but also be investigated quickly."
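The alert Lewis describes can be expressed as a baseline check over connection logs. The following is an added example, not code from this article or from any product it names: it parses constructed firewall records and raises one alert per PoS terminal that talks to a destination outside its allowlisted peers, tagging each new peer as internal or Internet-facing so the two cases in the quote above are both caught. The terminal subnet, the baseline addresses and the log lines are assumptions made for the example.

```python
import ipaddress

# Constructed sample: connection records exported from a store firewall as
# "timestamp source destination dst_port bytes_out". Real exports vary; only
# parse_records needs to change to fit them.
SAMPLE_LOG = """\
2015-04-01T09:00:12Z 10.20.1.51 10.20.0.10 443 1820
2015-04-01T09:00:40Z 10.20.1.51 10.20.0.25 8443 940
2015-04-01T09:01:05Z 10.20.1.52 10.20.0.10 443 1764
2015-04-01T09:03:19Z 10.20.1.51 10.20.3.77 445 20480
2015-04-01T09:04:02Z 10.20.1.51 203.0.113.45 80 65536
2015-04-01T09:04:30Z 10.20.1.52 10.20.0.25 8443 912
"""

# Hypothetical baseline: the PoS terminal subnet and the only two systems a
# terminal is expected to talk to (the store's PoS server and the payment
# gateway relay). Anything else is "a new system" in Lewis's sense.
POS_TERMINALS = ipaddress.ip_network("10.20.1.0/24")
BASELINE_PEERS = {
    ipaddress.ip_address("10.20.0.10"),  # PoS back-office server
    ipaddress.ip_address("10.20.0.25"),  # payment gateway relay
}

# RFC 1918 ranges checked explicitly rather than via ip_address.is_private,
# which also treats documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr) -> bool:
    """True for RFC 1918 addresses; accepts a string or an ip_address object."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in RFC1918)


def parse_records(text: str):
    """Parse the export into (timestamp, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append((ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)))
    return records


def find_new_peers(records):
    """One alert per (terminal, peer) pair that is outside the baseline.

    The first record for a pair carries the alert; later records for the same
    pair are folded into its byte count so the analyst sees total volume.
    """
    alerts = {}
    for ts, src, dst, port, nbytes in records:
        if src not in POS_TERMINALS or dst in BASELINE_PEERS:
            continue
        key = (src, dst)
        if key in alerts:
            alerts[key]["bytes"] += nbytes
            continue
        alerts[key] = {
            "time": ts,
            "terminal": str(src),
            "peer": str(dst),
            "port": port,
            "scope": "internal" if is_internal(dst) else "internet",
            "bytes": nbytes,
        }
    return list(alerts.values())


if __name__ == "__main__":
    for a in find_new_peers(parse_records(SAMPLE_LOG)):
        print(f"{a['time']} terminal {a['terminal']} -> new {a['scope']} peer "
              f"{a['peer']}:{a['port']} ({a['bytes']} bytes)")
```

On the sample data the check produces two alerts for terminal 10.20.1.51: a new internal peer on port 445 and a new Internet peer on port 80. Because a stationary terminal has a small, stable set of peers, the baseline can be tight, which is why the alert is worth the quick investigation Lewis asks for rather than being left in a queue.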
This can help prevent an attacker from further compromising the network and mitigate the overall damage caused by the breach. Working with a third-party security expert like Trend Micro can also be helpful to ensure that all sensitive points are covered and the proper monitoring security is in place.