• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   Data Breaches: A Warning To System Admins

Data Breaches: A Warning To System Admins

  • Posted on:January 26, 2014 at 10:21 pm
  • Posted in:Malware, Targeted Attacks
  • Author:
    Trend Micro
2

We noted in our 2014 predictions that we believed that there would be one major data breach per month. Reports of data breaches against retailers ushered in the new year, where the credit card information of several million shoppers was stolen. There is no denying the scale and severity of breaches of this kind. While much ink–online and offline–has been focused on matters like who the author of the malware was, in the longer view what’s important to note is that there were many ways this attack might have been prevented–or security steps that could have been taken to thwart this kind of attack.

For example, POS systems represent a near-ideal situation for whitelisting and/or locked down systems: there is no compelling need to run general-purpose applications on a POS system. A locked down system would have made it more difficult to run malware on the POS devices.

Alternately, it is highly unlikely that such a large-scale attack was carried out with malware installed onto POS systems on an individual basis. It’s almost certain that some form of remote management software was used to install the malware onto the POS systems. This isn’t the first time that systems used to automatically install software onto systems has been compromised; last year the auto-update system of several applications in South KoreaĀ was used to plant malware onto affected systems.

The movement of such significant amounts of data across networks should also have been detectable as well. Network defense solutions would have been able to detect the internal network traffic used by this attack, or the data exfiltration traffic, or both.

The broad outlines of this attack are known, but specifics – such as what exact security procedures were in place and how/if they were evaded – are not yet public. However, businesses that handle critical data can take this incident and use it to determine if they, too, are at risk from similarly well-executed attacks. Companies in such a situation should double-check that all possible security procedures and products are in use and set up correctly, as well as for trained IT personnel to handle incidents as they happen.

One thing thatĀ is clear is that for high-value targets, simple endpoint security is no longer sufficient. As we mentioned earlier, protections based on detecting network and system behavior (such as Deep Discovery and Deep Security) would have been very useful in dealing with these kinds of threats. Enterprises that doĀ not have these solutions in place should consider implementing them in order to be able to guard against similar attacks; there is a good chance thatĀ other companies in similar situations will now have to deal with copycat attacks.

We detect the malware that we believe was used in this attack as TSPY_POCARDL.AB and TSPY_POCARDL.U; if any related threats are found we will release further protection as necessary. Frequently asked questions about this incident are answered in theĀ Simply Security blog.

For more detailsĀ on various targeted attacks, as well as best practices for enterprises, you may visit ourĀ Threat Intelligence Resources on Targeted Attacks.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE Ā»
SMALL BUSINESSĀ»
HOMEĀ»
Tags: data breachMalwarenetwork securitypoint-of-salePOSTargetTargeted Attack

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, ę—„ęœ¬, ėŒ€ķ•œėÆ¼źµ­, å°ē£
  • Latin America Region (LAR): Brasil, MĆ©xico
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Ɩsterreich / Schweiz, Italia, Š Š¾ŃŃŠøŃ, EspaƱa, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.