Gourmet sandwich cyber-hack leaves FBI in a pickle

POS malware hits US retailers including Jimmy John's 'gourmet sandwich' chain

Gourmet sandwich cyber-hack leaves FBI in a pickle
Gourmet sandwich cyber-hack leaves FBI in a pickle

The FBI has stepped in to issue a new malware warning after a restaurant chain's credit card system was compromised last week across several US states. The Jimmy John's ‘gourmet sandwich' chain was among other trading names linked to a cyber-attack designed to steal customers' personal financial data.

The FBI's own cyber-investigators identified notorious malware-related software signatures used in Point-of-Sale (POS) systems known as Punkey. The name derives from a 1980s era US sitcom about a little girl called Punky Brewster.

An FBI alert known as a Flash notice has stated that in the past year, there has been an increase in restaurants, casinos, hotels and resorts targeted by POS malware. The Bureau (as it is known) further states that cybercriminals today infect victim networks to extract credit card information and quickly monetise it within cyber-criminal forums.

Retrofit your customer front-end

Speaking to SCMagazineUK.com on this story this week was TK Keanini CTO of Lancope. He suggests that, “It is ‘painfully obvious' by now that these Point of Sale systems were built without the consideration of this kind of threat. Let's all be aware of this and retrofit what we can today and as we face a future of the Internet of things, so that we learn from these oversights and take into account modern threat modelling.”

The Jimmy John's chain was just one of several brand names linked to POS attacks in the US in recent times. Other names include general purpose store Target, Home Depot, craft store Michaels and department store Neiman Marcus. The PF Chang's Chinese restaurant chain has also been named.

The FBI's legal requirement rulings states that its team of investigators have “high confidence” that new malware was used in “a recent network intrusion against a restaurant chain” – although neither of the above restaurant brands was acknowledged individually.

The FBI is “distributing indicators” to enable [all firms'] network defence activities to protect secure payment networks and to reduce the risk of similar attacks in the future.

Just one ‘wafer thin' margin

Security specialist for IBM UK Neil Warburton says that he knows of an instance where a hacker broke into the company's network and stole log-in credentials from the firm's vendor-partner to use those credentials to remotely access Point of Sale systems.

Speaking to SCMagazineUK.com this week, Warburton stated, “In this kind of scenario especially in retail, IBM sees supply chain attacks being a common route for introducing vulnerabilities and malware which can then also amplify these attacks. The retail industry is known for having to operate with wafer thin margins. The additional cost of these high visibility data breaches can make all the difference between profit and loss for many retailers.”

The Punkey hack itself is marked out by its ability to inject other malicious files such as software updates into the systems it is used to attack. It's important to remember than a software update itself can be used as a means of avoiding detection by security defence software.

Tendering tokenisation

Technical director for UK &  Ireland at F5 Gary Newe says that the rise in mobile payment platforms such as Apple Pay and Android Pay helps prevent situations like these. As people use their mobile devices with these payment methods, they are actually using a tokenisation solution he says.

Speaking to SCMagazineUK.com directly, Newe said that what this means is that the customers' credit card number never actually reached the merchant, thereby bypassing this type of malware.

“Payment processors might usefully look to add additional intelligence to provide more points of information on the terminals to allow a more informed decision on whether a transaction should be accepted or not. At the moment online retailers use this type of info and pass it (in some cases) to the payment processors to reduce fraud, but the days are gone when it could be assumed that the payment terminals were ‘clean' and the processors need to implement additional protections for their terminals. This is not a surprise at all and we will see more of this type of fraud/hacking in the future. These terminals run software and they are vulnerable and exploitable,” said F5's Newe.

Reconnaissance tools and privilege escalation

The Punkey hack's intelligence capabilities are thought to have shown up in more than one hack, as is suggested by the number of US brands affected by this story. Further then, this suggests that more than one ‘actor' may have customised the original malware code in use. Punkey has also been said to exhibit the ability to ‘execute additional reconnaissance tools and perform privilege escalation', hence, this is powerful malware.

Also commenting on this story is Boatner Blankenstein, director of solutions engineering at Bomgar. The company has retailers that use its privileged access management and remote support appliances to control access to POS devices.

Blankenstein spoke to SCMagazineUK.com to explain that there are a huge number of new malware attacks being developed that target POS devices – and there have been at least four major ones so far this year. But he says, however sophisticated they might be, there are simple steps that can be taken to reduce or eliminate the risk that these new attacks represent.

Good network (and sandwich making) hygiene

“If you look at the most high profile breaches on retailer POS networks, their POS systems and IT networks were supported by third-party providers. These organisations often use remote access tools to manage those devices. If those third party companies don't exercise good hygiene around access control, then they can be compromised. Once a hacker gets inside this network, they can then use that privileged account to compromise the retailer and then upload malware, like Poseidon, to multiple victims' POS systems,” said Blankenstein.

His opinion centres around the suggestion that this abuse of privileged access can be difficult to protect against as the retailers often don't directly control what tools are used in many cases.

As a best practice, retailers should therefore enforce use of secure remote access by the vendors that they work with as a condition of winning their business, as well as auditing their suppliers' identity management and security processes so that they can see that best practices are being followed.

“The recent changes in PCI DSS v3 made it clear that responsibility around hacking attacks always resides with the vendor, irrespective of whether they outsource their IT management or not. Keeping this in mind will help retailers and their suppliers keep POS networks secure, regardless of whatever new malware attacks are created,” added Blankenstein.