Question

Assume a scenario where the hackers gained access to information through malware on Point-of-Sale (POS) systems of more than million credit and debit card. The firewall had captured the first malware code and an alert was issued which was ignored. The hackers started downloading the collected data. The cyber criminals have hacked the system to gain credit and debit card information.

1. Explain in your own words what happened in the above discussed data breach. [5 Marks]

2. Identify and experience the type of attack experienced in the above scenario [2 Marks]

3. The stolen credentials alone are not enough to access the company’s POS devices. What other means can the hackers acquire to allow them to navigate the company’s network and deploy the malware. [3 Marks]

4. What would have hackers done for privilege escalation? [2 Marks]

5. The organization admitted that they ignored many alerts from their network security devices because of alert overload. If you are the organization’s Chief Technical Officer (CTO), what would you do to reduce the problem of alert overload? [3 Marks]

6. The security experts criticize the organization for failing to isolate sensitive sections of their networks from those more easily accessible to outsiders. As a CTO, please propose a feasible solution to segment and categorize your networks and resources. [5 Marks]

Answer 1

1.) The attack which took place in the given description is a point of sale malware attack which is specially designed for point of sale terminals and related systems with the goal of stealing of payment data and associatedated card data. This type of attack is used by the cyber criminals who want to resell the data they captured from the attack on the POS. The payment card data is encrypted end to end and is decrypted only at the the RAM memory of the device while the payment is processing. The malware attack enters the system through a compromised or weakly secured point and it iterate over the RAM memory to find the payment card data. Since, in the RAM memory, malware can find the an unencrypted data so through the internet connection, all these data are sent to to hacker in an unencrypted form.

IT professionals also referred to the POS malware as a process scanner because it checks for the active processes on the computer and it iterate over anything it might found helpful including the payment and card information. It looks for the data which fits in the format of encoding in a credit card magnetic strip. Search data format include the name of card holder card number which may include pin. As soon as the encrypted card information arrives at the RAM the malware get a very limited period of time to capture the data which gets unencrypted on the RAM. The malware gets very little time to capture such information while the the transformation of of information forms. The breaches which occur due to the malware attack at POS systems are are the breach of of authentication, information and data security. It is an unauthorised access. It is also a breach of confidentiality of information where sensitive data is being accessed by an authorised entity.

2.) It is a type of malware web based attack.Usually, attacks targeting POS networks are multi-staged in a mature scenario and can cover all phases of the cyber killchain (recognition, weaponization, distribution, manipulation, installation, command and control, and aim action).

In addition, most current POS systems are typically built on a general purpose operating system ( OS), making them more vulnerable to a broad range of attack scenarios and encouraging the creation of tools, malware or exploits by cyber criminals that can potentially impact a large number of victims.

The aim in of the cyber criminals to capture such data is to sell them on the dark web which in turn it is bought by some other cyber criminal to make fraudulent transactions based on information of the cards. These breaches are also done in order to prove oneself that the attacker is capable of doing such a sophisticated attack on any system.

3. & 4. ) There are various methods that an attacker can use to gain access to a network hosting POS systems, such as:

searching for vulnerabilities in externalfacing systems , e.g. using a web server SQL injection, or sending an organisation some spear-phishing e-mails. The attacker use and take advantage of some software bugs are vulnerabilities is which mein keep some point of entry into the system open inadvertently. This vulnerability is likely hidden within the code of the system and it is a race between the cyber security expert and cyber criminals to find search vulnerabilities to serve their respective purposes. Common exploited softwares includes the operating system itself on which the POS system is installed or the the server which is serving the client of POS systems. Cyber criminals may also get access to the system with the use of a spam emails which are sent to the POS company's employee in which the employee is tricked into downloading the malware from the email and the malware copies itself to the disk. This way it can find its path to the POS server and administrative privilege is gained over the the whole system.

Another such way to gain the administrative Access on the target system is when employee of the target system is tricked into you downloading some word document with malicious macros. Those who search macros on the system insects their machine with a dynamic link library downloader. This DLL is designed to download additional malware over the internet on the victim's computer. The threat actor move laterally to the other system within the environment and a memory scraping tool is flushed into the victims network to identify the system handling payment card data and steel track 1 and track 2 card data.

One more such attack which can be performed by the attacker is by installing key logger on the compromise device which will scan the systems to get the keystrokes of card number and password.