Early detection halts Avanti kiosk attack

Tukwila, Wash.-based Avanti Markets Inc., a self-service solutions provider, shut down kiosks in select U.S. office breakrooms that may have been compromised by malware. Forensic analysts believe the intrusion occurred July 2, 2017, and praise the company for detecting and stopping the attack within 72 hours. Avanti alerted the FBI and issued a public statement July 4, with recommendations to those who may have been affected.

Avanti representatives said kiosks do not store personally identifiable information (PII) and do not have universal configurations, which makes them less susceptible to wide-scale attacks. Customers who paid by credit card at infected kiosks during the malware's 72-hour window may have exposed card credentials; those who paid by "Market Card" may have exposed names and email addresses, company representatives noted. However, they confirmed that biometric data was protected by end-to-end encryption used in all Avanti fingerprint readers.

Protecting the POS 'gray zone'

Jonathan Sander, Chief Technology Officer at STEALTHbits Technologies, said POS systems are not a big area of focus for many security professionals. "The POS systems are often brought in from the outside, used by contract or part-time employees, and even connected to networks that aren't fully IT managed," he said. "They live in a gray zone that makes them both hard to manage and easy to target."

Companies must act swiftly to update aging POS infrastructure, added Ido Wulkan, Intelligence Team Lead, IntSights Cyber Intelligence Ltd. Wulkan said criminals used similar attack vectors against Avanti and other major chains, such as Intercontinental Hotels in 2016. "This type of malware infects [POS] machines, collects the credit card data and transfers it to a remote server," he stated. "POS devices are known to operate on old and under-maintained systems, which makes them more susceptible and vulnerable to malware."

Wulkan also observed the Avanti threat actor used the same SSL certificate as the group behind the PoSeidon and Chanitor POS malware attacks. "This group tends to re-use its C&C infrastructure in different campaigns, and its servers are hosted in Eastern Europe, which might indicate that it is of Eastern-European origin," he stated. "The group utilized Microsoft Office Macro Vulnerabilities and phishing emails as attack vectors for its previous campaigns, which means these methods might also have been used for this campaign to some extent." Failing to protect external-facing computers can leave them open to unauthorized entrants who can infiltrate an organization's network and utilize vulnerabilities to attack POS systems, Wulkan said. He recommended the following tactics to mitigate against POS threats:

• Update all technologies and products. Work to ensure that old and unmaintained POS devices are patched or replaced with newer versions that operate on supported systems.
• Properly segment external-facing networks and the cardholder data environment.

• Change default passwords on devices, which attackers use to gain access to external-facing devices.

• Monitor third-party vendors to ensure they comply with common security standards, and minimize their access to internal networks as much as possible.

Automating responses, technology

Gilad Peleg, Chief Executive Officer of SecBI, sees a tough road ahead for forensic investigators as they sift through millions of log files to identify the machines that communicated with outside IP addresses and correlating these incidents over the time-span of the breach. "Regardless of which incident response firm they have called to their aid, this task could take weeks and they should really consider using [artificial intelligence (AI) and machine learning algorithms] to reduce this time, deliver conclusive results and no false-positive alerts," he stated. SecBI's Autonomous Investigation technique uses AI and multiple layers of machine learning to mimic an expert cyber security analyst at machine speed investigating and hunting through billions of logs to detect the full scope of malicious incidents, Peleg noted. "As an example, we use unsupervised machine learning and cluster analysis to piece together seemingly benign events into suspicious incidents (clusters) that go undetected by other systems."

Lisa Baergen, Marketing Director at NuData Security, a Mastercard company, said the Avanti breach is a reminder of the need for organizations to rethink how they protect and verify user identities in the digital world. "Using a multilayered approach of integrating device intelligence, active and passive biometric analysis, and behavioral analytics is the key to truly understanding the user behind the device – which will effectively devalue the stolen identity data to any other person or entity," she added.

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.