The recent surge in news stories, white papers, blog posts, interviews, and technical briefings regarding the Point of Sale (POS) system breaches at many major retailers has left most organizations speculating as to whether or not they could be susceptible to the same type of attack. Many security companies are claiming that they can protect organizations against this type of attack, and some even claim that this incident was sophisticated and advanced. RSA IR analyzed many of the samples that were used in the attack against the largest of these companies, and based on our analysis, the actual malware that was used on the POS endpoints appears to have been in the wild since at least June of 2013. Some organizations are trying to treat this threat symptomatically. Instead, RSA suggests that organizations look at how an intruder would get from outside of the network to the POS machines and what measures are in place to detect and identify this type of intrusion.
The malware that was used in this breach has been well documented by many research companies, some of which have claimed to attribute an author to the different pieces of malware. This report will not delve into the technical artifacts of the malware, but will instead describe how RSA tools like Security Analytics and ECAT would have alerted an organization to this type of intrusion, leading to expedited response time and reduced exposure, and helping to stop the attack before data was exfiltrated. Included along with this report is content that can be deployed to RSA products to detect different aspects of this attack.
The accompanying digital appendix includes Yara signatures that organizations can use to determine whether these types of malicious files are currently present in their enterprise. Also available in the digital appendix is a blacklist that can be imported into ECAT to help an organization quickly identify and categorize known files.