Incident: New Jersey Business Infected with Point-Of-Sale Malware

TLP: WHITE | On October 13, 2015 a New Jersey business discovered an infection of a point-of-sale (PoS) malware variant, detected by antivirus software as lanst.exe, one of many variants commonly known as Dexter. It remains definitively unclear how an employee laptop was initially exposed to the malware, though the NJCCIC assesses it was likely via a spear-phishing or drive-by download tactic. In this instance, the malware exploited the business’ lack of two-factor authentication and ‘flat’ network—meaning there was no segregation between various components—as well as outdated computer systems and weak security policies. There is currently no evidence that any business or customer data was exfiltrated from the network.

Summary

During routine maintenance, a system administrator observed that a Windows security event log had been deleted by a known user account. It was determined that prior to the incident, an authorized system administrator logged on to a user’s laptop with administrator privileges to troubleshoot an issue that was preventing the user from printing. This particular laptop, used for marketing purposes, was potentially compromised with malware, though the initial infection vector remains unknown. Once the system administrator logged in with privileges, the threat actor was able to infiltrate the network by using the administrator’s legitimate credentials and install the Dexter malware onto a server within the internal network. Once executed, the Dexter malware, inclusive of the lanst.exe file, scanned and mapped the network architecture and identified key components. The malware then compiled network topography, encrypted user passwords, and customer transaction data into individual folders in preparation for exfiltration.

Last week, researchers from cybersecurity firm FireEye revealed a cybercrime group known as FIN5 that used similar tactics to steal 150,000 credit card numbers from a casino in 2014. This group used a Tornhull backdoor and virtual private network (VPN) client, Flipside, to maintain persistence on the infected network, even after mitigation steps were taken. Again, in this case, two-factor authentication was the effective remediation.

DOWNLOAD FULL ANALYSIS

Contact Information
To report an incident, or if your organization would like to learn more about the NJCCIC, please contact a Cyber Liaison Officer at NJCCIC@cyber.nj.gov or visit www.cyber.nj.gov.

Traffic Light Protocol: WHITE
TLP: WHITE INFORMATION MAY BE DISTRIBUTED WITHOUT RESTRICTION