US-CERT issued an alert earlier today that a new malware threat, dubbed "Backoff," was discovered targeting point-of-sale devices. "Backoff" variants have been traced back to October 2013 and is responsible for uncovering data and keylogging. The points of entry for suspects are remote desktop solutions. Once the remote access application is located, suspects brute force the login. Now inside the system, the malware is deployed on the POS system and customer payment data is exfiltrated.
This is just the latest in a string of attacks that have targeted Remote Desktop Protocol with brute force. As part of their advisory, US-CERT included a list of strategies for remote access, network and POS security. Many of their recommendations for remote desktop access are available in more secure solutions, such as Netop Remote Control, straight out of the box.
The US-CERT remote desktop access security strategy recommendations:
- Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to login whether from an unauthorized user or via automated attack types like brute force.
- Limit the number of users and workstation who can log in.
- Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).
- Change the default Remote Desktop listening port.
- Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.
- Require two-factor authentication (2FA) for remote desktop access.
- Install a Remote Desktop Gateway to restrict access.
- Add an extra layer of authentication and encryption by tunneling your remote desktop through IPSec, SSH or SSL.
- Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
- Limit administrative privileges for users and applications.
- Periodically review systems (local and domain controllers) for unknown and dormant users.
At the time the advisory was released, the "Backoff" malware was not detectable by most anti-virus solutions. The variants are quickly being added, however; companies are advised to maintain up-to-date anti-virus engines and signatures. In the interim, applying indicators of compromise can be applied (a listing of IOCs is included in the advisory).