Multiple sources are reporting that a targeted strain of malware has infiltrated the point-of-sale (PoS) systems of U.S. retailer Home Depot.
It appears to be a very close variant of the Backoff malware that affected P.F. Chang’s last summer. Backoff itself was a variant of the malware that infiltrated Target’s systems in 2013.
This latest attack may have begun in April or May. If so, it would be the longest-running attack of its kind, potentially affecting thousands of consumers.
If all this sounds eerily familiar, it should. The recent P.F. Chang’s and Target breaches, attributed to a hacking group based in Russia, affected thousands of consumers and were widely documented. In all three cases, the attack code employed the same RAM scraping capabilities and the same AV evasion capabilities.
The attackers have put the data allegedly stolen from Home Depot up for sale on underground forums, labeling it “American Sanctions” and “European Sanctions”. This seems to indicate that the attack was an act of retaliation against the U.S. and Europe for the economic sanctions placed on Russia in response to its actions in Ukraine. If this is in fact a nation-state sponsored attack, it clearly raises the stakes for commercial organizations to urgently reform their security practices.
Why, for example, in the aftermath of the attack on Target in 2013, did PoS providers and retailers not put in place defenses to detect and block similar attack methods?
Instead, many PoS providers and retailers continued to use the same security methods. This status quo mentality makes this latest attack less a surprise and more a given. If current approaches don’t change, it’s likely to happen again.
To prevent these PoS breaches, many are urging the adoption of EMV “chip and PIN” cards, which make counterfeiting extremely difficult by removing reusable data. The transition to EMV cards in the U.S. has accelerated and will certainly deter future breaches. But what about the malware threat? It’s clear by now that anti-virus systems alone are not enough to mitigate these attacks.
As evidenced by the Home Depot incident, a new paradigm is required to stave off major breaches. Security must reside on the actual device being protected, where it can natively monitor live endpoint activity, detect malicious behavior and block it, rather than in an emulator or virtualized sandbox.
That’s why SentinelOne has developed technology that keeps security ahead of threats, even zero-day and targeted attacks. At the first sign of suspicious activity, our Predictive Execution Inspection engine anticipates threat behavior and blocks the attacker’s next move.