With “Backoff” POS Malware, Attackers Use Your Security Tools Against You
Yesterday the US Department of Homeland Security issued a warning to US businesses against a new POS malware attack called “Backoff”. The attackers are targeting common remote access systems like Microsoft Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop, Pulseway and join.me. To make matters worse, this little bug is difficult for anti-virus software to detect.
US-CERT issued the warning along with mitigation steps that organizations should take which you can view here. The warning contains the following recommendations designed to prevent data loss and detect malicious behavior related to this new threat:
- Implement data leakage prevention/detection tools to detect and help prevent data exfiltration
- Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials)
When attackers go after your remote access systems they are doing it knowing full well that these systems provide access to high value data and that they are cloaked in encryption - which you unwittingly provided to them. If you aren’t monitoring your encrypted traffic at the network level it may be difficult to impossible for you to detect anomalous behavior or a compromised identity.
Malware like "Backoff" is designed to exploit the fact that most organizations do not monitor or control their encrypted traffic. Despite the risk, many companies rely on traditional privileged access management (PAM) solutions (ie. jump hosts) and end point security alone to do the job. Unfortunately, as most of the 600 or so companies that have already been victimized by this latest attack could probably tell you, traditional approaches to defending against attackers targeting encrypted networks just don't work very well.
Fill in the gaps in your network security. An encrypted channel monitoring solution will provide you with network level visibility into your encrypted traffic and enable your SIEM and DLP solutions to stop would-be attackers or malicious insiders before they can compromise or exfiltrate your data. The message is simple; don’t let the bad guys use your own security tools against you.