Original Release Date: 10/28/2015
TLP: WHITE
On October 13, 2015, a New Jersey business discovered an infection by a point-of-sale (PoS) malware variant, detected by antivirus software as lanst.exe, one of many variants commonly known as Dexter. How an employee laptop was initially exposed to the malware remains unknown, though the NJCCIC assesses it was likely via a spear-phishing or drive-by download tactic. In this instance, the malware took advantage of the business’ lack of two-factor authentication and its ‘flat’ network (one with no segregation between its various components), as well as outdated computer systems and weak security policies. There is currently no evidence that any business or customer data was exfiltrated from the network.
During routine maintenance, a system administrator observed that a Windows security event log had been deleted by a known user account. It was determined that, prior to the incident, an authorized system administrator had logged on to a user’s laptop with administrator privileges to troubleshoot an issue that was preventing the user from printing. This laptop, used for marketing purposes, was potentially already compromised with malware, though the initial infection vector remains unknown. Once the system administrator had logged in with those privileges, the threat actor was able to move into the network using the administrator’s legitimate credentials and install the Dexter malware onto a server within the internal network. Once executed, the Dexter malware, including the lanst.exe file, scanned and mapped the network architecture and identified key components. The malware then compiled the network topology, encrypted user passwords, and customer transaction data into individual folders in preparation for exfiltration.
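Two of the signals in the account above are cheap to detect from standard Windows Security log events: the Security log being cleared (Event ID 1102) and a privileged account logging on interactively to an ordinary workstation, which is the step that left reusable administrator credentials on the marketing laptop. The following Python is an added illustration, not code from the NJCCIC advisory or from the affected business; the event records, host names, account names and the workstation naming convention are constructed assumptions.

```python
"""Detection checks for the two early signals in the incident narrative:
a Windows Security log being cleared, and an administrator account logging
on interactively to an ordinary workstation (the credential-exposure step).
All event records here are constructed sample data, not logs from the
affected business; host and account names are illustrative assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Windows Security event IDs (standard values).
EVENT_LOG_CLEARED = 1102      # "The audit log was cleared"
EVENT_LOGON_SUCCESS = 4624    # "An account was successfully logged on"
# Logon types that leave credential material on the local machine:
# Interactive (2), RemoteInteractive/RDP (10) and CachedInteractive (11).
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


@dataclass(frozen=True)
class WinEvent:
    time: datetime
    host: str
    event_id: int
    account: str                      # subject/target account of the event
    logon_type: Optional[int] = None  # only populated for 4624 events


# Constructed sample timeline (assumption: hosts named *LAPTOP* are workstations).
SAMPLE_EVENTS = [
    WinEvent(datetime(2015, 10, 13, 9, 15), "MKTG-LAPTOP-07", EVENT_LOGON_SUCCESS, "CORP\\sysadmin", 2),
    WinEvent(datetime(2015, 10, 13, 9, 40), "FILESRV01", EVENT_LOGON_SUCCESS, "CORP\\sysadmin", 3),
    WinEvent(datetime(2015, 10, 13, 9, 50), "MKTG-LAPTOP-07", EVENT_LOGON_SUCCESS, "CORP\\jdoe", 2),
    WinEvent(datetime(2015, 10, 13, 10, 2), "MKTG-LAPTOP-07", EVENT_LOG_CLEARED, "CORP\\jdoe"),
]
ADMIN_ACCOUNTS = {"CORP\\sysadmin"}  # assumed list of privileged accounts


def is_workstation(host: str) -> bool:
    """Assumed naming convention: workstations carry 'LAPTOP' or a 'WS' prefix."""
    upper = host.upper()
    return "LAPTOP" in upper or upper.startswith("WS")


def find_log_cleared(events):
    """Every 1102 deserves an alert: clearing the Security log is rare in normal operation."""
    return [e for e in events if e.event_id == EVENT_LOG_CLEARED]


def find_admin_workstation_logons(events, admin_accounts):
    """Interactive logons by privileged accounts on workstations expose reusable credentials."""
    return [e for e in events
            if e.event_id == EVENT_LOGON_SUCCESS
            and e.logon_type in INTERACTIVE_LOGON_TYPES
            and e.account in admin_accounts
            and is_workstation(e.host)]


def correlate_admin_then_clear(events, admin_accounts, window=timedelta(hours=24)):
    """Pair each admin workstation logon with a later log-clear on the same host inside the window."""
    pairs = []
    clears = find_log_cleared(events)
    for logon in find_admin_workstation_logons(events, admin_accounts):
        for clear in clears:
            if clear.host == logon.host and logon.time <= clear.time <= logon.time + window:
                pairs.append((logon, clear))
    return pairs


if __name__ == "__main__":
    for e in find_log_cleared(SAMPLE_EVENTS):
        print(f"[LOG CLEARED] {e.time} host={e.host} by={e.account}")
    for e in find_admin_workstation_logons(SAMPLE_EVENTS, ADMIN_ACCOUNTS):
        print(f"[ADMIN ON WORKSTATION] {e.time} host={e.host} account={e.account} type={e.logon_type}")
    for logon, clear in correlate_admin_then_clear(SAMPLE_EVENTS, ADMIN_ACCOUNTS):
        print(f"[CORRELATED] admin logon {logon.time} then log cleared {clear.time} on {logon.host}")
```

On the constructed timeline, the network logon to the file server (type 3) is not flagged, while the interactive administrator logon on the marketing laptop is, and it correlates with the log-clear on the same host 47 minutes later. In production the same three checks would run over Get-WinEvent or SIEM output rather than the inline list, and the admin list would come from group membership rather than a hard-coded set.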
Last week, researchers from the cybersecurity firm FireEye revealed a cybercrime group known as FIN5 that used similar tactics to steal 150,000 credit card numbers from a casino in 2014. This group used a backdoor (Tornhull) and a virtual private network (VPN) client (Flipside) to maintain persistence on the infected network, even after mitigation steps were taken. Again, in this case, two-factor authentication was the effective remediation.
Traffic Light Protocol: WHITE information may be distributed without restriction.