A major restaurant chain last week announced that malware had infected its order-entry systems to steal customers’ payment card information.
The chain had taken the precaution of enabling end-to-end encryption on its point-of-sale (POS) systems, which are the usual target of retail malware. That encryption did block the malware on the POS terminals, but it was completely ineffective against the actual target, the order-entry system. That system, which has a card reader attached, lets restaurant workers enter kitchen and bar orders and swipe reward cards.
It appears that some waitstaff mistakenly swiped real payment cards on the order-entry system, and the malware collected the cardholder name, card number, expiration date and internal verification code from those swipes. The mistaken swipes thus became an inadvertent early-warning system: the malware was able to detect, collect and manipulate that data, and the IT team was given notice early enough to take its assessment to the next level.
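The lesson of the mistaken swipes is that an out-of-scope device with a card reader will eventually see real track data. One control a practitioner would want is a check, run over the order-entry system's swipe log, that flags anything shaped like a payment card on a device that is only supposed to read reward cards. The following is an added example, not code from the restaurant chain or from the original article. The loyalty issuer prefix, device names and swipe strings are constructed for illustration; the two payment PANs are the well-known Visa and Mastercard test numbers.

```python
import re

# Track 1 and Track 2 layouts follow ISO/IEC 7813: Track 1 is
# %<format code><PAN>^<name>^<expiry+service code+discretionary>?,
# Track 2 is ;<PAN>=<expiry><service code><discretionary>?.
TRACK1_RE = re.compile(r"^%[A-Z](\d{13,19})\^[^^?]*\^[^?]*\?$")
TRACK2_RE = re.compile(r"^;(\d{13,19})=\d{4}[^?]*\?$")

# Hypothetical issuer prefix for the chain's own reward cards; a real
# deployment would load this from the loyalty program's card spec.
LOYALTY_PREFIXES = ("639800",)

# Constructed sample swipes; the payment PANs are the public Visa and
# Mastercard test numbers, not real cardholder data.
SAMPLE_SWIPES = {
    "order-entry-07": [
        "%B4111111111111111^DOE/JANE^29011011000000000?",  # Track 1, payment card
        ";5555555555554444=29011011000000000?",            # Track 2, payment card
        ";6398000012345670=99129999?",                     # Track 2, reward card
        "garbage from a misread swipe",                    # not a track at all
    ],
    "order-entry-12": [
        ";6398000098765430=99129999?",                     # reward card only
    ],
}


def is_luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_pan(swipe: str):
    """Pull the PAN out of a Track 1 or Track 2 string, or return None."""
    m = TRACK1_RE.match(swipe) or TRACK2_RE.match(swipe)
    return m.group(1) if m else None


def classify_swipe(swipe: str, loyalty_prefixes=LOYALTY_PREFIXES):
    """Classify a swipe as ('loyalty'|'payment'|'unknown', pan_or_None).

    Reward cards are recognised by issuer prefix first, so a loyalty card
    that happens to be Luhn-valid is not reported as a payment card."""
    pan = extract_pan(swipe)
    if pan is None:
        return ("unknown", None)
    if pan.startswith(loyalty_prefixes):
        return ("loyalty", pan)
    if is_luhn_valid(pan):
        return ("payment", pan)
    return ("unknown", pan)


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_swipes(swipes_by_device, loyalty_prefixes=LOYALTY_PREFIXES):
    """Return (device, masked PAN) for every payment card swiped on a device
    that should only read reward cards; repeated swipes of one card on one
    device collapse to a single alert."""
    alerts = []
    seen = set()
    for device, swipes in swipes_by_device.items():
        for swipe in swipes:
            kind, pan = classify_swipe(swipe, loyalty_prefixes)
            if kind != "payment":
                continue
            key = (device, mask_pan(pan))
            if key not in seen:
                seen.add(key)
                alerts.append(key)
    return alerts


if __name__ == "__main__":
    for device, masked in audit_swipes(SAMPLE_SWIPES):
        print(f"ALERT {device}: payment card {masked} swiped on a non-payment device")
```

The audit never stores or prints a full PAN, only the masked form, so the alert itself does not widen PCI scope. Run against the constructed sample it reports two cards on order-entry-07 and nothing for order-entry-12.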
Back to the Future
Five years before that announcement, our MSSP conducted a limited security review and vulnerability assessment against the same restaurant chain's computer infrastructure. The effort was seeded with 49 IP addresses, 34 email addresses and 13 websites. The assessment was successful in that, starting from that initial data, our team was able to discover additional sites that led to an easy foothold on the corporate network.
Our team's simulated attackers compromised 50 user credentials and 21 computers, and from there gained access to both the POS system and the order-entry system.
The assessment was conducted in three phases: external, phishing and internal. The external phase identified actionable threats against the network, including remote code execution via JBoss and SQL injection; most of the external attack surface was in their web applications. Their anti-phishing capabilities successfully stopped two of the phishing attempts. During the internal phase, however, our attackers were able to move laterally across the entire network from the external access provided by the JBoss vulnerability.
While the restaurant's security team excelled at stopping those two phishing attempts, none of the other penetration activity was blocked anywhere. This sampling indicated a critical level of cybersecurity risk to all of their network-based operations, and the team submitted a specific set of recommendations to mitigate that risk.
The following summary conclusions reflect the restaurant chain’s security posture as viewed from our limited engagement:
- Discovered multiple paths enabling the team to bypass their security appliance.
- Found 6 high-risk vulnerabilities, including SQL injection and command execution via JBoss, indicating that a comprehensive review of the entire network of restaurant operations would reveal additional high-risk vulnerabilities.
- Compromised 21 computers and gained credentials that would have compromised 100 more during the attack.
- Held SYSTEM privileges on all compromised systems, i.e., full administrative control of each host.
- Compromised 50 user credentials and hashes, i.e., 50 clear-text passwords and password hashes of accounts that we were able to use to log into OWA (the web version of Outlook) and other systems.
- Logged into the Outlook mail of those compromised accounts and moved laterally in the network while reaching the external OWA to validate that external path.
- Were two hops away from achieving complete domain control over the entire network.
We found 13 actionable issues of varying severity and proposed a remediation plan that would significantly reduce the risk of successful cyberattacks. The restaurant chain decided it was unwilling to spend an additional $44,000 for an extended 6-week red-team penetration test and vulnerability assessment, and another $149,500 annually on software that would improve its ability to detect and respond to threats like the order-entry attack.
As we saw with the Target lawsuits filed by 47 states over a similar breach, that single settlement alone was $18.5 million, or 93 times the cost of the restaurant chain fix described here. Home Depot paid $19.5 million.
Court Decides on Actual Damages Issue
Both of these settlements came before the recent landmark circuit court ruling in the CareFirst case, which held that "at the very least, it is plausible to infer that this party has both the intent and the ability to use that data for ill," and that this is sufficient for the plaintiffs' legal standing.
In other words, plaintiffs no longer have to prove current harm, but may instead file lawsuits based on future risk of harm.
On what planet does it not make sense to spend $200,000 to avoid $20 million lawsuits?
Maybe they are about to find that out.
Whatever the final determination, we think it is critical for IT, IoT and OT practitioners to work out remediation plans in advance, because the optics of a breach need to show that the victim is in control and retains leverage over the negotiation process.
Toward that end, we have built response principles into our Incident Response Planning and Execution coursework that help prepare security teams for the initial response stages. To learn more about what we are building, join us for our upcoming launch and register at https://cybered.io/.