A large ($3Billion+) and well-known restaurant chain announced early this year (pre-COVID-19) that malware had infected its order-entry systems and allowed bad guys to run off with millions of their customer’s payment card information.
Their point-of-sale (POS) systems which are typically the target of retail malware attacks had been protected, in their minds, by enabling end-to-end encryption. While this encryption neutralized malware attacking its POS system, it was completely ineffective against an attack on its order-entry system, which happened to be the target of the subject campaign.
That system, which has a card reader attached, allows restaurant workers to enter kitchen and bar orders and swipe reward cards.
It appears that some wait staff employees mistakenly swiped actual payment cards on the order-entry system and the malware managed to collect the cardholder’s name, card number, expiration date and internal verification code data.
A Real Story from the Front Lines
A couple of years ago, my red team conducted a limited exercise against a similar restaurant chain’s computer infrastructure. The effort was seeded with 49 IP addresses, 34 email addresses, and 13 websites. Our team’s simulated attackers were able to compromise 50 user credentials and 21 computers and gain subsequent access to both their POS system as well as their order entry system.
The assessment was conducted in three phases: an external phase, a phishing phase, and an internal phase. The external phase was successful in identifying actionable threats against their network, including remote code execution via JBoss and SQL injection. The majority of their external attack surfaces were discovered on their web applications. Their anti-phishing capabilities successfully stopped two of our phishing attack attempts. However, during the internal phase, our team’s attackers moved around laterally within the entire network via the external access provided by a JBoss vulnerability.
While the restaurant’s security team excelled at stopping our phishing attempts, none of the other penetration activity outside those two attempts was blocked anywhere. Our team was 2 connections away from achieving complete domain control over the entire restaurant chain’s network. This sampling suggested a critical level of Cybersecurity risk to all of their network-based computer operations.
Findings and Recommendations
Our team submitted a specific set of recommendations to mitigate that risk and summarized our findings and conclusions to reflect the restaurant chain’s security posture as viewed from our limited engagement. These included:
- The discovery of multiple “links” enabled the team to bypass their security appliance.
- The identification of 6 high-risk vulnerabilities including SQL Inject and Command Execution via JBoss implies that a comprehensive review of the entire network of restaurant operations would reveal additional high-risk vulnerabilities.
- The ability to compromise 21 computers and gain credentials to compromise 100 more servers.
- The capture of SYSTEM privileges for all compromised systems, which enabled full admin privileges throughout the network.
- The ability to compromise 50 specific user credentials and hashes, i.e., 50 clear text passwords and hashes of accounts that we were able to use to log into OWA (Web version of Outlook) or other systems.
- Successful login capture for Outlook mail on those compromised accounts and free, undetected lateral movement across the network while accessing the external OWA to validate the external pathways.
- Confirmation that we were only 2 connections away from achieving complete domain control over the entire network.
In all, we found 13 actionable issues of varying severity that when remediated would significantly reduce the risk of successful cyber-attacks.
The Punchline
We put a remediation proposal in front of them for an extended red-team test and vulnerability assessment to conclude the work we had started at a cost of $44,000 and another $149,500 annually on products that would improve their ability to detect and respond to threats like the successful attack against the other un-named restaurant chain.
They rejected the proposal and continued as if no threat existed.
Three months later, they were hacked and are now facing multiple class action lawsuits winding their way through circuit courts.
Sufficient Legal Standing
The infamous Target lawsuits filed by 47 States for a similar breach resulted in a single settlement alone of $18.5 million, or 93 times the cost of the restaurant chain fix we described here. Home Depot’s hurt even more at $19.5 million.
Both of these settlements were prior to the recent landmark circuit court ruling in the Caremark case that “at the very least, it is plausible to infer that this party has both the intent and the ability to use that data for ill” and is thus sufficient for the plaintiff’s legal standing.
In other words, plaintiffs no longer have to prove current harm, but may instead file lawsuits based on future risk of harm.
In which Universe does it not make sense to spend $200,000 to avoid $20 million lawsuits?
These restaurateurs are about to find that answer.