Hilton Hotels Admits PoS Compromise

This week, we hear the latest on the Starwood and Hilton Hotel property breaches and the recent discovery of the GlassRAT Trojan.

Breach

Hilton Hotels Admits PoS Compromise

Criminals continue to target hotel chains, with the luxury chain Starwood Hotels & Resorts being the latest victim. Starwood reports that 54 locations in North America have been infected with malware that harvested card information from point of sale systems. A couple of days after Starwood’s admission, Hilton Hotels also admitted that it had suffered a similar compromise of point of sale systems during 2014 and 2015.

Organizations that use point of sale terminals need to think carefully about how they are protected. Terminals should be segregated on a dedicated network, separate from other network traffic, and connections to these sensitive systems should be carefully monitored. Criminals are adept at identifying and exploiting weaknesses in credit card processing systems, and, like any computerized system, point of sale terminals need to be kept fully patched.

References: BusinessWire: Starwood Notifies Customers of Malware Intrusion | Hilton Hotels: We Were Breached

Mitigation Strategies:

  • 24x7 security monitoring to provide anomaly detection.
  • Network traffic analysis to detect data exfiltration.
  • Log management to detect anomalies on the POS stations, such as new data shares or services being created.
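The segregation and log-management advice above can be turned into two concrete checks. The script below is an added example, not code from the newsletter or from either hotel chain: it polices a POS subnet against an egress allowlist using constructed flow records, and scans constructed Windows event entries (7045 = new service installed, 5140 = network share accessed) for changes on POS hosts. The subnet, hostnames, destination addresses and log formats are all assumptions made for illustration.

```python
"""
Added example: egress-policy and host-change checks for a segregated POS
segment. All addresses, hostnames and log formats are constructed.
"""
import ipaddress
from collections import defaultdict

# Assumption: POS terminals live on a dedicated subnet and may only talk to the
# payment processor and the in-house patch server (documentation addresses).
POS_SUBNET = ipaddress.ip_network("10.50.0.0/24")
EGRESS_ALLOWLIST = {
    ("203.0.113.10", 443),   # payment processor (assumed)
    ("10.10.1.5", 8531),     # internal patch server (assumed)
}

# Constructed flow records: timestamp src dst dport bytes_out
FLOW_LOG = """\
2015-11-24T02:10:01Z 10.50.0.21 203.0.113.10 443 1820
2015-11-24T02:10:03Z 10.50.0.22 203.0.113.10 443 1790
2015-11-24T02:11:15Z 10.50.0.21 198.51.100.7 443 524288
2015-11-24T02:12:40Z 10.50.0.23 10.10.1.5 8531 40960
2015-11-24T02:14:02Z 10.50.0.21 198.51.100.7 443 1048576
2015-11-24T02:15:00Z 10.20.3.8 198.51.100.7 443 3000
"""


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into dicts."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def egress_violations(flows):
    """Return flows from POS hosts to (dst, port) pairs outside the allowlist."""
    hits = []
    for f in flows:
        if ipaddress.ip_address(f["src"]) not in POS_SUBNET:
            continue  # only the segregated POS segment is policed here
        if (f["dst"], f["dport"]) not in EGRESS_ALLOWLIST:
            hits.append(f)
    return hits


def exfil_volume_by_host(flows, threshold_bytes=1_000_000):
    """Sum bytes per POS host sent to non-allowlisted destinations; flag heavy talkers."""
    totals = defaultdict(int)
    for f in egress_violations(flows):
        totals[f["src"]] += f["bytes"]
    return {host: total for host, total in totals.items() if total >= threshold_bytes}


# Constructed Windows event entries in a simplified "host event_id detail" form.
EVENT_LOG = """\
POS-21 7045 ServiceName=WinUpdSvc ImagePath=C:\\Windows\\Temp\\upd.exe
POS-22 4624 LogonType=3
POS-23 5140 ShareName=\\\\POS-23\\C$ Account=svc_backup
BACKOFFICE-1 7045 ServiceName=BackupAgent ImagePath=C:\\Program Files\\Backup\\agent.exe
"""

POS_HOSTS = {"POS-21", "POS-22", "POS-23"}  # assumed inventory of POS stations
WATCHED_EVENTS = {7045: "new service installed", 5140: "network share accessed"}


def pos_host_anomalies(text):
    """Flag service creation and share access on POS hosts; both should be rare there."""
    findings = []
    for line in text.splitlines():
        host, event_id, detail = line.split(" ", 2)
        if host in POS_HOSTS and int(event_id) in WATCHED_EVENTS:
            findings.append((host, WATCHED_EVENTS[int(event_id)], detail))
    return findings


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for f in egress_violations(flows):
        print("egress violation:", f)
    print("heavy talkers:", exfil_volume_by_host(flows))
    for finding in pos_host_anomalies(EVENT_LOG):
        print("host anomaly:", finding)
```

In a real deployment the allowlist comes from the firewall policy for the POS VLAN and the event feed from the log collector; the point of the two checks is that on a properly segregated segment, any destination outside the allowlist and any new service or share on a terminal is worth an analyst's attention, because the legitimate set is small and stable.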

Malware

GlassRAT Trojan Linked to Chinese Targets of Interest

Remote access Trojans (RATs) allow attackers to execute any command or software on an infected machine. Installing such malware on a device allows an attacker to steal stored data and monitor the activity of anyone using the system for as long as the malware remains undetected. The presence of RATs can often be detected by antivirus software or through the presence of network connections to command and control systems.

The GlassRAT Trojan was recently identified, apparently three years after it was first released. The group behind it was careful to sparingly use the Trojan to minimize chances of detection. The malware has been used to spy on Chinese nationals working in commercial organizations and has been linked to other malware campaigns against China’s targets of interest.

Malware writers are often devious in their strategies to hide malware. The code of this particular malware was signed with a stolen certificate to make it seem legitimate. However, remote access Trojans must always connect to their controllers. Often, it is these unusual connections that belie the presence of the Trojan.

Frequent review of external connections, and the ability to distinguish normal traffic from connections to command and control facilities, allow organizations to identify Trojans on their networks and take steps to remove them.
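One way to separate check-in traffic from normal browsing is to look at the timing of repeated connections to the same destination: a RAT polling its controller tends to connect at a near-constant interval, while human-driven traffic is irregular. The script below is an added example, not code from the newsletter or from the GlassRAT analysis; it scores constructed connection log lines for periodicity and also matches destinations against a small blocklist. The internal addresses, the log format and the thresholds are assumptions, and the blocklist reuses three addresses from the newsletter's own "Top 20 IP Addresses" list on the assumption that that list is meant to be blocked.

```python
"""
Added example: beacon-regularity scoring plus blocklist matching over
constructed outbound connection logs.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: the newsletter's Top 20 list is a blocklist; three entries shown.
BLOCKLIST = {"111.206.116.217", "88.198.41.86", "173.244.197.140"}

# Constructed outbound connection log: timestamp src dst dport
CONN_LOG = """\
2015-11-24T09:00:00Z 10.20.3.8 111.206.116.217 443
2015-11-24T09:00:12Z 10.20.3.8 198.51.100.20 443
2015-11-24T09:05:00Z 10.20.3.8 111.206.116.217 443
2015-11-24T09:07:41Z 10.20.3.9 198.51.100.20 80
2015-11-24T09:10:01Z 10.20.3.8 111.206.116.217 443
2015-11-24T09:15:00Z 10.20.3.8 111.206.116.217 443
2015-11-24T09:19:59Z 10.20.3.8 111.206.116.217 443
2015-11-24T09:22:15Z 10.20.3.9 198.51.100.20 80
2015-11-24T09:25:00Z 10.20.3.8 111.206.116.217 443
2015-11-24T09:48:03Z 10.20.3.9 198.51.100.20 443
"""


def parse_conn_log(text):
    """Parse the constructed format into (datetime, src, dst, dport) tuples."""
    conns = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        conns.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)))
    return conns


def beacon_scores(conns, min_connections=5):
    """
    For each (src, dst) pair seen often enough, compute the inter-arrival gaps
    and their coefficient of variation (stdev / mean). Regular check-ins give a
    CV close to 0; interactive traffic is much noisier.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in conns:
        by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        scores[pair] = {"count": len(times), "mean_gap_s": avg,
                        "cv": pstdev(gaps) / avg if avg else 0.0}
    return scores


def blocklist_hits(conns):
    """Every (src, dst) pair whose destination is on the blocklist, regardless of count."""
    return {(src, dst) for _, src, dst, _ in conns if dst in BLOCKLIST}


def suspect_pairs(conns, max_cv=0.1):
    """Combine both signals into a reason list per (src, dst) pair."""
    reasons = defaultdict(list)
    for pair in blocklist_hits(conns):
        reasons[pair].append("blocklisted destination")
    for pair, s in beacon_scores(conns).items():
        if s["cv"] <= max_cv:
            reasons[pair].append(f"periodic ~{s['mean_gap_s']:.0f}s (cv={s['cv']:.3f})")
    return dict(reasons)


if __name__ == "__main__":
    for pair, why in suspect_pairs(parse_conn_log(CONN_LOG)).items():
        print(pair, "->", "; ".join(why))
```

The two signals are deliberately independent: a blocklist only catches infrastructure that is already known, while the periodicity score catches an unknown controller but needs enough connections to be meaningful. Real beacons add jitter, so `max_cv` should be tuned on the organization's own baseline rather than set to a universal value.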

References: Stealthy GlassRAT Spies on Commercial Targets

Mitigation Strategies:

Top 20 IP Addresses

111.206.116.217 - NEW
88.198.41.86 - NEW
173.244.197.140 - NEW
46.166.161.166
46.166.173.89
209.58.131.168 - NEW
51.254.221.95
95.141.29.58 - NEW
31.28.5.100
104.200.151.95 - NEW
123.125.160.216 - NEW
41.224.224.157 - NEW
195.154.241.166 - NEW
108.59.8.142
89.38.209.50 - NEW
195.154.237.149 - NEW
94.141.162.45
213.229.103.90 - NEW
213.133.108.168 - NEW
46.109.168.179 - NEW