Starwood Hotels & Resorts Properties Breached

This week, we hear the latest on the Starwood Hotels & Resorts Properties breach and the emergence of Cherry Picker and AbaddonPOS malware.

Breach

Starwood Hotels & Resorts Properties Breached 

On November 20, Starwood Hotels & Resorts Worldwide announced that the point of sale (PoS) systems of 54 properties were infected with malware, resulting in unauthorized access to customers’ payment card data dating back to November 2014.

Promptly after discovering the issue, Starwood engaged third-party forensic experts to conduct an extensive investigation. The investigation detected malware that affected certain restaurants, gift shops and other point of sale systems at the relevant Starwood properties.  There is no indication at this time that the company’s guest reservation or Starwood Preferred Guest membership systems were impacted. 

The malware was designed to collect certain payment card information including cardholder name, payment card number, security code and expiration date. The affected hotels have taken steps to secure customer payment card information and the malware no longer presents a threat to customers using payment cards at Starwood hotels.

References: Starwood Notifies Customers of Malware Intrusion | Starwood Hotels & Resorts reports payment card information breach at 54 properties | Starwood Hotels & Resorts locations affected by payment card security issues

Mitigation Strategies:

  • Network traffic analysis to detect data exfiltration.
  • Intrusion detection system (IDS) signatures to detect intrusion attempts and network anomalies.
  • Log management to detect suspicious user account activity.
  • Point of sale system owners are encouraged to implement the principle of least privilege so that an intruder who compromises one vulnerable host cannot move laterally through the rest of the network.

Malware

New POS Malware Emerges in Time for the Holidays

The Cherry Picker and AbaddonPOS malware families, disclosed last week, are the latest evolution in stealthy and capable point of sale malware built to plunder credit and debit card data. Cherry Picker has been targeting retail businesses since 2011 and now sports new anti-analysis tricks, persistence mechanisms and improved card-harvesting functionality.

The Cherry Picker malware wipes evidence of itself after an attack by overwriting its files multiple times and removing the locations used for data exfiltration. The memory-scraping malware has been seen on Windows systems, including Windows 7 and the hard-to-kill Windows XP, that run remote administration services, and it targets food industry retailers running PoS software.

Separately, security researchers identified anti-analysis, obfuscation and wiping capabilities in the AbaddonPOS malware. AbaddonPOS was found on seven client networks, where it had been delivered following a Vawtrak infection.

Point of sale malware will face a further obstacle as the United States deploys EMV chip card technology, notably where PIN verification is used in place of the antiquated signature.

References: More PoS malware, just in time for Christmas | New PoS malware emerges in time for the holidays

Mitigation Strategies:

  • Intrusion detection system (IDS) signatures to detect the malware contacting its specifically observed callback addresses.
  • NetFlow data can also reveal unusually large outbound transfers and data leakage.
  • Log management can surface the attacker's external IP addresses, provided that logging is configured to capture them.
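A detection sketch for the traffic analysis and NetFlow points in both mitigation lists above, added here as example code rather than anything from the bulletin: it walks constructed flow records, aggregates outbound bytes from a hypothetical PoS VLAN, and flags terminals that contact an external address other than the payment processor or push more than a set byte volume to a single destination. The subnet, processor address, threshold and sample flows are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample NetFlow-style records (not from the bulletin):
# start time, source IP, destination IP, destination port, bytes sent by source.
SAMPLE_FLOWS = """\
2015-11-20T02:01:00,10.20.30.11,203.0.113.10,443,4210
2015-11-20T02:01:05,10.20.30.12,203.0.113.10,443,3980
2015-11-20T02:02:10,10.20.30.11,10.20.1.5,445,120000
2015-11-20T02:03:00,10.20.30.12,198.51.100.77,80,8900000
2015-11-20T02:03:30,10.20.30.12,198.51.100.77,80,7600000
2015-11-20T02:04:00,10.20.30.13,203.0.113.10,443,4100
"""

# Hypothetical policy for the PoS VLAN: terminals may only reach the payment processor.
POS_SEGMENT = ipaddress.ip_network("10.20.30.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EXTERNAL = {"203.0.113.10"}          # hypothetical payment processor address
EXFIL_BYTES_THRESHOLD = 5_000_000            # hypothetical ceiling per (src, dst) pair

def parse_flows(text):
    """Turn 'time,src,dst,dport,bytes' lines into flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({"ts": ts, "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows

def find_exfil_candidates(flows):
    """Return sorted (src, dst, reason) triples for PoS hosts talking outside policy."""
    out_bytes = defaultdict(int)
    findings = set()
    for f in flows:
        if f["src"] not in POS_SEGMENT or any(f["dst"] in net for net in INTERNAL_NETS):
            continue                         # only PoS-to-Internet traffic is in scope
        key = (str(f["src"]), str(f["dst"]))
        if key[1] not in ALLOWED_EXTERNAL:
            findings.add(key + ("unapproved external destination",))
        out_bytes[key] += f["bytes"]         # allowed destinations are still volume-checked
    for key, total in out_bytes.items():
        if total > EXFIL_BYTES_THRESHOLD:
            findings.add(key + (f"{total} bytes outbound exceeds threshold",))
    return sorted(findings)

if __name__ == "__main__":
    for src, dst, reason in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}: {reason}")
```

In the sample, the terminal talking to the payment processor is left alone while the one pushing 16.5 MB to an unapproved address is flagged on both counts; in practice the threshold would be tuned from the segment's normal daily volume.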

Top 20 IP Addresses
