A New Variant in POS Malware

I’d like to talk a little bit about a new POS malware variant called LogPOS. Being a researcher at LogRhythm, I feel it is my duty to talk about any malware with the word “Log” in it. Ironically, this malware does not store its stolen credit card data in a log; instead it uses mailslots. Mailslots, just as the name implies, are a virtual representation of a physical mailbox. They are a mechanism developed by Microsoft that allows processes to communicate with each other: a process can write to a mailslot with the intention that another process will read from it later on. They are similar to named pipes, only they are not connection oriented and can be used for broadcast. The use of mailslots by malware is nothing new, and it helps this malware fly under the radar of simple POS malware scanners, i.e. scanners that look for plain-text credit card information stored locally on the POS terminal.

LogPOS starts by creating a mailslot named \\.\mailslot\LogCC. Once that mailslot is created the malware systematically searches the host for processes that are not in the white list, shown below. My guess is that these are known common processes that you might find on POS terminals (with the exception of steam.exe) that are not used for scanning credit card data. So, it’s eliminating a few processes right off the bat, maybe for efficiency, but more likely to remain undetected.

  • windbg.exe
  • logounui.exe
  • taskmgr.exe
  • skype.exe
  • thunderbird.exe
  • devenv.exe
  • steam.exe
  • winlogon.exe
  • wininit.exe
  • csrss.exe
  • smss.exe
  • svchost.exe
  • firefox.exe
  • chrome.exe
  • explorer.exe
  • psi.exe
  • pidgin.exe
  • System

Once the malware finds a process not included in the list above, it will inject shellcode into that process. That newly compromised process will then repeat the search looking for more new processes to pwn (again, ignoring white listed processes) and injecting shellcode until all other processes have been hijacked. At this point the malware uses Luhn’s Algorithm to search for credit card numbers. Once a credit card is found it is written to the opened mailslot where the main program will read from it. Once a credit card is read it is then sent to a remote server via GET request.

If you want to take a look and see if you’ve been hit by LogPOS in your environment, you can use this simple search in the LogRhythm Network Monitor to reveal any outbound communication from the POS malware:

Method:GET AND DestPort:(80 OR 443) AND HeaderRaw:(encoding= AND t= AND cc= AND process= AND track=)

Figure 1 : Example LogPOS Traffic in LogRhythm Network Monitor (click to enlarge)

On top of that, you can also use the white-listing capabilities of LogRhythm’s Advanced Intelligence Engine to detect new outbound connections from your POS terminals. This rule, along with dozens more, is part of LogRhythm’s Retail Cyber Crime Module.

Figure 2 : POS: Abnormal POS Network Communication Detection (click to enlarge)

The security researchers over at Morphick.com did some great research on this malware. If you’d like to know more about how the malware operates you can read that write-up here.




7 Home Network Security Tips

The home network is just as important to secure as the organization you work for. Think about it: this is the network that you use when not in the office; you plug your work laptop in, access sites that are unfiltered/unprotected by your company’s proxy, and then bring the laptop back in to the office the next day and plug it in to the production network. This has the potential to introduce significant risk to the organization, and that risk is only exacerbated if someone is able to compromise your home network. In fact, using work laptops outside of the company network is one of the most common ways malware makes it into the organization.

For these reasons it is important to take security seriously both inside and outside of the office. To help with this, I’ve put together 7 steps that you can take to improve the security of your home network.

1. Encrypt your home network using WPA2 and a strong password

Open wireless networks should be avoided unless there is no other option. When using open networks, a VPN should be employed to protect your data while in transit. When it comes to your personal home network, there is absolutely no reason to leave the wireless network open. Encryption is built in to every standard Wi-Fi router so there is absolutely no reason to not enable this. More importantly, Wi-Fi Protected Access 2 (WPA2) should be used as it is the most secure Wireless protocol available for home use. WEP and standard WPA can be cracked and are not considered secure.

In addition to enabling encryption, a very strong password should be used. This doesn’t need to be something ridiculously hard to remember, or so complex that you need to write it down. Remember, when it comes to password strength it’s all about entropy. So, the longer the password the better. This could be something as simple as a sentence with a few capital letters, spaces, and maybe one special character. This makes it very hard to guess but easy to remember, and if someone is able to capture the challenge-response, it will be very difficult for them to crack.

2. Change default router passwords and settings

Just do it… This is the very first thing that every penetration tester will try once connected to a wireless network. If they can log in to the administrative interface using a default or easily-guessable password, then all bets are off. The same goes for default settings. The fact that they are ‘default’ means that they are generally public knowledge and a quick google search will give an adversary everything they need to gain access to your network.

Aside from passwords, which should be changed for obvious reasons, the main setting of concern is the default IP address. This is normally 192.168.x.1, and various exploit kits are hard-coded to take advantage of these default configuration settings. Simply changing the IP address to anything else (IE: will greatly improve the security of the router and subsequently, your home network as a whole.

One other setting that should not be overlooked is Wireless Protected Setup (WPS). This feature is prone to well-known and simple proximity attacks and can be broken very easily. When using WPS to configure devices such as printers or similar technology, it is best practice to enable WPS, add the device, and then disable WPS once the device has associated with the access point.

3. Set up a guest network for family and friends to use when they visit

Guest networks are a simple and effective way to segment your devices from potentially untrusted devices on the network. Sometimes a friend’s system can contain malware that could infect other systems over the network. Or, if you have guests regularly (think Airbnb) that connect to your network, do you really want them to be able to access your computer, servers, or other systems on your personal network? Another aspect to consider if you have ‘untrusted guests’ is to lock the router away to deter physical access attacks.

Many routers have a built-in guest feature. If yours doesn’t support this, you may want to consider purchasing another cheap router and bridge this off of your normal access point. This segments the network and keeps untrusted devices off of the main network. This could also be key if someone uses your guest network to download torrents or perform other illegal activities, as showing that this was conducted over your guest network by a device that you don’t own could get you out of hot water.

4. Set up a separate network for Internet of Things (IoT) devices

If you can control your lights from the internet, so can anyone else who happens to guess the password to your Internet of Things control center. What’s worse is that if they can get to your lights, what else can they access on your network? With the rise in home automation and remote access to physical devices, it is important to segment the network to reduce the risk of an outsider gaining access to the internal network by way of an exposed service.

5. Disable remote access to your home network

Many routers come with the ability to allow remote access. This can be very dangerous, especially if default passwords are still in place. Once someone gains access to the router remotely, they can sniff traffic and access systems on the internal network from anywhere in the world. Often these technologies are only protected by a username and password, which can be easily broken with a dictionary attack, often without the owner even knowing. This is why it is very important to only enable remote services when you can compensate for the risks by adding protections such as multifactor authentication.

The same precautions should be taken when running a demilitarized zone (DMZ) and exposing Windows or Linux servers to the internet. Unless it is absolutely necessary to access these systems directly from the internet, a VPN with multifactor authentication should be used instead. This will allow you to access your home network remotely in a more secure manner. If you are running a web server or something similar and need to have these services directly exposed, any remote administration protocols such as RDP or SSH should be protected using a public/private key pair in addition to the username/password combination.

6. Use a firewall

Firewalls are a cheap and effective way to curb attacks against your home network. Plus, they give you additional insight into the traffic that is traversing the network boundary, in addition to maintaining a separate record of traffic history. Firewalls can also be implemented on the router directly; in fact, most modern routers come with the built-in ability to block specific ports or even filter specific types of traffic. A really good one that I would highly recommend is pfSense.

If you are exposing servers to the internet, Honeyports are a free and easy-to-use tool that can be used to detect and ban IP addresses as attacks are observed. Artillery is one of my favorite tools for this, and it can be installed on the server and up and running in minutes. This will prevent known-bad IP addresses from reaching your server once a connection attempt has been made against one of the exposed Honeyport services.
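To make the Honeyport idea concrete, here is an added example (my own, not Artillery’s code) of the core mechanism: a TCP listener on a port that no real service uses, where every connecting source address is recorded and banned unless it is on an allow-list, with an optional ban expiry and the firewall rule text that would enforce the ban. The port 2222, the allow-listed address 10.0.0.2 and the one-hour ban window are hypothetical values chosen for the example.

```python
import socketserver
import time


class HoneyportPolicy:
    """Ban bookkeeping for a honeyport: nothing legitimate ever connects to the port,
    so any source address that does is treated as hostile and banned, unless it is
    on an explicit allow-list (your own management hosts or scanners)."""

    def __init__(self, allow=(), ban_seconds=None):
        self.allow = set(allow)
        self.ban_seconds = ban_seconds      # None means bans never expire
        self.banned = {}                    # src_ip -> time of first hit

    def record(self, src_ip, now=None):
        """Register a connection attempt; return True if this call banned the address."""
        now = time.time() if now is None else now
        if src_ip in self.allow or src_ip in self.banned:
            return False
        self.banned[src_ip] = now
        return True

    def is_banned(self, src_ip, now=None):
        """True while the address is banned; expired bans are dropped on the way out."""
        now = time.time() if now is None else now
        hit = self.banned.get(src_ip)
        if hit is None:
            return False
        if self.ban_seconds is not None and now - hit > self.ban_seconds:
            del self.banned[src_ip]
            return False
        return True

    def firewall_rule(self, src_ip):
        """iptables rule text an Artillery-style tool would apply to enforce the ban."""
        return f"iptables -I INPUT -s {src_ip} -j DROP"


class HoneyportHandler(socketserver.BaseRequestHandler):
    def handle(self):
        src_ip = self.client_address[0]
        if self.server.policy.record(src_ip):
            print(f"honeyport hit from {src_ip}; apply: "
                  f"{self.server.policy.firewall_rule(src_ip)}")
        # No banner and no response: close the socket and let the firewall rule do the rest.


def serve(port, policy, bind="0.0.0.0"):
    """Listen on a port that no real service uses; every connection feeds the policy."""
    server = socketserver.ThreadingTCPServer((bind, port), HoneyportHandler)
    server.policy = policy
    server.serve_forever()


if __name__ == "__main__":
    # Hypothetical port and allow-list; pick a port nothing on the host legitimately serves.
    serve(2222, HoneyportPolicy(allow={"10.0.0.2"}, ban_seconds=3600))
```

The allow-list is the part people forget: a honeyport with no exemptions will happily ban the address you administer the server from the first time a vulnerability scan or a port-check touches it.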

7. Log out of the router when not using it

Many of the attacks against routers today are done by forcing the client to perform an action within the administrative interface of the router on behalf of the attacker. This attack is commonly referred to as Cross-Site Request Forgery (CSRF) and is a very effective means of gaining access to a router. Some of the attacks simply enable remote access to the router and change the administrative password while others completely take over the device and backdoor it. For these reasons, it is important to always log out of the router’s web interface when you are done administering the services.




Phase 2 OCR HIPAA Audits – What’s to come in 2015?

Here is a high-level breakdown for the Phase 2 HIPAA Audits being conducted by OCR in 2015:

Back in 2011, the Office of Civil Rights (OCR) was brought on board to support a pilot HIPAA audit program with the goal of assessing controls and processes implemented by covered entities (with a focus on Protected Health Information, PHI). OCR took a two-phase approach to HIPAA audits and began phase 2 in the fall of 2014. For phase 1, OCR developed an audit protocol to measure the efforts of some 115 Covered Entities. With phase 2, the audit protocol was updated to encompass both covered entities and business associates.

For phase 2, OCR is revising their audit protocol to encompass some hot topics: timely & thorough security risk assessments, effective & on-going risk mitigation plans, breach notification procedures, encryption, training, and policies/procedures.  This phase also brought Business Associates into the scope (in addition to Covered Entities) of a potential audit. This update has increased the reach of OCR audits and I foresee it continually expanding.

Below I have included some useful definitions and points to better clarify the phase 2 audits.

Definition: A “business associate” is an individual or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity.

Business associate functions and activities: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.

Business associate services: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.

Example of a Business Associate: A third-party administrator that assists a health plan with claims processing.

Keys to Success: Business Associates and Covered Entities must enter into a Business Associate Agreement (BAA, somewhat similar to a SAS70 but catered to HIPAA) to ensure the safeguarding of protected health information (PHI). Existing BAAs should be revised according to any new HIPAA OCR audit protocols. [There are specific agreement requirements to follow]

Phase 2 Audit Targets: Risk analysis, risk management, content and timelines of breach notification, notice of privacy practices, individual access, privacy standards reasonable safeguard requirement, training on policies and procedures, device and media control, transmission security, encryption requirements. For Business Associates, specific targets include risk analysis, risk management, and breach reporting to covered entities.

Covered Entities have had to be in full compliance with the HIPAA Omnibus Rule for some time now, while Business Associates followed suit on Sept. 23, 2014. In 2014 and into 2015 we now see the enforcement (audits/findings). With most new enforcements being pushed out, those liable enter into a ‘transition phase’ prior to audits. The actual phase 2 audits to assess compliance for Covered Entities started in the fall of 2014, and audits of Business Associates are anticipated to start in 2015. So in 2015, it’s important to note that both Covered Entities and Business Associates (LR Customers/Prospects) are now in scope for these revised HIPAA OCR audits and enforcement.

There has been some delay in finalizing the audit protocols, but it is anticipated this will fully roll out sometime in 2015. Again, OCR’s focus will continue to be on more thorough audits of Covered Entities, but will really hit hard on Business Associates this year. OCR has issued a number of surveys over 2014 and into the start of 2015 with a goal to gather information and build up their audit protocol – these were indicators of pending, revitalized audits to come.

Surveys have indicated that only about a third of medical practices and staff were aware of these ‘revised’ audits.  So this in itself indicates many Covered Entities and Business Associates still may not be fully aware of pending audits (or the enhancements to existing audit protocols) that could result in financial settlement or fines for noncompliance.

Be prepared, do your homework, become compliant.

Until next time,

Bob Swanson




Network Monitor – Quick Tips and Use Cases

Although Network Monitor is very easy to use, it can still provide an extremely powerful method for analyzing network traffic and finding security risks.

Application and Packet Capture

One of Network Monitor’s strongest features is its ability to categorize and extract relevant metadata for hundreds of network applications. To see a full list, check out the Applications Guide. This should help to identify interesting applications for tracking.

The Dashboard tab is the best place to quickly get an overview of the entirety of your organization’s network traffic. Understanding this composition of applications is the first step towards being able to find and fix problems.


With this knowledge, deciding what applications to save as PCAP becomes much simpler. Ideally, everything could be stored, but obviously disk space is a limiting factor — in the event of an incident, if the network data has aged off, it’s going to make investigation difficult. Thus, it’s wise to select several noteworthy applications. To do so, go to the Configuration tab and click on the ‘Capture’ button. There, applications can be added individually by name.

Example applications that would be useful to capture include DNS, HTTP, FTP, SMTP, TCP, and UDP.

Once captured, PCAPs can be downloaded from the Analyze or Capture tabs. Or use one of available scripts to retrieve them via the API, including a SmartResponse Plugin that can do so directly from the SIEM.

Query and Analyze Data

The Analyze tab is, not surprisingly, the best place to conduct network analysis. The Query bar and Events Table are really the most important aspects of this view.

Finding relevant data is one of the most important capabilities that Network Monitor has. But it’s also one area left mostly to the user, and that makes basic knowledge of Lucene Query Syntax necessary.

Fortunately, it’s very easy: any time you’ve run a Google search, you’ve used something very like Lucene. In Network Monitor’s case, simply putting text in the Query bar, anything from an IP to a string, will search all parsed metadata within the timeframe specified in the time bar. For example, searching the IP “” will show every session where that IP was parsed, whether as the source IP, destination IP, or anything else.

But let’s say we want to be very specific and only want to show sessions where our IP is the source. The first step is to look at the Fields window, where all of the metadata fields are listed (checking the box next to a field will result in that field and its values being shown in the Events Table).


The field we want to search is SrcIP. Lucene has a very simple syntax for key/value pair matching: SrcIP: To combine pairs, use “AND”: SrcIP: AND application: http. For search within a range, use the TO operator and brackets: SrcIP:[ TO]

Note that Boolean operators must be in all caps: OR, AND, AND NOT, and TO. Also remember that the timeframe for the search must be set using the time toolbar.


Use Case: A good example of a commonly used, simple query is to find captured traffic from a specific host. Let’s imagine that Telnet traffic is observed from host user1.company.com — a definite security concern. Because Telnet is unencrypted, we can find and observe the actual text being transferred with Network Monitor, assuming that Telnet is being captured. Use the Query: host:user1.company.com AND application:telnet AND captured:true to show sessions that were saved. To perform some additional analysis on the host’s traffic, remove the application to see all captured traffic to and from the host. Perhaps we might find something suspicious and realize that the host was compromised.

Use Case: The syntax also supports basic wildcards. An example of this query might be to find certain files exiting the network. The query Filename:*.pdf will find all PDFs that are indexed within a field in Network Monitor. We can add this to a more complex string to find all PDFs sent via SMTP as attachments to email addresses outside of our organization’s domain. Application:smtp AND AttachSize:>1 AND Filename:*.pdf AND -Receiver:organization.com. If we know the name of a specific sensitive file that we don’t want to see, we can obviously change the Filename value.

Note: When searching for special characters, make sure to escape them with a backslash. For example, to search for “over-and-out”, the dashes are special characters and must be escaped: “over\-and\-out”.

Use Case: Phishing schemes may use a fake sender address to more easily fool their victims. However, the emails still have to leave from a sender domain, and that creates a discrepancy between the sender email and sender domain. To find this in Network Monitor, use the following query: SenderEmail:*organization* AND NOT SenderDomain:*organization.com* AND _exists_:SenderDomain

Use Case: Applications may use common network ports to try to hide their traffic among well-known protocols. This technique is often seen in malware trying to maintain a covert channel to a victim. This is known as Port Misuse and can be easily detected in Network Monitor, because Network Monitor classifies the application from the traffic itself rather than from the port number. For example, to detect non-SSH traffic on port 22, use the following query: Destport:22 AND NOT Application:ssh
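The queries in the use cases above all use the same handful of constructs: `field:value` pairs joined with AND, negation with `NOT` or a leading `-`, `*` wildcards, a `>` numeric comparison, `_exists_`, and backslash-escaped special characters. The following added example (my own simplified model, not Network Monitor’s query engine, and not code from the post) implements that subset over constructed session metadata, so you can see exactly which sessions each query from the post keeps and which it drops. The addresses, hostnames, domains and file names in `SESSIONS` are constructed samples; real Lucene tokenization is richer than the simple token split used here.

```python
import fnmatch
import re

# Constructed session metadata (not output from Network Monitor); each dict is one
# parsed session, using the field names the post refers to.
SESSIONS = [
    {"SrcIP": "10.0.0.5", "DestIP": "203.0.113.9", "DestPort": 22, "Application": "ssh",
     "Host": "user1.company.com"},
    {"SrcIP": "10.0.0.7", "DestIP": "198.51.100.4", "DestPort": 22, "Application": "http",
     "Host": "user2.company.com"},                                   # port misuse
    {"SrcIP": "10.0.0.9", "DestIP": "192.0.2.1", "DestPort": 23, "Application": "telnet",
     "Host": "user1.company.com", "Captured": True},
    {"SrcIP": "10.0.0.9", "DestIP": "192.0.2.8", "DestPort": 80, "Application": "http",
     "Host": "user1.company.com", "Captured": True},
    {"Application": "smtp", "SenderEmail": "ceo@organization.com",
     "SenderDomain": "mail.organization.com", "Receiver": "bob@organization.com", "AttachSize": 0},
    {"Application": "smtp", "SenderEmail": "ceo@organization.com",
     "SenderDomain": "evil-mailer.example", "Receiver": "cfo@organization.com",
     "AttachSize": 0},                                               # spoofed sender
    {"Application": "smtp", "SenderEmail": "alice@organization.com",
     "SenderDomain": "mail.organization.com", "Receiver": "partner@other.example",
     "AttachSize": 48213, "Filename": "q3-forecast.pdf"},            # PDF leaving the org
]


def _lookup(session, field):
    """Field names are matched case-insensitively (the post writes Destport and DestPort)."""
    for key, value in session.items():
        if key.lower() == field.lower():
            return value
    return None


def _match_value(actual, pattern):
    """Match one field value against a query value: numeric >/<, wildcard, or token match."""
    if actual is None:
        return False
    if pattern[:1] in ("<", ">"):
        return float(actual) > float(pattern[1:]) if pattern[0] == ">" else float(actual) < float(pattern[1:])
    text, pattern = str(actual).lower(), pattern.lower()
    if "*" in pattern or "?" in pattern:
        return fnmatch.fnmatchcase(text, pattern)
    # Exact match against the whole value or any token of it (e.g. the domain part of an address).
    return pattern in [text] + re.split(r"[^a-z0-9._-]+", text)


def _parse(query):
    """Split 'a:b AND NOT c:d AND -e:f' into (negate, field, value) clauses."""
    clauses = []
    for raw in query.split(" AND "):
        raw, negate = raw.strip(), False
        if raw.startswith("NOT "):
            negate, raw = True, raw[4:].strip()
        elif raw.startswith("-"):
            negate, raw = True, raw[1:]
        field, _, value = raw.partition(":")
        if not value:
            raise ValueError(f"expected field:value, got {raw!r}")
        clauses.append((negate, field, re.sub(r"\\(.)", r"\1", value)))   # drop escapes
    return clauses


def matches(session, query):
    """True if every clause of the query holds for this session."""
    for negate, field, value in _parse(query):
        if field == "_exists_":
            hit = _lookup(session, value) is not None
        else:
            hit = _match_value(_lookup(session, field), value)
        if hit == negate:
            return False
    return True


def search(query, sessions=SESSIONS):
    return [s for s in sessions if matches(s, query)]


if __name__ == "__main__":
    for q in ("Destport:22 AND NOT Application:ssh",
              "host:user1.company.com AND application:telnet AND captured:true",
              "SenderEmail:*organization* AND NOT SenderDomain:*organization.com* AND _exists_:SenderDomain",
              "Application:smtp AND AttachSize:>1 AND Filename:*.pdf AND -Receiver:organization.com"):
        print(q, "->", len(search(q)), "session(s)")
```

The `_exists_:SenderDomain` clause in the phishing query matters: without it, a session where the sender domain was never parsed would also satisfy `NOT SenderDomain:*organization.com*` and pollute the results.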

Customized Layouts and Alarms

For many queries that are used often, it’s a good idea to customize the layout to better fit the data present for that application. This will give an analyst a clear and efficient workflow for churning through the data.

For example, for a Query meant to identify phishing via SMTP, use the Fields selector to specify the important metadata fields while weeding out the noise: TimeStart, Receiver, Sender, SenderDomain, AttachSize, Filename, and MessageSize. Additionally, the Table can be expanded to the width of the page so that the data fits and is easily. After the layout is ready, save it using the Layout Control widget.

Finally, regular queries can be turned into alarms that will fire from within Network Monitor. These can be easily configured and monitored from the Alarms tab.




FREAK: organizations need to protect themselves, not wait for patches

This week, security researchers at SmackTLS uncovered a new, potentially dangerous flaw that could allow hackers to trick internet-enabled devices into using weak encryption. The bug, dubbed FREAK (Factoring attack on RSA-Export Keys), affects SSL/TLS protocols and could therefore be used to intercept a whole host of data transmitted online, from bank details to email logins. There is currently no evidence that the flaw has been taken advantage of by hackers, but there are a number of browsers and websites that could be at risk, including Google and Apple.

While this flaw may not be readily employed by hackers, organizations and individuals alike need to be cautious, not least because it isn’t the only flaw that exists. In fact, we hear of so many examples of vulnerabilities and attacks these days that there’s a very real chance news like this will become the status quo. Until every organization can be 100 percent confident in its cyber security policies, we need to ensure this doesn’t happen.

While internet companies need to provide patches for flaws such as this, organizations shouldn’t just wait for that to happen. Instead, they need to take a proactive approach and cut the hackers off before they can take advantage of any weaknesses. The most dangerous situation for a company to get itself into is allowing a hacker to get in and stay in; the longer they are able to do so, the more damage they can cause.

As such, organizations should employ security intelligence strategies, which allow them to reduce the time it takes to detect and respond to any threats. The problem we have today is that there is so much data crossing networks that it can be difficult to differentiate between the good and the bad. Taking an intelligent approach to network security makes it easier to see what should and shouldn’t be there. If a hacker wants to get in, they will, either through a flaw like this or through other highly sophisticated techniques. Security intelligence provides a moat: they might be able to jump over it, but they’ll be seen doing so pretty quickly.
