Open-Source Security Helps SMBs Thwart Black Atlas Threat

By Pedro Hernandez | Posted December 16, 2015

Cybercriminals target point-of-sale (POS) systems for reasons that go beyond the obvious monetary motivation. The holiday shopping season offers a unique opportunity to break in and steal financial data.

Unlike most computer workstations that require frequent updating and maintenance, point-of-sale (POS) systems "are usually touch-once and deploy," Travis Smith, senior security research engineer at Tripwire, a company that specializes in threat detection. "They typically run on old machines, and they generally don't require much in the way of change."

Reluctant to risk an outage during the critical holiday shopping season, retailers often avoid configuration changes and updates to their POS systems from Halloween through the end of January, said Smith—and rightfully so. "There's a business justification to leaving them alone."

This reality offers attackers a three-month window to steal credit card data and other payment information from potentially vulnerable POS hardware. The latest threat in that regard: Operation Black Atlas.

fight small business POS malware with open source tools

How Malware Threatens Small Business POS Systems

Security researchers discovered that attackers have stepped up their game this year, targeting not only retail giants, but also small and midsized companies (SMBs).

"The operation is run by technically sophisticated cybercriminals who are knowledgeable in a variety of penetration testing tools and possess a wide network of connections to POS malware in the underground market," wrote Jay Yaneza, a threats analyst for anti-malware firm Trend Micro, in a blog post. "Its operators built a set of tools much like a Swiss Army knife, with each tool offering a different functionality."

Black Atlas' operators' ultimate goal: infect POS systems with a slew of malware, including BlackPOS (otherwise known as Kaptoxa), a culprit in the game-changing Target breach of 2013. Yaneza noted that other malware strains include Alina, NewPOSThings, and a Kronos backdoor.

Black Atlas is designed to overwhelm a small business' cyber defenses with security tools that criminals can easily attainable online.

Yaneza explained that an attack "involves the use of tools such as brute force or dictionary attack tools, SMTP scanners, and remote desktop viewers. Networks with weak password practices are likely to fall victim to this initial penetration testing stage." Once Black Atlas gains a foothold on a network, there's a good chance that cybercriminals will make off with valuable financial information.

How does an SMB protect itself? Fight fire with fire.

Open-Source Security to the Rescue

SMBs aren't defenseless against sophisticated threats like Black Atlas, even if their IT budgets are tight and their POS systems are off-limits to security updates.

Cybercriminals rely on freely-available security toolkits, and Tripwire's Travis Smith recommends that small businesses use no-cost, open-source tools to unmask and block complex threats like Black Atlas and its ilk. He detailed his strategy in his presentation, "My Bro the ELK: Obtaining Context from Security Events," at the Black Hat computer security conference this past summer.

With a little time and a bit of tech-savvy, SMB IT professionals can piece together powerful tools to protect sensitive data on a network, even if the systems and servers tasked with processing it remain off-limits. "If you can't install tools, you can install things around the perimeter" of the systems to stymie attackers.

One such tool is the Bro network security monitor and intrusion detection system (IDS). "It's very lightweight and highly modular," said Smith. "You can run the Bro IDS on something as small as a Raspberry Pi."

The Critical Stack Intel threat intelligence feed marketplaceoffers point-and-click integration with Bro," said Smith. It provides information on malicious IP addresses, domains known to host malware, and more than "one million indicators of compromise" he added. Better yet, subscribers "get this powerful threat intelligence for free."

Finally, you can enlist Elastic Search, Logstash, and Kibana—otherwise known as the ELK Stack—to collect and visualize log data produced by Bro logs. This provides real-time cyber-attack detection. Smith's documents the process in this whitepaper.

Best of all, small businesses don't have to stretch their budgets. "It's all open source and, they're all free tools," said Smith. It takes a little work, but the payoff is a threat-detection system that provides enterprise-grade security and visibility.

Pedro Hernandez is a contributing editor at Small Business Computing. Follow him on Twitter @ecoINSITE.

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!

Comment and Contribute


     

    Get free tips, news and advice on how to make technology work harder for your business.

    Submit
    Learn more
     
    You have successfuly registered to
    Enterprise Apps Daily Newsletter
    Thanks for your registration, follow us on our social networks to keep up-to-date