8 Immediate Steps post resurfacing of Fake Response Malware

Recent media articles about a malware attack on the payment switch application of one of the
oldest co-operative banks, and the losses reported as a result, are disturbing for us at SISA.
On 20th December 2017, SISA issued a global advisory warning banks that cyber criminals had
been identified injecting malicious script into payment switch servers in order to generate
fake response messages to the requests received from payment brands.
https://timesofindia.indiatimes.com/business/india-business/security-firm-sisa-alerts-bankson-malware-attack/articleshow/62141684.cms
However, this attack has now resurfaced and, more importantly, our PFI activity has shown the
intruder to be present in the system for more than a year. Hence, we cannot prevent a breach,
but we can at least stop lateral movement and the egress point: unless there is egress, the
intruder has not succeeded.
We are recommending the following immediate steps that banks can implement proactively
in order to secure the payment switch application and network environment:
1. Enable multi-factor authentication for all users logging in to the Switch application server.
2. Enable iptables rules so that only authorized systems can access the switch server.
3. Reset the password of all privileged users in the Switch application server.
4. Reach out to your Payment Forensic Investigator (PFI) authorized by the Payment Brands
and listed on the PCI Council website within 24 hours of any suspicion.
5. Conduct a credentialed vulnerability assessment scan. A non-credentialed vulnerability
assessment scan has limitations in identifying all the vulnerabilities present in the
servers/network components.
6. Conduct web application penetration testing for all web interfaces present in the network.
All applications which have a web interface, whether internal or external, need to be tested.
7. Instruct your Security Operations Centre to identify any similar Indicators of Compromise.
Also, as part of the S-SOC operations, have a threat hunting activity carried out for this
particular IOC.
8. Ensure PCI DSS certification of the in-scope environment by authorized QSAs listed on the
PCI Security Standards Council website, and deploy PA-DSS validated applications
(https://www.pcisecuritystandards.org/assessors_and_solutions/payment_applications?agree=true).
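The threat hunting activity in step 7 can be given a concrete shape even without a published IOC, because the advisory describes the behaviour to look for: the switch answers a payment brand's request itself, without the authorization host ever seeing it. The script below is an added example for this page and is not SISA's code or tooling; the log format it parses is hypothetical and the log lines are constructed, so real switch logs will need a different regular expression but the same correlation: every response sent back to a payment brand must be traceable to a response received from the authorization host for the same retrieval reference number (RRN), arriving before it and carrying the same response code.

```python
"""Hunt for 'fake response' behaviour in payment-switch logs.

Hypothetical log format (constructed for this example, not a real switch):
    <timestamp> <event> rrn=<retrieval ref no> amt=<amount> rc=<response code>
Events:
    REQ_IN   request received from the payment brand
    FWD_OUT  request forwarded to the authorization host
    RESP_IN  response received from the authorization host
    RESP_OUT response sent back to the payment brand
"""
import re
from collections import defaultdict

# Constructed sample: rrn 1 is a normal flow, rrn 2 is approved by the switch
# alone (never forwarded, no host response), rrn 3 is declined by the host
# (rc=51) but the switch sends an approval (rc=00) to the payment brand.
SAMPLE_LOG = """\
2017-12-20T10:00:01 REQ_IN rrn=000000000001 amt=5000 rc=-
2017-12-20T10:00:01 FWD_OUT rrn=000000000001 amt=5000 rc=-
2017-12-20T10:00:02 RESP_IN rrn=000000000001 amt=5000 rc=00
2017-12-20T10:00:02 RESP_OUT rrn=000000000001 amt=5000 rc=00
2017-12-20T10:00:05 REQ_IN rrn=000000000002 amt=250000 rc=-
2017-12-20T10:00:05 RESP_OUT rrn=000000000002 amt=250000 rc=00
2017-12-20T10:00:09 REQ_IN rrn=000000000003 amt=1200 rc=-
2017-12-20T10:00:09 FWD_OUT rrn=000000000003 amt=1200 rc=-
2017-12-20T10:00:10 RESP_IN rrn=000000000003 amt=1200 rc=51
2017-12-20T10:00:10 RESP_OUT rrn=000000000003 amt=1200 rc=00
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>[A-Z_]+) rrn=(?P<rrn>\d+) amt=(?P<amt>\d+) rc=(?P<rc>\S+)$"
)


def parse_switch_log(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_fake_responses(log_text):
    """Return one finding per RESP_OUT that cannot be traced to the authorization host.

    reason values:
      no_host_response      - no RESP_IN ever arrived for this RRN
      answered_before_host  - RESP_IN exists but only after the RESP_OUT was sent
      response_code_altered - the host answered, but the code sent onward differs
    """
    by_rrn = defaultdict(list)
    for ev in parse_switch_log(log_text):
        by_rrn[ev["rrn"]].append(ev)

    findings = []
    for rrn, evs in by_rrn.items():
        host_responses = [e for e in evs if e["event"] == "RESP_IN"]
        for out in (e for e in evs if e["event"] == "RESP_OUT"):
            # ISO-8601 timestamps of equal format compare correctly as strings.
            prior = [h for h in host_responses if h["ts"] <= out["ts"]]
            finding = {"rrn": rrn, "ts": out["ts"], "amt": out["amt"],
                       "sent_rc": out["rc"], "host_rc": None}
            if not prior:
                finding["reason"] = ("answered_before_host" if host_responses
                                     else "no_host_response")
                findings.append(finding)
                continue
            host_rc = prior[-1]["rc"]
            if host_rc != out["rc"]:
                finding["host_rc"] = host_rc
                finding["reason"] = "response_code_altered"
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_fake_responses(SAMPLE_LOG):
        print(f"{f['ts']} rrn={f['rrn']} amt={f['amt']} {f['reason']} "
              f"(host rc={f['host_rc']}, sent rc={f['sent_rc']})")
```

Run over a day's switch log, the findings list is small enough to review by hand, and a non-empty list is a reason to engage the PFI per step 4 rather than something to triage locally. Comparing only the response code is deliberate: the host's response is the ground truth, so any divergence at the egress side is the signal, whatever the injected script's implementation.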
Source : https://www.sisainfosec.com/blogs/8-immediate-steps-post-fake-responsemalware-resurface/