Researchers have uncovered an ongoing campaign against retail VMWare Horizon Point-of-Sale (PoS) thin clients.
The new attack wave, which has taken place over the past eight to ten weeks, is attempting to spread Cobalt Strike, a legitimate penetration testing tool which has also, unfortunately, been adopted in recent years by threat actors.
According to researchers from Morphisec, Cobalt Strike -- in tandem with malicious payloads -- can be used to hijack systems, execute code, harvest credentials, and is also able to circumvent EDR scanning.
The pen testing tool is being used in attempts to infiltrate PoS systems to deploy FrameworkPOS scraping malware, which can be used to harvest credit card information belonging to customers by compromising system memory components. Data scraped by this malware is compressed into .ZIP formats and transferred to command-and-control (C2) servers.
"We identified FrameworkPOS scraping malware installed on some of the thin clients, after initializing PowerShell/WMI stages that downloaded and reflectively loaded [the] Cobalt Strike beacon with PowerShell extension directly into the memory," the researchers say.
The Cobalt Strike beacon has been linked to multiple servers using the same C2 to attack retailers. The servers also host an additional shellcode backdoor beacon with PowerShell and Mimikatz functionality. These servers are still active, but the authorities have been informed of their existence.
The infiltration method used by the threat actors responsible is yet to be identified, but victims have been traced back to countries including the US, Japan, and India.
According to Morphisec, the use of Cobalt Strike, combined with FrameworkPOS, lateral movement across PoS networks, and the use of privilege escalation, may indicate that the new campaign is the work of FIN6.
FIN6 is a cybercriminal group which specializes in stealth rather than sophisticated toolsets. IBM researchers connected FIN6 to a PoS attack campaign against retailers in the US and Europe in 2018, and the theft of millions of credit card numbers in 2016 has also been attributed to the same group.
While attacks against retailers are certainly in the purview of FIN6, the researchers are not entirely confident of attribution as there are also indicators which suggest links to EmpireMonkey, another financially-motivated threat group which was recently linked to a cyberattack against the Bank of Valletta leading to the loss of €13 million.
This month, Akamai's 2019 State of the Internet report suggested that retailers have become the top target for cybercriminals utilizing credential stuffing attacks.
With so much stolen data now available in bulk dumps online, attackers are using these credential lists to automatically launch attacks against retailers and their customers. If successful, accounts can be infiltrated and fraudulent purchases can be made.