How to Prevent the Next Big POS Breach

A new malware called Anchor, discovered in October, is being used to target financial, manufacturing, and retail businesses across North America and Europe. The threat actor has been leveraging Anchor and TrickBot together to infect, explore, and exploit high-value targets that run point-of-sale (POS) systems.

The attacks steal sensitive information by taking over critical assets in the victims’ network. For specific targets, the threat actor installs a backdoor that stealthily communicates over extended periods of time with C2 servers to steal passwords, credit card data, and other sensitive corporate data stored in POS systems.

Our research includes a list of IOCs for the attack and a MITRE ATT&CK breakdown of the techniques used. For this information and an in-depth technical review of this attack, read our research, Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware.

Key Points from this Attack

  • The TrickBot-Anchor Operation: Cybereason Nocturnus is investigating a series of targeted attacks against financial, manufacturing, and retail businesses across North America and Europe.
  • Targets POS Systems: The attacks target POS systems to steal sensitive information by taking over critical assets in the victims’ network.
  • Deploys A Backdoor on High-value Targets: On certain high-profile targets, the attackers selectively use a new malware called Anchor, which installs a backdoor and stealthily communicates sensitive data back to C2 servers.
  • Steals Corporate and Sensitive Data: This attack leverages POS systems to steal passwords, credit card data, and other sensitive corporate data found on POS systems.
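The backdoor behaviour described above, a compromised host checking in with a C2 server at regular intervals over a long period, leaves a characteristic pattern in outbound proxy or firewall logs: many small requests to the same destination, spaced almost evenly, sustained over a long window. The following script is an added example written for this post, not Cybereason's code and not derived from the Anchor research. It runs a simple beaconing heuristic over constructed, clearly fictional log lines (the hostnames, IPs, and timestamps are made up, and the thresholds `min_events`, `min_span_seconds`, and `max_cv` are assumed starting points, not values from the post).

```python
# Added example (not from the Cybereason post): a beaconing heuristic over
# constructed proxy-log lines. It flags (source, destination) pairs that are
# contacted repeatedly at near-regular intervals over a long window, the kind
# of long-lived C2 check-in traffic the post describes. Thresholds are assumptions.
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample proxy log (not real traffic). Format per line:
# "<ISO-8601 timestamp> <source IP> <destination host> <bytes sent>"
# cdn-sync.example.test receives a ~300 s check-in; news.example.test is bursty browsing.
SAMPLE_LOG = """\
2019-10-01T09:00:00 10.0.0.5 cdn-sync.example.test 512
2019-10-01T09:01:10 10.0.0.5 news.example.test 2048
2019-10-01T09:01:15 10.0.0.5 news.example.test 9120
2019-10-01T09:03:40 10.0.0.5 news.example.test 1033
2019-10-01T09:05:01 10.0.0.5 cdn-sync.example.test 514
2019-10-01T09:09:59 10.0.0.5 cdn-sync.example.test 510
2019-10-01T09:15:00 10.0.0.5 cdn-sync.example.test 512
2019-10-01T09:20:02 10.0.0.5 cdn-sync.example.test 516
2019-10-01T09:24:58 10.0.0.5 cdn-sync.example.test 511
2019-10-01T09:30:00 10.0.0.5 cdn-sync.example.test 513
2019-10-01T09:30:05 10.0.0.5 news.example.test 4400
2019-10-01T09:31:00 10.0.0.5 news.example.test 3900
2019-10-01T09:35:01 10.0.0.5 cdn-sync.example.test 512
2019-10-01T09:48:30 10.0.0.5 news.example.test 1200
2019-10-01T09:50:00 10.0.0.7 cdn-sync.example.test 600
2019-10-01T09:55:00 10.0.0.7 cdn-sync.example.test 600
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            records.append((ts, parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return records


def interval_stats(timestamps):
    """Return (count, span_seconds, mean_interval, cv) for a list of timestamps.

    cv is the coefficient of variation (population stdev / mean) of the gaps
    between consecutive requests: close to 0 means a machine-regular schedule,
    large values mean bursty, human-driven traffic.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return len(ts), 0.0, 0.0, float("inf")
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
    return len(ts), (ts[-1] - ts[0]).total_seconds(), mean, cv


def find_beacons(records, min_events=6, min_span_seconds=1800, max_cv=0.1):
    """Flag (src, dst) pairs with enough near-evenly spaced requests over a long window.

    All three thresholds are assumed tuning values; a real deployment would
    calibrate them against the environment's own baseline.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _bytes_out in records:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in sorted(by_pair.items()):
        count, span, mean, cv = interval_stats(stamps)
        if count >= min_events and span >= min_span_seconds and cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "events": count,
                "span_seconds": span, "mean_interval": round(mean, 1),
                "cv": round(cv, 4),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['events']} requests every "
              f"~{f['mean_interval']}s over {f['span_seconds']:.0f}s (cv={f['cv']})")
```

On the constructed log, only the `10.0.0.5 -> cdn-sync.example.test` pair is flagged: eight requests about 300 seconds apart with very low jitter over roughly 35 minutes. The browsing traffic to `news.example.test` has the same number of events but irregular gaps, and the second host has too few events to judge. The heuristic is deliberately simple; legitimate software updaters also beacon on a schedule, so a hit is a lead for an analyst to enrich with destination reputation and process context, not a verdict on its own.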

Why are point-of-sale systems a target now?

When businesses began adopting point-of-sale systems, they simultaneously accelerated the move away from cash transactions and transformed the way businesses work internally. Data that passes through POS systems extends beyond credit card information to every aspect of the business. In fact, POS has become a fundamental component of business success, integrating tasks like tracking inventory, purchasing, receiving and transferring products between locations, customer returns, cost/price/profit analysis, reporting, and sales trends. Their ability to centralize and automate different, related activities enables businesses to scale quickly and efficiently with fewer staff.

These systems dominate the market, with a global installed base of POS terminals numbering 109 million units as of 2017. POS systems are pervasive, mission-critical for effective business operations, and process a huge set of sensitive data, making them a worthwhile target for threat actors and a critical asset for businesses to protect.

Businesses that Lose Data, Lose Trust

The exposure of credit card information and personal data is not only a regulatory breach; it also causes customers to lose confidence in the business. According to Ponemon, 31% of consumers will discontinue a relationship due to a data breach, and an even higher share, 65%, will lose trust in the company. Protecting against threats like these therefore affects a business’s bottom line from multiple angles.

How Should Businesses Address this Threat?

Strong threat intelligence that provides context around these types of attacks is critical. Your team needs to understand what it is dealing with and address it by seeing the full scope of the attack. Combining the latest threat intelligence with the right people, processes, and technology will enable your team to address advanced threats faster.

Despite the attack leveraging new and unknown malware variants, the Cybereason Defense Platform simultaneously prevented it and gave analysts the visibility to see the attack in its entirety. The platform did not rely on signatures, and instead identified this campaign using behavior-based detections across multiple stages of the attack.

Learn more about the capabilities of the Cybereason Defense Platform.

About the Author

Cybereason Team

Cybereason is dedicated to partnering with Defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem. Only the AI-driven Cybereason XDR Platform provides predictive prevention, detection and response that is undefeated against modern ransomware and advanced attack techniques. The Cybereason MalOp™ instantly delivers context-rich attack intelligence across every affected device, user and system with unparalleled speed and accuracy. Cybereason turns threat data into actionable decisions at the speed of business.