There has been a great deal of focus this week on the WikiLeaks release of documents pertaining to the CIA’s hacking/surveillance toolkit. The first leak (Year Zero) in the series, dubbed ‘Vault 7,’ contains 8,761 documents/files tied to covert hacking operations.
While there is not a great deal of ‘new’ information or earth-shattering zero-day code, there is still a great deal for our industry to comb through and digest. Much has been purposefully redacted, but there are still plenty of details to examine (e.g.: specific security product bypasses, mobile device exploits, and more).
Some of the data in the leak is now stale (specific exploit mitigations, for example); however, it is a great way to understand the ‘timeline’ of the owner’s focus. It is also possible to get an idea of how exploit/malicious code is generated/procured within (allegedly) particular government circles. One need only examine the iOS exploit data section, which contains provenance data, as well as dates and potential departments with whom the code was shared, for an example of what can be gleaned from these reports.
One revelation that came out of the leak was the use of hardware implants for mass storage/slurping and/or exploitation. The YarnBall project, for example, is a USB-device primarily used for keylogging on Apple hardware. Across associated documentation is the NyanCat reference, which is a mass storage device, as well as spoofed Human Interface Devices (HID).
Most referenced vendors are coming forward with statements that speak to the leaked revelations. Apple and Telegram, for example, have each released material around their ‘current’ exposure to the exploits/threats outlined in the Year Zero dataset. More on this story as it develops.
VeriFone, the largest manufacturer of credit-card terminal hardware in the United States, is currently investigating a large-scale breach. In late January 2017, VeriFone began taking internal actions to address a potential breach. External communications also started appearing at this time.
To date, VeriFone’s official statement on the matter is as follows:
“VeriFone’s information security team identified evidence of this very limited cyber intrusion into our corporate network in January 2017, and we proactively notified Visa, MasterCard and other card schemes.”
The event is currently under heavy analysis, and little has been issued publicly from VeriFone. There are some parties speculating on relationships to both the Carbanak gang and the 2016 Oracle MICROS breach. Based on current data, it has become apparent that the internal networks were breached, in addition to the limited ‘activity’ via point of sale (POS) resident malware on the hardware in approximately two dozen gas stations. This occurred over a short time frame.
At this time, it is recommended that customers and concerned consumers verify they are on the latest and most secure versions of affected hardware/software/terminals. In addition, it is imperative to review existing configurations for any perceived weaknesses, update properly configured endpoint controls where necessary, etc. While the scope of this campaign may be narrow, it is worth noting that payment terminals and hosts connected to them are always at risk both locally and remotely.