Recent media articles pertaining to Malware Attack on the payment switch application of one oldest co-operative and losses been reported is disturbing for us at SISA.
SISA on 20th December 2017 had issued a global advisory warning banks that cyber criminals were identified who were using fake response malware to inject malicious script to payment switch servers for generating fake response messages to the request received from payment brands.
However, considering the resurfacing of this attack, more importantly, as part of our PFI activity the intruder is there in the system for more than a year. Hence, we can’t prevent a breach, but at-least, we will be able to stop lateral movement and egress point. Unless there is egress, the intruder hasn’t succeeded.
We are recommend the following immediate steps that banks can implement proactively in order to secure the payment switch applications and network environment:
1. Enable multi-factor authentication for any users to login to the Switch Application Server
2. Enable IP table to restrict only authorized systems access to the switch server
3. Reset the password of all privileged users in the Switch Application Server
4. Reach out to your Payment Forensic Investigator (PFI), authorized by the payment brands and listed on PCI Council website, within 24 hours of any suspicion
5. Conduct a credential based vulnerability assessment scan. A non-credential based vulnerability assessment scan has limitations in identifying all the vulnerabilities present in the servers/network components.
6. Conduct web application penetration testing for all web-interfaces present in the network. All applications which have a web-interface, whether internal or external needs to be tested.
7. Instruct your Security Operations Centre to identify any similar Indicators of Compromise (IOCs). Also as part of the S-SOC operations, have thread hunting activity carried out for this particular IOC.
8. Ensure PCI DSS certification for scoped environment and deploy PA-DSS validated application by Authorized QSA’s listed on PCI Security Standard council website.