Published on August 28th, 2020
Trojan apparently infects NCR, posing possible supply-chain risk
A trojan infected NCR Corporation, potentially posing a supply chain risk to customers of the popular point-of-sale and ATM software developer, the CEO of cybersecurity firm Prevailion exclusively told SC Media.
Prevailion CEO Karim Hijazi identified the malware as Lethic, an old botnet threat that dates back to roughly 2008. While it has traditionally been used to distribute spam, it has full trojan capabilities, including remote access, lateral movement and the downloading of additional payloads. While Lethic is not new to the scene, Hijazi noted that such malware is often repackaged so that conventional anti-virus tools won't catch it.
Hijazi said Prevailion, which monitors malicious command-and-control communications over the internet, witnessed more than 180 days of C2 beaconing activity stemming from an IP address traced to NCR in Atlanta, home to the tech company’s headquarters.
“It’s been going on for an incredibly long time from our perspective… and it looks like there’s been even an uptick in terms of the frequency and cadence lately,” said Hijazi, noting that Prevailion has counted approximately 242,000 C2 beacons received from NCR’s IP address over the course of the infection.
“[I]t has consistently moved up to a severe state, from our perspective, because… the longer something has time to persist in an environment, the more severe it actually is, because it has more time to do damage and has more doors that it can open up,” Hijazi continued.
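The article says only that Prevailion monitors C2 communications and counted beacons over the life of the infection; it does not describe the firm's method. The following is an added example, not Prevailion's tooling and not NCR traffic: a minimal beacon-candidate detector over constructed outbound connection records. It groups connections by source and destination, measures how regular the interval between connections is (coefficient of variation of the inter-arrival time, low for a scheduled beacon and high for human-driven traffic), reports the count and dwell time in days, and breaks the count out per calendar day so a change in cadence like the one Hijazi describes is visible. The log format, the IP addresses, the thresholds and the sample data are all assumptions.

```python
"""Beacon-candidate detection over outbound connection logs.

Added example for this article; it is not Prevailion's tooling and the
records below are constructed, not NCR traffic. The record format
('ISO-timestamp src dst:port') and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_lines():
    """Construct synthetic outbound connection records (not real data)."""
    start = datetime(2020, 2, 1)
    lines = []
    # Host A: ~10-minute cadence with small jitter, sustained for 48 hours.
    jitter = [0, 15, -20, 30, -10, 5]
    t = start
    for i in range(288):
        lines.append(f"{t.isoformat()} 10.20.30.40 203.0.113.7:443")
        t += timedelta(seconds=600 + jitter[i % len(jitter)])
    # Host B: irregular, human-driven intervals to a CDN edge.
    gaps = [45, 900, 12, 3000, 300, 7, 1800, 60]
    t = start
    for i in range(40):
        lines.append(f"{t.isoformat()} 10.20.30.41 198.51.100.9:443")
        t += timedelta(seconds=gaps[i % len(gaps)])
    return lines


def parse_records(lines):
    """Parse 'timestamp src dst:port' lines into (datetime, src, dst) tuples."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        records.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return records


def summarize_pairs(records):
    """Per (src, dst): connection count, dwell time in days, mean interval
    and its coefficient of variation (CV). A low CV means a near-constant
    interval, the timing signature of a scheduled beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    summary = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < 2:
            continue  # not enough intervals to judge regularity
        m = mean(gaps)
        summary[pair] = {
            "count": len(stamps),
            "dwell_days": (stamps[-1] - stamps[0]).total_seconds() / 86400,
            "mean_interval_s": m,
            "cv": pstdev(gaps) / m if m > 0 else float("inf"),
        }
    return summary


def flag_beacons(summary, max_cv=0.2, min_count=24):
    """Return (src, dst) pairs whose timing is regular enough to review.
    Thresholds are assumptions; tune them against your own baseline."""
    return sorted(p for p, s in summary.items()
                  if s["count"] >= min_count and s["cv"] <= max_cv)


def daily_counts(records, src, dst):
    """Connections per calendar day for one pair, to spot a cadence change."""
    counts = defaultdict(int)
    for ts, s, d in records:
        if (s, d) == (src, dst):
            counts[ts.date().isoformat()] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    recs = parse_records(build_sample_lines())
    summ = summarize_pairs(recs)
    for pair in flag_beacons(summ):
        s = summ[pair]
        print(f"{pair[0]} -> {pair[1]}: {s['count']} connections over "
              f"{s['dwell_days']:.1f} days, interval {s['mean_interval_s']:.0f}s, "
              f"CV {s['cv']:.3f}")
        print("  per day:", daily_counts(recs, *pair))
```

Run against the constructed data, only Host A is flagged: 288 connections at a steady ten-minute interval over two days, while Host B's irregular timing gives a CV well above the threshold. Real beacons add jitter and sleep randomization precisely to defeat this kind of check, so CV should be one signal among several (destination reputation, byte-size uniformity, long dwell time) rather than a verdict on its own.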
Perhaps of greatest concern is the possibility that the trojan has compromised NCR in a way that could spread malware to the $6.92 billion company's clients, for instance through trojanized POS or ATM software updates.
“Any organization they may be connected to could also be impacted, so this is a contagious scenario,” said Hijazi. “That infection could island hop effectively from them to another party or vice versa – they may have contracted it from others. We don’t really know. The concerning part of this is that, obviously, any organization sharing data with someone like NCR could run the risk of having that data stolen by way of these tools.”
Prevailion had not alerted NCR of the infection, but SC Media has reached out to the company to disclose the issue and request comment. NCR did not respond to the request at the time of publication.
Earlier this month, Prevailion publicly reported that it also saw evidence of a network compromise and malware infection at the cruise operator Carnival for a period spanning from Feb. 2 through June 6, 2020.