Breach at Hy-Vee Supermarket Chain Tied to Sale of 5M+ Stolen Credit, Debit Cards

Aug 19


On Tuesday of this week, one of the more popular underground stores peddling credit and debit card data stolen from hacked merchants announced a blockbuster new sale: More than 5.3 million new accounts belonging to cardholders from 35 U.S. states. Multiple sources now tell KrebsOnSecurity that the card data came from compromised gas pumps, coffee shops and restaurants operated by Hy-Vee, an Iowa-based company that operates a chain of more than 245 supermarkets throughout the Midwestern United States.

Hy-Vee, based in Des Moines, announced on Aug. 14 it was investigating a data breach involving payment processing systems that handle transactions at some Hy-Vee fuel pumps, drive-thru coffee shops and restaurants.

The restaurants affected include Hy-Vee Market Grilles, Market Grille Expresses and Wahlburgers locations that the company owns and operates. Hy-Vee said it was too early to tell when the breach initially began or for how long intruders were inside their payment systems.

But typically, such breaches occur when cybercriminals manage to remotely install malicious software on a retailer’s card-processing systems. This type of point-of-sale malware is capable of copying data stored on a credit or debit card’s magnetic stripe when those cards are swiped at compromised payment terminals. This data can then be used to create counterfeit copies of the cards.

Hy-Vee said it believes the breach does not affect payment card terminals used at its grocery store checkout lanes, pharmacies or convenience stores, as these systems rely on a security technology designed to defeat card-skimming malware.

“These locations have different point-of-sale systems than those located at our grocery stores, drugstores and inside our convenience stores, which utilize point-to-point encryption technology for processing payment card transactions,” Hy-Vee said. “This encryption technology protects card data by making it unreadable. Based on our preliminary investigation, we believe payment card transactions that were swiped or inserted on these systems, which are utilized at our front-end checkout lanes, pharmacies, customer service counters, wine & spirits locations, floral departments, clinics and all other food service areas, as well as transactions processed through Aisles Online, are not involved.”

According to two sources who asked not to be identified for this story — including one at a major U.S. financial institution — the card data stolen from Hy-Vee is now being sold under the code name “Solar Energy,” at the infamous Joker’s Stash carding bazaar.

An ad at the Joker’s Stash carding site for “Solar Energy,” a batch of more than 5 million credit and debit cards sources say was stolen from customers of supermarket chain Hy-Vee.

Hy-Vee said the company’s investigation is continuing.

“We are aware of reports from payment processors and the card networks of payment data being offered for sale and are working with the payment card networks so that they can identify the cards and work with issuing banks to initiate heightened monitoring on accounts,” Hy-Vee spokesperson Tina Pothoff said.

The card account records sold by Joker’s Stash, known as “dumps,” that were apparently stolen from Hy-Vee are being sold for prices ranging from $17 to $35 apiece. Buyers typically receive a text file that includes all of their dumps. Those individual dump records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase merchandise in big box stores.

As noted in previous stories here, the organized cyberthieves involved in stealing card data from main street merchants have gradually moved down the food chain from big box retailers like Target and Home Depot to smaller but far more plentiful and probably less secure merchants (either by choice or because the larger stores became a harder target).

It’s really not worth spending time worrying about where your card number may have been breached, since it’s almost always impossible to say for sure and because it’s common for the same card to be breached at multiple establishments during the same time period.

Just remember that while consumers are not liable for fraudulent charges, it may still fall to you the consumer to spot and report any suspicious charges. So keep a close eye on your statements, and consider signing up for text message notifications of new charges if your card issuer offers this service. Most of these services also can be set to alert you if you’re about to miss an upcoming payment, so they can also be handy for avoiding late fees and other costly charges.

Tags: Hy-Vee breach, Joker’s stash


Firewall best practices to protect against ransomware

Ransomware has recently vaulted to the top of the news again, as devastating attacks continue to impact government, education and business operations in many jurisdictions, particularly in the United States.

These attacks start in a number of ways – some start with a phishing email, others begin with hackers leveraging vulnerabilities in networking stacks to gain a foothold and move quickly to other systems on the network. The most famous network vulnerability exploited in a ransomware attack was EternalBlue a couple of years ago. Since then, new vulnerabilities like BlueKeep have been discovered (and patches made available), yet there are still many networks out there that remain vulnerable.

Unfortunately, many of these network stack vulnerabilities are ‘wormable’ which means that hackers and malware can exploit these holes in an automated method with no user interaction, enabling the infection to spread quickly and easily to a wide group of systems.

Of course, deploying an industry leading anti-ransomware endpoint protection product like Sophos Intercept X, and maintaining a strict patch management strategy are top best practices. But there are also other best practices you should consider to help keep ransomware, hackers, and attacks off your network in the first place.

Your firewall provides essential protection against exploits like EternalBlue and BlueKeep by closing up or protecting vulnerable ports, as well as by blocking attacks using an Intrusion Prevention System (IPS). IPS inspects network traffic for vulnerability exploitation and blocks any attempt by attackers to get through your network perimeter, or even to cross boundaries or segments within your internal network.

While we have a full guide on how to protect your network, here are the essential firewall best practices to prevent ransomware attacks from getting into and moving laterally on your network:

  • Reduce the surface area of attack: Review and revisit all port-forwarding rules to eliminate any non-essential open ports. Where possible use VPN to access resources on the internal network from outside rather than port-forwarding. Specifically for RDP, ensure port 3389 is not open on your firewall.
  • Apply IPS protection: Apply suitable IPS protection to the rules governing traffic to/from any Windows hosts on your network.
  • Minimize the risk of lateral movement: Use XG Firewall and Synchronized Security to protect against threats moving laterally on your network and consider segmenting your LANs into smaller subnets, assigning those to separate zones that are secured by the firewall. Apply suitable IPS policies to rules governing the traffic traversing these zones to prevent worms and bots from spreading between LAN segments.
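The three practices above can be turned into a repeatable audit. The script below is an added example, not code from the original post or from Sophos: it walks a set of firewall forwarding rules, flags high-risk ports (RDP 3389, SMB 445 and similar) exposed from the internet, flags any other internet-facing forward that is not on an explicit essential-services list, and flags zone-to-zone rules that carry those same ports without an IPS policy (the lateral-movement path a worm uses). The rule set, the field names (`src_zone`, `ips_policy`, …) and the essential-port list are constructed assumptions; a real deployment would populate the list from the firewall's own rule export.

```python
"""Audit firewall forwarding rules against the ransomware checklist:
reduce attack surface, apply IPS, limit lateral movement.

Added example; the rule format and sample data are constructed, not
taken from any particular firewall product.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional

INTERNET_ZONE = "WAN"

# Ports that should never be forwarded in from the internet. The text names
# RDP and the SMB/EternalBlue family; the rest are the usual companions.
HIGH_RISK_PORTS: Dict[int, str] = {
    3389: "RDP (BlueKeep-class exposure; reach it over VPN instead)",
    445: "SMB (EternalBlue-class exposure)",
    139: "NetBIOS session service",
    135: "MS-RPC endpoint mapper",
    23: "Telnet",
}

# Inbound services this (constructed) organisation has decided it must
# publish. Anything else forwarded from the internet is a finding.
ESSENTIAL_PORTS = {443, 25}


@dataclass
class ForwardRule:
    name: str
    src_zone: str            # "WAN" for internet-originated traffic
    dst_zone: str            # internal zone/segment the rule lands in
    dst_port: int
    dst_host: str
    ips_policy: Optional[str] = None   # None = no IPS policy attached
    enabled: bool = True


@dataclass
class Finding:
    rule: str
    severity: str            # "critical" | "high" | "medium"
    message: str


def audit_rule(rule: ForwardRule) -> List[Finding]:
    """Return the findings for one rule (empty list if it is clean)."""
    findings: List[Finding] = []
    if not rule.enabled:
        return findings                      # disabled rules expose nothing

    risk = HIGH_RISK_PORTS.get(rule.dst_port)

    if rule.src_zone == INTERNET_ZONE:
        # Step 1: reduce the surface area of attack.
        if risk is not None:
            findings.append(Finding(rule.name, "critical",
                f"port {rule.dst_port} forwarded from the internet: {risk}"))
        elif rule.dst_port not in ESSENTIAL_PORTS:
            findings.append(Finding(rule.name, "high",
                f"port {rule.dst_port} is not an essential service; remove "
                f"the forward or move access behind the VPN"))
    elif risk is not None and rule.ips_policy is None:
        # Step 3: zone-to-zone traffic on a worm-friendly port with no IPS.
        findings.append(Finding(rule.name, "high",
            f"{rule.src_zone}->{rule.dst_zone} allows port {rule.dst_port} "
            f"({risk}) without IPS; worms spread between segments this way"))

    # Step 2: every rule that touches a host should carry an IPS policy.
    if rule.ips_policy is None:
        findings.append(Finding(rule.name, "medium",
            "no IPS policy attached; apply one to traffic to/from this host"))
    return findings


def audit_rules(rules: List[ForwardRule]) -> List[Finding]:
    return [f for r in rules for f in audit_rule(r)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, always reporting all three keys."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample rule set for the example.
SAMPLE_RULES = [
    ForwardRule("rdp-to-fileserver", "WAN", "LAN", 3389, "10.0.1.10"),
    ForwardRule("https-web", "WAN", "DMZ", 443, "10.0.2.5", ips_policy="web"),
    ForwardRule("smtp-relay", "WAN", "DMZ", 25, "10.0.2.6"),
    ForwardRule("legacy-app", "WAN", "LAN", 8080, "10.0.1.20", ips_policy="default"),
    ForwardRule("finance-smb", "FINANCE", "LAN", 445, "10.0.1.30"),
    ForwardRule("old-rdp", "WAN", "LAN", 3389, "10.0.1.40", enabled=False),
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f.severity.upper():8}] {f.rule}: {f.message}")
    print(summarize(audit_rules(SAMPLE_RULES)))
```

The first rule in the sample produces both the critical finding (RDP open to the internet) and the medium one (no IPS), which mirrors how the checklist items compound: closing the port removes the exposure, but the IPS gap on the remaining rules still needs fixing separately.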

XG Firewall and Synchronized Security are your best protection against the latest threats with industry leading protection and performance. Stop the latest hacks and attacks dead in their tracks.

Download the guide to learn more.

Blocking attacks against Windows “CTF” vulnerabilities

Operating systems and run-time environments typically provide some form of isolation between applications. For example, Windows runs each application in a separate process. This isolation stops code running in one application from adversely affecting other, unrelated applications.

This means a non-administrative user mode process can’t access or tamper with kernel code and data, and an unauthorized user mode process can’t dig into the code and data of another process.

But it turns out that Windows process isolation is imperfect, thanks to an undocumented and buggy component known only as “CTF”, part of the Windows Text Services Framework (TSF), that is present in all versions right back to Windows XP.

The dated code and insecure design of this subsystem allows a non-administrative, unauthorized attacker to hijack any Windows process – including applications running in a sandbox like AppContainer – and to gain full admin rights.

This design flaw in CTF was discovered and exploited by Google Project Zero researcher Tavis Ormandy, who wrote an in-depth blog article about his findings.

Designated CVE-2019-1162, Ormandy’s attack is what’s known as an Elevation of Privilege (EoP) vulnerability.

That means it doesn’t allow attackers to break into computers in the first place – to exploit this weakness, an attacker must already have got in, perhaps by using credentials stolen from another computer, by exploiting a remote code execution vulnerability, or by tricking the user into opening a booby-trapped document or running malicious software (malware).

Nevertheless – even though Sophos Intercept X already stops attackers getting this initial foothold, and even though the CVE-2019-1162 bug has already been patched by Microsoft – we expect adversaries to try to find additional weakness in CTF, taking advantage of the attack surface that stems from CTF’s old and insecure design.

So, the Sophos Threat Mitigation team has developed a system-level exploit mitigation that prevents abuse of the CTF subsystem.

Dubbed CTF Guard, this new component intercepts and blocks applications that attempt to exploit CTF.

For example, Tavis Ormandy’s ctftool.exe, described as an “interactive CTF exploration tool” that lets researchers probe and try to find holes in CTF, is intercepted and terminated when it attempts to connect to and communicate with the CTF subsystem.

CTF Guard is already available in Sophos HitmanPro.Alert, and is coming soon to Sophos Intercept X.