Protecting Financial Systems from Exploitation Kit with Zero-day Exploits


Many businesses today rely on Point-of-Sale (PoS) devices for onsite financial transactions. Regardless of form factor (cash registers, computers with PoS software, or tablets with PoS apps), all of these devices depend on the ability to connect securely to centralized systems to process the transactions, typically Virtual Private Cloud (VPC) environments in the cloud.

Because they process sensitive and valuable financial and credit card information, businesses with PoS systems are targets of a wide range of cyber security exploits.


In this scenario a restaurant’s computer with PoS software operates within a VPC environment using Virtual Private Network (VPN) encryption over a wireless 3G connection. The computer is used both for transactions as well as internet access via a centrally located proxy solution.

Because the PoS computer enables employees not only to perform transactions but also to read company and private e-mail and browse the Internet, the restaurant was exploited by an attacker who sent one of the restaurant's employees a targeted phishing email that looked as if it originated from the company headquarters.

Upon opening a link provided within the email, the employee was taken to a seemingly harmless website. The user was unaware that this action compromised the PoS system with an exploit that made use of a zero-day (never before seen) vulnerability.

With this successful exploitation, the attacker was able to make the PoS computer download an Exploitation Kit (EK), which established the machine as a Command-and-Control (C2) node with connections to malicious servers used to provide further instructions from the attacker.

Consequences Avoided

With this restaurant subscribed to the CTS-AI service, the attempted C2 connections would be immediately detected using a combination of machine learning and threat intelligence, and responded to in order to contain the threat and prevent further compromise. A notification is sent immediately to the client with a reference to a Security Incident Report detailing the life cycle of the security incident.

Because it continuously analyzes activity and irregular behavior patterns, CTS-AI can immediately detect and block malicious outbound C2 connections, preventing the PoS computer from being used as a staging host for further compromises. This is all possible with the CTS-AI Analysis Engine developed by NTT and WhiteHat Security and a global threat intelligence ecosystem normally reserved for larger enterprises.