May 22, 2022

Cash Register Vendors Targeted, AutoSoft Compromised by Ransomware in a Supply-Chain Attack 

On May 17th, the cash register vendor AutoSoft has been targeted by the infamous ‘LockBit 2.0’ ransomware. 

According to a private statement sent to their customers by AutoSoft, 200 computers have been compromised, and attempts are being made to contact all customers that could potentially be affected by the attack. 

This is a supply-chain attack. There is a risk of other cash register vendors being attacked, and currently, there is also a risk of compromise to companies that are not AutoSoft customers as they can be compromised either directly or indirectly by other cash register vendors, or their customers. 

Mitigation

CYREBRO recommends requesting that your cash register systems/service provider (referred to as “vendor”) implement and assist with the following steps: 

• Reset any passwords related to the vendor’s systems and services. 
• Enforce multi-factor authentication for remote connection to the vendor’s registers and administrative panels. 

• Consider modifying the network’s architecture to ensure that customer access to the vendor’s registers is routed through the vendor’s servers, rather than a direct connection. Combined with strong authentication, this will allow limiting remote register access strictly to the vendor’s addresses. 
• It is recommended to digitally sign files destined to be distributed to the registers. Ensure the signature is legitimate and the files are malware-free prior to distribution. It is also recommended that only specific, permitted users will be able to distribute the files. If the legitimacy of the files received by the vendor is in question, contact them to ensure that the files were indeed sent by them. 

CYREBRO recommends following these steps to mitigate the risk of compromise: 

• Consider implementing multi-factor authentication in all online services.
• Ensure all hardware, firmware, and software in the organization is up to date. 
• Ensure critical data is backed up routinely and those backups are held in a safe and separate environment (preferably off-site, if possible). 
• Be alert of suspicious emails or other forms of communications as the results of this and potential upcoming attacks might be an increase in phishing attempts.