Patching issues fast is a step toward software security. But as the Click2Gov breaches show, zero-day vulnerabilities resist even the most persistent patchers.
The original version of this post was published in Forbes.
Just about every organization, including the biggest of all—government at all levels—encourages you to pay your bills online. You know the pitch: It’s easy! It’s quick! It’s convenient! It saves paper!
And, they also say, it’s safe and secure!
Except when it isn’t.
Which has been on display for more than a year now, due to an apparently continuing breach of Click2Gov, an online bill-payment portal developed by Superion that allows users to pay for local government services such as utilities, building permits, and business licenses.
While at least one vulnerability has been patched since the company first acknowledged a breach in October 2017, a report released earlier this week by Gemini Advisory found that it is ongoing. It said compromised credit card data now for sale in underground online marketplaces had “likely been stolen from local municipal services that license Click2Gov software.”
Gemini said it had found at least 46 compromised U.S. locations and one in Canada, some of those compromises as recent as this past month, adding that, “As of this writing 294,929 payment records were compromised, earning criminals at least $1.7 million.”
It also said more than 12,283 compromised payment cards connected to the breach were discovered in just the past 30 days, “indicating that hackers still maintain the access to infiltrated systems.”
All of which offers several sobering reminders: It is crucial to build security into software from the ground up. That means making it part of the software development life cycle (SDLC) from start to finish. And, it is crucial to maintain a rigorous malware detection system after software is deployed.
Superion, now part of CentralSquare, said on the company website in October 2017 that a breach had affected “a small number of our customers’ computer networks,” but that a forensic investigation “found no evidence of credit card scrapers or evidence of credit card data extraction on any server we’ve analyzed.”
It also said at the time that it had notified customers, some as early as September 2017, about possible vulnerabilities in their networks “and provided them with recommendations for addressing the same.”
Eight months later, this past June, after more reports of suspicious activity, the company issued another post saying it had patched the vulnerability that led to the 2017 breach, and that problems had been reported only on locally hosted, on-premises networks.
“Not a single client in Superion’s data centers or in the Superion Cloud has faced these issues, even when they are using the same software product,” the company said, adding that fully patched systems should be safe to use.
Since then, however, as noted above, there has been abundant evidence of credit card data extraction. And multiple cities have reported fraudulent transactions using card data that had been used on Click2Gov.
Security firm FireEye reported in September that its researchers had found malware capable of collecting payment card information within Click2Gov—malware with a “very low detection rate” by antivirus solutions.
Another firm, Risk Based Security, agreed in part with Superion, reporting this past September that only locally based installations appear to be at risk, and that “only one-time payments are at risk. Data for customers with auto-pay enabled has not been exposed.”
And Jesse Victors, security consultant with Synopsys, said it appears that Superion “did a lot of things right,” but that as FireEye noted, “this malware seems very sneaky and quite hard to detect. This is clearly targeted by a highly skilled attacker who is well-versed in Click2Gov.”
CentralSquare did not respond to a request for comment, but Gemini said the company had acknowledged that “despite broad patch deployment the system remains vulnerable for an unknown reason … [I]t appears that the attackers uncovered another undetected vulnerability, which has yet to be patched.”
Indeed, Gemini’s Stas Alforov, who wrote the summary of the report, said that Lakeworth, Fla., reported that its Click2Gov portal had been breached twice this year. “This would lead me to believe there is a new vulnerability in the system,” he said.
Alforov said it is also likely that some of the local breaches are due to municipalities failing to install all available patches. But either way, with estimates that there are anywhere from 600 to thousands of installations of Click2Gov in the U.S. and Canada, it is obvious that others remain at risk.
What should the company and its customers be doing?
The obvious goal for Superion/CentralSquare is to find and patch the vulnerability—something that should be possible with numerous sophisticated software analysis tools now available.
Victors said unknown unknowns, better known as “zero-day” vulnerabilities in software, “are very difficult to defend against. The best approach is security-in-depth. High-risk software should always be regularly updated to patch any new vulnerabilities. The software should be restricted to only necessary users using a firewall and/or strong authentication, which limits the ability for an attacker to gain access.”
For customers, FireEye recommended that, besides a patch management program, organizations should “consider implementing a file integrity monitoring solution to monitor the static content and code that generates dynamic content on e-commerce webservers for unexpected modifications.”
“Another best practice is to ensure any web service accounts run at least privilege,” the company said.
To that, Victors added that municipalities should deploy the software “inside access control mechanisms, such as SELinux, AppArmor or Grsecurity. These limit the functions that the software is allowed to do, which can restrict an exploit from gaining additional access.”
And Alforov said given that the breaches appear not to have affected cloud-based systems, municipalities should make the move to the cloud if they can.
To which Victors offered a caveat. “Cloud-based solutions may have other security and data privacy trade-offs,” he said. “In general, critical financial software should be deployed according to its documentation, best security practices, and regularly updated.”