NCR, manufacturer of ATMs and points of sale, suffers an advanced malware infection

Through a report from its security team, NCR Corporation, manufacturer of ATMs, points of sale and other payment processing solutions, revealed that some computers on its network were infected with a dangerous malware variant. In its alert, the company mentions that its IT team managed to isolate the infection, so its customers’ information was not compromised.

In exclusive statements to SC Media, a security firm representative stated that the virus detected on NCR networks is a dangerous Trojan, so the company should try to implement additional security mechanisms to prevent any new incidents.

Karim Hijazi, director of security firm Prevailion, mentions that the detected Trojan is known as Lethic, a malware first detected in 2008. Initially used for spam distribution, this malware has since received multiple updates that added remote access, lateral movement, and the download of add-ons for subsequent attacks.

“We have detected a noticeable increase in the frequency of these attacks,” says Hijazi, noting that Prevailion has collaborated extensively in the active detection of these incidents. In its report, Prevailion claims that considerable command and control traffic from NCR networks was detected.

Through an official statement, NCR Corporation disputed some details of Prevailion’s report: “We have no evidence that there is actual command and control traffic coming out of our networks.”

Although the security firm traced the malicious activity to an IP address associated with the company, NCR security expert Bob Varnadoe mentions: “The IP addresses associated with the company are registered under the NCR name as the corporate headquarters address”. This would explain Prevailion’s finding. The company’s message goes on to mention that all of its systems and operations are running normally, emphasizing that the infection did not reach systems that store information from its customers and partners.

In its statement NCR did not confirm whether the affected computers were infected with the Lethic Trojan or what type of information is compromised, merely mentioning that the investigation is still ongoing. Finally, Prevailion mentioned that they are collaborating with NCR security teams to share their findings and successfully complete the investigation.