US feds were spotted raiding a warehouse belonging to Chinese payment terminal manufacturer PAX Technology in Jacksonville, Florida, on Tuesday, with speculation abounding that the machines contained preinstalled malware.
PAX Technology is headquartered in Shenzhen, China, and is one of the largest electronic payment providers in the world. It operates around 60 million point-of-sale (PoS) payment terminals in more than 120 countries.
Local Jacksonville news anchor Courtney Cole tweeted photos of the scene.
This is a look at the FBI investigation from our @ActionNewsJax Sky Vision Drone. There are several agencies involved in this investigation @ PAX Technology Warehouse. ⬇️ We’ve seen FBI, Homeland Security + JSO here to assist. pic.twitter.com/ZY24YfDI52
— Courtney Cole (@CourtneyANJax) October 26, 2021
Local news outlet WOKV was able to obtain a statement from the Federal Bureau of Investigation (FBI) confirming they were executing a court-authorised search as part of a federal investigation. The FBI said the investigation was active and ongoing but did not provide a timeline.
Security buff Brian Krebs reported that the raid could be tied to cyberattacks on the US and EU, after a tip-off from a major US payment processor that noticed the terminals behaving suspiciously. Allegedly the machines were emitting unusual network packets whose sizes didn’t match the data they should have been sending, along with telemetry that didn’t correlate with software updates.
The PAX terminals were allegedly being used as malware droppers and command-and-control locations for staging attacks and collecting information. According to Krebs, a major financial provider in the US and in the EU has already started pulling the machines, and it’s not just the FBI investigating – MI5 is looking into the matter too.
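The two signals Krebs describes above, payload sizes out of line with normal transaction traffic and transfers that don’t line up with scheduled updates, are the sort of thing a processor can check against per-terminal flow records. The following is an added illustration, not code from the article or from PAX; the gateway hostname, flow records and update window are all constructed.

```python
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical payment-gateway host the terminal is supposed to talk to.
EXPECTED_DEST = "gateway.processor.example"

# Constructed flow records from one terminal: (timestamp, destination, bytes sent).
# Authorisation messages are small and uniform; a software update is the one legitimate big transfer.
KNOWN_GOOD = [
    (datetime(2021, 10, 26, 9, 0), EXPECTED_DEST, 512),
    (datetime(2021, 10, 26, 9, 5), EXPECTED_DEST, 540),
    (datetime(2021, 10, 26, 9, 10), EXPECTED_DEST, 498),
    (datetime(2021, 10, 26, 9, 15), EXPECTED_DEST, 530),
    (datetime(2021, 10, 26, 9, 20), EXPECTED_DEST, 505),
    (datetime(2021, 10, 26, 9, 25), EXPECTED_DEST, 520),
]
FLOWS = KNOWN_GOOD + [
    (datetime(2021, 10, 26, 10, 0), EXPECTED_DEST, 48000),  # large, but inside an update window
    (datetime(2021, 10, 26, 11, 0), EXPECTED_DEST, 9600),   # large, no update scheduled
    (datetime(2021, 10, 26, 11, 5), "203.0.113.7", 510),    # normal size, unknown destination
]
# Constructed maintenance schedule: large transfers are only expected inside these windows.
UPDATE_WINDOWS = [(datetime(2021, 10, 26, 9, 55), datetime(2021, 10, 26, 10, 15))]

def in_update_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)

def size_baseline(flows):
    """Mean and standard deviation of bytes sent to the expected gateway in known-good traffic."""
    sizes = [nbytes for _, dest, nbytes in flows if dest == EXPECTED_DEST]
    return mean(sizes), pstdev(sizes)

def flag_anomalies(flows, known_good, windows, z_max=3.0):
    """Return (timestamp, reason) for flows that break the terminal's expected profile."""
    mu, sigma = size_baseline(known_good)
    findings = []
    for ts, dest, nbytes in flows:
        if dest != EXPECTED_DEST:
            findings.append((ts, f"traffic to unexpected destination {dest}"))
        elif in_update_window(ts, windows):
            continue  # a big download during a scheduled update is expected, not suspicious
        else:
            z = abs(nbytes - mu) / sigma if sigma else (0.0 if nbytes == mu else float("inf"))
            if z > z_max:
                findings.append((ts, f"payload of {nbytes} bytes is {z:.0f} sigma from baseline"))
    return findings
```

Running `flag_anomalies(FLOWS, KNOWN_GOOD, UPDATE_WINDOWS)` flags only the 11:00 oversized transfer and the 11:05 flow to an unknown host; the 10:00 update download is suppressed by the schedule.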
With PoS machines everywhere, it’s easy to overlook that the machines are computers with points of vulnerability. However, use of the technology as a malware carrier has been going on for a long time, and is rather inevitable given the items’ wide geographical distribution and access to credit cards.
In 2014, Target lost control of up to 70 million US shoppers’ data and 40 million credit and debit cards due to an attack on its payment systems.
Just who the staging and data collection is for in this case (if Krebs turns out to be right) remains uncertain. While it is possible that the threat actor is the company itself, it may be more likely the software supply chain has been poisoned. ®