Menu
Botnet brute-forces remote access to point-of-sale systems

Botnet brute-forces remote access to point-of-sale systems

A new malware threat scans the Internet for POS systems and tries to access them using common usernames and passwords

Thousands of compromised computers are actively trying to break into point-of-sale (POS) systems using brute-force techniques to guess remote administration credentials.

The computers are part of a botnet, dubbed BrutPOS by researchers from security firm FireEye, that has been active since at least February. The botnet scans attacker-specified IP (Internet Protocol) address ranges for systems that accept Remote Desktop Protocol (port 3389) connections.

When an RDP service is identified, the BrutPOS malware attempts to log in with user names and passwords from a predefined list.

"Some of the usernames and passwords indicate that the attackers are looking for specific brands of POS systems such as Micros," the FireEye researchers said Wednesday in a blog post.

Micros Systems is based in Columbia, Maryland, and provides software applications, services and hardware systems, including POS terminals, to the hospitality and retail industries.

If the BrutPOS malware successfully guesses the remote access credentials of an RDP-enabled system it sends the information back to a command-and-control server. Attackers then use the information to determine whether the system is a POS terminal and if it is, to install a malware program that's designed to extract payment card details from the memory of applications running on it.

This kind of memory monitoring program is known as a RAM scraper and has increasingly been used in attacks against POS systems over the past year. A data breach last year at Target that led to the compromise of 40 million payment cards resulted from the retailer's POS terminals being infected RAM scraping malware.

Researchers from cyberthreat intelligence firm IntelCrawler have also monitored the BrutPOS malware, which they believe appeared in the cybercriminal underground in May as a project called @-Brt. According to them, it doesn't only target RDP, but other remote administration protocols like VNC and PCAnywhere as well.

FireEye has identified a total of five BrutPOS command-and-control servers, two of which are still online. The two remaining servers are located in Russia and were set up in late May and early June respectively.

Data collected from these servers suggests that the botnet is made up of 5,622 compromised computers from 119 countries. The researchers identified 60 RDP-enabled systems -- most likely POS terminals -- that have been compromised, 51 of which are based in the U.S.

"The most common username was 'administrator' (36) and the most common passwords were 'pos' (12) and 'Password1' (12)," the FireEye researchers said.

According to IntelCrawler's data, other remote access passwords frequently used on the compromised systems were aloha12345, micros, pos12345, posadmin and javapos.

"While there is insufficient information to determine attribution, there is some information which indicates that the attackers are in Eastern Europe, probably Russia or Ukraine," the FireEye researchers said.

In recent years POS systems have become a significant target for cybercriminals. Security firm Trustwave recently reported that over a third of data breaches the company investigated last year involved intrusions into POS terminals. Weak passwords, especially those for VPNs (virtual private networks), SSH (Secure Shell) and remote desktop connections remained a leading cause of breaches, the company said.

Brute-forced remote access connections and stolen credentials were the primary vectors for POS intrusions in 2013, Verizon said in its own data breach investigations report in April.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags intrusiontrustwaveIntelCrawlersecurityverizonAccess control and authenticationFireEyemalwarefraud

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments