Sunday 13 July, 2014
Written by: Anonymous Singer
A new botnet campaign, known as BrutPOS, aims to steal payment card information from POS systems. It succeeds because of poorly secured Microsoft Remote Desktop Protocol (RDP) servers and weak passwords.
“Cyber criminals are infecting thousands of computers around the world with malware and are utilizing those compromised machines to break into Point-of-Sale (PoS) terminals using brute-force techniques, and the attackers have already compromised 60 PoS terminals by brute-force attacks against poorly-secured connections to guess remote administration credentials,” researchers from FireEye said.
Point-of-Sale (PoS) machines are used worldwide and are easy to set up; they improve inventory tracking and record accuracy. But PoS systems are critical components in any retail environment, and their users are not aware of the emerging threats they face.
Of the 60 compromised RDP servers, 51 are located in the United States, according to three FireEye researchers: Nart Villeneuve, Joshua Homan and Kyle Wilhoit.
“It is really shameful that the most common username used by the breached servers was ‘administrator’ and the most common passwords were ‘pos’ and ‘Password1’.”
Researchers at FireEye uncovered five BrutPOS command-and-control (CnC) servers: three of them, set up in late May and early June, are now offline, while the two still active are both based in Russia.
The campaign has been active since at least February this year. According to the latest count, the cyber criminals are running 5,622 bots in 119 countries. The majority of them appear to be located in Eastern Europe, most likely in Ukraine or Russia.
“The infected system begins to make connections to port 3389; if the port is open it adds the IP to a list of servers to be brute forced with the supplied credentials,” FireEye researchers Nart Villeneuve, Josh Homan and Kyle Wilhoit wrote in a blog post. “If the infected system is able to successfully brute force an RDP server, it reports back with credentials.”
So once the BrutPOS malware successfully guesses the remote-access credentials of an RDP-enabled system, the attacker can install a malware program on that system and extract payment card information from the memory of the applications running on it.
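The scan-then-guess behaviour described above leaves a trail of failed RDP logons (Windows Security event 4625 with logon type 10) on every server it targets. As an added, defender-side example that is not from FireEye or this article, the Python below aggregates such events per source address, flags a burst of failures, and notes whether a successful RDP logon (event 4624) followed it. The log lines are constructed in a simplified key=value layout rather than real EVTX output, and the threshold and window are assumed values.

```python
"""Flag RDP password guessing from Windows Security logon events.

Added example, not FireEye's or the article's code. Event 4625 = failed logon,
4624 = successful logon, LogonType 10 = RemoteInteractive (RDP)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified key=value layout (not real EVTX output):
# five RDP failures from one address within two minutes, then a success from it.
SAMPLE_LOG = """\
2014-07-13T10:00:01 EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.7
2014-07-13T10:00:20 EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.7
2014-07-13T10:00:41 EventID=4625 LogonType=10 User=pos SrcIP=203.0.113.7
2014-07-13T10:01:05 EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.7
2014-07-13T10:01:30 EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.7
2014-07-13T10:02:10 EventID=4624 LogonType=10 User=administrator SrcIP=203.0.113.7
2014-07-13T11:15:00 EventID=4625 LogonType=10 User=clerk SrcIP=198.51.100.9
2014-07-13T11:20:00 EventID=4625 LogonType=2 User=clerk SrcIP=-
"""

def parse_line(line):
    """Split one sample line into a dict; 'ts' holds the parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: (failures_in_window, success_followed)} for every source
    whose RDP failures reach `threshold` inside a sliding `window` (assumed
    values). success_followed is True when a 4624 RDP logon from the same
    address arrives after the burst: the guess likely worked, escalate first."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    recent = defaultdict(list)   # src_ip -> timestamps of failures in window
    hits = {}
    for ev in events:
        if ev["LogonType"] != "10":
            continue             # console/network logons are not the RDP pattern
        ip = ev["SrcIP"]
        if ev["EventID"] == "4625":
            q = recent[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.pop(0)         # drop failures that fell out of the window
            if len(q) >= threshold:
                hits.setdefault(ip, [0, False])[0] = len(q)
        elif ev["EventID"] == "4624" and ip in hits:
            hits[ip][1] = True   # success after a flagged burst
    return {ip: tuple(v) for ip, v in hits.items()}
```

Running `find_rdp_bruteforce(SAMPLE_LOG)` on the constructed sample flags only 203.0.113.7, with the success that followed its burst; the single failure from 198.51.100.9 stays below the threshold.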
The malware also attempts to obtain debug privileges, plausibly to identify POS configurations. If it obtains them, it runs as an executable program; if it fails, it copies itself to %WINDIR%\lsass.exe and installs itself as a service.
The FireEye researchers built a honeypot to understand the attackers' intentions. The honeypot ran fake POS software and had some fake credit card details on the desktop, allowing the attackers to compromise it. The researchers sent signals mimicking an infection and watched as the attackers stole the RDP login and attempted to open the box's installed PoS software before formatting the drive to erase their tracks.
Finally, over the years we have seen many massive data breaches targeting POS machines, such as the Target data breach, in which over 40 million credit and debit cards were stolen from the third-largest U.S. retailer.