Botnet Compromises insecure RDP Servers at POS systems


Sunday 13 July, 2014

Written by: Anonymous Singer

A new botnet campaign, known as BrutPOS, aims to steal payment card information from the POS systems. They are capable to do it because of poorly secured Microsoft Remote Desktop Protocol (RDP) servers and simple passwords.

“Cyber criminals are infecting thousands of computers around the world with malware and are utilizing those compromised machines to break into Point-of-Sale (PoS) terminals usingbrute-force techniques, and the attackers have already compromised 60 PoS terminals bybrute-force attacks against poorly-secured connections to guess remote administration credentials,” researchers from FireEye said.

The Point-of-Sale (PoS) machine is used worldwide and it can be easily set-up. It has a better track inventory and accuracy of records. But, Point-of-Sale (PoS) systems are critical components in any retail environment and the users are not aware of the emerging threats it can cause in near future.

There are 51 out of 60 RDPs located in the United States, according to three researchers from FireEye, named Nart Villeneuve, Joshua Homan and Kyle Wilhoit.

It is really shameful that the most common username used by the breached servers was

“administrator” and the most common passwords were “pos” and “Password1”.”

Five BrutPOS command-and-control (CnC)two are active and both based in Russia, researchers at FireEye uncovered.

servers, three of which are now offline and were set up in late May and early June,

The campaign has been active since at least February this year. According to the latest count, cyber criminals are running 5,622 bots in 119 countries. The majority of them appeared to be located in Eastern Europe, most likely from Ukraine or Russia.

The infected system begins to make connections to port 3389; if the port is open it adds the IP to a list of servers to be brute forced with the supplied credentials,” FireEye researchers Nart Villeneuve, Josh Homan and Kyle Wilhoit wrote in a blog post. “If the infected system is able to successfully brute force an RDP server, it reports back with credentials.

So once the BrutPOS malware successfully guesses the remote access credentials of anRDP-enabled system, the attacker is able to install a malware program on the infected system and extract payment card information from the memory of applications running on it.

The malware also attempted to obtain debug permissions, plausibly to identify POS configurations, and if it succeeds in getting those permissions, it becomes an executable program. But once it fails, it copies itself to %WINDIR%\lsass.exe and installs itself as a service.

The FireEye researchers have built a honey pot to try to understand the attacker’s intentions. The honey pot had a fake POS software and some fake credit card details on the desktop, allowing hackers to compromise it. The researchers issued signals mimicking infection and watched as attackers stole the RDP login and attempted to open the box’s installed PoS software before formatting the drive to erase evidence trails.

At last, over the years we have seen many massive data breaches targeting POS machines such as TARGET data breach, which is the third-largest U.S. retailer and whereof over 40 million Credit & Debit cards were stolen.

Links: Surf anonymously, protect yourself from hackers and hide yourself from NSA


Get Your Anonymous T-Shirt / Sweatshirt / Hoodie / Tanktop, Smartphone or Tablet Cover or Mug In Our Spreadshirt Shop! Click Here



  1. Rpvanish is a dodgy subscription service where they use auto billing if you forget to cancel… THE VERY WORST KIND OF RIP OFF!! ANON!!!

  2. The roof…the roof….the roof is on fire…we dont need no water let the mother Fuuucker burn….BURN MOTHER FUUUUUCKER BURN!!!!

  3. Do you need any blog posts affiliated with this particular one?
    I’d personally wish to investigate more information on this particular area of interest!
    Anyways, I really love your blog posts, however I have to significantly
    more info relating to supplements canada. Thanks alot :

  4. It’s truly a great and helpful piece of information. I am glad that you simply shared this helpful information with us. Please keep us up to date like this. Thanks for sharing.

  5. I think that what you published made a llot of sense.
    But, think about this, what if you wrote a catchier
    title? I mean, I don’t wish too tell you how to run your blog, howeverr suppose you
    added a post title that grabbed people’s attention? I mean Botnet Compromises insecure
    RDP Servers at POS systems AnonHQ is a little plain.
    You could glance at Yahoo’s front page and see how they write article headlines
    to grab viewers to open the links. You mifht try adding a vieo or
    a pic or two to grab readers excited about what you’ve got to say.
    In my opinion, it could make your blog a little livelier.

  6. My partner and I absolutely love your blog and find nearly all of
    your post’s to be exactly what I’m looking for. Do you
    offer guest writers to write content for yourself?
    I wouldn’t mind writing a post or elaborating on many of the subjects you write
    regarding here. Again, awesome web log!


Please enter your comment!
Please enter your name here