Attacks/Breaches
7/9/2014
04:10 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

BrutPOS Botnet Targets Retail's Low-Hanging Fruit

FireEye discovers a botnet that's going after point-of-sale systems showing bad passwords and other basic security no-nos.

In the midst of so many advanced persistent threats that seem impossible to prevent, there is a new threat out there that's still going after the low-hanging fruit. FireEye has discovered a new botnet, BrutPOS, that is being used to find point-of-sale systems' remote administration software and brute force its way into the ones with weak passwords.

Attackers are manipulating poor password practices and lax remote desktop protocol (RDP) implementations to lift payment card information from active processes within POS terminals and other places where payment data is stored.

FireEye has discovered five BrutPOS command-and-control servers, three of which are now inactive; the two active servers, both based in Russia, were set up in late May and early June. FireEye says that the operators of BrutPOS are based in Eastern Europe, most likely Ukraine or Russia.

The botnet has been active since February. At latest count, BrutPOS consisted of 5,622 bots in 119 countries -- many of them in Russia (15.67%), India (13.45%), Vietnam (7.51%), Iran (6.07%), and Taiwan (4.13%). Only a small fraction of the bots are active at any given time.

The bots scan ranges of IP addresses looking for poorly locked-down POS remote admin software.

"What's really interesting here is that the way the malware is propagating is not from some proprietary malware. It's using remote desktop protocol," says Joshua Goldfarb, chief security officer of the enterprise forensics group at FireEye. "It's misusing or abusing a legitimate protocol."

Over the course of two weeks, the attackers gained access to 60 POS systems; 51 of those were in the United States.

The most common username used by the breached systems was "administrator." The most common passwords were "pos" and "Password1."

The attackers use their admin access to install other executables that extract payment card information -- from POS terminals and elsewhere -- and exfiltrate it back to the C&C server.

Goldfarb says that the BrutPOS attackers are exploiting the fact that some organizations are still not following the basic security best-practices that have been recommended for 10 to 20 years.

"Essentially, the theme here is hackers can be lazy because [companies] allow them to be," he says. "They're only as fancy as they need to be."

Sara Peters is contributing editor to Dark Reading and editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
dadsu
100%
0%
dadsu,
User Rank: Apprentice
7/16/2014 | 1:07:28 PM
Re: So what is the statistical significance
Yes, and for some reason I thought a security standard was to disable guest accounts and rename "administrator" accounts to something besides administrator or admin....
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
7/10/2014 | 6:25:02 PM
Re: So what is the statistical significance
@Marilyn   "You would think that the retail industry could do better than allowing these User Ids and passwords these days."  You would, but one thing Joshua Goldfarb pointed out to me was the fact that sometimes these very big retailers have so many POS terminals that it's awfully hard to get every single one right. That said, the password "pos" meets almost NONE of your basic requirements -- only three characters, no numbers, no special characters, no mix of caps and lowercase. It's pitiful.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/10/2014 | 12:52:15 PM
Re: So what is the statistical significance
The most common username used by the breached systems was "administrator." The most common passwords were "pos" and "Password1."

You would think that the retail industry could do better than allowing these User Ids and passwords these days. 

 
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
7/10/2014 | 9:46:16 AM
Re: So what is the statistical significance
@progman2000  The attackers were scanning 57 IP address ranges, 32 of which are located in the U.S. So it still looks like the US's were easier to break into than other countries'. But Goldfarb was hesitant to speculate on why that is, because they didn't have more information. It's possible that most of the usernames/passwords used for brute-forcing were in English, or simply that American companies still struggle with bad passwords and bad password management.
progman2000
50%
50%
progman2000,
User Rank: Apprentice
7/9/2014 | 9:21:12 PM
So what is the statistical significance
of 51 of the 60 compromised systems being in the US?  Are these things primarily scanning US addresses?  Are they equally scanning other countries but US has more electronic POS?  More vulnerable POS?
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio