Attacks/Breaches
7/9/2014
04:10 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

BrutPOS Botnet Targets Retail's Low-Hanging Fruit

FireEye discovers a botnet that's going after point-of-sale systems showing bad passwords and other basic security no-nos.

In the midst of so many advanced persistent threats that seem impossible to prevent, there is a new threat out there that's still going after the low-hanging fruit. FireEye has discovered a new botnet, BrutPOS, that is being used to find point-of-sale systems' remote administration software and brute force its way into the ones with weak passwords.

Attackers are manipulating poor password practices and lax remote desktop protocol (RDP) implementations to lift payment card information from active processes within POS terminals and other places where payment data is stored.

FireEye has discovered five BrutPOS command-and-control servers, three of which are now inactive; the two active servers, both based in Russia, were set up in late May and early June. FireEye says that the operators of BrutPOS are based in Eastern Europe, most likely Ukraine or Russia.

The botnet has been active since February. At latest count, BrutPOS consisted of 5,622 bots in 119 countries -- many of them in Russia (15.67%), India (13.45%), Vietnam (7.51%), Iran (6.07%), and Taiwan (4.13%). Only a small fraction of the bots are active at any given time.

The bots scan ranges of IP addresses looking for poorly locked-down POS remote admin software.

"What's really interesting here is that the way the malware is propagating is not from some proprietary malware. It's using remote desktop protocol," says Joshua Goldfarb, chief security officer of the enterprise forensics group at FireEye. "It's misusing or abusing a legitimate protocol."

Over the course of two weeks, the attackers gained access to 60 POS systems; 51 of those were in the United States.

The most common username used by the breached systems was "administrator." The most common passwords were "pos" and "Password1."

The attackers use their admin access to install other executables that extract payment card information -- from POS terminals and elsewhere -- and exfiltrate it back to the C&C server.

Goldfarb says that the BrutPOS attackers are exploiting the fact that some organizations are still not following the basic security best-practices that have been recommended for 10 to 20 years.

"Essentially, the theme here is hackers can be lazy because [companies] allow them to be," he says. "They're only as fancy as they need to be."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
dadsu
100%
0%
dadsu,
User Rank: Apprentice
7/16/2014 | 1:07:28 PM
Re: So what is the statistical significance
Yes, and for some reason I thought a security standard was to disable guest accounts and rename "administrator" accounts to something besides administrator or admin....
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
7/10/2014 | 6:25:02 PM
Re: So what is the statistical significance
@Marilyn   "You would think that the retail industry could do better than allowing these User Ids and passwords these days."  You would, but one thing Joshua Goldfarb pointed out to me was the fact that sometimes these very big retailers have so many POS terminals that it's awfully hard to get every single one right. That said, the password "pos" meets almost NONE of your basic requirements -- only three characters, no numbers, no special characters, no mix of caps and lowercase. It's pitiful.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/10/2014 | 12:52:15 PM
Re: So what is the statistical significance
The most common username used by the breached systems was "administrator." The most common passwords were "pos" and "Password1."

You would think that the retail industry could do better than allowing these User Ids and passwords these days. 

 
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
7/10/2014 | 9:46:16 AM
Re: So what is the statistical significance
@progman2000  The attackers were scanning 57 IP address ranges, 32 of which are located in the U.S. So it still looks like the US's were easier to break into than other countries'. But Goldfarb was hesitant to speculate on why that is, because they didn't have more information. It's possible that most of the usernames/passwords used for brute-forcing were in English, or simply that American companies still struggle with bad passwords and bad password management.
progman2000
50%
50%
progman2000,
User Rank: Apprentice
7/9/2014 | 9:21:12 PM
So what is the statistical significance
of 51 of the 60 compromised systems being in the US?  Are these things primarily scanning US addresses?  Are they equally scanning other countries but US has more electronic POS?  More vulnerable POS?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2184
Published: 2015-03-27
Movable Type before 5.2.6 does not properly use the Storable::thaw function, which allows remote attackers to execute arbitrary code via the comment_state parameter.

CVE-2014-3619
Published: 2015-03-27
The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header.

CVE-2014-8121
Published: 2015-03-27
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up while the database is iterated over...

CVE-2014-9712
Published: 2015-03-27
Websense TRITON V-Series appliances before 7.8.3 Hotfix 03 and 7.8.4 before Hotfix 01 allows remote administrators to read arbitrary files and obtain passwords via a crafted path.

CVE-2015-0658
Published: 2015-03-27
The DHCP implementation in the PowerOn Auto Provisioning (POAP) feature in Cisco NX-OS does not properly restrict the initialization process, which allows remote attackers to execute arbitrary commands as root by sending crafted response packets on the local network, aka Bug ID CSCur14589.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.