Attacks/Breaches
7/9/2014
04:10 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

BrutPOS Botnet Targets Retail's Low-Hanging Fruit

FireEye discovers a botnet that's going after point-of-sale systems showing bad passwords and other basic security no-nos.

In the midst of so many advanced persistent threats that seem impossible to prevent, there is a new threat out there that's still going after the low-hanging fruit. FireEye has discovered a new botnet, BrutPOS, that is being used to find point-of-sale systems' remote administration software and brute force its way into the ones with weak passwords.

Attackers are manipulating poor password practices and lax remote desktop protocol (RDP) implementations to lift payment card information from active processes within POS terminals and other places where payment data is stored.

FireEye has discovered five BrutPOS command-and-control servers, three of which are now inactive; the two active servers, both based in Russia, were set up in late May and early June. FireEye says that the operators of BrutPOS are based in Eastern Europe, most likely Ukraine or Russia.

The botnet has been active since February. At latest count, BrutPOS consisted of 5,622 bots in 119 countries -- many of them in Russia (15.67%), India (13.45%), Vietnam (7.51%), Iran (6.07%), and Taiwan (4.13%). Only a small fraction of the bots are active at any given time.

The bots scan ranges of IP addresses looking for poorly locked-down POS remote admin software.

"What's really interesting here is that the way the malware is propagating is not from some proprietary malware. It's using remote desktop protocol," says Joshua Goldfarb, chief security officer of the enterprise forensics group at FireEye. "It's misusing or abusing a legitimate protocol."

Over the course of two weeks, the attackers gained access to 60 POS systems; 51 of those were in the United States.

The most common username used by the breached systems was "administrator." The most common passwords were "pos" and "Password1."

The attackers use their admin access to install other executables that extract payment card information -- from POS terminals and elsewhere -- and exfiltrate it back to the C&C server.

Goldfarb says that the BrutPOS attackers are exploiting the fact that some organizations are still not following the basic security best-practices that have been recommended for 10 to 20 years.

"Essentially, the theme here is hackers can be lazy because [companies] allow them to be," he says. "They're only as fancy as they need to be."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
dadsu
100%
0%
dadsu,
User Rank: Apprentice
7/16/2014 | 1:07:28 PM
Re: So what is the statistical significance
Yes, and for some reason I thought a security standard was to disable guest accounts and rename "administrator" accounts to something besides administrator or admin....
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
7/10/2014 | 6:25:02 PM
Re: So what is the statistical significance
@Marilyn   "You would think that the retail industry could do better than allowing these User Ids and passwords these days."  You would, but one thing Joshua Goldfarb pointed out to me was the fact that sometimes these very big retailers have so many POS terminals that it's awfully hard to get every single one right. That said, the password "pos" meets almost NONE of your basic requirements -- only three characters, no numbers, no special characters, no mix of caps and lowercase. It's pitiful.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/10/2014 | 12:52:15 PM
Re: So what is the statistical significance
The most common username used by the breached systems was "administrator." The most common passwords were "pos" and "Password1."

You would think that the retail industry could do better than allowing these User Ids and passwords these days. 

 
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
7/10/2014 | 9:46:16 AM
Re: So what is the statistical significance
@progman2000  The attackers were scanning 57 IP address ranges, 32 of which are located in the U.S. So it still looks like the US's were easier to break into than other countries'. But Goldfarb was hesitant to speculate on why that is, because they didn't have more information. It's possible that most of the usernames/passwords used for brute-forcing were in English, or simply that American companies still struggle with bad passwords and bad password management.
progman2000
50%
50%
progman2000,
User Rank: Apprentice
7/9/2014 | 9:21:12 PM
So what is the statistical significance
of 51 of the 60 compromised systems being in the US?  Are these things primarily scanning US addresses?  Are they equally scanning other countries but US has more electronic POS?  More vulnerable POS?
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.