Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/9/2014
04:10 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

BrutPOS Botnet Targets Retail's Low-Hanging Fruit

FireEye discovers a botnet that's going after point-of-sale systems showing bad passwords and other basic security no-nos.

In the midst of so many advanced persistent threats that seem impossible to prevent, there is a new threat out there that's still going after the low-hanging fruit. FireEye has discovered a new botnet, BrutPOS, that is being used to find point-of-sale systems' remote administration software and brute force its way into the ones with weak passwords.

Attackers are manipulating poor password practices and lax remote desktop protocol (RDP) implementations to lift payment card information from active processes within POS terminals and other places where payment data is stored.

FireEye has discovered five BrutPOS command-and-control servers, three of which are now inactive; the two active servers, both based in Russia, were set up in late May and early June. FireEye says that the operators of BrutPOS are based in Eastern Europe, most likely Ukraine or Russia.

The botnet has been active since February. At latest count, BrutPOS consisted of 5,622 bots in 119 countries -- many of them in Russia (15.67%), India (13.45%), Vietnam (7.51%), Iran (6.07%), and Taiwan (4.13%). Only a small fraction of the bots are active at any given time.

The bots scan ranges of IP addresses looking for poorly locked-down POS remote admin software.

"What's really interesting here is that the way the malware is propagating is not from some proprietary malware. It's using remote desktop protocol," says Joshua Goldfarb, chief security officer of the enterprise forensics group at FireEye. "It's misusing or abusing a legitimate protocol."

Over the course of two weeks, the attackers gained access to 60 POS systems; 51 of those were in the United States.

The most common username used by the breached systems was "administrator." The most common passwords were "pos" and "Password1."

The attackers use their admin access to install other executables that extract payment card information -- from POS terminals and elsewhere -- and exfiltrate it back to the C&C server.

Goldfarb says that the BrutPOS attackers are exploiting the fact that some organizations are still not following the basic security best-practices that have been recommended for 10 to 20 years.

"Essentially, the theme here is hackers can be lazy because [companies] allow them to be," he says. "They're only as fancy as they need to be."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
progman2000
50%
50%
progman2000,
User Rank: Apprentice
7/9/2014 | 9:21:12 PM
So what is the statistical significance
of 51 of the 60 compromised systems being in the US?  Are these things primarily scanning US addresses?  Are they equally scanning other countries but US has more electronic POS?  More vulnerable POS?
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
7/10/2014 | 9:46:16 AM
Re: So what is the statistical significance
@progman2000  The attackers were scanning 57 IP address ranges, 32 of which are located in the U.S. So it still looks like the US's were easier to break into than other countries'. But Goldfarb was hesitant to speculate on why that is, because they didn't have more information. It's possible that most of the usernames/passwords used for brute-forcing were in English, or simply that American companies still struggle with bad passwords and bad password management.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/10/2014 | 12:52:15 PM
Re: So what is the statistical significance
The most common username used by the breached systems was "administrator." The most common passwords were "pos" and "Password1."

You would think that the retail industry could do better than allowing these User Ids and passwords these days. 

 
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
7/10/2014 | 6:25:02 PM
Re: So what is the statistical significance
@Marilyn   "You would think that the retail industry could do better than allowing these User Ids and passwords these days."  You would, but one thing Joshua Goldfarb pointed out to me was the fact that sometimes these very big retailers have so many POS terminals that it's awfully hard to get every single one right. That said, the password "pos" meets almost NONE of your basic requirements -- only three characters, no numbers, no special characters, no mix of caps and lowercase. It's pitiful.
dadsu
100%
0%
dadsu,
User Rank: Apprentice
7/16/2014 | 1:07:28 PM
Re: So what is the statistical significance
Yes, and for some reason I thought a security standard was to disable guest accounts and rename "administrator" accounts to something besides administrator or admin....
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-23836
PUBLISHED: 2021-01-15
An issue was discovered in flatCore before 2.0.0 build 139. A stored XSS vulnerability was identified in the prefs_smtp_psw HTTP request body parameter for the acp interface. An admin user can inject malicious client-side script into the affected parameter without any form of input sanitization. The...
CVE-2021-23837
PUBLISHED: 2021-01-15
An issue was discovered in flatCore before 2.0.0 build 139. A time-based blind SQL injection was identified in the selected_folder HTTP request body parameter for the acp interface. The affected parameter (which retrieves the file contents of the specified folder) was found to be accepting malicious...
CVE-2021-23838
PUBLISHED: 2021-01-15
An issue was discovered in flatCore before 2.0.0 build 139. A reflected XSS vulnerability was identified in the media_filter HTTP request body parameter for the acp interface. The affected parameter accepts malicious client-side script without proper input sanitization. For example, a malicious user...
CVE-2020-35581
PUBLISHED: 2021-01-15
A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/admin-ajax.php request with the meta[title] parameter.
CVE-2020-35582
PUBLISHED: 2021-01-15
A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/post.php request with the post_title parameter.