The new botnet campaign, dubbed as BrutPOS, aims to steal payment card information from the POS systems and and other places where payment data is stored, by targeting Microsoft Remote Desktop Protocol (RDP) servers that were disgracefully using poorly secured and simple passwords.
Due to the better track inventory and accuracy of records, the Point-of-sale (POS) machine is used worldwide and it can be easily set-up, depending on the nature of the business. But, Point-of-sale (POS) systems are critical components in any retail environment and the users are not aware of the emerging threats it poses in near future.
A group of three researchers from FireEye, named Nart Villeneuve, Joshua Homan and Kyle Wilhoit, found 51 out of 60 Remote Desktop Protocol (RDP) servers located in the United States. It is really shamefull that the most common username used by the breached servers was "administrator" and the most common passwords were "pos" and "Password1".
Researchers at FireEye has uncovered five BrutPOS command-and-control (CnC) servers, three of which are now offline and two are active, both based in Russia, which were set up in late May and early June. Only a small fraction of the bots are active at any given time.
The campaign has been active since at least February this year. According to the latest count, cyber criminals are running 5,622 bots in 119 countries, majority of them appeared to be located in Eastern Europe given the language used in interfaces and logs, most likely Ukraine or Russia.
"The infected system begins to make connections to port 3389; if the port is open it adds the IP to a list of servers to be brute forced with the supplied credentials," FireEye researchers Nart Villeneuve, Josh Homan and Kyle Wilhoit wrote in a blog post. "If the infected system is able to successfully brute force an RDP server, it reports back with credentials."
Once the BrutPOS malware successfully guesses the remote access credentials of an RDP-enabled system, the attacker uses that information to install a malware program on the infected system and then extracts payment card information from the memory of applications running on it.
The malware also attempted to obtain debug permissions likely to identify POS configurations and if it succeeds in getting those permissions, it runs an executable. But if it failed, it copies itself to %WINDIR%\lsass.exe and installed itself as a service.
The FireEye researchers built a honeypot in an effort to understand the attacker's intentions. They set-up a fake POS software and left some fake credit card details on the desktop, and allow hackers to compromise it. They issued signals mimicking infection and watched as attackers popped its RDP login and crawled around the box attempting to open its installed PoS software before formatting the drive to erase evidence trails.
In past, we have seen many massive data breaches targeting POS machines such as TARGET data breach, the third-largest U.S. Retailer in which over 40 million Credit & Debit cards were stolen, and multiple retailers including Neiman Marcus, Michaels Store involving the heist of possibly 110 million Credit-Debit cards, and personal information.
