BrutPOS Botnet Compromises insecure RDP Servers at Point-of-Sale Systems


Cyber criminals are infecting thousands of computers around the world with malware and are utilizing those compromised machines to break into Point-of-Sale (PoS) terminals using brute-force techniques, and the attackers have already compromised 60 PoS terminals by brute-force attacks against poorly-secured connections to guess remote administration credentials, says researchers from FireEye.

The new botnet campaign, dubbed as BrutPOS, aims to steal payment card information from the POS systems and and other places where payment data is stored, by targeting Microsoft Remote Desktop Protocol (RDP) servers that were disgracefully using poorly secured and simple passwords.

Due to the better track inventory and accuracy of records, the Point-of-sale (POS) machine is used worldwide and it can be easily set-up, depending on the nature of the business. But, Point-of-sale (POS) systems are critical components in any retail environment and the users are not aware of the emerging threats it poses in near future.

A group of three researchers from FireEye, named Nart Villeneuve, Joshua Homan and Kyle Wilhoit, found 51 out of 60 Remote Desktop Protocol (RDP) servers located in the United States. It is really shamefull that the most common username used by the breached servers was “administrator” and the most common passwords were “pos” and “Password1”.

Researchers at FireEye has uncovered five BrutPOS command-and-control (CnC) servers, three of which are now offline and two are active, both based in Russia, which were set up in late May and early June. Only a small fraction of the bots are active at any given time.

The campaign has been active since at least February this year. According to the latest count, cyber criminals are running 5,622 bots in 119 countries, majority of them appeared to be located in Eastern Europe given the language used in interfaces and logs, most likely Ukraine or Russia.

The infected system begins to make connections to port 3389; if the port is open it adds the IP to a list of servers to be brute forced with the supplied credentials,” FireEye researchers Nart Villeneuve, Josh Homan and Kyle Wilhoit wrote in a blog post. “If the infected system is able to successfully brute force an RDP server, it reports back with credentials.

Once the BrutPOS malware successfully guesses the remote access credentials of an RDP-enabled system, the attacker uses that information to install a malware program on the infected system and then extracts payment card information from the memory of applications running on it.