Attackers brute-force POS systems utilizing RDP in global botnet operation
After successfully brute-forcing the POS devices, attackers install RAM-scraping malware to steal data.
As part of a global botnet operation dating back to May, attackers are infecting thousands of computers around the world with malware and are using the compromised machines to identify and brute-force point-of-sale (POS) systems that expose Remote Desktop Protocol (RDP).
The operation has been named “@-brt,” Andrew Komarov, CEO of cyber intelligence company IntelCrawler, told SCMagazine.com in a Wednesday email, pointing to a Tuesday post that includes a geographical breakdown of the identified bots.
“[The malware] automates brute-forcing of POS systems using remote administrative channels,” Komarov said. “Right after the user is infected, [the attackers] start to use the army of bots to scan [IPs for] POS systems and to brute-force them using a prepared dictionary.”
The attackers – believed to be from Eastern Europe, Ukraine, or Russia and responsible for previous POS attacks – then use the acquired credentials to gain access to the POS terminals and install RAM-scraping malware used to steal information, including payment card data, Komarov said.
IntelCrawler compiled a list of the most common passwords found on compromised POS devices: 13 percent of terminals used ‘aloha12345,’ 10 percent used ‘micros,’ eight percent used ‘pos12345,’ seven percent used ‘posadmin,’ and ‘javapos’ was the password more than six percent of the time.
The findings are a testament to poor password practices, Komarov said, adding that the list also reveals which brands of POS software – Aloha and Micros are two examples – are being hit in the “@-brt” operation.
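The dictionary attack described above leaves a distinctive trace on the target: a burst of failed RDP logons from one source address, cycling through vendor-default usernames, sometimes followed by a success. The following is an added example (not code from the article, IntelCrawler or FireEye) of the detection logic a defender would run over Windows Security events. It assumes Event ID 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), and a simplified one-event-per-line CSV export whose field order is an assumption made for this example; the sample events and addresses are constructed.

```python
"""Flag RDP password-guessing bursts in Windows Security logon events.

Added example for illustration. Assumed export format (not any product's
real format): timestamp,EventID,LogonType,TargetUserName,SourceIP
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # Windows: "An account failed to log on"
SUCCESS_LOGON = 4624  # Windows: "An account was successfully logged on"
RDP_LOGON_TYPE = 10   # RemoteInteractive (Terminal Services / RDP)

# Constructed sample: one source guesses five vendor-style accounts in eight
# seconds and then gets in; a second source fails twice, far apart; a third
# line is a local (type 2) failure and must be ignored by the RDP filter.
SAMPLE_EVENTS = """\
2014-07-09T10:00:01,4625,10,posadmin,203.0.113.7
2014-07-09T10:00:03,4625,10,posadmin,203.0.113.7
2014-07-09T10:00:05,4625,10,admin,203.0.113.7
2014-07-09T10:00:07,4625,10,micros,203.0.113.7
2014-07-09T10:00:09,4625,10,aloha,203.0.113.7
2014-07-09T10:00:12,4624,10,aloha,203.0.113.7
2014-07-09T10:00:20,4625,10,clerk,198.51.100.4
2014-07-09T10:30:00,4625,10,clerk,198.51.100.4
2014-07-09T10:05:00,4625,2,clerk,10.0.0.5
"""


def parse_events(text):
    """Parse the assumed CSV export into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "ip": ip,
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: finding} for every source with at least `threshold`
    failed RDP logons inside any `window`-long span.

    finding = {"failures": total failed RDP logons from that source,
               "users": sorted account names tried,
               "success_after": True if a successful RDP logon from the same
                                source follows the burst}
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:
            by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["event_id"] == FAILED_LOGON]
        # Sliding window over the (time-sorted) failures from this source.
        burst_end = None
        start = 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]["time"]
                break
        if burst_end is None:
            continue
        success_after = any(
            e["event_id"] == SUCCESS_LOGON and e["time"] >= burst_end
            for e in evs
        )
        findings[ip] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "success_after": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(ip, finding)
```

A success that follows a burst from the same source is the case to page someone on, since it is the point at which the RAM-scraper gets installed. One caveat when applying this to real logs: on hosts with Network Level Authentication enabled, failed RDP authentications are commonly recorded with logon type 3 (network) rather than 10, so a production rule should accept both types or key on the event ID and source address alone.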
To date, IntelCrawler has identified more than 450 compromised POS devices, 37 percent of which were operated by small businesses and retailers in the U.S., Komarov said, adding that locations in the EU and Asia were also affected.
So, how are the bots getting infected in the first place?
“Through hacked websites and placed exploit-kits,” Komarov said. “The bad actors use very cheap methods of infection. They don't need specific machines; they just need firepower to speed up their criminal activities.”
In a Wednesday post highlighting a similar operation, FireEye identified the malware as “BrutPOS.”
“It is the same malware,” Nart Villeneuve, senior threat intelligence researcher with FireEye, told SCMagazine.com on Wednesday. “IntelCrawler didn't mention the C2s, so it may be a separate group of cybercriminals using the same malware or a previous command and control by the same group; we won't know without further information.”
FireEye researchers identified more than 5,500 infected systems across nearly 120 countries, with the majority of infections being in Russia and India, according to the post.