Brute-Forcing Botnet Sniffs Out Lax POS Systems

The botnet particularly targeted poorly implemented remote desktop protocol setups that were storing payment card information.

Over a two-week time span earlier this year, a botnet composed of thousands of computers actively sought out and broke into exposed point of sale (POS) systems that used poor or default passwords.

The botnet, dug up and dubbed BrutPOS by security firm FireEye, leveraged more than 5,000 machines and managed to weasel its way into about 60 systems at one point.

The botnet particularly targeted poorly implemented remote desktop protocol setups that were storing payment card information, the bulk of them located in the U.S., the firm acknowledged.

A trio of researchers, Nart Villeneuve, Joshua Homan and Kyle Wilhoit, discussed their findings in a blog post yesterday.

The researchers aren’t entirely certain how the malware is being propagated but claim it appears to have been circulated along with a boatload of other malware by one particular site.

Once executed, the malware modifies the Windows Registry so that it runs again after a reboot. From there it contacts the command and control server and gets to work, walking through a list of usernames, passwords and IP addresses. If the malware finds a reachable RDP service, it brute forces the login using combinations of the prescribed credentials and records any that succeed.

“When an infected system reports back a successful RDP login, the attackers store the username/password and IP address of the RDP server as well as the IP address of the infected system that successfully brute forced it,” the researchers wrote.

The preset credentials it tries are basic defaults: “admin,” “administrator,” and “backup” for usernames, and variations on “admin” and “password” for the passwords. In what probably shouldn’t come as a surprise, “administrator” was the most common username the botnet was able to log in with, while the passwords that most often worked on POS systems were simply “pos” and “Password1.”
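The pattern described above, a single source cycling through a short list of default usernames against RDP and then logging in, is visible on the victim side in the Windows Security log as a burst of failed logons (Event ID 4625, logon type 10 for RemoteInteractive) followed by a success (4624) from the same address. The script below is an added example written for this page, not FireEye's code or a BrutPOS artifact: it parses a constructed, flattened export of such events, flags any source IP that produces five or more RDP failures inside a ten-minute window, escalates the finding if that IP then succeeds, and reports which of the article's three default usernames were tried. The IPs, timestamps and the key=value line format are assumptions made for the example.

```python
"""Flag RDP password-guessing followed by a successful logon in Windows Security events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames the article reports BrutPOS trying. Everything in SAMPLE_LOG below
# (hosts, IPs, times, the key=value export format) is constructed for this example.
BRUTPOS_USERNAMES = {"admin", "administrator", "backup"}

# 4625 = failed logon, 4624 = successful logon, LogonType=10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2014-06-03T10:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2014-06-03T10:00:03 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2014-06-03T10:00:05 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2014-06-03T10:00:07 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2014-06-03T10:00:09 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2014-06-03T10:00:11 EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2014-06-03T10:05:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2014-06-03T10:09:00 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2014-06-03T11:00:00 EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=192.0.2.9
2014-06-03T11:00:01 EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=192.0.2.9
2014-06-03T11:00:02 EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=192.0.2.9
2014-06-03T11:00:03 EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=192.0.2.9
2014-06-03T11:00:04 EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the flattened export into dicts, sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"].lower(),
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10), logon_types=(10,)):
    """Return {source_ip: finding} for every IP with >= threshold failed logons of the given
    logon types inside `window`; a later success from a flagged IP fills in success_user."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)     # ip -> usernames guessed from that ip
    findings = {}
    for e in events:
        if e["logon_type"] not in logon_types:
            continue
        ip = e["ip"]
        if e["event_id"] == 4625:
            kept = [t for t in recent[ip] if e["ts"] - t <= window]
            kept.append(e["ts"])
            recent[ip] = kept
            tried[ip].add(e["user"])
            if len(kept) >= threshold:
                f = findings.setdefault(ip, {"ip": ip, "failures": 0, "success_user": None})
                f["failures"] = max(f["failures"], len(kept))
                f["default_usernames"] = tried[ip] & BRUTPOS_USERNAMES
        elif e["event_id"] == 4624 and ip in findings and findings[ip]["success_user"] is None:
            # A success after the burst is the "brute forced it open" case from the article.
            findings[ip]["success_user"] = e["user"]
    return findings


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).values():
        state = "SUCCEEDED as " + f["success_user"] if f["success_user"] else "no success yet"
        print(f"{f['ip']}: {f['failures']} RDP failures, {state}, "
              f"default usernames tried: {sorted(f['default_usernames'])}")
```

Two caveats when running this against real logs. The single slow failure from 198.51.100.4 is correctly ignored, but an attacker who spreads attempts across many bots (as a 5,000-node botnet can) will stay under a per-source threshold, so also group by target account across sources. And on hosts with Network Level Authentication enabled, failed RDP logons are commonly recorded with logon type 3 rather than 10, which is why `logon_types` is a parameter: with the default it deliberately ignores the type-3 burst from 192.0.2.9, while `logon_types=(3, 10)` flags it.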

The attackers are able to control the botnet via a web admin panel that lets them monitor infected systems, IP addresses and whether brute force attempts are successful. The panel also drops an executable that the researchers believe is intended to extract payment card information.

BrutPOS appears to have been run from servers in Russia and Iran, but the researchers note that only two of the five servers, both Russian and brought online in late May and early June, are still active. Evidence of the botnet’s activity dates back to February, but in the early going the “full scope of the botnet was still unknown,” FireEye said.

As the web panel is in Cyrillic and several of the IP addresses of attackers that used it came from Ukraine, researchers believe the botnet’s creators hail from Eastern Europe.

At its peak, the botnet ensnared 5,622 machines, but only a fraction of the infected computers, 179 when last checked, were active. Of the 60 RDP servers the attackers deemed “good” targets, 51 were in the U.S., with the remainder located in Canada, Hong Kong, India, Taiwan and the U.K.

The botnet, meanwhile, also covered a large swathe of the globe; its systems were spread out across 119 countries, including Vietnam, India, Turkey, Mexico and Serbia, as well as the countries where its servers were located, Russia and Iran.

The research is yet another reminder of the risk that comes with relying on weak or default passwords, especially on systems exposed to the internet.

At the beginning of the year, as details about 2013’s massive Target breach began to come to light, journalist Brian Krebs pointed out that a hardcoded username and a default password may have been the company’s Achilles heel.

At the time Target would only say the attackers used access credentials that were hardcoded into a product used by the retailer. Krebs’ report suggested that the attackers may have used credentials from Performance Assurance for Microsoft Servers, system management software made by BMC Software. BMC went on the defensive, stating that the default password was “not a BMC-generated password,” but Krebs went on to say that the company’s statement does not necessarily rule out the possibility that user accounts set up by BMC helped the attackers.

Much as BrutPOS appears to have operated, once they were in, the Target attackers set up a command server and stole credit card numbers and personal information from infected POS systems.
