Poor admin passwords allow global botnet attack

BrutPos or @-Brt attacks have infiltrated POS systems with botnets largely thanks to weak admin passwords.

Poor admin passwords
Poor admin passwords

Poor passwords used by IT professionals - who should know better - are being blamed for the success of a global botnet campaign that has infected thousands of computers and compromised hundreds of retailer point-of-sale terminals in recent weeks.

The so-called ‘BrutPOS' or ‘@-Brt' attacks have been uncovered by researchers at FireEye and IntelCrawler, who said they have infiltrated the POS systems of mainly US-based retailers in a bid to steal credit card data.

In a 9 July blog, a FireEye team led by senior threat intelligence researcher Nart Villeneuve said the BrutPOS criminals had hijacked 5,622 systems spread across 119 countries. In just two weeks from 28 May to 12 June, they used this botnet to launch ‘brute force' attacks that involved them scanning specified IP ranges in order to infiltrate 60 remote desktop protocol (RDP) systems that had weak passwords, and through them plant malware in POS terminals.

Meanwhile, in a 8 July announcement, IntelCrawler tracked a lookalike botnet campaign, which it called @-Brt, and which used the same malware to infect and steal login credentials more than 450 POS devices, as reported by SC US.

IntelCrawler said that in the last two months, criminals have been increasingly using an “underground bot army of thousands of peaceful and unsuspecting infected users to successfully slide under the radar of both the end-user and the targeted merchants and so increase their chances of finding another gold-mine like Target”.

Microsoft's RDP is used by many businesses for remote login to Windows systems, enabling administrators to remotely update the software, for example.

But damningly, these breaches all came via weak or default passwords in this admin software.

IntelCrawler said "admin12345” was one of the most commonly used passwords extracted. FireEye said the most common user name exploited in the 60 attacks it found was “administrator” (36) and the most common passwords were “pos” (12) and “Password1” (12).

FireEye's Nart Villeneuve told SCMagazineUK.com via email: “We believe that the attackers are targeting POS systems that are using default or weak RDP passwords. These accounts are probably used by systems administrators or outsourced IT support.”

FireEye said in its blog: “While advanced exploits generate a lot of interest, sometimes it's defending the simple attacks that can keep your company from the headlines.”

Page 1 of 2