Poor admin passwords allow global botnet attack

News by Tim Ring

BrutPos or @-Brt attacks have infiltrated POS systems with botnets largely thanks to weak admin passwords.

Poor passwords used by IT professionals - who should know better - are being blamed for the success of a global botnet campaign that has infected thousands of computers and compromised hundreds of retailer point-of-sale terminals in recent weeks.

The so-called ‘BrutPOS' or ‘@-Brt' attacks have been uncovered by researchers at FireEye and IntelCrawler, who said they have infiltrated the POS systems of mainly US-based retailers in a bid to steal credit card data.

In a 9 July blog, a FireEye team led by senior threat intelligence researcher Nart Villeneuve said the BrutPOS criminals had hijacked 5,622 systems spread across 119 countries. In just two weeks from 28 May to 12 June, they used this botnet to launch ‘brute force' attacks that involved them scanning specified IP ranges in order to infiltrate 60 remote desktop protocol (RDP) systems that had weak passwords, and through them plant malware in POS terminals.

Meanwhile, in a 8 July announcement, IntelCrawler tracked a lookalike botnet campaign, which it called @-Brt, and which used the same malware to infect and steal login credentials more than 450 POS devices, as reported by SC US.

IntelCrawler said that in the last two months, criminals have been increasingly using an “underground bot army of thousands of peaceful and unsuspecting infected users to successfully slide under the radar of both the end-user and the targeted merchants and so increase their chances of finding another gold-mine like Target”.

Microsoft's RDP is used by many businesses for remote login to Windows systems, enabling administrators to remotely update the software, for example.

But damningly, these breaches all came via weak or default passwords in this admin software.

IntelCrawler said "admin12345” was one of the most commonly used passwords extracted. FireEye said the most common user name exploited in the 60 attacks it found was “administrator” (36) and the most common passwords were “pos” (12) and “Password1” (12).

FireEye's Nart Villeneuve told SCMagazineUK.com via email: “We believe that the attackers are targeting POS systems that are using default or weak RDP passwords. These accounts are probably used by systems administrators or outsourced IT support.”

FireEye said in its blog: “While advanced exploits generate a lot of interest, sometimes it's defending the simple attacks that can keep your company from the headlines.”

FireEye said the attacks it found likely came from Eastern Europe, “probably Russia or Ukraine”. It identified five command and control (C2) servers being used, three on the same network in Russia, one in Iran and one in Germany. Only two of the servers remain active.

Explaining the similarities between this campaign and the one tracked by IntelCrawler, Villeneuve told SC: “Whilst it is the same malware, IntelCrawler didn't mention the C2 servers, so it may be a separate group of cyber criminals using the same malware or a previous C2 by the same group. We are unable to confirm without further information.”

Analysing the attacks, industry expert Keith Bird, UK MD of Check Point, said the criminals' use of bots was both innovative and effective. He told SC via email: “What's new in this attack is the use of bots to automate brute-force attempts against devices where passwords may not have been changed - and it shows just how stealthy and effective bot infections can be.”

Bird said a 2014 Check Point report found that 77 percent of bots are active for more than four weeks, “which gives them plenty of time to harvest data. Organisations should scan their networks for bot activity as well as changing passwords for devices like POS terminals from default.”

Another industry watcher, Paco Hope, Cigital principal consultant, said the campaigns highlighted the fact that POS terminals are still vulnerable.

He told SC: “For a long time, complex systems like point-of-sales, ATMs, medical devices and more have been built using mass-market software and frameworks. This POS exploit is just the relentless enlargement of the scope of such common vulnerabilities. There will be much more of this before there will be less.”

FireEye said the bots it found were located mainly in Russia and India, followed by Vietnam, Iran and Taiwan.

The retailers' IP addresses targeted and the computers successfully brute-forced were nearly all in the US, with one in the UK.

Nart Villeneuve advised: “There are some simple steps an organisation can take to improve its defences against threats such as BrutPOS, including but not limited to: not allowing administrative access to systems, with the exception of special administrative accounts for administrators; locking out accounts after N number of incorrect login attempts; not allowing RDP login by default on systems, but rather granting it on an as-needed basis; limiting or eliminating the use of shared or group accounts; and monitoring authentication logs for repetitive failed login attempts to one system or multiple systems”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews