BrutPOS Botnet Targets POS Systems With Brute-Force Attacks

Cybercriminals are using thousands of compromised computers to target point-of-sale (PoS) systems from which they can steal payment card information, FireEye reported on Wednesday.

The malware used in these attacks, dubbed BrutPOS by FireEye, was first spotted in February and was later analyzed in March by AlienVault, but the full scope of the operation wasn’t known at the time. For the time being, researchers don’t know exactly how the malware is distributed, but they have found a website that serves the threat, and they believe the attackers might have used specialized distribution services provided by other cybercriminals.

According to FireEye, once the malware infects a computer, it connects to a command and control (C&C) server from which it receives a list of usernames, passwords and IP addresses. This information is used to access Remote Desktop Protocol (RDP) servers and compromise PoS systems.

The malware connects to port 3389, which is the default port for RDP servers, and if the port is open, it uses the credentials supplied by the C&C to carry out a brute-force attack. According to FireEye, if the RDP server is successfully breached, the credentials used to access it and its IP address are sent back to the attackers.

The list of usernames includes “backupexec,” “datacard,” “manager,” “pos,” “micros” and “microssvc,” which indicates that the cybercriminals are targeting specific systems, FireEye said.
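The behaviour described above (repeated RDP logon attempts against a short list of PoS-related service accounts, followed by a successful logon once a password works) leaves a characteristic trace in the target's Windows Security log. The following detector is an added example written for this article; it is not FireEye's or AlienVault's code. It reads a constructed, simplified log format (`timestamp event_id logon_type user source_ip`) rather than real EVTX records, uses the genuine Windows event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP), and treats the username watchlist from the report as the accounts worth highlighting. The threshold and time window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames the FireEye report lists as targeted by BrutPOS (from the article).
WATCHLIST = {"backupexec", "datacard", "manager", "pos", "micros", "microssvc"}

# Constructed sample log in a simplified one-line-per-event form:
#   <ISO timestamp> <event_id> <logon_type> <username> <source_ip>
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_LOG = """\
2014-07-09T10:00:01 4625 10 administrator 203.0.113.7
2014-07-09T10:00:03 4625 10 pos 203.0.113.7
2014-07-09T10:00:04 4625 10 micros 203.0.113.7
2014-07-09T10:00:06 4625 10 manager 203.0.113.7
2014-07-09T10:00:08 4625 10 backupexec 203.0.113.7
2014-07-09T10:00:09 4624 10 pos 203.0.113.7
2014-07-09T10:05:00 4625 10 alice 198.51.100.4
2014-07-09T10:30:00 4624 2 bob 192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\d+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event_id, logon_type, user, ip = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user,
        "source_ip": ip,
    }


def detect_rdp_bruteforce(log_text, threshold=4, window=timedelta(minutes=2)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    An alert records the peak number of failures seen in the window, which
    watchlisted PoS accounts were tried, and whether a successful RDP logon
    from the same source followed the failures (a likely compromise).
    """
    failures = defaultdict(list)   # source_ip -> [(ts, user), ...] within window
    alerts = {}                    # source_ip -> alert dict

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["logon_type"] != 10:
            continue  # only RDP logons are of interest here
        ip = ev["source_ip"]

        if ev["event_id"] == 4625:
            recent = failures[ip]
            recent.append((ev["ts"], ev["user"]))
            # Drop failures that fell out of the sliding window.
            while recent and ev["ts"] - recent[0][0] > window:
                recent.pop(0)
            if len(recent) >= threshold:
                alert = alerts.setdefault(ip, {
                    "source_ip": ip,
                    "attempts": 0,
                    "watchlist_users": set(),
                    "success_after_failures": False,
                })
                alert["attempts"] = max(alert["attempts"], len(recent))
                alert["watchlist_users"].update(
                    u for _, u in recent if u.lower() in WATCHLIST
                )

        elif ev["event_id"] == 4624 and ip in alerts:
            # A success from a source already flagged for brute forcing.
            alerts[ip]["success_after_failures"] = True
            alerts[ip]["compromised_user"] = ev["user"]

    result = []
    for alert in alerts.values():
        alert["watchlist_users"] = sorted(alert["watchlist_users"])
        result.append(alert)
    return sorted(result, key=lambda a: a["source_ip"])


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_LOG):
        print(a)
```

Running it over the sample flags 203.0.113.7 after its fourth failure within the window, lists the four watchlisted accounts it tried, and marks the later success as `pos` because a 4624 followed the burst of 4625s from the same source. The success-after-failures signal is the one that matters most operationally: a flood of 4625s from an unknown address says the host is being scanned, while a 4624 from that same address says the credential list delivered by the C&C contained a working password.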

So far, FireEye has identified five C&C servers in Russia, Germany and Iran, though three of them are currently inactive. By accessing the control panel from which the attackers control the BrutPOS botnet, security researchers determined that a total of over 5,600 devices have been compromised, but only some of them are active at any given time.


The infected devices are spread out across 119 countries, but most infections were spotted in Russia, India, Vietnam, Iran, Taiwan, Ukraine, Turkey, Serbia, Egypt and Mexico.

As far as the targeted RDP servers are concerned, most of them are located in the United States. In fact, of the total of 60 systems compromised by the attackers over a two-week period, 51 are in the United States, the security firm said.

Furthermore, a honeypot set up by FireEye has shown that the attackers connect to compromised servers from which they attempt to take credit card information. Once they’re done with a system, the cybercriminals format (wipe) its hard drive to cover their tracks. Researchers have also uncovered an executable that extracts payment card data from running processes.

Based on the Russian language interface of the BrutPOS administration panel and the IP addresses used to connect to it, FireEye believes that the individuals behind this operation are most likely located in Russia or Ukraine.

“POS systems remain a high priority target for cybercriminals,” FireEye researchers noted in a blog post. “While new malware and more advanced attacks are taking place, standard attacks against weak passwords for remote administration tools present a significant threat.”

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.