BrutPOS Botnet Uses Brute Force to Break Into POS Systems

FireEye uncovers a botnet that is brute-forcing its way into point-of-sale systems to steal payment credentials.

data breach

In a new twist on retail payment security, researchers at security firm FireEye have uncovered a botnet that is specifically trying to brute-force its way into point-of-sale (POS) systems. FireEye has named the botnet BrutPOS because it uses a brute-force technique to gain access to POS systems.

In a brute-force attack, the attacker tries to enter a system by trying out a series of username/password combinations to gain access. BrutPOS leverages its botnet of compromised machines, scanning for POS servers and then brute-forcing its way in.

"POS malware is something that has been around for a while," Kyle Wilhoit, threat intelligence analyst at FireEye, told eWEEK. "However, POS malware that is utilizing brute-forcing techniques is new."

The FireEye investigation found that the BrutPOS botnet had in its network a total of 5,622 compromised computers, which report into command and control (C2) servers. In total, there are five C2 servers for BrutPOS, though FireEye notes that only two are currently active.

"The other servers in question were taken down, likely by the actors perpetuating the attacks," Wilhoit said.

The risk of retail POS data breaches has been top of mind for many in 2014 due to a number of high-profile incidents. U.S retailer Target publicly admitted on Dec. 19, 2013, that it was breached, leaving 70 million customers at risk. More recently, restaurant chain P.F. Chang's admitted on June 12 that it too was the victim of a data breach, likely the result of POS insecurity.

In its report, FireEye is not claiming BrutPOS is related to any publicly disclosed data breach. That said, FireEye's investigation found that BrutPOS targeted 57 IP address ranges, 32 of which are located in the United States.

From a remediation perspective, there a number of things retailers and POS operators can do to protect themselves. In a brute-force attack, the first round of attack typically goes after default username/password combinations. As such, one thing that should be done by POS administrators is to change the default password.

"Changing default passwords is important to ensure low-hanging fruit is not easily exposed," Wilhoit said.

Going a step further, Wilhoit suggests that RDP (Remote Desktop Protocol), which runs over server Port 3389, should be locked down to trusted sources. The BrutPOS attack targets RDP specifically as a means to gain access.

"Not allowing 3389 access to POS terminals from the outside world is extremely important," Wilhoit said. "Likewise, in internal networks, this access should be heavily restricted."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.