Botnet Targets Point-of-Sale Systems


July 9th, 2014, 15:35 GMT · By Ionut Ilascu
List of weak passwords detected by IntelCrawler

A new botnet has been discovered by security researchers, who observed that it uses the infected machines to scan for the presence of point-of-sale systems and gain access to the information through brute-force attacks.

Los Angeles-based cyber threat intelligence firm IntelCrawler says that the name of the botnet project was released on the underground forums in May 2014.

According to the company, the malware it uses “collected indicators like subnet IP ranges and commonly used operators, supervisor, and back office administrator logins, some of which are default manufactures passwords for famous Point-of-Sale equipment.”

Some technical documentation provides the default credentials for initial access to the systems, and has been added to the dictionary used by the cybercriminals for the brute-force attacks.

Because of the botnet distribution, the operators behind it are capable of scanning multiple IPv4 network ranges of certain TCP ports, as well as using the brute-force technique to determine the log-in credentials for remote administration services like VNC, Microsoft RDP, and PCAnywhere.

In a recent incident that affected a reseller of POS systems, the crooks used stolen credentials for the LogMeIn account to gain unauthorized access to information related to POS transactions.

IntelCrawler says that in the case of “@-Brt,” the malicious software includes multi-threading support, a feature that permits running through the dictionary database at a much faster pace.

The company detected that several prominent merchants have been affected by the malware and scanning of IPv4 ranges of large ISPs (Internet Service Providers), AT&T Internet Services, Sonic.net and SoftLayer Technologies being among them.

Multiple variants of the malicious software exist, with modifications that may aim at increased optimization and could have been written by different authors.

A list of commonly used passwords for the compromised POS terminals includes simple and easy to crack text strings, such as “posrn,” “terminal,” “admin12345,” “manager,” “hotel,” “operator,” “posadmin,” and “pos12345.”

It appears that administrators used numerous variants of “aloha” as the access restriction password, the “aloha12345” passcode being used in 13% of the cases, followed by “micros” (10%), “pos12345” (8%), “posadmin” (7%), and “javapos” with 6.30%. All of these are extremely weak passwords that can be cracked in a matter of minutes, depending on the specifications of the machine used.

As far as the geographical spread of the botnet is concerned, the security company provides a chart showing infected computers in USA,Germany, Japan, Mexico, Bulgaria, India, Jordan, Hong Kong, Antilles, Philippines, and Korea.

Plug for WatchGuard (Firewall of Choice)
Advanced threats, including APTs (advanced persistent threats) and zero day malware, once plagued governments and large enterprises exclusively. Now the target has shifted, with mid-size and small businesses under increasing attack from polymorphic threats that are particularly difficult to detect and extremely dangerous. The service integrates with WatchGuard Dimension™, the big-data style visibility tool that is included with every WatchGuard solution. Dimension distills oceans of log data into actionable security intelligence, providing an instant, single view of advanced threats. You’ll see which files are blocked and why, along with other top trends, applications and threats covered by WatchGuard security technologies.

Advanced Protection
Takes over where AV protection leaves off, going after zero day threats for which there are no signatures.

Available for All WatchGuard Appliances

Roy Miehe | MspPortal.net | Ceo/President
GFI Max Distributor
Where Service and Technical Skills Count

Tags: , , , , , , , , , , , , ,

Comments are closed.

%d bloggers like this: