Cybercriminals have recently compromised Point-of-Sale (PoS) terminals across the globe, using malware that brute-forces remote administration logins. As reported by researchers from FireEye, attackers have breached 60 PoS terminals by targeting poorly secured remote-administration connections to obtain valid credentials.

This new campaign, identified as BrutPOS, specifically focuses on harvesting payment card data from PoS systems and any associated storage locations by exploiting Microsoft Remote Desktop Protocol (RDP) servers. These servers are often configured with weak passwords, making them prime targets for exploitation.

PoS machines are widely used because they streamline inventory management and improve record accuracy, and they are critical components of the retail ecosystem. Unfortunately, many operators remain unaware of the security risks inherent in these systems.

A team of three FireEye researchers—Nart Villeneuve, Joshua Homan, and Kyle Wilhoit—detected that among the compromised RDP servers, 51 out of 60 were located in the United States. Alarmingly, the most frequently used username among these breaches was “administrator,” and common passwords included “pos” and “Password1,” highlighting a troubling lack of security awareness.

FireEye’s investigation revealed five command-and-control (CnC) servers linked to the BrutPOS campaign, with three of these now offline while two remain active, both based in Russia. This campaign has been underway since at least February, with a current estimate of 5,622 bots operating in 119 countries, primarily within Eastern Europe, suggesting a substantial presence in Ukraine or Russia.

As the researchers describe it, infected systems scan for hosts listening on port 3389 (RDP), add each discovered IP address to a list of targets, and then brute-force those targets with credentials supplied earlier by the attackers. When a login succeeds, the valid credentials are reported back to the attackers.

Once attackers have gained access to an RDP-enabled system, they install malware designed to extract payment card data from applications running on the machine. The malware also tries to acquire debug privileges so it can read the configuration of the PoS software. If that fails, it can instead hide among system processes by copying itself to %WINDIR%\lsass.exe and registering itself as a service.
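As an added illustration from the defender's side (not code from the FireEye report or the malware), the following Python flags the two behaviours described above in constructed sample data: repeated failed RDP logons from one source followed by a success, and an lsass.exe sitting outside its legitimate %WINDIR%\System32 location. The simplified log format, addresses, timestamps and the failure threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines in a simplified form of Windows Security events
# 4625 (failed logon) and 4624 (successful logon); logon type 10 is RDP.
# Format, addresses and timestamps are assumptions, not data from the report.
SAMPLE_LOG = """\
2014-07-09T10:01:02 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2014-07-09T10:01:03 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2014-07-09T10:01:04 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2014-07-09T10:01:05 EventID=4625 LogonType=10 TargetUserName=pos IpAddress=203.0.113.7
2014-07-09T10:01:06 EventID=4624 LogonType=10 TargetUserName=pos IpAddress=203.0.113.7
2014-07-09T10:05:00 EventID=4625 LogonType=2 TargetUserName=cashier IpAddress=127.0.0.1
"""

LINE_RE = re.compile(
    r"EventID=(\d+) LogonType=(\d+) TargetUserName=(\S+) IpAddress=(\S+)")

def parse_events(log_text):
    """Yield (event_id, logon_type, user, ip) for each line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groups()

def rdp_bruteforce_sources(log_text, threshold=3):
    """Map source IP -> count of failed RDP logons, for IPs at or above threshold."""
    failures = Counter()
    for event_id, logon_type, _user, ip in parse_events(log_text):
        if event_id == "4625" and logon_type == "10":
            failures[ip] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}

def successes_after_failures(log_text):
    """Return (ip, user) for RDP logons that succeeded after earlier failures
    from the same IP: the signature of a brute force that found a password."""
    seen_failures, hits = set(), []
    for event_id, logon_type, user, ip in parse_events(log_text):
        if event_id == "4625" and logon_type == "10":
            seen_failures.add(ip)
        elif event_id == "4624" and logon_type == "10" and ip in seen_failures:
            hits.append((ip, user))
    return hits

def lsass_masquerades(paths, windir=r"C:\Windows"):
    r"""Flag any lsass.exe outside %WINDIR%\System32, the only legitimate location."""
    legit = (windir + r"\System32\lsass.exe").lower()
    return [p for p in paths if p.lower().endswith("\\lsass.exe") and p.lower() != legit]
```

On a real host the path list would come from a process or service inventory, and the log lines from the Security event log; the matching logic is unchanged.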

To further understand the attackers’ motives and methods, FireEye researchers constructed a honeypot, deploying a simulated PoS software environment filled with fake credit card data. The ensuing activity revealed attackers compromising the system via RDP, accessing the software, and even attempting to erase any traces of their intrusion.

Historically, significant data breaches have targeted PoS machines, most notably the Target breach, which led to the theft of over 40 million credit and debit card records. Other notable incidents include breaches at Neiman Marcus and Michaels Stores, which together compromised an estimated 110 million credit and debit cards along with personal information.

In light of these recent developments, business owners are urged to review their security protocols, particularly concerning RDP configurations and password management, in order to mitigate the risks posed by campaigns like BrutPOS. Utilizing frameworks like the MITRE ATT&CK Matrix can offer insights into potential adversary tactics and techniques, including initial access, privilege escalation, and persistence, that are critical in understanding the evolving landscape of cybersecurity threats.