Cyber Armies Brute Force POS Systems

Los Angeles, California - July 8, 2014

IntelCrawler, a cyber threat intelligence firm from Los Angeles, has identified a malicious automated network that targets Point-of-Sale software using infected computers from around the world.  The underground bot army, using the project name “@-Brt”, is using thousands of peaceful and unsuspecting infected users to brute force Point-of-Sales systems in an attempt to steal login credentials. 

This increased trend during the past two months has been in a stealth mode since the bot activities have successfully slide under the radar of both the end user and the targeted merchants. Previous threat intelligence notifications by IntelCrawler confirmed that the interest of cybercriminals to offline and online (cloud-based / SaaS) Point-of-Sales has increased significantly of late as the use of automation and bots increases their chances of finding another gold mine like Target.  

Pic.1 – Administrative Interface of “@-Brt” project

Pic.2 – The bad actor defines his own list of credentials and subnets for POS scanning

The “@-Brt” project was released in May 2014 in the underground as a specific type of malware for brute forcing the Point-of-Sale credentials, using collected indicators like subnet IP ranges and commonly used operators, supervisor, and back office administrator logins, some of which are default manufactures passwords for famous Point-of-Sale equipment, as conveniently described in the official technical documentation from particular vendors. 

Pic.3 – Listing of successfully compromised POS terminals located in the US

The bad actors distribution of the “@-Brt” botnet allows for active scanning of multiple IPv4 network ranges of specific TCP ports and parallel brute forcing of available remote administration protocols such as VNC, Microsoft RDP and PCAnywhere. The identified malware supports multithreading, which allows to speed-up the process of gaining unauthorized access to merchants for further data theft. IntelCrawler has also detected within the bot the concentration of some compromised merchants and the massive IPv4 scanning in network ranges of famous US Internet Service Providers such as AT&T Internet Services, Sonic.net and SoftLayer Technologies. There are several modifications of the “@-Brt” project, supported by several cybercriminals, using a bit different approaches to parallelism, potentially written by different authors for speed and timeouts optimization. After monitoring and infiltrating the bot network, IntelCrawler’s analysts have figured out the most commonly used passwords for compromised Point-of-Sale terminals and geographical distribution of the infected hosts for cyberattacks.

Passwords distribution showed leaders with very low entropy – “aloha12345” (13%), “micros” (10%), pos12345 (8%), “posadmin” (7%) and “javapos” (6.30%). IntelCrawler recommends to strengthen passwords used for POS terminals, as well as to monitor suspicious incoming network traffic from the following countries:  

About IntelCrawler 

IntelCrawler is a cyber threat intelligence firm from Los Angeles, California, which helps connect the dots between verified cyber intelligence information and emerging threats against specific enterprises using aggregated and analyzed large volumes of Big Data, context-aware cyber intelligence technologies and operative human intelligence (HUMINT).

News archive