BrutPOS Botnet Targets Retail's Low-Hanging Fruit

Published: 22/11/2024   Category: security




FireEye discovers a botnet that's going after point-of-sale systems with bad passwords and other basic security no-nos.



In the midst of so many advanced persistent threats that seem impossible to prevent, there is a new threat out there that's still going after the low-hanging fruit.
FireEye has discovered a new botnet, BrutPOS, that is being used to find point-of-sale systems' remote administration software and brute-force its way into the ones with weak passwords.
Attackers are exploiting poor password practices and lax Remote Desktop Protocol (RDP) deployments to lift payment card information from active processes on POS terminals and from other places where payment data is stored.
FireEye has discovered five BrutPOS command-and-control servers, three of which are now inactive; the two active servers, both based in Russia, were set up in late May and early June. FireEye says that the operators of BrutPOS are based in Eastern Europe, most likely Ukraine or Russia.
The botnet has been active since February. At latest count, BrutPOS consisted of 5,622 bots in 119 countries -- many of them in Russia (15.67%), India (13.45%), Vietnam (7.51%), Iran (6.07%), and Taiwan (4.13%). Only a small fraction of the bots are active at any given time.
The bots scan ranges of IP addresses looking for POS remote administration services that are reachable from the Internet and poorly locked down.
"What's really interesting here is that the way the malware is propagating is not from some proprietary malware. It's using remote desktop protocol," says Joshua Goldfarb, chief security officer of the enterprise forensics group at FireEye. "It's misusing or abusing a legitimate protocol."
Over the course of two weeks, the attackers gained access to 60 POS systems; 51 of those were in the United States.
The most common username on the breached systems was "administrator". The most common passwords were "pos" and "Password1".
The attackers use their admin access to install additional executables that scrape payment card information -- from POS terminals and elsewhere -- and exfiltrate it to the C&C server.
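The pattern described above (a remote host guessing RDP passwords until one works, then logging in as administrator) leaves a distinctive trail in the Windows Security log. The following is an added example, not code from FireEye's report or from the BrutPOS malware, that reads logon events in a simplified JSON-lines form and flags any source IP that racks up repeated failed RDP logons (Event ID 4625, logon type 10) within a short window, then records whether a successful RDP logon (Event ID 4624) from the same address followed the burst. The sample log, its field names, the five-failure threshold and the five-minute window are all constructed for the example; a real SIEM export carries many more fields.

```python
"""Detect RDP password-guessing in Windows Security log events.

Added example, not code from FireEye or the BrutPOS operators. Events are
modelled as JSON lines carrying only the 4625/4624 fields the check needs.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. event_id 4625 = failed logon, 4624 = successful
# logon; logon_type 10 = RemoteInteractive, i.e. RDP. 203.0.113.7 guesses
# "administrator" (and once "pos") six times in ten seconds and then gets in;
# 198.51.100.9 is an operator who mistyped a password once; the last line is
# a console (logon_type 2) failure the RDP check must ignore.
SAMPLE_LOG = """\
{"ts": "2014-06-01T02:00:01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"}
{"ts": "2014-06-01T02:00:03", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"}
{"ts": "2014-06-01T02:00:05", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"}
{"ts": "2014-06-01T02:00:07", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "pos"}
{"ts": "2014-06-01T02:00:09", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"}
{"ts": "2014-06-01T02:00:11", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"}
{"ts": "2014-06-01T02:00:14", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"}
{"ts": "2014-06-01T02:01:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.9", "user": "clerk"}
{"ts": "2014-06-01T02:05:00", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.9", "user": "clerk"}
{"ts": "2014-06-01T02:06:00", "event_id": 4625, "logon_type": 2, "src_ip": "-", "user": "clerk"}
"""

FAIL_THRESHOLD = 5              # failed RDP logons from one IP ...
WINDOW = timedelta(minutes=5)   # ... inside this sliding window raise an alert


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', ordered by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source IP whose RDP failures reach the threshold.

    Each alert records the first failure, the running failure count, which
    accounts were targeted, and the first successful RDP logon from that IP
    after the burst (the sign that a weak password was actually found).
    """
    fail_times = defaultdict(list)     # src_ip -> failure timestamps in window
    targets = defaultdict(Counter)     # src_ip -> account -> failed attempts
    alerts = {}                        # src_ip -> alert dict
    for e in events:
        if e.get("logon_type") != 10:  # only RDP sessions interest us here
            continue
        ip = e["src_ip"]
        if e["event_id"] == 4625:
            targets[ip][e["user"]] += 1
            # Keep only failures still inside the sliding window.
            times = [t for t in fail_times[ip] if e["ts"] - t <= window]
            times.append(e["ts"])
            fail_times[ip] = times
            if ip in alerts:
                alerts[ip]["failures"] += 1
            elif len(times) >= threshold:
                alerts[ip] = {
                    "src_ip": ip,
                    "first_seen": times[0],
                    "failures": len(times),
                    "targets": targets[ip],   # same Counter, keeps updating
                    "success_after": None,
                }
        elif e["event_id"] == 4624 and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = (e["user"], e["ts"])
    return list(alerts.values())


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_rdp_bruteforce(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert['src_ip']}: {alert['failures']} failed RDP logons since "
              f"{alert['first_seen']:%H:%M:%S}, accounts {dict(alert['targets'])}, "
              f"success after burst: {alert['success_after']}")
```

On any RDP host reachable from the Internet the failed-logon burst itself is constant background noise; the event worth paging on is the 4624 that follows it from the same address, which is why the alert carries `success_after`. The fix is the one the article implies rather than better detection: keep RDP off the Internet, and give the administrator account on a POS terminal something other than "pos" or "Password1".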
Goldfarb says that the BrutPOS attackers are exploiting the fact that some organizations still do not follow the basic security best practices that have been recommended for 10 to 20 years.
"Essentially, the theme here is hackers can be lazy because [companies] allow them to be," he says. "They're only as fancy as they need to be."
