In case the coverage of last year’s Target breach did not drive this point home: Criminals are very interested in retailers’ Point of Sale (PoS) machines. Because so many credit card numbers pass through these systems, and they are often insufficiently guarded, criminals find them a very low-hanging fruit for theft. Recently, a new type of malware has been found that specifically tries to break into PoS machines. ESET detects this threat as Win32/BrutPOS.A.
The idea behind BrutPOS is that it tries to brute-force its way into PoS machines by trying a variety of (overused) passwords in order to log in via Remote Desktop Protocol (RDP). It is unclear at this time how this malware is being spread, but it is likely just one component of an attacker’s toolkit – that is to say, it is probably being used in concert with other malware, possibly depending on the defenses (or lack thereof) on the machines being attacked. Once the machine has been breached, the trojan installs a “RAM Scraper” which collects credit card numbers from the memory of the PoS machine and sends them back to the attackers via FTP. Many of the systems on which this malware has been found belong to small businesses, which are particularly desirable targets for such theft.
If you have a PoS machine, there are a few quick things you can do to help protect these systems from this particular type of attack:
Use a strong password
Much has been written on the importance (and tactics) of choosing a strong password, and yet here we have malware that is successfully breaching machines because they have such poor passwords. It is important to note that in this case, many of the passwords used on the breached machines were the default passwords or were simple variations on the name of the PoS vendor. For instance: the top three most common passwords were “aloha12345”, “micros” and “pos12345”. It is best to use a passphrase rather than a simple password, as a passphrase can be easy to remember yet very time-consuming to crack due to its length. and now is a good time to consider supplementing passwords with two factor authentication (2FA) on any machines that can touch your PoS systems.
Limit login attempts
Once you have a strong password in place, make it count: Limit attempts to log in to machines to just a few. Locking people out after 3-5 incorrect attempts is a common range. This will dramatically decrease the effectiveness of brute forcing attacks, as the attackers will be prevented from trying large numbers of incorrect passwords until they get to the right one.
We talk a lot here about the Principle of Least Privilege and the dangers of enabling RDP. This is far from being the first malware to take advantage of poor passwords or of the power of RDP. The long and short of it is, limit access wherever you can. For instance: If you do not need to remotely access the machine, do not enable RDP. If you do need to enable RDP, make sure you do so securely. This article from University of California Berkeley has some great tips to help. Likewise, limiting FTP access may hamper attackers’ ability to exfiltrate credit card data.
There are a variety of other things you can do to help protect your PoS machines, which are much the same measures as you would take to protect any other machine on the Internet; including regularly updating software and using security software. This post by the US-CERT goes into more details, specific to administering PoS systems.
This is a good reminder that any machine that connects to the Internet can and should be protected, and that the techniques for doing so are basically the same, regardless of operating system. Once you learn good security hygiene, you can use the same basic principles on any system you administer.
Author Lysa Myers, ESET