Thousands of Amazon AWS Instances Host C&C Servers for POS Malware

Malware has turned into a booming industry for cybercriminals over the past few years. In fact, there are so many types of malware in circulation that no hardware or software is safe from harm right now. Point-of-sale (POS) terminals are of particular interest to criminals, although a lot of these efforts are not overly successful. New research by the Kromtech Security Center shows how ElasticSearch servers are some of the main culprits when it comes to hosting PoS malware.

Point-of-sale Malware is a big Problem

Anyone who owns or works at a physical store will have come in contact with point-of-sale devices. These terminals allow retailers to accept different payment methods including debit, credit, and bank cards. A point-of-sale terminal is greatly valuable to any business owner. After all, one can barely afford to run a business without accepting card payments with a PoS terminal these days.

Unfortunately – though perhaps not unexpectedly – these machines have become targets for cybercriminals. Rather than physically modifying a point-of-sale terminal, criminals are now using different types of malware to remotely control information processed by the device. In most cases, such malware is used to collect payment card information, which is then used for nefarious purposes or sold to other criminals on the darknet.

There are currently two PoS malware strains that are particularly concerning. AlinaPOS and JackPOS are two very serious threats to anyone who owns a point-of-sale terminal. As most of these devices are connected to the Internet in one way or another, they are effectively prone to infection by these malware strains. Both of these strains have seen a major increase in their distribution of late, which is rather troublesome.

It turns out one of the distribution methods for both AlinaPOS and JackPOS comes in the form of ElasticSearch servers. Over 15,000 of these servers are accessible through the Internet without requiring any form of authentication whatsoever. Over 4,000 unsecured servers are used to host files related to AlinaPOS and JackPOS’s command & control infrastructure. That is a big problem which should be addressed sooner rather than later.

This information hints at how ElasticSearch servers are often used to host POS malware command & control servers. What is more, 99% of all POS malware-infected servers are hosted on Amazon’s AWS service. That is not surprising by any means, as AWS allows users to get a free instance with up to 10gb of disk space. The t2 micro EC2 instance can only be set up with ElasticSearch versions 1.5.2 and 2.3.2. It makes perfect sense for criminals to use these free tools to host POS malware C&C infrastructure.

Thankfully, Amazon and other affected companies have been notified about this problem. So far, no one has issued a response or attempted to address this problem in the first place, which is not a good sign. While POS malware is often considered a niche threat, one has to wonder why there are over 4,000 command & control servers in existence today. Both AlinaPOS and JackPOS have caused a lot of damage over the past few years and they are still actively used to this day. Perhaps this is not such a niche market as originally assumed.