A guest post by Kyle Pagelow from Tetra Defense
In this post, we describe how our Incident Response team discovered and thwarted a threat actor stealing credit card data by exploiting a zero day RCE (remote code execution) vulnerability in NCR’s Aloha Point of Sale software, widely used in the catering and restaurant industries.
Our investigation led us to discover and report CVE-2021-3122. While Tetra Defense successfully defended the client’s business, removing the threat actor’s access from the client’s network and mitigating the entire infection chain, a large number of other potential victims are readily discoverable, many of whom could be actively exploited today.
According to the vendor, CVE-2021-3122 is a client misconfiguration, and it appears that it is up to each client using Aloha POS to ensure that the server is properly configured and cannot be exploited in the way described in this post.
While we acknowledge NCR’s position, it is also worth pointing out that this “misconfiguration” is widely deployed and known to be actively exploited. Therefore, we urge all NCR Aloha POS users to ensure their Aloha POS configuration follows NCR’s guidelines and to confirm that their POS network has not been compromised in the manner we discuss in detail below.
Point of Ingress | The Threat Actor’s Initial Compromise
NCR’s Aloha POS software is an end to end point of sale system application primarily used by restaurants to take orders, accept credit card payments and manage other sensitive business functions. As is standard practice, our client was running Aloha POS on an isolated private network, with a number of terminals utilizing this network. The only outward bound communication from any endpoint on the network was to the Aloha Back of House (BOH) server.
The Aloha BOH server provides administrative functions for each of the POS terminals and is responsible for all external communications. Primarily, external traffic consists of communication between the BOH server and NCR’s own servers for the purpose of receiving various administrative commands, performing maintenance and updating the POS terminals when required.
Prior to our IR investigation team being brought in, the client’s network appears to have first been compromised in February 2017. BlackPOS, rtPOS, GratefulPOS and PWNPOS were observed on the client’s systems, along with BTCamant ransomware, shortly after the client had installed an MSP provider. While some of the malware infections avoided C2 communications and wrote files out locally to disk, by December 2018 RampagePOS was observed communicating with a C2 at support[.]nesinoder[.]com. This domain was later seen to be associated with Maze ransomware.
In September 2019, the threat actor began utilizing a commercial remote monitoring and management tool (RMM) called screenconnect. The threat actors configured the RMM tool to report to their own C2s and cleverly disguised the DNS to blend in with legitimate traffic to NCR by using the address support-ncr-aloha[.]net.
The threat actor’s next step was to begin installing credit card stealing malware on both the BOH server and terminal endpoints on January 9th, 2020. At this time, malware was pushed to the terminals using a batch script to update the hosts file on each terminal with an entry labelled ‘back’ and the IP address of the BOH server. Since the terminals had no ability to communicate externally, the malware was configured to send encrypted, scraped credit card data to the BOH server over port 1888.
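A terminal-side check for the two artefacts described above, a hosts entry named 'back' and traffic to port 1888, follows as an added example; it is not code from the original post, Tetra Defense or NCR. The allowlist of expected host names, the function names and the sample data are assumptions.

```python
def parse_hosts(text):
    """Yield (ip, [names]) from Windows hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], [name.lower() for name in parts[1:]]

def audit_terminal(hosts_text, connections, allowed_names=("localhost",)):
    """Flag the 'back' alias, other unlisted aliases, and port-1888 traffic.

    connections is an iterable of (dst_ip, dst_port) pairs taken from the
    terminal's network telemetry; allowed_names is a site-specific allowlist
    (an assumption, adjust it to the names your deployment really uses).
    """
    findings, back_ips = [], set()
    for ip, names in parse_hosts(hosts_text):
        for name in names:
            if name == "back":
                back_ips.add(ip)
                findings.append(f"hosts entry 'back' -> {ip}")
            elif name not in allowed_names:
                findings.append(f"unlisted hosts entry '{name}' -> {ip}")
    for dst_ip, dst_port in connections:
        if dst_port == 1888:
            tag = " (matches 'back' entry)" if dst_ip in back_ips else ""
            findings.append(f"connection to {dst_ip}:1888{tag}")
    return findings

# Constructed sample input, not data from the incident.
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1       localhost
192.168.10.5    BACK    # added by a script
"""
SAMPLE_CONNS = [("192.168.10.5", 1888), ("192.168.10.5", 445)]

if __name__ == "__main__":
    for finding in audit_terminal(SAMPLE_HOSTS, SAMPLE_CONNS):
        print(finding)
```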
Discovering the BOH RCE Attack Vector
While it’s not surprising that the terminals could have their hosts files manipulated by the BOH server, the attack’s real menace comes from the exploitation of a hitherto unknown vulnerability in the Command Center Agent running on the BOH server. While NCR has been at pains to point out that the exploit requires an unsupported configuration, our investigation found that there are hundreds of Aloha BOH servers currently configured in this way and, therefore, vulnerable to attack.
As attack methods, motives, and consequences change daily, our IR investigation team uses SentinelOne Singularity as our constant ongoing endpoint protection and alert method. We deployed SentinelOne on the client’s terminals and BOH servers as part of our emergency incident response effort. This allowed us not only to get full visibility into the threat actor’s TTPs but also alerts at each stage of the ongoing infection. Via the SentinelOne agents and management console, we were able to identify connections from external IP addresses to the Aloha Command Center Agent occurring over port 8089.
Having rebuilt the entire Aloha POS network, now with SentinelOne installed, we were able to observe how the actor then re-compromised the system. It quickly became apparent that the threat actor was able to connect to the cmcAgent.exe externally and run commands with SYSTEM level privileges.
The SentinelOne agent alerted us as the threat actor dropped an instance of the DoublePulsar backdoor on the BOH server and wrote malware to the screenconnect directory in c:\windows\temp. The threat actor used the Eternal Champion exploit from FUZZBUNCH to install the malware.
In addition, we observed the threat actor utilizing other LOLBins such as certutil to download files, the net command to mount shares to public IP addresses, and netsh to open ports on the Windows firewall and expose services such as RDP.
We leveraged the management console’s Deep Visibility feature and found that the malware was using msiexec for the screenconnect MSI to reach out to the attacker’s C2 at support[.]ncr-aloha[.]net.
At this point, we leveraged the SentinelOne remote shell feature to kill off screenconnect and quarantine the cmcAgent.exe. We ran further Deep Visibility queries to prevent the threat actor from further exploitation of the network.
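The behaviours observed in this section can be expressed as simple triage rules over process and network telemetry. The sketch below is an added example, not SentinelOne Deep Visibility syntax or code from the original post; the event field names, rule names, internal address ranges and sample events are all assumptions.

```python
import ipaddress
import re

# Assumption: the POS network uses RFC 1918 space; anything else is external.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LOLBINS = {"cmd.exe", "powershell.exe", "certutil.exe", "net.exe",
           "netsh.exe", "msiexec.exe"}
UNC_IP = re.compile(r"\\\\(\d{1,3}(?:\.\d{1,3}){3})\\")

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def triage(events):
    """Return the (rule, event) pairs raised by the behaviours in the post."""
    hits = []
    for ev in events:
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "").lower()
        if ev["type"] == "net":
            # Inbound connection to the agent's port from outside the site.
            if ev["dst_port"] == 8089 and is_external(ev["src_ip"]):
                hits.append(("external-connection-to-8089", ev))
            continue
        if ev.get("parent", "").lower() == "cmcagent.exe" and image in LOLBINS:
            hits.append(("cmcagent-child-process", ev))
        if image == "certutil.exe" and "http" in cmd:
            hits.append(("certutil-download", ev))
        if image == "netsh.exe" and "firewall" in cmd:
            hits.append(("netsh-firewall-change", ev))
        unc = UNC_IP.search(cmd)
        if image == "net.exe" and unc and is_external(unc.group(1)):
            hits.append(("net-share-to-public-ip", ev))
    return hits

# Constructed sample telemetry (field names and values are illustrative).
SAMPLE = [
    {"type": "net", "src_ip": "203.0.113.7", "dst_port": 8089},
    {"type": "net", "src_ip": "10.1.1.20", "dst_port": 8089},
    {"type": "proc", "parent": "cmcAgent.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c <command>"},
    {"type": "proc", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe <args> http://files.example/a.bin"},
    {"type": "proc", "parent": "cmd.exe", "image": "net.exe",
     "cmdline": r"net use \\198.51.100.9\share"},
    {"type": "proc", "parent": "services.exe", "image": "netsh.exe",
     "cmdline": "netsh advfirewall firewall add rule <args>"},
]
```

The internal ranges are listed explicitly rather than tested with `ipaddress`'s `is_private`, which also reports documentation ranges such as 203.0.113.0/24 as private.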
Discovering CVE-2021-3122 and Creating a POC Exploit
Having secured the client’s network, our next task was to understand what vulnerability the threat actor was leveraging to access the Aloha BOH server. Our investigation found that a flaw exists within the NCR Command Center Agent (cmcAgent.exe). Systems that are configured with an internet-facing Command Center Agent display a banner with the hostname of the server and are discoverable through network scanning and banner grabbing. Simple searches can also be conducted through the use of tools such as shodan.io.
The cmcAgent’s RUNCommand function allows for a parameter to be supplied in a specially crafted XML request that can be executed remotely if the server is configured to listen on TCP port 8089 for incoming connections. Passing such a command allows the attacker to execute that command as SYSTEM.
In our POC, we executed a custom command remotely against a virtual machine that had the cmcAgent running. We created several requests and executed cmd.exe, powershell.exe and calc.exe. All processes spawned under the ‘SYSTEM’ user and were running in the background.
Additionally, when connecting to the port, the server will return a response with the hostname of the system as well as other information indicating the system is running Aloha software. This means it is a simple matter to conduct a shodan search for the banner and see which NCR customers have the Command Center Agent publicly exposed.
Responsible Disclosure and Vendor Response
In June of 2020, Tetra contacted the vendor NCR, creators of the Aloha platform, in order to responsibly disclose the vulnerability. NCR had indicated the vulnerability is only exploitable if customers are misconfigured and have the CMCAgent’s listening port exposed. NCR updated their documentation for the CMCAgent and added a requirement not to have the CMCAgent internet-facing. Tetra contacted CISA and disclosed the vulnerability in December of 2020. MITRE rated the vulnerability with a CVSS score of 9.8.
Recommendations and Mitigation
NCR customers are urged to ensure they have updated to the latest available version.
Users running the Aloha POS system in their environment are strongly urged to review their system configuration and prohibit unauthorized hosts from connecting to vulnerable systems.
Users should run an up-to-date security solution such as SentinelOne Singularity across their environment and review security alerts.
Indicators of Compromise