CVE-2021-3122 | How We Caught a Threat Actor Exploiting NCR POS Zero Day

A guest post by Kyle Pagelow from Tetra Defense

In this post, we describe how our Incident Response team discovered and thwarted a threat actor stealing credit card data by exploiting a zero day RCE (remote code execution) vulnerability in NCR’s Aloha Point of Sale software, widely used in the catering and restaurant industries.

Our investigation led us to discover and report CVE-2021-3122. While Tetra Defense successfully defended the client’s business, removing the threat actor’s access from the client’s network and mitigating the entire infection chain, a large number of other potential victims are readily discoverable, many of whom could be actively exploited today.

According to the vendor, CVE-2021-3122 is a client misconfiguration, and it appears that it is up to each client using Aloha POS to ensure that the server is properly configured and cannot be exploited in the way described in this post.

While we acknowledge NCR’s position, it is also worth pointing out that this “misconfiguration” is widely deployed and known to be actively exploited. Therefore, we urge all NCR Aloha POS users to ensure their Aloha POS configuration follows NCR’s guidelines and to confirm that their POS network has not been compromised in the manner we discuss in detail below.

Point of Ingress | The Threat Actor’s Initial Compromise

NCR’s Aloha POS software is an end to end point of sale system application primarily used by restaurants to take orders, accept credit card payments and manage other sensitive business functions. As is standard practice, our client was running Aloha POS on an isolated private network, with a number of terminals utilizing this network. The only outward bound communication from any endpoint on the network was to the Aloha Back of House (BOH) server.

The Aloha BOH server provides administrative functions for each of the POS terminals and is responsible for all external communications. Primarily, external traffic consists of communication between the BOH server and NCR’s own servers for the purpose of receiving various administrative commands, performing maintenance and updating the POS terminals when required.

Prior to our IR investigation team being brought in, the client’s network appears to have first been compromised in February 2017. BlackPOS, rtPOS, GratefulPOS and PWNPOS were observed on the client’s systems, along with BTCamant ransomware, shortly after the client had installed an MSP provider. While some of the malware infections avoided C2 communications and wrote files out locally to disk, by December 2018 RampagePOS was observed communicating with a C2 at support[.]nesinoder[.]com. This domain was later seen to be associated with Maze ransomware.

In September 2019, the threat actor began utilizing a commercial remote monitoring and management tool (RMM) called screenconnect. The threat actors configured the RMM tool to report to their own C2s and cleverly disguised the DNS to blend in with legitimate traffic to NCR by using the address support-ncr-aloha[.]net.

The threat actor’s next step was to begin installing credit card stealing malware on both the BOH server and terminal endpoints on January 9th, 2020. At this time, malware was pushed to the terminals using a batch script to update the hosts file on each terminal with an entry labelled ‘back’ and the IP address of the BOH server. Since the terminals had no ability to communicate externally, the malware was configured to send encrypted, scraped credit card data to the BOH server over port 1888.

Discovering the BOH RCE Attack Vector

While it’s not surprising that the terminals could have their hosts files manipulated by the BOH server, the attack’s real menace comes from the exploitation of an hitherto unknown vulnerability in the support[.]ncr-aloha[.]net running on the BOH server. While NCR has been at pains to point out that the exploit requires an unsupported configuration, our investigation found that there are hundreds of Aloha BOH servers currently configured in this way and, therefore, vulnerable to attack.

As attack methods, motives, and consequences change daily, our IR investigation team uses SentinelOne Singularity as our constant ongoing endpoint protection and alert method. We deployed SentinelOne on the client’s terminals and BOH servers as part of our emergency incident response effort. This allowed us not only to get full visibility into the threat actor’s TTPs but also alerts at each stage of the ongoing infection. Via the SentinelOne agents and management console, we were able to identify connections from external IP addresses to the Aloha Command Center Agent occurring over port 8089.

SentinelOne Singularity XDR
See how SentinelOne XDR provides end-to-end enterprise visibility, powerful analytics, and automated response across your complete technology stack.

Having rebuilt the entire Aloha POS network, now with SentinelOne installed, we were able to observe how the actor then re-compromised the system. It quickly became apparent that the threat actor was able to connect to the cmcAgent.exe externally and run commands with SYSTEM level privileges.

The SentinelOne agent alerted us as the threat actor dropped an instance of the DoublePulsar backdoor on the BOH server and wrote malware to the screenconnect directory in c:windowstemp. The threat actor used the Eternal Champion exploit from FUZZBUNCH to install the malware.

In addition, we observed the threat actor utilizing other LOLBins such as certutil to download files, the net command to mount shares to public IP addresses, and netsh to open ports on the Windows firewall and expose services such as RDP.

We leveraged the management console’s Deep Visibility feature and found that the malware was using msiexec for the screenconnect MSI to reach out to the attacker’s C2 at support[.]ncr-aloha[.]net.

At this point, we leveraged the SentinelOne remote shell feature to kill off screenconnect and quarantine the cmcAgent.exe. We ran further Deep Visibility queries to prevent the threat actor from further exploitation of the network.

Discovering CVE-2021-3122 and Creating a POC Exploit

Having secured the client’s network, our next task was to understand what vulnerability the threat actor was leveraging to access the Aloha BOH server. Our investigation found that a flaw exists within the NCR Command Center Agent (cmcAgent.exe). Systems that are configured with an internet-facing Command Center Agent display a banner with the hostname of the server and are discoverable through network scanning and banner grabbing. Simple searches can also be conducted through the use of tools such as shodan.io.

The cmcAgent’s RUNCommand function allows for a parameter to be supplied in a specially crafted XML request that can be executed remotely if the server is configured to listen on TCP port 8089 for incoming connections. Passing such a command allows the attacker to execute that command as SYSTEM.

In our POC, we executed a custom command remotely against a virtual machine that had the cmcAgent running. We created several requests and executed cmd.exe, powershell.exe and calc.exe. All processes spawned under the ‘SYSTEM’ user and were running in the background.

Additionally, when connecting to the port, the server will return a response with the hostname of the system as well as other information indicating the system is running Aloha software. This means it is a simple matter to conduct a shodan search for the banner and see which NCR customers have the Command Center Agent publicly exposed.

Responsible Disclosure and Vendor Response

In June of 2020, Tetra contacted the vendor NCR, creators of the Aloha platform in order to responsibly disclose the vulnerability. NCR had indicated the vulnerability is only exploitable if customers are misconfigured and have the CMCagent’s listening port exposed. NCR updated their documentation for the CMCAgent, and added a requirement not to have the CMCAgent internet-facing. Tetra contacted CISA and disclosed the vulnerability in December of 2020. MITRE rated the vulnerability with a CVS of 9.8.

Recommendations and Mitigation

NCR customers are urged to ensure they have updated to the latest available version.

Users running the Aloha POS system in their environment are strongly urged to review their system configuration and prohibit unauthorized hosts from connecting to vulnerable systems.

Users should run an up-to-date security solution such as SentinelOne Singularity across their environment and review security alerts.

Indicators of Compromise

alohaterm.exe    RAMPAGEPOS         9b8cc45f061565f00f9aab34e6fbcec6fae4633f
alohaterm.exe    RAMPAGEPOS         7c7c8ef5877f01011438410a4075e92731c7c51a
ttfmgr.exe       GratefulPOS        2d9b601d09bc1e49c94b316263f96d6ee6e57c54
ALOHAPROXY.EXE   PWNPOS             7899092e973b38988aa472dabf20314f00399233
wnhelp.exe       PWNPOS             b1983db46e0cb4687e4c55b64c4d8d53551877fa
alohas.exe       BlackPOS           1df323c48c8ce95a80d1e3b9c368c7d7eaf395fc
alohae.exe       rtPOS              a3c81c9e3d92c5007ac2ef75451fe007721189c6
IECache11.dll    RAMPAGEPOS         bf6291d67a21c6cef919c8cc3e485b93daf8d71f
IECache32.dll    RAMPAGEPOS         3688ab0e31a2f2a8a2adeb934c1a10738ec0f2d6
RUBTBGBB.EXE     Trojan/Downloader  0894872f398e19051f5a6be1a50c44943e9635e8
d.exe            Double Pulsar      dc11a846e090094fc82d0cc6ca8914d09113658e
e.exe            Eternal Champion   4c5cc3ec6866a2054eb47820b35ad8a7d8982cd2
UCL.DLL          Double Pulsar      4dfde37e5ff0a4b189f0c644b19b20fa63c41fe1
QOXJPZPX.EXE     Downloader         0894872f398e19051f5a6be1a50c44943e9635e8
TASKENG.EXE      Bitcoin Miner      282239c7d8e8606c88b15f7f2c7f30b5ec1b7fd4
SystemIISSec.exe Bitcoin Miner      835c84dba74fdd2564806daf68958d22feaa2225
g.exe            Bitcoin Miner      a067833f67d829241703c9f488d5834c84b096fe
Chromes.exe      Bitcoin Miner      cfe8c611e1a475a60f181005606d4094d1dad8e3
wslog_tblog6.tmp Bitcoin Miner      eea0c3febedd84a0c2d69dfb1fb5a077ca8d320b
wslog_tblog3.tmp Bitcoin Miner      cfe8c611e1a475a60f181005606d4094d1dad8e3
audlodg.exe      Bitcoin Miner      cb3550ca012a39fbf48ad26f3b2bb1d4f8657b2e
TASKENG.EXE      Bitcoin Miner      282239c7d8e8606c88b15f7f2c7f30b5ec1b7fd4
TOMORROW.EXE     Miner installer    43299c2cdc2a0290de05b01ec6d04160bfcef99f

ncr-aloha[.]net         C&C URL
support.ncr-aloha[.]net C&C URL
nesinoder[.]com         C&C URL
Support.nesinoder[.]com C&C URL
data-wire[.]net
185.41.65[.]211         C&C IP
5.34.183[.]20           C&C IP
130.0.237[.]133         C&C IP
47.90.58[.]130          Bitcoin Miner IP
185.56.80[.]118         IP used in RDP
62.20.60[.]242          IP used in RDP
78.465.89[.]74          IP used in RDP