Active Exploit: A Remote Command Execution (RCE) Vulnerability for NCR Aloha Point of Sale

A Remote Command Execution (RCE) vulnerability in NCR Aloha Point of Sale (POS) systems is being actively exploited within the Command Center Agent (“cmcAgent.exe”) to install POS Malware specifically targeting Aloha Systems.

Vulnerability

Aloha POS, owned by NCR Corporation, is an end-to-end point of sale system application primarily used by restaurants to take orders, manage their business, and accept credit card payments.  NCR’s Aloha systems contain a remote management and security agent that is vulnerable to unauthenticated remote command execution. The vulnerability can be used to gain unauthorized access to the POS environment and deploy POS malware.

A flaw exists within NCR Command Center Agent which is configured to listen on TCP port 8089 for incoming connections. Systems that are configured to allow local LAN or internet access to the CMCAgent are susceptible to this attack. CMCAgent documentation states that terminals and BOH servers should restrict LAN and WAN access to this port by utilizing access controls on a firewall to prohibit WAN or local LAN access from systems that are not part of the Aloha platform. During its investigation, Tetra Defense determined that despite these configuration requirements, many systems are configured to allow both internet and local LAN access.

When connecting to an Aloha system, a banner is displayed with the hostname of the server. Systems that are configured with an internet facing CMCAgent are discoverable through network scanning and banner grabbing. Simple searches can also be conducted through the use of tools such as shodan.io. Hundreds of devices running the NCR platform are discoverable on the public internet and are potentially vulnerable and/or already exploited by the Threat Actors exploiting this vulnerability. The CMCAgent’s RUNCommand function allows for a parameter to be supplied in a specially crafted XML request to be executed remotely on the Aloha POS system.

Proof of Concept

In June of 2020, Tetra Defense created a proof of concept exploit and provided the exploit code to NCR in hopes of remediating the issues. Tetra Defense has observed this exploit being used in the wild to install POS malware on Aloha terminals. The Threat Actor attempts to blend in the POS malware by installing the malware in Aloha directories. The malware is often named with an Aloha naming convention. The observed malware contains methods for capturing credit card Track 1 and Track 2 data, and exfiltrating the data to domains disguised to be related to NCR.

The POS malware observed is capable of exfiltrating credit card data through restricted networks by creating a host file entry referencing the AlohaBOH server. AlohaBOH servers handle much of the upstream credit card processing and are often able to communicate to the internet and subsequently to the Threat Actor-controlled command and control servers. Much of the Threat Actor-controlled infrastructure is geographically located in Russia, Ukraine and Finland.

Users who are running the Aloha POS system in their environment are strongly urged to review their systems’ configuration and prohibit unauthorized hosts from connecting to these systems.  Users are also urged to run an up-to-date antivirus product on their systems and review security alerts or use an Endpoint Detection and Response (EDR) tool for deeper visibility.

  • alohas.exe
  • alohae.exe
  • alohaterm.exe
  • alohaterm.exe
  • ncr-aloha.net
  • support.ncr-aloha.net
  • nesinoder.com
  • Support.nesinoder.com
  • 1df323c48c8ce95a80d1e3b9c368c7d7eaf395fc
  • a3c81c9e3d92c5007ac2ef75451fe007721189c6
  • 9b8cc45f061565f00f9aab34e6fbcec6fae4633f
  • 7c7c8ef5877f01011438410a4075e92731c7c51a
  • C&C URL
  • C&C URL
  • C&C URL
  • C&C URL

Check out some related content on our blog: