Dark Web News Analysis
A critical threat to the retail and hospitality sectors has been identified on a cybercrime forum. A threat actor is advertising the sale of unauthorized administrative access to a number of Point-of-Sale (POS) machines located in the United States and the United Kingdom. According to the seller, access is provided through the admin panels of Remote Monitoring and Management (RMM) software. The seller states that the compromised machines run Windows and specifically use Polaris POS software; the listing, as described, does not name the RMM product or explain how the admin-panel access was originally obtained.
This type of access sale is exceptionally dangerous because it provides a direct pathway for criminals to steal sensitive payment card data. POS terminals are the primary target for specialized malware, such as RAM scrapers, which capture credit and debit card data (Track 1 and Track 2 information) from a device’s memory during the brief window in which it is processed in clear text. Terminals that use point-to-point encryption, so that the POS host never sees unencrypted track data, are far less exposed to this technique; terminals that do not are fully exposed. The stolen “card-present” data is highly valuable and is sold in bulk on dark web marketplaces for use in fraudulent transactions. The use of RMM software as the access vector is particularly alarming: it is a legitimate, often vendor-signed tool that already runs with high privileges, and its traffic is usually trusted within a network, so an attacker operating through it does not need to drop an initial implant and blends in with routine administration.
Key Cybersecurity Insights
This access-for-sale incident presents several immediate and severe threats:
- High Risk of Payment Card Data Theft: A compromise of POS machines is one of the most direct methods for stealing payment card information. Attackers with administrative access can deploy POS malware to capture and exfiltrate card numbers, expiration dates, cardholder names and track data as transactions are processed, leading to widespread financial fraud, chargebacks and the costs of a mandated forensic investigation.
- Weaponization of Remote Management (RMM) Software: The attack leverages RMM software, a legitimate IT tool for remote administration. This is a highly effective tactic because RMM tools provide deep, privileged access to systems (file transfer, remote shell, script execution and remote desktop), and their agent traffic is outbound to the vendor's infrastructure and typically allowlisted, so it passes firewalls and is rarely flagged by monitoring tuned to look for unknown malware rather than misuse of trusted tools.
- Targeted Campaign Against Polaris POS Software Users: The specific mention of Polaris POS software suggests a focused campaign. Because the listing does not state how the RMM access was obtained, several explanations are possible: a weakness specific to this software or its common configurations, weak or reused RMM credentials without MFA, or a compromise of a Managed Service Provider (MSP) that supports businesses using this particular POS solution and manages their terminals through a shared RMM console.
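The "weaponization of RMM" point above is easiest to counter on the endpoint by watching what the RMM agent does rather than whether it is present. The following is an added example, not code from the original advisory or from any RMM vendor: it evaluates process-creation records shaped like Sysmon Event ID 1 (parent image, image, command line) and flags the lineage an attacker with admin-panel access typically produces on a single-purpose POS host, namely the agent spawning a shell or other living-off-the-land binary, or a child launched with an encoded or download-cradle command line. The agent binary names, the agent's expected child, the file paths and the sample events are all assumptions constructed for illustration; the page does not name the RMM product.

```python
"""Flag RMM-agent abuse on a Windows POS host from process-creation events.

Added example (not the advisory's or any vendor's code). Input records mirror
Sysmon Event ID 1 fields; the agent names, allowlist and sample data below are
constructed assumptions and must be replaced with the values from your estate.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical RMM agent image names (the page does not name the RMM product).
RMM_AGENT_IMAGES = {"rmmagent.exe", "rmmservice.exe"}

# Windows binaries commonly abused for execution or download once an attacker
# has a remote shell; an RMM agent on a POS terminal rarely needs to launch them.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
           "regsvr32.exe", "mshta.exe", "certutil.exe", "wscript.exe",
           "cscript.exe", "bitsadmin.exe", "curl.exe"}

# Children the agent is expected to spawn (assumption: the POS vendor's updater).
AGENT_CHILD_ALLOWLIST = {"posupdater.exe"}

# Command-line fragments typical of encoded PowerShell, download cradles and
# credential-dumping tools; tune for your environment.
SUSPICIOUS_CMDLINE = re.compile(
    r"(-enc(odedcommand)?\s|downloadstring|invoke-webrequest|iex\s|"
    r"\bbypass\b|-urlcache|procdump|mimikatz)", re.IGNORECASE)


@dataclass
class ProcEvent:
    host: str
    parent_image: str   # full path as logged by Sysmon
    image: str
    command_line: str


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcEvent) -> list[Finding]:
    """Return the findings (possibly none) for one process-creation event."""
    findings: list[Finding] = []
    parent, child = _basename(event.parent_image), _basename(event.image)
    # Rule 1: the RMM agent spawned something other than its expected child.
    if parent in RMM_AGENT_IMAGES and child not in AGENT_CHILD_ALLOWLIST:
        rule = "rmm_spawns_lolbin" if child in LOLBINS else "rmm_spawns_unexpected_child"
        findings.append(Finding(event.host, rule, f"{parent} -> {child}"))
    # Rule 2: suspicious command line regardless of parent (catches the second
    # hop, e.g. cmd.exe launched by the agent then launching encoded PowerShell).
    if SUSPICIOUS_CMDLINE.search(event.command_line):
        findings.append(Finding(event.host, "suspicious_cmdline", event.command_line[:120]))
    return findings


def scan(events: list[ProcEvent]) -> list[Finding]:
    """Evaluate a batch of events in order and collect all findings."""
    return [f for e in events for f in evaluate(e)]


# Constructed sample events for one POS lane (paths and names are illustrative).
SAMPLE_EVENTS = [
    ProcEvent("POS-LANE-03", r"C:\Program Files\RMM\rmmagent.exe",
              r"C:\POS\posupdater.exe", "posupdater.exe --check"),
    ProcEvent("POS-LANE-03", r"C:\Program Files\RMM\rmmagent.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("POS-LANE-03", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."),
    ProcEvent("POS-LANE-03", r"C:\Windows\explorer.exe",
              r"C:\POS\pos.exe", "pos.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

Run against the constructed sample, the agent-to-updater launch and the normal POS start produce nothing, the agent-to-cmd.exe launch triggers `rmm_spawns_lolbin`, and the encoded PowerShell triggers `suspicious_cmdline` even though its direct parent is cmd.exe rather than the agent. The same two rules translate directly into a SIEM or EDR query over your real Sysmon or EDR telemetry.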
Mitigation Strategies
In response to this critical threat, businesses using RMM to manage their POS environments must take immediate and comprehensive action:
- Immediately Audit and Harden All RMM Software Access: All organizations using RMM to manage POS systems must conduct an urgent security audit. This includes mandating Multi-Factor Authentication (MFA) for all RMM users without exception, implementing strict IP allowlisting so that the admin panel accepts connections only from trusted locations, and reviewing all accounts so that the principle of least privilege is strictly enforced. As part of the audit, review the RMM console's own login and session history for logins from unfamiliar IP addresses, recently created or elevated accounts, and accounts that have not been used in months, and rotate the credentials and API keys of any account that cannot be fully accounted for.
- Deploy Application Whitelisting and Enhanced Endpoint Security: POS terminals should be treated as critical, single-purpose devices. Application whitelisting (allowlisting) is a crucial control that should be deployed to prevent any unauthorized executable, such as malware, from running on the system; on Windows terminals this can be done with built-in AppLocker or Windows Defender Application Control policies that permit only the POS software, the RMM agent and the operating system's own binaries. Enhanced endpoint security with anti-tampering and behavioral detection capabilities is also essential, and should specifically alert on the RMM agent launching shells, scripts or other tools it does not normally run.
- Implement Strict Network Segmentation for POS Environments: The network segment containing the POS terminals must be rigorously isolated from all other corporate and guest networks. PCI DSS does not strictly mandate segmentation, but it strongly recommends it as the standard way to reduce the scope of the cardholder data environment, and its firewall requirements still apply to every connection into that environment, including the RMM agent's outbound connection, which should be restricted to the RMM vendor's documented endpoints. Proper segmentation ensures that even if another part of the business network is compromised, the attacker cannot easily pivot to the highly sensitive payment processing environment.
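The RMM access audit in the first mitigation above can be made repeatable. The following is an added example, not the advisory's or any RMM vendor's code: it assumes the RMM console can export its users and recent logins as CSV with the columns shown (real products name these fields differently, so map your export to them) and checks each user for MFA, for admin rights outside an approved set and for staleness, and each login for a source address outside the allowlisted networks. The allowlisted networks, approved admin set, audit date and sample rows are constructed for illustration.

```python
"""Audit an RMM admin-panel user and login export against a hardening baseline.

Added example (not the advisory's or any vendor's code). It assumes a CSV export
with the columns used below; the networks, approved admins, audit time and rows
are constructed illustrations and must be replaced with your own values.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumptions: where RMM administrators legitimately connect from (documentation
# address ranges used here) and which accounts are permitted to hold admin.
ALLOWED_SOURCE_NETS = [ipaddress.ip_network(n)
                       for n in ("203.0.113.0/24", "198.51.100.10/32")]
APPROVED_ADMINS = {"alice.ops", "break-glass"}
STALE_AFTER = timedelta(days=90)
AUDIT_TIME = datetime(2024, 5, 21, tzinfo=timezone.utc)   # constructed "now"

# Constructed user export: one technician account without MFA holds admin.
USERS_CSV = """username,role,mfa_enabled,last_login_utc
alice.ops,admin,true,2024-05-20T09:12:00
bob.helpdesk,admin,false,2024-05-19T14:03:00
carol.vendor,technician,true,2023-11-02T08:00:00
break-glass,admin,true,2024-04-30T00:00:00
"""

# Constructed login export: 192.0.2.55 is outside every allowlisted network.
LOGINS_CSV = """username,source_ip,timestamp_utc,result
alice.ops,203.0.113.40,2024-05-20T09:12:00,success
bob.helpdesk,192.0.2.55,2024-05-19T13:58:00,failure
bob.helpdesk,192.0.2.55,2024-05-19T14:03:00,success
carol.vendor,198.51.100.10,2023-11-02T08:00:00,success
"""


def audit_users(users_csv: str, now: datetime) -> list[tuple[str, str]]:
    """Return (username, issue) pairs for accounts violating the baseline."""
    findings: list[tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        user, role = row["username"], row["role"].strip().lower()
        mfa = row["mfa_enabled"].strip().lower() == "true"
        last = datetime.fromisoformat(row["last_login_utc"]).replace(tzinfo=timezone.utc)
        if not mfa:                                    # MFA for everyone, no exceptions
            findings.append((user, "mfa_disabled"))
        if role == "admin" and user not in APPROVED_ADMINS:   # least privilege
            findings.append((user, "unapproved_admin"))
        if now - last > STALE_AFTER:                   # dormant accounts are attacker targets
            findings.append((user, "stale_account"))
    return findings


def audit_logins(logins_csv: str) -> list[tuple[str, str]]:
    """Return (username, issue) pairs for logins from outside the allowlist.

    Failed attempts are reported too: a failure from an unlisted address is
    evidence of credential guessing even when no login succeeded.
    """
    findings: list[tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(logins_csv)):
        ip = ipaddress.ip_address(row["source_ip"].strip())
        if not any(ip in net for net in ALLOWED_SOURCE_NETS):
            findings.append((row["username"],
                             f"login_from_unlisted_ip:{ip}:{row['result']}"))
    return findings


if __name__ == "__main__":
    for user, issue in audit_users(USERS_CSV, AUDIT_TIME) + audit_logins(LOGINS_CSV):
        print(f"{user}: {issue}")
```

On the constructed data the user audit reports bob.helpdesk twice (no MFA, admin rights outside the approved set) and carol.vendor once (no login in over 90 days), and the login audit reports both of bob.helpdesk's attempts from 192.0.2.55. An account that is both non-MFA admin and logging in from an unlisted address is exactly the profile an access broker would be selling, and is the first one to disable and investigate.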
Secure Your Organization with Brinztech
As a cybersecurity provider, we can protect your business from the threats discussed here. Contact us to learn more about our services.
Questions or Feedback?
For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For new inquiries or to report this post, please email us: contact@brinztech.com