Finding PAX point-of-sale devices
PAX Technologies, a China-based company that manufactures a LOT of point-of-sale (POS) terminal devices, has been in the news this week following an FBI raid of a PAX Florida facility. While the FBI didn’t officially confirm much beyond serving a court-authorized search, a Krebs on Security post surfaces some serious security concerns around PAX device use in cybercrime attack operations. Specifically, that some PAX devices are being used in command-and-control (C2) operations during attacks and for hosting malware files. PAX has denied any knowledge of or involvement related to criminal activities involving its products (and point-of-sale devices and systems are well-known to be common targets for cybercriminals). Regardless, some large payment processors, such as Worldpay, started replacing their PAX point-of-sale terminals earlier this month after receiving inadequate explanation from PAX around traffic originating from their devices to websites that were not listed in PAX documentation.
PAX Technologies has not yet released any security advisories or other guidance related to these security concerns involving their point-of-sale terminals.
Finding PAX point-of-sale devices with Rumble
Most PAX point-of-sale devices don’t offer up any open UDP or TCP ports, which limits the datapoints we have for fingerprinting or identifying those assets. However, we can leverage the MAC address OUI (organizationally unique identifier) to identify PAX-manufactured devices. From the Asset Inventory, use the following pre-built query to locate PAX point-of-sale assets in your network:
mac_vendor:"PAX Computer Technology"

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.
Get runZero for free
Don’t have runZero and need help finding PAX assets in your inventory?
Get started
Similar Content
February 15, 2023
Finding OpenSSH servers
The OpenSSH team surfaced a security issue earlier this month that specifically affects OpenSSH server version 9.1p1 (a.k.a. version 9.1). This version contains a memory double-free vulnerability (tracked as CVE-2023-25136) that can be reached pre-authentication by a remote …
Read MoreFebruary 8, 2023
Finding VMware ESXi assets
This Rapid Response post covers ESXiArgs, a new strain of ransomware that is targeting VMware ESXi servers. Learn how you can find potentially affected servers on your network.
February 3, 2023
Finding Lexmark printer assets
Printer manufacturer Lexmark recently published details on a vulnerability that affects over 100 of their printer models. Learn how runZero can help you find potentially affected assets.