Security Experts:

MICROS Hackers Targeted Five Other PoS Vendors

The cybercrime gang that breached the systems of Oracle-owned point-of-sale vendor MICROS has reportedly also targeted several other similar companies.

Oracle admitted last week that it had detected malicious code on certain legacy MICROS systems and advised customers to change their passwords for support accounts and accounts used by MICROS representatives to remotely access their on-premise systems.

Oracle has assured customers that other services are not impacted and that payment card data is encrypted in customer environments hosted by MICROS.

Experts involved in the investigation told security blogger Brian Krebs that the breached support portal communicated with a server associated with Carbanak, the threat actor believed to have stolen as much as one billion dollars between 2013 and 2015 from more than 100 banks worldwide. A security alert issued by Visa following the MICROS breach includes indicators of compromise (IoC), which also show a link to Carbanak.

It appears that Oracle’s MICROS was not the only PoS vendor targeted by the group. Cybercrime monitoring company Hold Security told Forbes that the same hackers also claimed to have penetrated the systems of five other PoS system vendors, including ECRS, Cin7, PAR Technology, Navy Zebra and Uniwell.

ECRS confirmed to Forbes that malicious code had been found on one of its web portals, but claimed that the attackers might have stolen only employee, vendor and customer contact information – payment card processing systems were allegedly not impacted.

Navy Zebra is still investigating the possible breach, but its website is offline at the time of writing for scheduled maintenance and upgrades. Cin7, PAR Technology and Uniwell have confirmed finding hacked servers, but they claim no sensitive information has been compromised.

“These security breaches are yet another reminder of the vulnerabilities associated with point-of-sale (POS) systems. Businesses need to regularly update POS systems for legitimate business reasons. But the same access tools that facilitate this update process are the weak points that criminals exploit,” George Rice, senior director at HPE Security-Data Security, told SecurityWeek.

“Once they gain access, thieves may exfiltrate sensitive cardholder data by embedding data-stealing malware into the merchant POS. More often than not, malware will reside in insecure systems for months before being detected, which can expose large quantities of sensitive data records to data thieves,” Rice added.

“To combat these vulnerabilities, businesses must remove all unprotected sensitive data from insecure systems like a merchant POS. Format-preserving security approaches have proven to be the best way to do this while avoiding disruption to business operations,” the expert said. “With format-preservation data security tools, businesses may encrypt and tokenize sensitive data values so that the protected value has the same formats as the original. Then insecure systems like POS, store servers and payment switches can properly perform the payment authorization process using protected data that it useless to criminal malware.”

Related Reading: PoS Trojan Bypasses Account Control Posing as Microsoft App

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.