Fresh off the revelation that hackers compromised the customer support portal for Oracle’s MICROS point-of-sale systems, the retail and hospitality industry was rocked again by reports that at least five more POS vendors were similarly breached by the same hackers.
A report published yesterday by Forbes.com, citing Alex Holden, founder and CISO of Hold Security, states that the hackers responsible for the MICROS plot also infiltrated the servers of POS and cash register providers Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell. Collectively, these companies supply at least one million POS systems to retailers, restaurants, hotels and other enterprises around the world.
However, in an interview with SCMagazine.com today, Holden noted that he publicly named only those vendors that have actively responded to his firm’s disclosure of the threat. “From our perspective, the list is larger,” he cautioned.
According to a report from Brian Krebs, two security experts said that the compromised MICROS support portal was communicating with a server linked to the Carbanak Gang, a Russian cybercrime syndicate. By infecting and secretly communicating with a POS vendor’s network, adversaries can lie in wait for that vendor’s business customers to log in, steal their passwords in order to gain access to their POS systems, and then implant malware that steals customer payment data.
According to Holden, many hackers no longer want to directly target specific retailers’ POS infrastructures, instead preferring to infiltrate the POS vendor itself. “They want to go to the source, they want to abuse [POS systems] in mass quantities,” he explained, noting that by compromising a POS vendor’s network, an adversary can opportunistically attack a bevy of merchants in one fell swoop, not just one at a time.
This “new wave” of POS attacks could potentially cause breach incidents to spread like “wildfire,” he warned, when asked if he anticipated a surge in incident disclosures.
“Businesses need to regularly update POS systems for legitimate business reasons. But the same access tools that facilitate this update process are the weak points that criminals exploit,” said George Rice, senior director at HPE Security – Data Security. “Once they gain access, thieves may exfiltrate sensitive cardholder data by embedding data-stealing malware into the merchant POS. More often than not, malware will reside in insecure systems for months before being detected, which can expose large quantities of sensitive data records to data thieves.”
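The attack pattern described above, in which stolen vendor support credentials are replayed against many merchants through the same remote-access channel that legitimate updates use, is something a merchant can watch for on its own side. The following is an added example written for this article, not code from SCMagazine.com, Hold Security, HPE or any of the POS vendors named here. It assumes a merchant (or a vendor auditing its own support accounts) collects remote-support logins into a simple per-line record; the log format, the account name `possupport`, the vendor IP range, the maintenance window and the fan-out threshold are all constructed for illustration.

```python
"""Flag suspicious POS-vendor remote-support logins (added example).

Three signals, each on its own insufficient but together characteristic of a
vendor account being abused rather than used: a session from outside the
vendor's published support range, a session outside the agreed patch window,
and one account reaching many distinct merchants in a short interval.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Login:
    ts: datetime
    account: str    # vendor support account that opened the remote session
    src_ip: str
    merchant: str   # merchant whose POS the session reached


# Constructed policy values (hypothetical vendor, hypothetical ranges).
VENDOR_NETS = [ip_network("203.0.113.0/24")]   # vendor's published support range
PATCH_WINDOW = (time(1, 0), time(5, 0))        # agreed remote-maintenance hours
FANOUT_LIMIT = 3                               # distinct merchants per account...
FANOUT_WINDOW = timedelta(minutes=30)          # ...within this interval


def parse(lines):
    """Parse 'ISO-timestamp account src_ip merchant' lines, oldest first."""
    logins = []
    for line in lines:
        ts, account, src_ip, merchant = line.split()
        logins.append(Login(datetime.fromisoformat(ts), account, src_ip, merchant))
    return sorted(logins, key=lambda l: l.ts)


def login_reasons(login):
    """Per-login checks: source outside vendor range, or outside the window."""
    reasons = []
    if not any(ip_address(login.src_ip) in net for net in VENDOR_NETS):
        reasons.append("off-network")
    start, end = PATCH_WINDOW
    if not (start <= login.ts.time() < end):
        reasons.append("outside-window")
    return reasons


def fanout_flags(logins):
    """Logins at which one account has reached more than FANOUT_LIMIT distinct
    merchants within FANOUT_WINDOW: the 'mass quantities' pattern, where one
    stolen credential is replayed across a vendor's customer base."""
    flagged = set()
    by_account = defaultdict(list)
    for login in logins:                       # logins arrive sorted by ts
        by_account[login.account].append(login)
    for acct_logins in by_account.values():
        for i, cur in enumerate(acct_logins):
            recent = {l.merchant for l in acct_logins[: i + 1]
                      if cur.ts - l.ts <= FANOUT_WINDOW}
            if len(recent) > FANOUT_LIMIT:
                flagged.add(cur)
    return flagged


def analyze(logins):
    """Return [(login, [reasons...])] for every login that tripped a check."""
    flagged = fanout_flags(logins)
    findings = []
    for login in logins:
        reasons = login_reasons(login)
        if login in flagged:
            reasons.append("fanout")
        if reasons:
            findings.append((login, reasons))
    return findings


# Constructed sample log: two legitimate patch-window sessions from the vendor
# range, then the same account used from an unrelated address, in the
# afternoon, against four merchants in five minutes.
LOGS = [
    "2016-08-12T02:10:00 possupport 203.0.113.7 merchant-A",
    "2016-08-12T03:00:00 possupport 203.0.113.9 merchant-B",
    "2016-08-12T14:35:00 possupport 198.51.100.23 merchant-A",
    "2016-08-12T14:36:00 possupport 198.51.100.23 merchant-B",
    "2016-08-12T14:38:00 possupport 198.51.100.23 merchant-C",
    "2016-08-12T14:40:00 possupport 198.51.100.23 merchant-D",
]

if __name__ == "__main__":
    for login, reasons in analyze(parse(LOGS)):
        print(login.ts.isoformat(), login.account, login.src_ip,
              login.merchant, ",".join(reasons))
```

The fan-out check is the one a single merchant cannot run alone, since it needs visibility across the vendor's customers; it is the check the vendor itself is best placed to run on its support accounts. The first two checks are cheap for a merchant to apply to its own POS hosts, and, given Rice's point that implanted malware typically sits for months before detection, an alert on the first off-window login from an unknown address is worth far more than a later forensic finding.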
Holden said that in the wake of the MICROS report, his firm conducted a historical data analysis that appeared to link the black-market activity of one particular hacker – “on our radar since 2013” – to multiple POS vendor compromises, thus revealing the plot.
“I am personally surprised by the ease with which hackers were accessing these victims,” said Holden. These were not advanced exploits of zero-day vulnerabilities, but rather simple intrusions that should have been quickly detected and mitigated, he added. “It’s not [showing] how good the hackers are, but it is showing how bad the security of… these sites is.”
SCMagazine.com has reached out to the five named POS vendors for comment. Navy Zebra provided SCMagazine.com with a statement acknowledging that its website, NavyZebra.com, was attacked on Aug. 11 by hackers who are possibly connected with a recent breach experienced by the company. The statement did not elaborate on the breach itself, however. Navy Zebra, a division of Bankcard Services, also noted that the affected webserver was not used to store merchant or sales data.
UPDATE 8/16: The story was updated to include a statement from Navy Zebra.