Threat Management, Malware

Research firm finds MICROS hackers infected more POS vendors

Fresh off the revelation that hackers compromised the customer support portal for Oracle's MICROS point-of-sale systems, the retail and hospitality industry was rocked again by reports that at least five more POS vendors were similarly breached by the same hackers.

A report published yesterday by Forbes.com, citing founder and CISO of Hold Security Alex Holden, states that the hackers responsible for the MICROS plot also infiltrated the servers of POS and cash register providers Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell. Collectively, these companies supply at least one million POS systems to retailers, restaurants, hotels and other enterprises around the world.

However, in an interview with SCMagazine.com today, Holden noted that he publicly named only those vendors that have actively responded to his firm's disclosure of the threat. "From our perspective, the list is larger," he cautioned.

According to a report from Brian Krebs, two security experts said that the MICROS' compromised support portal was communicating with a server linked to the Carbanak Gang, a Russian cybercrime syndicate. By infecting and secretly communicating with a POS vendor's network, adversaries can lie in wait for said vendor's business customers to log in, and then steal their passwords in order to gain access to their POS systems and implant malware that steals customer payment data.

According to Holden, many hackers no longer want to directly target specific retailers' POS infrastructures, instead preferring to infiltrate the POS vendor itself. "They want to go to the source, the want to abuse [POS systems] in mass quantities," he explained, noting that by compromising a POS vendor's network, an adversary can opportunistically attack bevy of merchants in one fell swoop, not just one at a time.

This "new wave" of POS attacks could potentially cause breach incidents to spread like "wildfire," he warned, when asked if he anticipated a surge in incident disclosures.

“Businesses need to regularly update POS systems for legitimate business reasons. But the same access tools that facilitate this update process are the weak points that criminals exploit," said George Rice, senior director at HPE Security - Data Security. "Once they gain access, thieves may exfiltrate sensitive cardholder data by embedding data-stealing malware into the merchant POS. More often than not, malware will reside in insecure systems for months before being detected, which can expose large quantities of sensitive data records to data thieves."

Holden said that in the wake MICROS report, his firm conducted an historical data analysis that appeared to link the black-market activity of one particular hacker – "on our radar since 2013" – to multiple POS vendor compromises, thus revealing the plot.

"I am personally surprised by the ease with which hackers were accessing these victims," said Holden. These were not advanced exploits of zero-day vulnerabilities, but rather simple intrusions that should have been quickly detected and mitigated, he added. "It's not [showing] how good the hackers are, but it is showing how bad the security of... these sites is."

SCMagazine.com has reached out to the five named POS vendors for comment. Navy Zebra provided SCMagazine.com with a statement acknowledging that its website, NavyZebra.com, was attacked on Aug. 11 by hackers who are possibly connected with a recent breach experienced by the company. The statement did not elaborate on the breach itself, however. Navy Zebra, a division of Bankcard Services, also noted that the affected webserver was not used to store merchant or sales data.

UPDATE 8/16: The story was updated to include a statement from Navy Zebra.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.