4Hoteliers
SEARCH
ITB 2024 Special Reporting
SHARE THIS PAGE
NEWSLETTERS
CONTACT US
SUBMIT CONTENT
ADVERTISING
Data breach at Oracle's MICROS Point-of-Sale division.
Tuesday, 9th August 2016
Source : Brian Krebs - KrebsOnSecurity.com

A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp, more alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.

Asked this weekend for comment on rumors of a large data breach potentially affecting customers of its retail division, Oracle acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems.” It also said that it is asking all MICROS customers to reset their passwords for the MICROS online support portal.

MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.

The size and scope of the break-in is still being investigated, and it remains unclear when the attackers first gained access to Oracle’s systems. Sources close to the investigation say Oracle first considered the breach to be limited to a small number of computers and servers at the company’s retail division. That source said that soon after Oracle pushed new security tools to systems in the affected network investigators realized the intrusion impacted more than 700 infected systems.

KrebsOnSecurity first began investigating this incident on July 25, 2016 after receiving an email from an Oracle MICROS customer and reader who reported hearing about a potentially large breach at Oracle’s retail division.

“I do not know to what extent other than they discovered it last week,” said the reader, who agreed to be quoted here in exchange for anonymity. “Out of abundance of caution they informed us and seem to have indicated the incident was isolated to Oracle staff members and not customers like us.  In addition, this notice was to serve to customers the reason for any delays in customer support and service as they were refreshing/re-imaging employees’ computers.”

Two security experts briefed on the breach investigation and who asked to remain anonymous because they did not have permission from their employer to speak on the record said Oracle’s MICROS customer support portal was seen communicating with a server known to be used by the Carbanak Gang. Carbanak is part of a Russian cybercrime syndicate that is suspected of stealing more than $1 billion from banks, retailers and hospitality firms over the past several years.

Many well-known retail, hotel and food & beverage brands use MICROS.

A source briefed on the investigation says the breach likely started with a single infected system inside of Oracle’s network that was then used to compromise additional systems. Among those was a customer “ticketing portal” that Oracle uses to help MICROS customers remotely troubleshoot problems with their point-of-sale systems.

Those sources further stated that the intruders placed malicious code on the MICROS support portal, and that the malware allowed the attackers to steal MICROS customer usernames and passwords when customers logged in the support Web site.

Oracle declined to answer direct questions about the breach, saying only that Oracle’s corporate network and Oracle’s other cloud and service offerings were not impacted. The company also sought to downplay the impact of the incident, emphasizing that “payment card data is encrypted both at rest and in transit in the MICROS hosted customer environments.”

In a statement that Oracle is apparently in the process of sending to MICROS customers, Oracle said it was forcing a password reset for all support accounts on the MICROS portal. Oracle added: “We also recommend that you change the password for any account that was used by a MICROS representative to access your on-premises systems.”

ANALYSIS
This breach could be little more than a nasty malware outbreak at Oracle. However, the Carbanak Gang’s apparent involvement makes it unlikely the attackers somehow failed to grasp the enormity of access and power that control over the MICROS support portal would grant them.

Indeed, Oracle’s own statement seems to suggest the company is concerned that compromised credentials for customer accounts at the MICROS support portal could be used to remotely administer " and, more importantly, to upload card-stealing malware to " some customer point-of-sale systems. The term “on-premise” refers to POS devices that are physically connected to cash registers at MICROS customer stores.

Avivah Litan, a fraud analyst at Gartner Inc., says Oracle seems to be saying its systems are encrypted, but that it’s the customer’s on-premise devices where the real danger lies as a result of this breach.

“This [incident] could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider,” Litan said. “I’d say there’s a big chance that the hackers in this case found a way to get remote access” to MICROS customers’ on-premises point-of-sale devices.

Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.

The breach comes at a pivotal time for Oracle, which has been struggling to compete with other software giants like Amazon and Google in cloud-based services. Last month, Oracleannounced it would pay $9 billion to acquire NetSuite Inc., one of the first cloud-services companies.

Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of stories for washingtonpost.com and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators. He was recently profiled in Business Week and by Poynter.org.

www.krebsonsecurity.com

 Latest News  (Click title to read article)




 Latest Articles  (Click title to read)




 Most Read Articles  (Click title to read)




~ Important Notice ~
Articles appearing on 4Hoteliers contain copyright material. They are meant for your personal use and may not be reproduced or redistributed. While 4Hoteliers makes every effort to ensure accuracy, we can not be held responsible for the content nor the views expressed, which may not necessarily be those of either the original author or 4Hoteliers or its agents.
© Copyright 4Hoteliers 2001-2024 ~ unless stated otherwise, all rights reserved.
You can read more about 4Hoteliers and our company here
Use of this web site is subject to our
terms & conditions of service and privacy policy