Data Breach At Oracle’s MICROS Point-of-Sale Division

Started by rmstock, August 09, 2016, 01:00:08 PM


rmstock


Data Breach At Oracle's MICROS Point-of-Sale Division
08 Aug 16
http://krebsonsecurity.com/2016/08/data-breach-at-oracles-micros-point-of-sale-division/

  "A Russian organized cybercrime group known for hacking into banks and
   retailers appears to have breached hundreds of computer systems at
   software giant Oracle Corp., KrebsOnSecurity has learned. More
   alarmingly, the attackers have compromised a customer support portal
   for companies using Oracle's MICROS point-of-sale credit card payment
   systems.
   
   Asked this weekend for comment on rumors of a large data breach
   potentially affecting customers of its retail division, Oracle
   acknowledged that it had "detected and addressed malicious code in
   certain legacy MICROS systems." It also said that it is asking all
   MICROS customers to reset their passwords for the MICROS online support
   portal.
   
   MICROS is among the top three point-of-sale vendors globally. Oracle's
   MICROS division sells point-of-sale systems used at more than 330,000
   cash registers worldwide. When Oracle bought MICROS in 2014, the
   company said MICROS's systems were deployed at some 200,000+ food and
   beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.
   
   The size and scope of the break-in is still being investigated, and it
   remains unclear when the attackers first gained access to Oracle's
   systems. Sources close to the investigation say Oracle first considered
   the breach to be limited to a small number of computers and servers at
   the company's retail division. That source said that soon after Oracle
   pushed new security tools to systems in the affected network
   investigators realized the intrusion impacted more than 700 infected
   systems.
   
   KrebsOnSecurity first began investigating this incident on July 25,
   2016 after receiving an email from an Oracle MICROS customer and reader
   who reported hearing about a potentially large breach at Oracle's
   retail division.
   
   "I do not know to what extent other than they discovered it last week,"
   said the reader, who agreed to be quoted here in exchange for
   anonymity. "Out of abundance of caution they informed us and seem to
   have indicated the incident was isolated to Oracle staff members and
   not customers like us.  In addition, this notice was to serve to
   customers the reason for any delays in customer support and service as
   they were refreshing/re-imaging employees' computers."
   
   Two security experts briefed on the breach investigation and who asked
   to remain anonymous because they did not have permission from their
   employer to speak on the record said Oracle's MICROS customer support
   portal was seen communicating with a server known to be used by the
   Carbanak Gang. Carbanak is part of a Russian cybercrime syndicate that
   is suspected of stealing more than $1 billion from banks, retailers and
   hospitality firms over the past several years.
   
   Many well-known retail, hotel and food & beverage brands use MICROS.
   
   A source briefed on the investigation says the breach likely started
   with a single infected system inside of Oracle's network that was then
   used to compromise additional systems. Among those was a customer
   "ticketing portal" that Oracle uses to help MICROS customers remotely
   troubleshoot problems with their point-of-sale systems.
   
   Those sources further stated that the intruders placed malicious code
   on the MICROS support portal, and that the malware allowed the
   attackers to steal MICROS customer usernames and passwords when
   customers logged in the support Web site.
   
   Oracle declined to answer direct questions about the breach, saying
   only that Oracle's corporate network and Oracle's other cloud and
   service offerings were not impacted. The company also sought to
   downplay the impact of the incident, emphasizing that "payment card
   data is encrypted both at rest and in transit in the MICROS hosted
   customer environments."
   
   In a statement that Oracle is apparently in the process of sending to
   MICROS customers, Oracle said it was forcing a password reset for all
   support accounts on the MICROS portal. Oracle added: "We also recommend
   that you change the password for any account that was used by a MICROS
   representative to access your on-premises systems."
   
   ANALYSIS
   
   This breach could be little more than a nasty malware outbreak at
   Oracle. However, the Carbanak Gang's apparent involvement makes it
   unlikely the attackers somehow failed to grasp the enormity of access
   and power that control over the MICROS support portal would grant them.
   
   Indeed, Oracle's own statement seems to suggest the company is
   concerned that compromised credentials for customer accounts at the
   MICROS support portal could be used to remotely administer — and, more
   importantly, to upload card-stealing malware to — some customer
   point-of-sale systems. The term "on-premise" refers to POS devices that
   are physically connected to cash registers at MICROS customer stores.
   
   Avivah Litan, a fraud analyst at Gartner Inc., says Oracle seems to be
   saying its systems are encrypted, but that it's the customer's
   on-premise devices where the real danger lies as a result of this
   breach.
   
   
   "This [incident] could explain a lot about the source of some of these
   retail and merchant point-of-sale hacks that nobody has been able to
   definitively tie to any one point-of-sale services provider," Litan
   said. "I'd say there's a big chance that the hackers in this case found
   a way to get remote access" to MICROS customers' on-premises
   point-of-sale devices.
   
   Point-of-sale based malware has driven most of the credit card breaches
   over the past two years, including intrusions at Target and Home Depot,
   as well as breaches at a slew of point-of-sale vendors. The malware
   usually is installed via hacked remote administration tools. Once the
   attackers have their malware loaded onto the point-of-sale devices,
   they can remotely capture data from each card swiped at that cash
   register.
   
   Thieves can then sell the data to crooks who specialize in encoding the
   stolen data onto any card with a magnetic stripe, and using the cards
   to buy gift cards and high-priced goods from big-box stores like Target
   and Best Buy.
   
   The breach comes at a pivotal time for Oracle, which has been
   struggling to compete with other software giants like Amazon and Google
   in cloud-based services. Last month, Oracle announced it would pay $9
   billion to acquire NetSuite Inc., one of the first cloud-services
   companies.
     
   Tags: Carbanak Gang, micros breach, Oracle breach
   

   This entry was posted on Monday, August 8th, 2016 at 11:33 am and is
   filed under A Little Sunshine, Data Breaches.

See also :


Russian cyber crime gang wipes the smile off of Larry's face
Oracle source code and more than 700 systems compromised in Russian attack
Firm admits it was hit by notorious Carbanak cyber crime gang
Security
Graeme Burton @graemeburton 09 August 2016
http://www.theinquirer.net/inquirer/news/2467383/oracle-source-code-and-more-than-700-systems-compromised-in-attack-by-cyber-attack-russia-s-carbanak-gang




``I hope that the fair, and, I may say certain prospects of success will not induce us to relax.''
-- Lieutenant General George Washington, commander-in-chief to
   Major General Israel Putnam,
   Head-Quarters, Valley Forge, 5 May, 1778