The apparent breach of a system support portal used by Oracle to remotely access and service MICROS point-of-sale systems raised alarms earlier this week, after Oracle warned customers in a letter that it "has detected and addressed malicious code in certain legacy MICROS systems."
To date, however, Oracle has remained quiet about just how bad the breach might be. That's concerning, since MICROS Systems - acquired by Oracle in 2014 - builds point-of-sale software and hardware which it says gets used across 330,000 customer sites in 180 countries. Furthermore, security blogger Brian Krebs reports that the attack appears to be linked to the Russian crime ring behind Carbanak, which is banking malware that's been tied to numerous past attacks against retailers and banks.
The Carbanak connection, if true, is very concerning. Security firm Kaspersky Lab links the gang behind Carbanak to a diverse string of attacks against ATMs, money-transfer services and retail POS systems. From 2012 to 2014, the gang also stole an estimated $1 billion from as many as 100 banks in up to 30 countries, including the United States (see New Details About $1 Billion Crime Ring). And security and threat-intelligence firms Group-IB and Fox-IT, which refer to the gang as Anunak, say the group's core hackers appear to have been the developers behind the Carberp banking Trojan (see Russian Ring Blamed for Retail Breaches).
Carbanak malware made a resurgence in the fall of 2015 (see Sophisticated Carbanak Banking Malware Returns, With Upgrades).
In theory, the revelation of an attack against MICROS would have resulted in Oracle releasing extensive details about the breach and its long-term impact. To date, however, no new details have been released.
In fact, things have been eerily quiet on the Oracle front, which raises more questions about what actually happened, when it happened, who was impacted, what data - if any - was compromised and who launched the attack.
Oracle Confirms Breach
Oracle's letter to MICROS customers notes that it "detected and addressed malicious code in certain legacy MICROS systems." The company adds that its corporate network and other service offerings, including its cloud services, were not affected, and that payment card data is encrypted "at rest and in transit in the MICROS-hosted environment."
Still, Oracle says it is requiring MICROS customers to change their passwords for all MICROS accounts, and "recommends" that passwords for any accounts used by MICROS representatives to remotely access POS systems also be changed.
"To prevent a recurrence, Oracle implemented additional security measures for the legacy MICROS systems," the letter adds.
Still Seeking Answers
But Oracle has left a lot of questions unanswered, such as:
- When was the malware detected?
- When did the malware start infecting systems?
- How many MICROS customers were likely impacted?
- Is the attack linked to Carbanak?
Oracle also makes no mention of a breach of its customer service portal, but alludes to it in its recommendation to change any passwords for accounts that get remotely accessed by MICROS representatives.
To date, Oracle has declined to comment further, beyond what it stated in its customer letter. But experts such as Gartner analyst Avivah Litan say the breach at MICROS could be to blame for a number of the retail breaches we've seen over the past two years. "This could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider," Litan tells Krebs. "I'd say there's a big chance that the hackers in this case found a way to get remote access," to MICROS customers' POS devices.
As noted, Oracle says MICROS POS systems are used at more than 330,000 locations across 180 countries. "MICROS offers a range of software, hardware and related services along with rapidly growing cloud solutions to manage hotels, food and beverage facilities, and retailers," the company says.
Depending on how many of those customers use legacy systems, the impact of this breach could be far-reaching, says John Buzzard, a fraud specialist at CO-OP Financial Services, a credit union network that provides ATM, card payment and mobile services.
"I think it almost goes without saying, but this sort of complicated, layered attack is exactly why we tell everyone to vary their usernames and passwords across all systems," Buzzard says. "A ticketing system (like MICROS POS) is capturing a user ID and password that link to a professional persona that many of us are guilty of replicating over and over for ease of use. What gets you logged into one system may very well work in other systems, too."
Service Providers: A Growing Vulnerability
One big takeaway from the MICROS breach is that there are growing concerns over the risks that remote access poses to retailers and payments processors, says Al Pascual, head of fraud and security at Javelin.
"Over the past few years there has been an increased level of concern over risks inherent to third-party providers, which has led to action by various regulatory bodies," Pascual says. "PCI was inspired to release updated guidance by the compromise of terminal manufacturers and platforms that were cited in several large-scale, distributed breaches of smaller merchants. And the OCC [Office of the Comptroller of the Currency] began calling out these risks after large processors were breached, which subsequently led to action by the FFIEC [Federal Financial Institutions Examination Council]. At the end of the day, though, many of the breaches that inspired these regulatory responses were facilitated by remote access and the misuse of default or compromised credentials. It is a bit ridiculous that we keep having the same conversation around the need for strong authentication, especially in environments that protect payment data."
And Tom Kellermann, CEO of technology investment firm Strategic Cyber Ventures, says in an Aug. 9 blog post that third-party service providers are increasingly being targeted by cybercriminals, because they have been "slow to adopt intrusion suppression technologies and, thus, have become the weak links."
Indeed, many of the retail breaches that come to light now appear to be tied to POS system vulnerabilities that can be exploited via remote access (see POS Remote Access: A Worry for Merchants).
That's why, in the coming weeks, Oracle needs to begin releasing more details about which of its customers were affected, and when, by the malicious code that it found in MICROS. Without a timeline, it's hard to know just how concerned any of us should be.
And while definitive attribution of this attack to the so-called Carbanak gang isn't likely, this gang's possible connection seems logical, and could spell big trouble for the state of POS attacks to come.