Recent POS Attacks: Are They Linked?
MICROS, Hotel Breaches Illustrate Why Vendors Remain 'Weakest Links'
Just days after POS systems and services provider Oracle MICROS revealed a breach impacting its legacy POS systems, Visa issued an alert warning merchants to be on the lookout for malware attacks linked to MICROS.
Visa's alert, which was provided to Information Security Media Group by a third-party source under the condition that it not be posted, notes that merchants should be scanning their networks for indicators of compromise related to two specific malware strains - Carbanak and MalumPOS. The alert also suggests a correlation between the group behind Carbanak and the breach at MICROS.
But Alex Holden, CISO at security and forensics firm Hold Security, says 10 POS vendors, in addition to MICROS, have been attacked in recent weeks. And he contends there is no definitive link to MICROS or the gang behind Carbanak.
Meanwhile, hotel management company HEI Hotels & Resorts last weekend reported a POS-related breach at 20 properties, including several Marriott, Sheraton and Westin hotels. The breach likely exposed cardholder names, card numbers, expiration dates and verification codes used between March 2015 and June 2016, the company says. The number of cards exposed is not known.
Oversight of Vendors
While security experts can't say whether the latest hotel breaches are linked to the breach at MICROS - which has POS systems deployed at more than 330,000 locations, including hotels, across 180 countries - they do say that recent developments point to the need for more stringent oversight of POS vendors and other suppliers.
"Hackers no longer seem to be focused on a single merchant," Holden says. "They are focused on doing mass-production attacks across multiple merchants, which makes it difficult to pinpoint the point of breach. That's extremely concerning to me, because this changes the game. It's not just individual merchants that have to protect themselves; it's also the support infrastructure, the POS systems and services providers - and they are typically not as secure as the merchants."
And John Buzzard, fraud specialist at CO-OP Financial Services, a credit union network that provides ATM, card payment and mobile services, says these incidents should serve as a reminder of just how easy it continues to be for hackers to exploit poorly monitored security at vendors.
"We have seen vendors as the weakest link before, as with the Target breach," Buzzard says. "Organizations need to consider one-time access credentials that expire quickly and require reissuance for vendors to avoid the classic case of backdoor vulnerabilities via login credentials. Does your vendor really need 365-day access to your system? Ninety-day password expiration may simply not be adequate in some circumstances, as an example."
In addition to a possible connection to Carbanak, Visa's alert also notes a potential connection between the MICROS breach and MalumPOS, a malware strain discovered in 2015 by Trend Micro that is "still actively used by cybercriminals."
Visa recommends that retailers scan their networks for the presence of MalumPOS, and that "all" retailers, even those that don't use MICROS systems, as well as financial institutions, scan their networks for the presence of Carbanak.
Visa's alert offers no dates of possible compromise surrounding the MICROS breach, and MICROS has repeatedly declined to offer additional information beyond what it reported in its recent letter to customers.
Other POS Vendors Targeted?
Days after security blogger Brian Krebs on Aug. 8 broke news of the MICROS breach, noting a possible link to the Russian cybercrime gang behind Carbanak, Hold Security began scanning the web and customer systems for suspicious activity, Holden says (see MICROS Breach: What Happened?).
The firm quickly identified 10 other POS suppliers that also had been compromised, he says.
"We looked through our monitoring system and identified the way the hackers broke into MICROS and 10 other organizations," he says. But Holden would only name five of those additional POS providers - Cin7, ECRS, NavyZebra, PAR Technology and Uniwell - saying that it was not yet known whether the other five had addressed their vulnerabilities.
Holden contends the attacks against the POS vendors do not appear to be linked to the Carbanak gang.
After reviewing communications and chat logs in underground forums exchanged between the attackers, he says, researchers at Hold Security concluded those responsible are "a Russian actor and an actor from West Africa who speaks with a definitive dialect in English. We know this because it is not the type of dialect you would see in Chinese or a hacker from some other country. The Russian is breaking into the systems and the English-speaking actor is more like a broker, trying to sell the back-end data. ... This is not how the Carbanak gang operates; they typically do not sell data or work with hackers outside of Russia."
Multiple groups, including the gang behind Carbanak, however, could have simultaneously targeted MICROS, Holden acknowledges. But Hold Security could not find a connection between MICROS and Carbanak, he says.
Holden says the attacks his firm identified date back to July 15 or 16, with the exposure window lasting about two or three weeks. And huge amounts of data - anywhere from 14 gigabytes to 16 gigabytes - were exfiltrated by hackers from most of the 10 identified POS providers.
"It's very difficult to tie the actors we've seen to the malware strains identified by Visa," Holden says. "But I can tell you from experience that when hackers download that amount of data, they are trying to understand the infrastructure of the POS network."
Hotel Breaches Raise New Questions
Similarly, it is difficult to link any of these POS vendor attacks to the breach of hotel management firm HEI, which manages properties for Starwood Hotels and Resorts, Marriott, Hilton, Hyatt and InterContinental Hotels Group, Holden adds.
"It's technically possible they are linked to HEI, but we can't say for sure," he explains.
Whether any of those attacks are linked to the MICROS breach is unclear. HEI has not revealed whether MICROS devices and systems are used by any of its properties.
"Without being involved in the actual forensics investigation, it's pure speculation whether these attacks are related or not," says Christopher Budd, a global threat communications manager at Trend Micro. "However, there is one key difference between the MICROS attack and some of the other retail point-of-sale attacks: The MICROS attack appears to focus on the POS maker/vendor, where previous attacks have focused on compromising the endpoint POS devices on the target's premises."