A Russian cyber-gang, the Oracle MICROS hack, and five more POS makers in crims' sights
Who, what, when, why, how?
When hackers, believed to be a Russian crime gang, broke into Oracle-owned payment terminal biz MICROS, it was assumed the crooks were snooping around other register makers, too.
Well, assume no more: here are five other companies poked and prodded by the crew, with wildly varying degrees of success.
Days after word broke that MICROS had been infiltrated by miscreants, Hold Security tipped off Forbes that POS vendors ECRS, Navy Zebra, PAR Technology, Cin7, and Uniwell were also targeted by the same group.
Alex Holden, CISO for Hold Security, told El Reg that the network breaches all look to have taken place over a two-week period between July 16 and 29 when members of a Russian hacking group infiltrated company web servers and attempted to access customer databases.
"In our investigation after learning about the MICROS breach, we identified a number of victims to the same group," Holden said. "Besides learning about how MICROS was compromised, we saw the hackers target and successfully attack a number of other POS software providers."
Holden said his team witnessed stolen data and backdoor passwords being exchanged in underground forums, with the hackers selling information obtained from MICROS for $10,000.
"Hackers use standard attack tools to install backdoors into web servers of the victims," explained Holden. "Once successful, they would try to gain access to SQL databases and retrieve or download data."
It appears, however, that the attempts at infiltrating the networks of those other companies were by and large far less successful than the ransacking of MICROS.
It was feared that, by compromising the POS vendors, the criminals would be able to remotely access payment terminals in potentially thousands of stores, hotels and restaurants, and snoop on people's bank card details.
However, so far, it appears the main victims were poorly secured web and documentation servers, and no sensitive personal information was directly obtained. It is, of course, possible that any internal documentation or passwords grabbed by the hackers could be leveraged to attack further systems and networks.
Cin7 claims it wasn't hit at all. A spokesperson for the software biz told The Register, "we have not suffered any type of breach in the system," and gave us a copy of the notice founder Danny Ing sent to his customers:
We wanted to let you know that Cin7 has been the target of an unsuccessful cyberattack, which was detected as part of our normal security auditing process. As a further precautionary measure, our protocol in these situations is to recommend you reset your Cin7 password.
We want to reassure you that, as our terms and conditions indicate, Cin7 does not store any credit card information for your business or your customers. We greatly value our business relationship with you, and look forward to many more years of our continued partnership.
Yet Ing apparently told Forbes earlier this week that "malicious code designed to get passwords from the database or operating system" was found on one of its servers. It may have been that the infection was detected and stopped immediately.
Meanwhile, in an email seen by The Register to resellers, Uniwell said: "Recently, a web server which contains public domain information on Uniwell products such as operating and service manuals, installation documents and brochures was breached. There is absolutely no connection between this web server breach and the security of our POS systems."
Uniwell's director of technology Gilmer Pinto told us shops' and hotels' Uniwell terminals are not connected to its website's systems, therefore there was no way the hackers could tunnel their way into sales registers and lift card information. "Our ROM-based proprietary POS systems do not fall into the same category as other PC-based POS systems that use servers and keep customers' data. Our POS Systems are simply not designed that way," said Pinto.
The biz plans to shut down the compromised uniwell-americas.com server, though, and use other systems to distribute information and manuals.
ECRS was quoted by Forbes as saying the hackers were able to insert malicious code into one of its web portals and may have had access to customer contact information, but "the affected system was segregated from the systems that ECRS uses to facilitate remote access to merchant systems, and the affected system was not used to store sensitive information pertaining to credit card processing."
PAR Technology, meanwhile, said it was treating the incident "as a non-material event" and that no production data was accessed.
Navy Zebra and its parent company, BankCard Services, said they are investigating the claims, stressing that they do not store any payment card details.
So, as you would expect, the miscreants behind the MICROS hit are indeed probing and infiltrating other sales terminal vendors. Investigative reporter Brian Krebs estimates that the crew, known as the Carbanak Gang, has swiped more than $1bn from banks, shops, hotels, and so on, over the years by hacking payment systems.
Let's hope POS makers are all taking notes. And that their card readers are more secure than their websites. ®