Krebs: Russian Hackers Compromise Hundreds of Oracle PoS Systems Globally

Krebs: Russian Hackers Compromise Hundreds of Oracle PoS Systems Globally

Oracle Corp. has become the apparent victim of an attack by the Carbanak Gang, which a security researcher said has potentially affected hundreds of point-of-sale systems around the world.

The Carbanak Gang is part of a Russian cybercrime syndicate that is suspected of stealing more than $1 billion from banks, retailers and hospitality firms over the past several years. Brian Krebs at KrebsOnSecurity said that the group looks to be behind a compromise of a customer support portal for companies using Oracle’s MICROS PoS credit card payment systems.

Krebs laid out the scope of the potential problem in a blog: “MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels,” he said.

Krebs, who first learned of the breach on July 25th, said that sources inside Oracle told him that the malware started on one device, and subsequently spread to 700+ machines.

For its part, Oracle acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems.” It’s also asking all MICROS customers to reset their passwords for the MICROS online support portal.

One of the MICROS users reached out to Krebs about the issue: “I do not know to what extent other than they discovered it last week,” said the customer. “Out of abundance of caution they informed us and seem to have indicated the incident was isolated to Oracle staff members and not customers like us.  In addition, this notice was to serve to customers the reason for any delays in customer support and service as they were refreshing/re-imaging employees’ computers.”

The size and scope of the actual impact of the break-in is still being investigated, but Oracle said that its corporate network and Oracle’s other cloud and service offerings were not impacted. The company also emphasized that “payment card data is encrypted both at rest and in transit in the MICROS hosted customer environments.”

“This breach could be little more than a nasty malware outbreak at Oracle,” Krebs said. “However, the Carbanak Gang’s apparent involvement makes it unlikely the attackers somehow failed to grasp the enormity of access and power that control over the MICROS support portal would grant them.” Sources inside Oracle told him that Oracle’s MICROS customer support portal was seen communicating with a server known to be used by the Carbanak Gang.

Avivah Litan, a fraud analyst at Gartner, struck a concerned note: “This could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider. I’d say there’s a big chance that the hackers in this case found a way to get remote access to MICROS customers’ on-premises point-of-sale devices.”

Photo © Ken Wolter/

Source: Information Security Magazine