By Natasja Bolton, Senior Acquirer Support QSA
On August 8th, 2016 Oracle issued a letter informing their MICROS customers that malicious code had been detected in certain legacy systems and advising on the actions their customers should take. Oracle’s letter and subsequent FAQs did not give details of the root cause of the MICROS breach nor any guidance on the suspicious activities potentially exposed businesses should look out for.
In response, Visa Inc issued a Security Alert to help MICROS customers better protect their business. The Security Alert provides information on known Indicators of Compromise (IOCs) associated with cybercrime threats that have previously targeted Oracle systems.
If businesses identify the presence of these IOCs on their network, it may signify that their business network or point of sale system has been compromised.
What do we know about the breach?
Oracle Security notified MICROS customers on August 8th, 2016. Breach investigations are ongoing but the compromise details provided so far are:
- Oracle Security detected and addressed malicious code in certain legacy systems
- The Oracle Corporate network and other Oracle cloud and service offerings were not impacted
- Payment card data was not exposed due to its encryption both at rest and in transit in the MICROS hosted environment
- Additional security measures have been implemented for legacy systems to prevent recurrence.
‘Computing’ reports that specialist security company ERPScan considers the breach to be “a phenomenal targeted attack”. ERPScan further speculates that because the attacker went after the vendor (Oracle) and gained access to the MICROS support portal, they may have been able to inject malicious code and, thereby, breach thousands of retail networks.
We do not yet know what vulnerabilities were exploited by the attackers, how long the malicious code was present on the “legacy MICROS systems”, nor exactly what Oracle means by “legacy MICROS systems”.
However, we do know that in April 2016, Oracle released security patches for vulnerabilities in some MICROS POS applications that could be exploited over a network, but only by an attacker holding a valid username and password. In other words, those flaws were remotely exploitable once credentials were in hand.
Given Oracle Security’s recommended customer response actions, it could well be that the attackers were seeking valid MICROS credentials in order to be able to remotely exploit known MICROS POS security vulnerabilities.
Analysis and insider knowledge published by Krebs on Security appears to support that hypothesis. Krebs on Security’s sources indicated intruders had “placed malicious code on the MICROS support portal” allowing the attackers to “steal MICROS customer usernames and passwords when customers logged in the support Web site”.
One indicator of the MICROS customer support portal’s compromise was that it was seen “communicating with a server known to be used by the Carbanak Gang”. (Carbanak is part of a Russian cybercrime syndicate, suspected of stealing more than $1 billion over the past several years, and for whom Visa has previously issued a Security Alert).
Of potentially more concern is the possibility that Oracle’s customer “ticketing portal”, used to remotely troubleshoot MICROS customers’ problems with their point-of-sale systems, was also compromised.
Who might be affected?
MICROS Systems, Inc. is a solutions vendor and hosting provider to the retail, hospitality, food & beverage, leisure and entertainment industries. As of 2014, when they were acquired by Oracle, MICROS point-of-sale systems, on-premise and cloud-based solutions were in use in 180 countries.
MICROS systems are in use across a huge range of industry sectors and business types from international hotel chains, retail stores, stadiums, theme parks, restaurants and catering companies to universities, travel agents and cruise companies.
A 2014 acquisition presentation gave deployment figures: 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.
Oracle’s notification letter suggests that the company is concerned about more than just the compromise of credentials for customer accounts on the MICROS support portal. Their recommended customer response actions appear to suggest that Oracle believes accounts used to access both MICROS hosted and remote on-premise MICROS systems have also been exposed to the attackers.
As Krebs on Security speculates, compromise of these credentials could give attackers remote access to MICROS’ customers’ point-of-sale systems and the ability to “upload card-stealing malware”.
A Gartner Analyst speaking to Fortune has speculated that this breach may “explain why so many shops, hotels, and retail outlets have suffered breaches at their point of sale systems in the past months”. The same Analyst told Krebs on Security that, “there’s a big chance that the hackers in this case found a way to get remote access” to MICROS customers’ on-premises point-of-sale devices.
What should businesses using MICROS systems do in response to this breach?
Oracle guidance: Change Passwords
Oracle Security’s recommendations have been limited to requiring MICROS customers to change their passwords:
- Change passwords for all MICROS accounts
- Change passwords for any accounts used by MICROS representatives to access the customer’s on-premises systems
Oracle says it will force a password change in hosted MICROS systems, where possible. Therefore, businesses using MICROS hosted or cloud solutions should also change the passwords for their accounts on any MICROS hosted systems.
Full details of how to change these passwords have been published on My Oracle Support (Doc ID 2165744.1).
Visa Guidance: Scan for Malicious Code and Network Traffic
Visa Inc’s Security Alert includes the following additional actions to determine whether malicious code is already present on the business network or point of sale systems:
- Scan the business’ network for files and system services known to be indicators of compromise
- Scan the business’ network for known IOCs associated with Carbanak
- Scan the business’ network for known IOCs associated with MalumPOS
The Visa Security Alert lists the specific files and services that should be scanned for (the Indicators of Compromise). The list includes suspect Internet IP addresses, domain names, filenames, services and processes linked to known cyber attackers and POS malware.
Detection of any of the Internet IP addresses and domain names from the Carbanak list could show a connection between the business and a known cyber attacker, strongly suggesting the business’ point-of-sale systems have already been compromised.
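The Visa alert supplies the actual indicator values, which are not reproduced here. As an added illustration (not code from the original article, Oracle or Visa), the Python below shows the shape of such an IOC sweep: a placeholder indicator set in the same categories the alert uses (file names, services, processes, IP addresses, domains) is matched against artefacts collected from a POS host and a firewall/DNS log. Every indicator and every sample input is constructed for the example (RFC 5737 test addresses, the reserved .invalid TLD, made-up file and service names); a practitioner would substitute the values from the Visa alert and feed in real directory listings, service and tasklist output and log extracts.

```python
"""Offline IOC sweep in the spirit of the Visa MICROS Security Alert.

All indicator values and sample inputs are CONSTRUCTED placeholders for
this example; none are real IOCs. Load the real list from the Visa alert.
"""
import ipaddress
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Constructed placeholder IOC set, one bucket per category in the Visa alert.
PLACEHOLDER_IOCS: Dict[str, Set[str]] = {
    "filenames": {"svchost32.exe", "mpos_helper.dll"},   # made-up names
    "services": {"PosUpdaterSvc"},                        # made-up service
    "processes": {"pdumper.exe"},                         # made-up image name
    "ips": {"203.0.113.10", "198.51.100.7"},              # RFC 5737 test ranges
    "domains": {"update-pos.invalid", "stat-cdn.invalid"},  # reserved TLD
}

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
HOST_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b",
    re.IGNORECASE,
)


@dataclass
class Hit:
    category: str   # which IOC bucket matched
    indicator: str  # the normalised indicator value
    evidence: str   # the path, service, tasklist line or log line that matched


@dataclass
class SweepResult:
    hits: List[Hit] = field(default_factory=list)

    def count(self, category: str) -> int:
        return sum(1 for h in self.hits if h.category == category)

    def contacted_attacker_infra(self) -> bool:
        # Network IOC matches are the strongest signal in the Visa alert.
        return self.count("ips") > 0 or self.count("domains") > 0


def match_paths(paths: Iterable[str], iocs: Dict[str, Set[str]]) -> List[Hit]:
    """Compare file basenames (case-insensitive, either path separator)."""
    wanted = {v.lower() for v in iocs["filenames"]}
    return [Hit("filenames", b, p) for p in paths
            if (b := ntpath.basename(p).lower()) in wanted]


def match_services(names: Iterable[str], iocs: Dict[str, Set[str]]) -> List[Hit]:
    wanted = {v.lower() for v in iocs["services"]}
    return [Hit("services", n.lower(), n) for n in names if n.lower() in wanted]


def match_processes(tasklist_lines: Iterable[str], iocs: Dict[str, Set[str]]) -> List[Hit]:
    """First whitespace-delimited token of a tasklist line is the image name."""
    wanted = {v.lower() for v in iocs["processes"]}
    hits = []
    for line in tasklist_lines:
        parts = line.split()
        if parts and parts[0].lower() in wanted:
            hits.append(Hit("processes", parts[0].lower(), line.strip()))
    return hits


def match_network_log(lines: Iterable[str], iocs: Dict[str, Set[str]]) -> List[Hit]:
    """Exact IP matches (no substring false positives) and domain/subdomain matches."""
    bad_ips = {ipaddress.ip_address(v) for v in iocs["ips"]}
    bad_domains = {d.lower() for d in iocs["domains"]}
    hits = []
    for line in lines:
        for token in IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                continue  # e.g. 999.1.1.1 looks like an IP but is not one
            if ip in bad_ips:
                hits.append(Hit("ips", str(ip), line.strip()))
        for host in HOST_RE.findall(line):
            host = host.lower()
            if any(host == d or host.endswith("." + d) for d in bad_domains):
                hits.append(Hit("domains", host, line.strip()))
    return hits


def sweep(paths, services, tasklist_lines, net_lines, iocs=PLACEHOLDER_IOCS) -> SweepResult:
    result = SweepResult()
    result.hits += match_paths(paths, iocs)
    result.hits += match_services(services, iocs)
    result.hits += match_processes(tasklist_lines, iocs)
    result.hits += match_network_log(net_lines, iocs)
    return result


def run_demo() -> SweepResult:
    """Constructed sample artefacts standing in for a real POS host collection."""
    paths = [r"C:\Windows\System32\svchost.exe",          # legitimate, no hit
             r"C:\Windows\Temp\SVCHOST32.EXE",             # hit, case differs
             "C:/ProgramData/cache/mpos_helper.dll"]        # hit, forward slashes
    services = ["Spooler", "PosUpdaterSvc", "W32Time"]
    tasklist = ["Image Name                     PID Session Name   Session#  Mem Usage",
                "svchost.exe                    812 Services              0   12,344 K",
                "pdumper.exe                   4120 Console               1    3,212 K"]
    firewall = ["2016-08-09 10:14:02 ALLOW TCP 10.20.1.15:49812 -> 203.0.113.10:443",
                "2016-08-09 10:14:05 ALLOW TCP 10.20.1.15:49813 -> 192.0.2.44:443",
                "2016-08-09 10:15:11 DNS query from 10.20.1.15 for www.update-pos.invalid",
                "2016-08-09 10:16:40 ALLOW TCP 10.20.1.16:51000 -> 198.51.100.70:80"]
    return sweep(paths, services, tasklist, firewall)


if __name__ == "__main__":
    for h in run_demo().hits:
        print(f"[{h.category}] {h.indicator}: {h.evidence}")
```

Two details matter in practice: file and service names are compared case-insensitively because Windows paths are, and IP addresses are parsed rather than substring-matched, so 198.51.100.70 in the sample log does not register as a hit on the indicator 198.51.100.7. Domain matching treats any subdomain of a listed domain as a hit, which is how C2 hostnames are usually rotated.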
Visa Guidance: Educate and Update
The Visa Security Alert also recommends that businesses using MICROS solutions take additional actions to minimise the risk. These are focussed on reducing exposure and addressing zero day vulnerabilities and threats.
- Educate and inform: Remind employees how to avoid phishing scams and protect themselves from malware. Make sure they know not to click on links, download files or open attachments in emails unless they are expecting them and know what they contain.
- Patch and update systems and software: Monitor for the release of new security vulnerabilities and deploy updates for all software and patches to address security vulnerabilities as soon as possible.
- Make use of the behavioural analysis features of anti-malware software: Behavioural analysis (or heuristics) can detect previously unknown malware and malicious code. If available, turn on this feature as it can help to detect zero day attacks that would not be identified by signature-based anti-malware.
A bigger problem?
It also appears that Oracle MICROS may not be the only POS vendor being targeted by hackers. Forbes has reported that it now appears at least five POS vendors’ systems have been attacked: Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell; allegedly by the same Russian cybercrime gang. According to Forbes: “Together, they supply as many as, if not more than, 1 million point-of-sale systems globally”. It seems that the recommendations and guidance given above are applicable to all businesses using POS solutions.