Oracle’s cash register system may have fallen victim to a hack conducted by a cybercriminal group. The news made headlines two weeks ago. Although we have become used to such buzz in the media, this breach is not just another cybersecurity horror story in the steady stream.
Renowned blogger Brian Krebs reported the breach on August 8. He started his investigation of the incident after receiving an email about a potentially large breach at Oracle’s retail division.
KrebsOnSecurity’s analysis revealed that the MICROS customer portal was indeed breached. The intrusion was potentially conducted by the Russian hacker group known as the Carbanak Gang.
The attack vector is worrying. The cybergang compromised the MICROS customer support portal by injecting malicious code. The malware allowed the attackers to steal MICROS customer usernames and passwords when customers logged into the support website; thus, in theory, the intruders gained remote access to PoS systems and could steal credit card data. Taking into account that most PoS terminals in the USA still accept cards without a chip, the attackers may have gained unlimited control over the affected credit cards.
We cannot say exactly how the hackers breached the system. However, it is worth mentioning that in July 2016 the vendor released several patches for vulnerabilities in other Oracle retail applications. In April, Oracle fixed a number of vulnerabilities in MICROS PoS (CVE-2016-0684, CVE-2016-3429, CVE-2016-0469). Of course, nobody knows how many vulnerabilities in MICROS PoS are still undiscovered. Moreover, the fact that Oracle purchased MICROS Systems only in 2014 may also have affected the code quality of the product.
In its official statement to customers, Oracle reports that the malware was detected and that all payment card data was encrypted. So we cannot say for sure what data was compromised. In a worst-case scenario, the scale of the attack could be rather large. To put this in perspective, MICROS is one of the big three point-of-sale system vendors worldwide. According to a 2014 Oracle statement, MICROS is used by 33,000 cash registers across 180 countries, including 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels. The most notable customers are as follows:
- Hotels: Hyatt, Marriott, Hilton
- Food and beverages: Yum, Starbucks, Burger King
- Retail: IKEA, BJ’s, Adidas
Why this breach is dangerous
Why could this attack go down in history as one of the most notorious? This is a phenomenal targeted breach. Its most interesting feature is that the group attacked the vendor itself (Oracle): with the access gained to the MICROS support portal, they were able to infect all devices, for example via vulnerabilities in them, thereby breaching thousands of retail networks.
Obviously, a number of Oracle customers who use MICROS PoS were compromised. However, one might wonder: why limit your actions to compromising the MICROS customer portal when you are already inside the Oracle corporate network?
As for threats to the vendor itself, it should be noted that the attackers may have stolen the source code of Oracle’s application or even some trade secrets (at the very least, they were in a position to do so). Software developers usually try to keep quiet about such incidents in an attempt to mitigate the impact of an attack. In this case, Oracle took the correct action: although we do not know the full scale of the disaster, MICROS customers received a letter recommending that they reset the passwords of their accounts.