Russian Hackers Hit Oracle’s MICROS POS

Russian hackers have compromised a customer support portal for Oracle’s MICROS point-of-sale (POS) systems and accessed user names and passwords, KrebsOnSecurity‘s Brian Krebs reports.

The company told Krebs that it had “detected and addressed malicious code in certain legacy MICROS systems,” and that it had reset all customers passwords for the MICROS support portal.

In a letter to MICROS customers, Oracle added, “We also recommend that you change the password for any account that was used by a MICROS representative to access your on-premises systems.”

MICROS point-of-sale systems, Krebs reports, are used at more than 330,000 locations worldwide, including food and beverage outlets, retailers and hotels. It’s not yet clear how many customers may be impacted by the breach.

Two security experts told Krebs that the MICROS portal was found to be communicating with a server used by the Russian Carbanak gang, which is suspected of having stolen more than $1 billion over the past few years.

Another source told Krebs that the breach likely started with a single infected system inside Oracle’s network, which was then used to compromise other systems.

Console CEO and founder Al Burgio told eSecurity Planet by email that the breach highlights the need for POS systems provider to reevaluate not only their endpoints, but also the channels on which they’re handling customer data. “If they are connecting to their customers, partners and cloud providers via the public Internet, they are always at some degree of risk of a security breach or connectivity disruption,” he said.

“The use of private dedicated networks for financial data is not new, as high frequency traders have been utilizing dedicated, private low latency links for years,” Burgio added. “POS systems providers, like any organization that deals with sensitive data, need to ensure they have secure and reliable connections to handle that data and prevent breaches and breakdowns such as the one experienced by Oracle MICROS.”

And RiskVision CEO Joe Fantuzzi said by email that the breach serves as a perfect example of the long tail of risk. “Vulnerabilities embedded in enterprise networks not only have the potential to damage the parent organization if exploited, but can be detrimental for customers, technology partners and third party vendors who will often be blindsided by the sudden and unexpected impact of an attack,” he said.

“In light of these far reaching consequences, it’s imperative that organizations find a way to comprehensively assess and analyze the entirety of their risk posture, which includes the potential impact that vulnerabilities have on any and all third parties they deal with,” Fantuzzi added. “Without that kind of insight, organizations will continue to operate with huge blind spots that will eventually cripple them in the event of a cyberattack.”

Imperva director of security research Itsik Mantin said the breach should also serve as a reminder that organizations don’t just have to try to avoid a breach — they also have to have plans in place to detect and contain breaches when they happen. “It’s not enough to rely on password policies, which are of no use when the credentials are stolen, to prevent attacks,” he said.

“Those in charge of Web applications should be mindful to take specific detection measures to validate the authenticity of login to the system, treating with caution login from unexpected countries or anonymous networks, or logins from a Web bot and rate limiting login attempts, in particular, those using credentials known to be stolen,” Mantin added.

A recent eSecurity Planet article offered advice on securing corporate data in a post-perimeter world.

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles