Oracle fails to predict, prevent POS breach
Following a punishing wave of attacks against POS systems, forensic experts are working with merchants and technology companies to patch vulnerabilities and reach out to millions of potentially affected business owners and consumers. Security analysts have stated that Oracle Corp.'s Micros POS systems, among others, may have become central access points for cybercriminals in these attacks.
The first sign of trouble surfaced Aug. 8, 2016, when Micros, the POS division of Oracle, revealed a malware attack that may have compromised 300,000 Micros payment terminals. Security analyst and investigative reporter Brian Krebs initially reported the incident, attributing the hack to a Russian group, alternatively known as the Carbanak Gang and Anunak. The criminals allegedly exploited a vulnerability in Oracle's customer support portal, where they stole customers' login credentials to gain entry to a large population of Micros POS terminals.
Cybercriminals armed with login credentials can exploit a range of banking, credit card and personal accounts. This approach has been successfully deployed against Micros and five other prominent POS brands. New revelations surfaced Aug. 11 that Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell have reportedly found anomalies in their internal systems and backend technology.
Too little, too late
"Oracle is no stranger to cybersecurity issues," said John Wethington, Vice President of Americas at Ground Labs Pte. Ltd., an international security company with offices in Austin, Texas; Dublin; and Singapore. "[The Micros hack] blows the doors open to what we've said all along: It only takes one POS entry point for an entire system to be compromised."
Wethington noted that many malware tools, readily available on the Dark Web, are designed to scrape payment card data. "Cybercriminals establish a footprint within POS systems they've exploited; they can use the login credentials as a pivot point to attack customers internally, because they're on the other side of the firewall," he said. "Now they can leap off the POS platform to dig into untold terabytes of data."
Oracle advised all its customers to change their passwords, a move Wethington and others compare to closing the barn door after the cows get out. "Oracle took two days before acknowledging the hack," he said. "Originally, they thought it was just the support team that was compromised. But criminals used Oracle as a doorway into 300,000 businesses, putting millions of end points at risk."
Lessons learned, actions taken
In its statement to the press, Oracle confirmed that credit card data in its systems is encrypted during transmittal and at rest. While this was somewhat reassuring to potentially affected merchants, analysts are advising everyone to be especially vigilant in the coming months for spikes in credit card volumes and signs of fraudulent activity. Following are additional recommendations from security experts:
- Scan and audit: "Run a full security audit and make sure your environment is up to date and not storing sensitive data," Wethington said. "Use a data discovery tool to search through email, notes and attachments, because all systems are now put at risk. Even Oracle can't take responsibility for systems outside of their control."
- Think beyond passwords: "It's not enough to rely on password policies, which are of no use when the credentials are stolen," said Itsik Mantin, Director of Security Research at Imperva Inc. "Those in charge of web applications should be mindful to take specific detection measures to validate the authenticity of login to the system, treating with caution login from unexpected countries or anonymous networks, or logins from a web bot and rate limiting login attempts, in particular, those using credentials known to be stolen."
- Securely store encryption keys: "It's crucial to secure encryption keys and firewalls," Wethington said. "Failure to do so is equivalent to locking the house and leaving the keys in the front door."
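One way to implement the login checks Mantin lists above (unexpected country, anonymous network, bot client, rate limiting, and credentials known to be stolen), written as an added example that is not code from the article or from any vendor named in it; the user/country table, the anonymous-network prefixes and the breached-password hash set are constructed stand-ins for real feeds.

```python
import hashlib
import time
from collections import defaultdict, deque

# Constructed sample data (placeholders for real feeds): the country each user normally logs in from,
# address prefixes standing in for a Tor-exit/proxy list, and SHA-1 hashes of known-breached passwords.
EXPECTED_COUNTRY = {"alice": "US", "bob": "IE"}
ANON_NETWORKS = {"185.220.101.", "198.96.155."}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("Password1", "micros2016")}
BOT_MARKERS = ("python-requests", "curl/", "bot")

RATE_LIMIT = 5        # attempts allowed per user per window
WINDOW_SECS = 60
_attempts = defaultdict(deque)   # user -> timestamps of recent attempts (sliding window)


def rate_limited(user, now):
    """Record one attempt for `user` and report whether the window limit is exceeded."""
    window = _attempts[user]
    while window and now - window[0] > WINDOW_SECS:
        window.popleft()
    window.append(now)
    return len(window) > RATE_LIMIT


def assess_login(user, password, ip, country, user_agent, now=None):
    """Evaluate one login attempt; returns (decision, reasons).

    decision is 'allow', 'step_up' (require a second factor) or 'block'.
    """
    now = time.time() if now is None else now
    reasons = []
    if EXPECTED_COUNTRY.get(user) not in (None, country):
        reasons.append("unexpected_country")
    if any(ip.startswith(prefix) for prefix in ANON_NETWORKS):
        reasons.append("anonymous_network")
    if any(marker in user_agent.lower() for marker in BOT_MARKERS):
        reasons.append("bot_user_agent")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("known_stolen_credential")
    if rate_limited(user, now):
        reasons.append("rate_limited")

    # Stolen credentials and brute forcing are blocked outright; other signals force step-up auth.
    if "known_stolen_credential" in reasons or "rate_limited" in reasons:
        return "block", reasons
    if reasons:
        return "step_up", reasons
    return "allow", reasons
```

In a deployment the constructed sets would be replaced by a maintained anonymizer list and a breached-credential feed, and the password hash would be looked up by prefix (range query) rather than held in a local set.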
Bracing for impact
Gartner Inc. analyst Avivah Litan speculated that the Micros data breach may be connected to recent cybersecurity attacks in retail and hospitality sectors. While no one has tied these hacks to any one service provider, Litan said, "There's a big chance that the hackers in this case found a way to get remote access," thereby initiating the recent string of high-profile data breaches.
Oracle emphasized that none of its corporate networks, cloud services or ancillary networks have been compromised. However, many of the details of the incident, including when the attack was initiated, have yet to be revealed. Much of the software used for breaking and entering also contains remote administrative access tool kits with "call home" features that link malware to remote command centers, subjecting it to further commands and downloads, Wethington noted.