A massive hack has taken place at Oracle Corp. Cyber criminals have successfully broken into hundreds of computer systems at Oracle Corp. What is known so far is that the hack has completely compromised the online support portal for MICROS customers. MICROS is a leading global seller of point-of-sale (POS) systems and was bought by Oracle in 2014. Since the takeover, Oracle has maintained an online support portal for MICROS customers.
After the cyber criminals successfully breached many of Oracle’s retail division servers and installed malicious code in the MICROS online support portal, they appear to have stolen the representative account credentials (login credentials) that support personnel use to access the POS units when providing support. And whenever customers logged into their account on the MICROS support website, the malware stole the customer usernames and passwords. Having obtained valid credentials, the cybercriminals logged into the devices/systems at customer/retail outlets through remote access tools (RATs) and installed POS malware on them.
When Oracle was questioned about the extent of the breach, it downplayed the issue and replied with a pretty lame response: “Oracle has detected and addressed malicious code in certain legacy MICROS systems.”
In its alert, Oracle has also asked customers to change the passwords of the MICROS representative accounts that were being used for accessing the POS systems. This alert confirms that the hackers breached Oracle’s servers and then used the representative account credentials to access the devices/systems and install POS malware on them.
In this case, even if the customer had effective POS security products in place to block malware attacks, their devices/systems would still have been infiltrated: the attackers came in with valid support credentials, so the POS security and any other security measures the customer may have put in place were simply bypassed.
VISA, a financial and payment card company, has issued a warning alerting enterprises, issuers, acquirers, processors and merchants using Oracle MICROS units to check for POS malware. It has also advised users to change the passwords of the devices/systems as a precautionary measure. Cyber security experts suspect that this breach could be linked to some of the still unexplained malware attacks on point-of-sale systems that occurred earlier.
Analysis of the cyber attacks indicates that the attack is linked to the organized Russian hacker group known as the Carbanak Gang. In its warning, VISA has published indicators of compromise (IOCs) that link some of the IP addresses involved to the Carbanak Gang.
In this attack, the cybercriminals planted POS malware known as MalumPOS. Analysis of the malware code revealed that it contained customized code for collecting data only from POS systems running on Oracle’s MICROS platform. The extent of the systems infected and the amount of payment card data stolen from POS systems is not yet known.
Cyber security experts suspect that many of the recent data breaches in the hospitality industry could be due to this malware as many of the compromised POS systems are believed to be running on Oracle’s MICROS platform.
In this case, unless the IT security administrators of the hospitality or retail outlets had observed some suspicious activity, they would have had no reason to suspect this data breach. The VISA advisory recommends that IT security administrators check whether the IP addresses in the list of IOCs it has published appear on their systems (for example in firewall, remote-access or POS connection logs). If they do, their POS security has been bypassed and the system has been compromised.
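The check the VISA advisory recommends, namely sweeping connection logs for the published IOC addresses, can be scripted so it is run on every outlet rather than eyeballed. The following is an added example and is not code from the article, Oracle, or VISA: the IOC entries are constructed placeholders drawn from the RFC 5737 documentation ranges (a real sweep would load the IP list from VISA's advisory), and the log lines are a constructed firewall-style sample, not real traffic. It accepts both single addresses and CIDR ranges in the IOC list, which is how such lists are commonly published.

```python
import ipaddress
import re

# Constructed placeholder IOC entries (documentation ranges only).
# In practice, load the IP addresses published in VISA's advisory here.
IOC_ENTRIES = [
    "198.51.100.7",     # a single host
    "203.0.113.0/24",   # a whole range, in CIDR notation
]

# Constructed sample of firewall connection log lines from a retail outlet.
# Line 1 is an outbound connection to an IOC host; line 3 is an inbound
# remote-access connection from an address inside an IOC range.
SAMPLE_LOG = """\
2016-08-08T10:01:12Z fw01 conn src=10.20.1.15 dst=198.51.100.7 dport=443 action=allow
2016-08-08T10:02:45Z fw01 conn src=10.20.1.15 dst=172.16.5.9 dport=445 action=allow
2016-08-08T10:03:01Z fw01 conn src=203.0.113.41 dst=10.20.1.15 dport=3389 action=allow
2016-08-08T10:04:30Z fw01 conn src=10.20.1.22 dst=8.8.8.8 dport=53 action=allow
"""

# Matches dotted-quad IPv4 literals anywhere in a log line.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def load_iocs(entries):
    """Normalise IOC strings into ip_network objects (a bare host becomes a /32)."""
    return [ipaddress.ip_network(entry.strip(), strict=False) for entry in entries]


def matching_ioc(ip, networks):
    """Return the IOC network containing `ip` as a string, or None if no IOC matches."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr in net:
            return str(net)
    return None


def find_ioc_hits(log_text, ioc_entries):
    """Scan every line of `log_text`; return one record per IOC match found."""
    networks = load_iocs(ioc_entries)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for ip in IP_RE.findall(line):
            try:
                net = matching_ioc(ip, networks)
            except ValueError:
                # The regex is loose and can match non-addresses such as 999.1.1.1;
                # skip anything ipaddress refuses to parse.
                continue
            if net is not None:
                hits.append({"line": lineno, "ip": ip, "ioc": net, "text": line})
    return hits


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG, IOC_ENTRIES):
        print(f"line {hit['line']}: {hit['ip']} matched IOC {hit['ioc']}")
        print(f"    {hit['text']}")
```

Run against the constructed sample, this flags two lines: the outbound connection on line 1 and the inbound remote-access connection on line 3. Any hit is a reason to treat the outlet as compromised per the advisory, not merely to block the address.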
By now, the repercussions of the MICROS support portal malware attack on POS systems are somewhat known. However, what other parts of Oracle have been compromised, or what other types of data loss have taken place, is not yet known. Maybe Oracle knows and is not divulging, or maybe it doesn’t know yet.