August 8, 2016

A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.

ocAsked this weekend for comment on rumors of a large data breach potentially affecting customers of its retail division, Oracle acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems.” It also said that it is asking all MICROS customers to reset their passwords for the MICROS online support portal.

MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.

The size and scope of the break-in is still being investigated, and it remains unclear when the attackers first gained access to Oracle’s systems. Sources close to the investigation say Oracle first considered the breach to be limited to a small number of computers and servers at the company’s retail division. That source said that soon after Oracle pushed new security tools to systems in the affected network investigators realized the intrusion impacted more than 700 infected systems.

KrebsOnSecurity first began investigating this incident on July 25, 2016 after receiving an email from an Oracle MICROS customer and reader who reported hearing about a potentially large breach at Oracle’s retail division.

“I do not know to what extent other than they discovered it last week,” said the reader, who agreed to be quoted here in exchange for anonymity. “Out of abundance of caution they informed us and seem to have indicated the incident was isolated to Oracle staff members and not customers like us.  In addition, this notice was to serve to customers the reason for any delays in customer support and service as they were refreshing/re-imaging employees’ computers.”

Two security experts briefed on the breach investigation and who asked to remain anonymous because they did not have permission from their employer to speak on the record said Oracle’s MICROS customer support portal was seen communicating with a server known to be used by the Carbanak Gang. Carbanak is part of a Russian cybercrime syndicate that is suspected of stealing more than $1 billion from banks, retailers and hospitality firms over the past several years.

Many well-known retail, hotel and food & beverage brands use MICROS.

Many well-known retail, hotel and food & beverage brands use MICROS.

A source briefed on the investigation says the breach likely started with a single infected system inside of Oracle’s network that was then used to compromise additional systems. Among those was a customer “ticketing portal” that Oracle uses to help MICROS customers remotely troubleshoot problems with their point-of-sale systems.

Those sources further stated that the intruders placed malicious code on the MICROS support portal, and that the malware allowed the attackers to steal MICROS customer usernames and passwords when customers logged in the support Web site.

Oracle declined to answer direct questions about the breach, saying only that Oracle’s corporate network and Oracle’s other cloud and service offerings were not impacted. The company also sought to downplay the impact of the incident, emphasizing that “payment card data is encrypted both at rest and in transit in the MICROS hosted customer environments.”

In a statement that Oracle is apparently in the process of sending to MICROS customers, Oracle said it was forcing a password reset for all support accounts on the MICROS portal. Oracle added: “We also recommend that you change the password for any account that was used by a MICROS representative to access your on-premises systems.”

ANALYSIS

This breach could be little more than a nasty malware outbreak at Oracle. However, the Carbanak Gang’s apparent involvement makes it unlikely the attackers somehow failed to grasp the enormity of access and power that control over the MICROS support portal would grant them.

Indeed, Oracle’s own statement seems to suggest the company is concerned that compromised credentials for customer accounts at the MICROS support portal could be used to remotely administer — and, more importantly, to upload card-stealing malware to — some customer point-of-sale systems. The term “on-premise” refers to POS devices that are physically connected to cash registers at MICROS customer stores.

Avivah Litan, a fraud analyst at Gartner Inc., says Oracle seems to be saying its systems are encrypted, but that it’s the customer’s on-premise devices where the real danger lies as a result of this breach.

“This [incident] could explain a lot about the source of some of these retail and merchant point-of-sale hacks that nobody has been able to definitively tie to any one point-of-sale services provider,” Litan said. “I’d say there’s a big chance that the hackers in this case found a way to get remote access” to MICROS customers’ on-premises point-of-sale devices.

Point-of-sale based malware has driven most of the credit card breaches over the past two years, including intrusions at Target and Home Depot, as well as breaches at a slew of point-of-sale vendors. The malware usually is installed via hacked remote administration tools. Once the attackers have their malware loaded onto the point-of-sale devices, they can remotely capture data from each card swiped at that cash register.

Thieves can then sell the data to crooks who specialize in encoding the stolen data onto any card with a magnetic stripe, and using the cards to buy gift cards and high-priced goods from big-box stores like Target and Best Buy.

The breach comes at a pivotal time for Oracle, which has been struggling to compete with other software giants like Amazon and Google in cloud-based services. Last month, Oracle announced it would pay $9 billion to acquire NetSuite Inc., one of the first cloud-services companies.


112 thoughts on “Data Breach At Oracle’s MICROS Point-of-Sale Division

  1. J Snow

    If they hacked Micros, did they also get the source code? I would hate to think they did.

  2. Kevin

    How long do you think it would take Oracle to determine if any abnormal activity in employee logs had occurred?

    For those that could remote in to POS terminals, their credentials would have been used to install the malware in off hours I assume?

  3. wombat94

    I have said this before in comments here, but after having a credit card used for fraudulent charges twice in the last ten years and at least a half-dozen more times where I’ve had a card replaced with a new account number when I had used it at a retailer that had been breached, my wife and I settled on the following strategy for our payment card usage:

    1. Never use a debit card linked to our checking or savings accounts at a retail point-of-sale terminal, gas pump, or non-bank-owned or stand alone ATM. Basically, we forget about the Visa/MC logo on our ATM card and only use it to get cash like the old days when it was a pure debit card.

    2. We use one (or sometimes two) credit cards for ALL of our retail purchases… and those cards are not used for any recurring billing relationships.

    3. We have one card that is used for ALL recurring billing arrangements (whether with utility companies or subscription websites)… and is used for nothing else.

    This arrangement allows us to have a minimum of disruption when the inevitable fraudulent charges or use at a breached merchant occurs.

    The two times we’ve had fraudulent charges, a quick two minute phone call to the card issuer got the charged reversed (actually one of those times they called US because of suspicious activity and when we said that the charges were not ours they reversed the charges and issued a new card immediately).

    The far, far bigger hassle for use was changing all of the recurring billing arrangements when cards were being replaced due to card breaches. Since we went to this arrangement two years ago, we have not had to redo the recurring billing. (It has the somewhat coincidental added benefit of allowing us to schedule a once-a-month automated payment to that credit card and budget those fixed, recurring expenses more simply.)

    I carry very little cash. I use credit cards everywhere I can – and now favor merchants that have NFC/Apple Pay readers to take advantage of the additional security – but there is no reason to stop using credit cards if you can take some precautions in HOW you use them.

    1. Patrick

      Very smart arrangement! Good practices that others should follow.

    2. somguy

      BTW, you can request your bank send you a pure ATM card (without the debit or visa/mastercard logo capability). Then it will be impossible to use anywhere except ATM. Granted it’s less flexible that way, but it’s safer than debit.
      Or link it debit card a secondary bank account so if it’s hit it can’t drain everything until it’s recovered.

      1. Jay

        Be aware that some banks charge a fee for ATM-only cards. Our bank (PNC) does that. There’s a way around it, though: Get a regular debit card, and have the bank set a low daily purchase limit (like $10) on it.

        1. vb

          Chase bank does not charge for a pure ATM card. That’s what I use for security reasons. No debt card for me.

    3. PeteMc

      Most banks actually still have ATM only cards, you just need to ask for one. (Sometimes more than once because not everyone knows they have them.)

      And as you pointed out… You really don’t want to use a card that’s directly connected to an account. If for some reason you MUST do it, open a second, non linked, account and have the Debit card connected to that account.

    4. timeless

      That’s the right strategy. Thanks for posting it. Hopefully others will adopt it too.

    5. MikeB

      So, let me get this right: the reason that you keep recurring payments on a separate card from one off payments is that you feel that the one-off card is more likely to get fraudulently charged? Am I right in thinking that you adopt this arrangement because it saves you the hassle of setting up the recurring charges on a new card?

  4. Piere

    As with always, it is blame Russians. Russia is not only country with cyber criminals. Is never blame Mexico, is never blame France, is always blame Russia. Perhaps Brian Krebson is agent of American government spreading lies of Russia.

    1. TErickson

      It wasn’t a blind blame Russia, it was likely due to:

      >>Oracle’s MICROS customer support portal was seen communicating with a server known to be used by the Carbanak Gang. Carbanak is part of a Russian cybercrime syndicate that is suspected of stealing more than $1 billion from banks..

    2. me

      He didn’t blame all Russians. He just pointed out that Oracle’s system was communicating with the Carbanak.gang…who is mainly in Russia.

    3. Sean

      Russians are not the victims here.

      Russians always get blamed for majority of the cyber crime that happens in the world, and for good reason.

      Russian Cyber criminals were also behind the following:

      -Target Data Breach

      -Carbanak Bank Heist

      -Hacking of French Television channels
      (PawnStorm)

      -AlphaBay Black Market Creation

      -Evolution Market Exit Scam

      -Data Breaches at TJX, Citibank-branded 7-Eleven ATM’s, HeartLand Payment System, and Hannaford Brothers along side Albert Gonzalez.

      -Russian Goverment backed hackers in the DNC data breach

      The list above is just a FEW high profile cases where Russian Cyber Criminals have been involved. There are plenty of other smaller cases involving Russians.

      Russians and Chinesse hackers in particular are notorious for Cyber Crime. That’s it.

      1. Blanche Dubois

        … but we Sov…er…Russians is glorious world lider in pharmaceutical assistance programs. We # 1 !!!

    4. Pavel

      Overheard at conference in Europe:

      American Businessman: “Yes, we have hired a lot of Russian programmers. Those guys really know what they are doing!”

      Russian Businessman: “You know why Russians are best programmers? Because we are best hackers.”

  5. D Hammond

    I have not seen a MICROS terminal capable if reading the new single transaction chipped credit cards. They are still using the mag strip readers. Shows you how far behind the curve Oracle is.

    1. Pat Suwalski

      One of the logos in the customer list is the SAQ, exclusively in Quebec, Canada. There is no way they don’t have chip cards at their stores.

      1. RobM

        SAQ use EMV enabled terminals. If the Micros installation is semi-integrated, the POS is not involved in the authorization as Whitney points out. The POS is a command and control device that prepares the terminal for accepting a payment and waits for a acknowledgement back. The POS doesn’t see the transaction data, and being EMV it is encrypted at the terminal.

    2. Whitney

      Modern POS systems, including MICROS’ Xstore system are seperated from the payment processing system. The POS hands off the amount, the PINPad collects the data, gets the auth, and tells the POS yes or no. POS doesn’t care about how.

  6. David

    Is this related to the Kimpton Hotels breach from a few weeks back?

    1. BrianKrebs Post author

      Some people I spoke with thought so, but I couldn’t draw a clear connection and the Kimpton people didn’t reply to my request for comment.

  7. GR

    Guess its a good thing that Oracle’s support has been ridiculously awful since they bought out MICROS. They’ve never remotely connected to our system to help us with anything since they’ve taken it over….so we might actually be safe.

  8. Slick Rick

    What is the URL to the Micro’s support portal that was hacked? I can only find a Bomgar support portal. If Bomgar was hacked then this issue is bigger than Oracle.

  9. StynxNhere

    Do you thing the gap between security vulnerability research and best coding practices are to blame.?.

  10. Dale

    I called Oracle support because I needed access to the customer portal to review documents my Account Manager told me were stored there regarding how to respond to this breach…

    The support rep didn’t know there was a breach.

    Probably the most typical Oracle support call ever.

    What’s unfortunate is that Oracle probably won’t provide more details about the breach… meaning remediation efforts for their clients will likely not be known.

  11. Atwood

    Glad to see them finding this. Any updates as to how long it was there?

  12. Michael

    I’d say that this is the portal:
    https://usc.micros.com/selfservice/logon.asp

    It’s obviously not available anymore.

    Oracle now owns Micros, but Micros still require very old versions of Java for their sites and applications to run properly

    For example 6.17 6.22 6.27

    Their applications do not work with the latest versions of Java

  13. Bruce Sharp

    Windows has not updated. Here is what I am seeing
    Updates are available.

    • Cumulative Update for Windows 10 Version 1511 for x64-based Systems (KB3176493).
    • Security Update for Windows 10 Version 1511 for x64-based Systems (KB3172729).
    • Feature update to Windows 10, version 1607.

    Downloading updates 0%

    It has been this way for about 24 hours.

  14. Curtis Hodge

    Hi!
    I got a small retail POS system in my business, and now I want to know how I can download this Oracle’s MICROS to my software
    pos-arizona.com

  15. KevinK

    There is a pdf from Oracle downloadable from this page:
    https://www.oracle.com/industries/hospitality/index.html

    “malicious code in certain legacy MICROS systems” seems to indicate that it was at customer'(s) site(s).

    Also it says “Payment card data is encrypted…” blah blah. If they’re using a standard tokenizing hash like the one discussed at Defcon presentation titled “Oops I cracked my PANS”, this might not be much protection.

    Our legacy MICROS system batches up payments for nightly posting, but supposedly the card numbers are not stored anywhere. Mmmm…

  16. Andrew Robin

    Wish they could use database firewall.
    This is a good one from datasunrise for oracle
    datasunrise.com/oracle-firewall-security/
    Encryption won’t help because this was from inside
    The idea to separate security vendor from the database vendor, to have accountability.

  17. DK Montreal

    Oracle barfed out the same “MICROS Security Incident” alert last night. Verbatim, from What I can tell. Notification accident or recurrence of incident?

Comments are closed.