August, 2016


8
Aug 16

Data Breach At Oracle’s MICROS Point-of-Sale Division

A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.

ocAsked this weekend for comment on rumors of a large data breach potentially affecting customers of its retail division, Oracle acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems.” It also said that it is asking all MICROS customers to reset their passwords for the MICROS online support portal.

MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.

The size and scope of the break-in is still being investigated, and it remains unclear when the attackers first gained access to Oracle’s systems. Sources close to the investigation say Oracle first considered the breach to be limited to a small number of computers and servers at the company’s retail division. That source said that soon after Oracle pushed new security tools to systems in the affected network investigators realized the intrusion impacted more than 700 infected systems.

KrebsOnSecurity first began investigating this incident on July 25, 2016 after receiving an email from an Oracle MICROS customer and reader who reported hearing about a potentially large breach at Oracle’s retail division.

“I do not know to what extent other than they discovered it last week,” said the reader, who agreed to be quoted here in exchange for anonymity. “Out of abundance of caution they informed us and seem to have indicated the incident was isolated to Oracle staff members and not customers like us.  In addition, this notice was to serve to customers the reason for any delays in customer support and service as they were refreshing/re-imaging employees’ computers.”

Two security experts briefed on the breach investigation and who asked to remain anonymous because they did not have permission from their employer to speak on the record said Oracle’s MICROS customer support portal was seen communicating with a server known to be used by the Carbanak Gang. Carbanak is part of a Russian cybercrime syndicate that is suspected of stealing more than $1 billion from banks, retailers and hospitality firms over the past several years.

Many well-known retail, hotel and food & beverage brands use MICROS.

Many well-known retail, hotel and food & beverage brands use MICROS.

A source briefed on the investigation says the breach likely started with a single infected system inside of Oracle’s network that was then used to compromise additional systems. Among those was a customer “ticketing portal” that Oracle uses to help MICROS customers remotely troubleshoot problems with their point-of-sale systems.

Those sources further stated that the intruders placed malicious code on the MICROS support portal, and that the malware allowed the attackers to steal MICROS customer usernames and passwords when customers logged in the support Web site.

Oracle declined to answer direct questions about the breach, saying only that Oracle’s corporate network and Oracle’s other cloud and service offerings were not impacted. The company also sought to downplay the impact of the incident, emphasizing that “payment card data is encrypted both at rest and in transit in the MICROS hosted customer environments.”

In a statement that Oracle is apparently in the process of sending to MICROS customers, Oracle said it was forcing a password reset for all support accounts on the MICROS portal. Oracle added: “We also recommend that you change the password for any account that was used by a MICROS representative to access your on-premises systems.” Continue reading →


3
Aug 16

The Reincarnation of a Bulletproof Hoster

In April 2016, security firm Trend Micro published a damning report about a Web hosting provider referred to only as a “cyber-attack facilitator in the Netherlands.” If the Trend analysis lacked any real punch that might have been because — shortly after the report was published — names were redacted so that it was no longer immediately clear who the bad hosting provider was. This post aims to shine a bit more light on the individuals apparently behind this mysterious rogue hosting firm — a company called HostSailor[dot]com.

The Trend report observes that the unnamed, Netherlands-based virtual private sever (VPS) hosting provider appears to have few legitimate customers, and that the amount of abuse emanating from it “is so staggering that this company will remain on our watchlist in the next few months.”

hstm

What exactly is the awfulness spewing from the company that Trend takes great pains not to name as HostSailor.com? For starters, according to Trend’s data (PDF) HostSailor has long been a home for attacks tied to a Russian cyber espionage campaign dubbed “Pawn Storm.” From the report:

“Pawn Storm seems to feel quite at home. They used the VPS hosting company for at least 80 attacks since May 2015. Their attacks utilized C&C servers, exploit sites, spear-phishing campaigns, free Webmail phishing sites targeting high profile users, and very specific credential phishing sites against Government agencies of countries like Bulgaria, Greece, Malaysia, Montenegro, Poland, Qatar, Romania, Saudi Arabia, Turkey, Ukraine, and United Arab Emirates. Pawn Storm also uses the VPS provider in the Netherlands for domestic espionage in Russia regularly.”

“Apart from Pawn Storm, a less sophisticated group of threat actors called DustySky (PDF link added) is using the VPS provider. These actors target Israel, companies who do business in Israel, Egypt and some other Middle Eastern governments.”

WHO IS HOSTSAILOR?

Trend’s report on HostSailor points to a LinkedIn profile for an Alexander Freeman at HostSailor who lists his location as Dubai. HostSailor’s Web site says the company has servers in The Netherlands and in Romania, and that it is based in Dubai. The company first came online in early 2013.

Ron Guilmette, an anti-spam researcher who tipped me off to the Trend report and whose research has been featured several times on this blog, reached out to Freeman via email. Guilmette later posted at the Ripe.net mailing list the vitriolic and threatening response he said he received in reply.

A snippet from the response that Guilmette said he received from a HostSailor employee named Alexander Freeman.

A snippet from the response that Guilmette said he received from a HostSailor employee named Alexander Freeman.

Perhaps Mr. Freeman’s ire was previously leveled at Trend Micro, which could explain their redaction of the name “HostSailor” from its report. A spokesperson for Trend Micro declined to explain why the company redacted its own report post-publication, saying only that “at the time of publication, we were following our standard disclosure protocol.”

In any case, I began to suspect that “Alexander Freeman” was just a pseudonym (Trend noted this suspicion in its report as well). In combing through the historic WHOIS registration records for the domain hostsailor.com, I noticed that the domain name changed hands sometime in late 2012. Sure enough, a simple Google search popped up this thread at Webhostingtalk.com back in Dec. 2012, which was started by a Jordan Peterson who says he’s looking to sell hostsailor.com.

Contacted by KrebsOnSecurity, Mr. Peterson said the person who responded about purchasing the domain was named Ali Al-Attiyah, and that this individual used the following email addresses:

ali.alattiyah@yahoo.com
ali.alattiyah@mail.com
hostsailor@hush.com

“I remember Ali telling me he didn’t have a paypal so a friend sent me the money for the domain, I looked up the paypal info for you and [Ali’s friend’s] name is Khalid Cook, masrawyz@yahoo.com,” Peterson told me. “The legal information for the domain transfer was given as:

152-160 City Road
London ec1v 2nx
UK”

That street address corresponds to a business named “yourvirtualofficelondon.co.uk,” which offers call answering services for companies that wish to list a prestigious London address without actually having a physical presence there.

Ali Al-Attiyah is listed as the official registrant of hostsailor.com and several other very similar domains. More interesting, however, is that email address given for Mr. Khalid Cook: masrawyz@yahoo.com. According to a “reverse WHOIS” search ordered from DomainTools.com, that Yahoo email address was used in the original registration records for exactly one domain: santrex.net.

Santrex (better known on Webhostingtalk.com as “Scamtrex“) was an extremely dodgy “bulletproof hosting” company — essentially a mini-ISP that specializes in offering services that are largely immune from takedown requests and pressure from Western law enforcement agencies. At the time, Google’s Safebrowsing database warned that almost 90 percent of the sites on Santrex’s network were attempting to foist malicious software on visitors or were hosting malware used in online attacks.

Santrex was forced out of business in early 2013, after the company’s core servers were massively hacked and the PayPal and credit card accounts it used to accept payments from customers were reportedly seized by unknown parties. In its final days as a hosting provider, Santrex’s main voice on Webhostingtalk.com — a user named “khalouda” — posted many rants that eerily echo the invective leveled at Guilmette by HostSailor’s Mr. Freeman.

Google’s take on the world’s most densely malicious networks over the past 12 months.

Google’s take on the world’s most densely malicious networks over the past 12 months.

WHO IS KHALID COOK?

Continue reading →


1
Aug 16

Social Security Administration Now Requires Two-Factor Authentication

The U.S. Social Security Administration announced last week that it will now require a cell phone number from all Americans who wish to manage their retirement benefits at ssa.gov. Unfortunately, the new security measure does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven’t yet created accounts for themselves.

ssasiteThe SSA said all new and existing ‘my Social Security’ account holders will need to provide a cell phone number. The agency said it will use the mobile numbers to send users an 8-digit code via text message that needs to be entered along with a username and password to log in to the site.

The SSA noted it was making the change to comply with an executive order for federal agencies to provide more secure authentication for their online services.

“People will not be able to access their personal my Social Security account if they do not have a cell phone or do not wish to provide the cell phone number,” the agency said. “The purpose of providing your cell phone number is that, each time you log in to your account with your username and password, we will send you a one-time security code you must also enter to log in successfully to your account. We expect to provide additional options in the future, dependent upon requirements of national guidelines currently being revised.”

Although the SSA’s policy change provides additional proof that the person signing in is the same individual who established multi-factor authentication in the the first place, it does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are.

The SSA does offer other “extra security” options, such as the sending users a special code via the U.S. Mail that has to be entered on the agency’s site to complete the signup process. If you choose to enable extra security, the SSA will then ask you for:

  • The last eight digits of your Visa, MasterCard, or Discover credit card;
  • Information from your W2 tax form;
  • Information from a 1040 Schedule SE (self-employment) tax form; or
  • Your direct deposit amount, if you receive Social Security benefits.

Sadly, it is still relatively easy for thieves to create an account in the name of Americans who have not already created one for themselves. All one would need is the target’s name, date of birth, Social Security number, residential address, and phone number. This personal data can be bought for roughly $3-$4 from a variety of cybercrime shops online.

After that, the SSA relays four multiple-guess, so-called “knowledge-based authentication” or KBA questions from credit bureau Equifax. In practice, many of these KBA questions — such as previous address, loan amounts and dates — can be successfully enumerated with random guessing.  What’s more, very often the answers to these questions can be found by consulting free online services, such as Zillow and Facebook.

In September 2013, I warned that SSA and financial institutions were tracking a rise in cases wherein identity thieves register an account at the SSA’s portal using a retiree’s personal information and have the victim’s benefits diverted to prepaid debit cards that the crooks control. Unfortunately, because the SSA’s new security features are optional, they do little to block crooks from hijacking SSA benefit payments from retirees. Continue reading →