Suspected Russian hackers, who are reportedly responsible for Oracle's Micros data breach, have also hit five other POS (point-of-sale) firms: Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell. The malware found responsible for the breaches was previously thought to be used only by a Russia-based cybercrime syndicate known as the Carbanak Gang.
The companies hacked are major providers of cash register systems to scores of American businesses, so the breaches could affect hundreds of thousands of users. POS vendors are prime targets for hackers because they hold troves of data, including retailers' passwords and shoppers' credit card information. However, it is still uncertain whether the hackers were able to get their hands on any sensitive data.
According to a report by Forbes, cybersecurity firm Hold Security's founder and CISO Alex Holden said that the hackers responsible for the multiple breaches provided him with usernames and passwords to backdoors on the companies' servers as evidence.
"There is definitely a high level of interest in PoS providers as gateways into retailers. In many cases, hackers seem to be interested in support information with a goal to get into remote systems as the highest authorized user," said Holden. "This is a new wave of mass exploitation."
Russia-based hacker group Carbanak Gang aka Anunak has been linked to the Oracle breach. However, contrary to popular belief, the Carbanak Gang does not appear to be the only team of hackers who have access to the malware used to compromise POS systems. According to CSIS Security Group founder Peter Kruse, at least one other hacker group has already combined the malware with Dridex.
"We have seen [Carbanak] dropped as a second stage payload to a random Dridex infection," Kruse said. "So it appears that at least one of the groups use Dridex as an initial infector, and then use that to pinpoint infections of interest... Clever to hide in mass infections and then using more advanced and targeted malware against those of interest."
According to Holden, a Russian hacker is breaking into POS suppliers and selling access via English-speaking middlemen. Those middlemen say that server access to Navy Zebra, one of the five additional firms hit, has already been sold.
Despite the clear link to the Carbanak Gang, it is still uncertain whether the cybercrime syndicate is solely responsible for the multiple breaches.
Confirmation of the breaches
Four of the five companies targeted have confirmed that their systems were hacked, to varying degrees of severity, while the remaining firm says it is still investigating.
A spokesperson for ECRS said, "ECRS was able to confirm that an unknown entity was able to place malicious code on this web portal. Evidence indicates that the attacker exploited a very recently discovered vulnerability in the third-party web server software that powers this portal to place this code. Furthermore, the affected system was segregated from the systems that ECRS uses to facilitate remote access to merchant systems, and the affected system was not used to store sensitive information pertaining to credit card processing."
ECRS also said it was possible that the hackers stole information including business addresses, telephone numbers, names and email addresses of current and former employees, vendors and clients, though this has yet to be confirmed. The company added that password resets would soon be initiated for all of its clients using myECRS.
UK-based Cin7 founder Danny Ing said that the malware that was found running on the company's servers had been removed. "The malicious code was designed to get passwords from the database or operating system. We are currently investigating the extent of the breach and we will inform customers if required. On the surface there does not seem to be any damage or loss of data. Our team will investigate further... this is an extremely serious issue and we are now determining the appropriate response."
PAR Technology, likely the biggest of all the firms targeted, confirmed that it was investigating reports of the breach. "We're looking at it as a non-material event. We deal with this stuff all the time, people looking at getting backdoors," said Kevin Jaskolka, PARTech's vice president of marketing. "We feel very good about our security standards."
Uniwell president Steve Mori also confirmed the breach, adding that the hacked server only stored "public domain" data such as information on product manuals, brochures, etc. "Moving forward, our plan is to shut down our uniwell-americas.com web server as we believe it will remain vulnerable. We will use other secure services to facilitate our customers accessing manuals and documentation," Mori said.