Oracle MICROS Hackers Infiltrate Five More Cash Register Companies


Hackers have breached at least five cash-register providers that supply hundreds of thousands of businesses in the United States, FORBES has been told. After investigative reporter Brian Krebs reported a compromise of Oracle's MICROS unit earlier this week, it now appears the same allegedly Russian cybercrime gang has hit five others in the last month: Cin7, ECRS, Navy Zebra, PAR Technology and Uniwell. Together, they supply as many as, if not more than, 1 million point-of-sale systems globally.

The hackers' normal modus operandi was simple: first find weaknesses in point-of-sale (PoS) system vendors' servers and hack them. (PoS systems, whether cash registers or otherwise, store and process customers' credit card data). From there, they attempted to steal passwords of retail customers either during or after they logged in. They could then try to gain remote access into the retailers' PoS computer, which would likely hold troves of shoppers' credit-card information.

So far, however, it's unclear what, if any, sensitive data was pilfered from the vendors. Nevertheless, that one group has managed to infiltrate a string of PoS providers in recent months may help explain a spate of attacks on retail and hotel chains. In the last year, significant breaches have hit Donald Trump's hotel group, Hyatt, Kimpton and 1,000 Wendy's restaurants, amongst others.

'Wave of mass exploitation'

The revelations of the latest breaches came from Alex Holden, CISO and founder of Hold Security, a cybercrime monitoring firm. Holden passed FORBES information he'd acquired from the hackers behind the breaches, who'd claimed control over servers belonging to the PoS vendors, including the Oracle property. In some cases, the hacker showed off usernames and passwords to backdoors on the servers as evidence.

When FORBES contacted the five victims, four confirmed they'd been hacked to differing degrees of severity. One said it was investigating. Oracle confirmed its breach earlier this week, claiming legacy systems were affected and telling all MICROS customers to change their passwords.

A spokesperson from ECRS, which claims thousands of customers across the U.S., confirmed a data breach occurred within myECRS, used by customers to review product documentation, download software and get technical support. "ECRS was able to confirm that an unknown entity was able to place malicious code on this web portal. Evidence indicates that the attacker exploited a very recently discovered vulnerability in the third-party web server software that powers this portal to place this code," a spokesperson said. FORBES believes the affected site ran on an Apache web server, though there's no indication what vulnerability was exploited.

The company said no software distributed from the portal had been modified by the attacker; the hackers could have caused havoc if they'd managed to spread malware further inside tainted downloads. "Furthermore, the affected system was segregated from the systems that ECRS uses to facilitate remote access to merchant systems, and the affected system was not used to store sensitive information pertaining to credit card processing," the spokesperson added.

They admitted it was possible, though not confirmed, that contact information, including business addresses, telephone numbers, names and email addresses of current and former employees, vendors, affiliates and clients of ECRS, was stolen by the attacker. Customers were advised to be cautious if contacted by people claiming to come from ECRS, as it may be the hackers hoping to scam merchants or trick them into handing over more information.

The company said it has contacted law enforcement, has removed the malware and will be releasing a new version of the portal tomorrow. It will be enforcing a password change for all merchants using myECRS.

Cin7, a young UK-based supplier that claims to have hundreds of paying customers in 51 countries including the US, confirmed malicious code was running on one of its servers. Company founder Danny Ing said the malware had now been removed.

"The malicious code was designed to get passwords from the database or operating system. We are currently investigating the extent of the breach and we will inform customers if required," Ing told FORBES.

"On the surface there does not seem to be any damage or loss of data. Our team will investigate further... this is an extremely serious issue and we are now determining the appropriate response."

Navy Zebra, a subsidiary of Bankcard Services, confirmed it was looking into the claims, but has yet to provide a formal response on its findings. A spokesperson said the company didn't store any "private data". It supplies to 26,000 businesses in the U.S. The hacker had provided evidence of two separate backdoors on Navy Zebra servers.

PAR Technology Corporation, probably the biggest of those targeted and a publicly listed company, said the hacked server was non-material and didn't include any production data. "We’re looking at it as a non-material event. We deal with this stuff all the time, people looking at getting backdoors," said Kevin Jaskolka, PARTech's vice president of marketing. "We feel very good about our security standards."

PARTech created the industry’s first standalone PoS terminal for McDonald’s in 1978. Recently-announced customers include Lenny's Subs, restaurant chain Five Guys and Ireland's biggest pub organization, The Louis Fitzgerald Group. In July, it announced $52.7 million in revenue for the second quarter of fiscal 2016.

Uniwell president Steve Mori said the hacked server only contained "public domain" information, such as product manuals, installation documents and brochures. Nothing confidential was stolen, he said, but he noted login credentials had to be changed. "Moving forward, our plan is to shut down our uniwell-americas.com web server as we believe it will remain vulnerable. We will use other secure services to facilitate our customers accessing manuals and documentation," Mori added.

Uniwell claims to have more than 500,000 point-of-sale terminals in use worldwide. The other firms have not revealed how many point-of-sale systems they have deployed. As MICROS served 330,000 different businesses, it's likely the breached companies supply well over 1 million computerized cash registers in total. There is, therefore, understandable concern over the hackers' widespread access, possibly deep into America's retail industry.

"There is definitely a high level of interest in PoS providers as gateways into retailers. In many cases, hackers seem to be interested in support information with a goal to get into remote systems as the highest authorized user," said Holden.

"This is a new wave of mass exploitation."

Who is behind the hacks?

According to Krebs, sources indicated the Carbanak gang, also known as Anunak, was linked to the Oracle breach, as the hackers had used a server operated by the crew. To be clear, though, Carbanak is the name given by security researchers to a collection of malware, one originally thought to be operated by a single group, widely believed to be Russian and responsible for as much as $1 billion in theft.

But the Carbanak malware, FORBES understands, is used by more than one cybercrime gang. According to Peter Kruse, founder of the CSIS Security Group, at least one hacker crew has combined Carbanak with another infamous malware, Dridex. The latter would be used across targets, with the Carbanak tools used for deeper penetration of targets of interest, he told FORBES.

"We have seen [Carbanak] dropped as a second stage payload to a random Dridex infection," Kruse said. "So it appears that at least one of the groups use Dridex as an initial infector, and then use that to pinpoint infections of interest... Clever to hide in mass infections and then using more advanced and targeted malware against those of interest."

Holden believes a Russian hacker is breaking into retail suppliers before selling the access on, in recent cases through English-speaking individuals. In the case of Navy Zebra, the English-speaking hacker claimed to have already sold access to the company's server. According to Holden, the same hackers have been operating botnets and selling credit card dumps in recent years. It was only recently they started targeting PoS providers. He is unsure if they are all part of the Carbanak gang.

FORBES was previously told hackers using Carbanak tools were responsible for a 2014 hack of office supplier Staples, nabbing data on 1.16 million credit cards. Retailers Sheplers and Bebe were also said to have been hit.

For five months of last year, Carbanak disappeared, only to return in earnest this year. The group had started targeting a wider range of organizations, including businesses' budgeting and accounting departments, according to a Kaspersky Lab analysis. In one particularly outlandish hack, the gang changed the name on one victim company's ownership records, so that a money mule became a firm's executive.

Whoever is using Carbanak now is causing a significant amount of damage to US retail companies. And they're likely pilfering a large number of Americans' credit card data to boot.
