Think about it: you’re a bank—one who also happens to be a MICROS customer—and you need some help with a merchant terminal that just so happens to be running MICROS software. You go to their site for support and, voila. Malware!!
First Published 10th August 2016
PoS is an acronym for more than just Point of Sale.
4 min read | Reflare Research Team
In a letter sent this week, Oracle has informed its customers of a security breach concerning the MICROS Point of Sale system. In this briefing, we will cover the details of the breach as far as they are available and then investigate why widely deployed critical infrastructure is virtually impossible to protect.
According to information published by Oracle and reports from security researcher Brian Krebs, MICROS Point of Sale terminals have been systematically infected with malware. The attack was allegedly performed by Russian attackers albeit proof has not yet been made available.
According to the information available, an unrelated Oracle system was compromised first, allowing the attackers to then place malicious code on a support portal used by MICROS customers. This code in turn allowed the attackers to gather user credentials for further attacks. Whether these MICROS user credentials have been abused is still unclear, but the damage potential of this breach is very large.
In addition, Point of Sale systems are commonly operated by customer organizations. Therefore the level of security varies greatly between different deployments. While some customers take security very seriously and have their own teams for monitoring and incident response, others believe that all such tasks should be handled by the system vendors like Oracle.
Unfortunately, securing any system that is ultimately controlled by a customer remotely is impossible. If, for example, customers choose to write critical passwords on a piece of paper and hang them on an office wall, nothing can be done remotely to address the breach.
This attack once again highlights a common trend: Soft targets are being exploited to damage hard targets.
While a Point of Sale terminal or the servers handling the payment itself are without doubt critical infrastructure and protected accordingly, support sites are often managed by different teams and operated under lower security standards. This makes sense, as security and usability usually have to be considered a tradeoff.
However, since users tend to see the support function as part of a complete system, and since credentials are often re-used, this seemingly sensible distinction can often be treacherous as the current case exemplifies. Attackers with control of the support system could use it to infect customers' local networks with malware or re-use passwords in attempts to access the actual payment information.
Furthermore, control of any infrastructure controlled by Oracle opens customers up to extremely sophisticated phishing attacks.
This breach once again illustrates the same base principles of security that we have investigated in connection with the DNC hacks:
1) Any security system is only as strong as its weakest link
2) Soft targets can often be leveraged to directly attack or otherwise cause damage to hardened targets.
Organizations are advised to take these effects into account when designing their critical infrastructure. System security can not be left to vendors alone and soft targets are usually the way attackers breach a hardened organization.