Cyber Incident Victim: Oracle MICROS

Date:

Aug 2016

Location:

United States of America

Summary

A cybercrime group linked to the Carbanak gang breached multiple point-of-sale (PoS) system vendors, including Oracle's MICROS unit and five additional providers. The attackers compromised servers at each vendor to steal retail customer credentials, which could in turn grant remote access to merchants' payment terminals. Initial access came through vulnerabilities in third-party web server software; the attackers then planted code to harvest passwords and establish backdoors. The confirmed extent of data theft varied by victim: some acknowledged exposure of business contact information and employee details, while others downplayed the impact and asserted that only non-sensitive material was accessed. Because the campaign targeted vendor support portals and remote access systems, the real concern was follow-on attacks against downstream retailers, and evidence suggested the hackers used Carbanak malware together with Dridex for initial infiltration and deeper network penetration. Collectively, the compromised vendors supply more than a million PoS devices worldwide, raising the prospect of cascading exposure of payment card data across the retail and hospitality sectors.

Description

In August 2016, a cybercrime group widely attributed to the Russian-linked Carbanak Gang breached at least six point-of-sale (PoS) system vendors: Oracle's MICROS division and five additional providers, Cin7, ECRS, Navy Zebra, PAR Technology, and Uniwell. The attackers first exploited vulnerabilities in the vendors' servers to implant malicious code designed to harvest customer login credentials. Those credentials matter because vendor support and remote access accounts can reach retailers' PoS systems, where payment card data is processed. While the full scope of data theft remained unconfirmed, forensic evidence indicated that the hackers established backdoors on compromised servers and exfiltrated administrative credentials. Oracle confirmed that its MICROS legacy systems were breached and mandated a password reset for all 330,000 MICROS customers. ECRS disclosed that attackers exploited a recently discovered vulnerability in the third-party Apache web server software supporting its myECRS customer portal, but stated that no malware was distributed through its software downloads. ECRS acknowledged the potential theft of contact details for employees, vendors, and clients, while emphasizing that the breached portal was segregated from the systems handling credit card data.

Between them, the six vendors serve more than 1 million PoS terminals worldwide, with Uniwell alone reporting 500,000 deployed systems. The vendors' own initial assessments of impact varied widely. Cin7 found malware designed to extract database and operating system passwords but reported no evidence of data loss or damage in its initial analysis. Navy Zebra confirmed it was investigating two server backdoors but asserted that no private data was stored on the affected server. PAR Technology characterized the breach as a "non-material event" affecting a non-production server, and Uniwell stated that only public documents were accessed but nonetheless decommissioned its vulnerable web server. Hold Security attributed the attacks to a Russian actor selling access to the compromised vendors, with evidence suggesting that Carbanak malware was deployed alongside Dridex for initial infection and targeted penetration. The breaches followed earlier Carbanak-linked incidents at Staples, Sheplers, and Bebe, which together resulted in the theft of 1.16 million credit cards. Multiple vendors notified law enforcement, and ECRS and Cin7 removed the malware and enforced password resets. The campaign highlighted a systemic risk to the retail and hospitality sectors: a supply-chain compromise of a PoS vendor's support or remote access infrastructure can expose every merchant that vendor services.
