
Cyber Incident Victim: Cin7

Date:

Aug 2016

Location:

United States of America

Summary

A cybercrime group believed to be Russian breached multiple point-of-sale system vendors, including Cin7, exploiting server vulnerabilities to deploy malware designed to harvest passwords and potentially gain remote access to retailers' systems. The attackers targeted support portals and web servers, with compromised entities confirming malicious code installations and backdoors, though impacts varied—some reported no evidence of data loss or production system compromise, while others acknowledged potential theft of non-sensitive information like employee contact details or public documentation. The group, associated with Carbanak and Dridex malware tools, leveraged these breaches as gateways to infiltrate downstream retail environments, raising concerns about widespread access to payment systems and credit card data across hundreds of thousands of global businesses.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

In August 2016, Cin7, a UK-based point-of-sale (PoS) system provider serving hundreds of customers across 51 countries, confirmed it was among five cash-register vendors breached by a cybercrime group suspected of Russian affiliation. The attackers compromised Cin7’s servers alongside ECRS, Navy Zebra, PAR Technology, and Uniwell—all following an earlier breach at Oracle’s MICROS division. Investigative reporting by Forbes, corroborated by Hold Security founder Alex Holden, revealed the hackers exploited vulnerabilities in the vendors’ web servers to implant malicious code designed to harvest customer passwords from databases or operating systems. This access could enable remote infiltration of retailers’ PoS systems to steal credit card data, though no confirmed data theft from Cin7 or the other vendors was established at the time of disclosure. The group’s tactics involved demonstrating control through backdoors and stolen credentials, with evidence provided to Holden by the attackers themselves. Cin7 founder Danny Ing acknowledged the malware’s removal and initiated an investigation, stating no surface-level data loss or damage was detected but emphasizing the breach’s severity. PAR Technology and Uniwell downplayed impacts, characterizing compromised servers as non-critical or containing only public documentation, while ECRS admitted potential theft of employee and client contact information. Collectively, the breached vendors supplied over 1 million PoS terminals globally, raising concerns about cascading risks to retailers.

The incident response included immediate malware eradication by Cin7, password resets for Oracle MICROS customers, and ECRS’s portal replacement. ECRS engaged law enforcement and warned customers about potential phishing using stolen contact details, while Uniwell planned to decommission its vulnerable web server. Forensic analysis by Hold Security and KrebsOnSecurity linked the attacks to actors using Carbanak malware—previously tied to the theft of 1.16 million credit cards from Staples in 2014—and Dridex banking trojan. Security researcher Peter Kruse noted Carbanak’s deployment as a secondary payload after broad Dridex infections, enabling targeted network penetration. Alex Holden observed the hackers monetizing access through English-speaking intermediaries, with Navy Zebra’s compromised server already sold prior to disclosure. Despite Oracle’s confirmation of legacy system compromises and Cin7’s ongoing investigation, none of the vendors disclosed evidence of card data exfiltration. The breaches highlighted systemic vulnerabilities in PoS supply chains, with attackers leveraging vendor systems as gateways to retail networks. Historical context indicated Carbanak’s reemergence in 2016 after a five-month hiatus, expanding beyond financial theft to corporate accounting systems.
