Cyber Incident Victim: ECRS
Date: Aug 2016
Location: United States of America
Summary
A breach at ECRS compromised its myECRS customer web portal via exploitation of a vulnerability in third-party web server software, allowing attackers to deploy malicious code. While the affected system was segregated from remote merchant access and credit card processing infrastructure, potential unauthorized access to contact details—including names, email addresses, business information, and phone numbers of employees, clients, and affiliates—was acknowledged. The company removed the malware, initiated a mandatory password reset, and planned a portal update, confirming no tampering with distributed software. This incident was part of a broader campaign targeting point-of-sale providers, attributed to Russian-linked threat actors using Carbanak and Dridex malware to infiltrate vendor systems, steal credentials, and potentially pivot to retail networks for credit card data exfiltration.
Description
On or around August 11, 2016, ECRS, a U.S.-based point-of-sale (PoS) system provider serving thousands of businesses, confirmed a cybersecurity breach affecting its myECRS web portal. The portal, used by customers to access product documentation, download software, and obtain technical support, was compromised when attackers exploited a recently discovered vulnerability in the third-party web server software powering the system. Forensic evidence indicated the attackers placed malicious code on the portal, though ECRS clarified that no software distributed through the platform had been altered. The compromised system was segregated from ECRS’s remote access infrastructure for merchant PoS systems and did not store credit card processing data. However, ECRS acknowledged the possibility—though unconfirmed—that attackers exfiltrated contact information, including business addresses, telephone numbers, names, and email addresses of current and former employees, vendors, affiliates, and clients. The company advised customers to exercise caution regarding communications purporting to originate from ECRS, warning of potential social engineering attempts by the threat actors. In response, ECRS removed the malware, notified law enforcement, enforced mandatory password resets for all myECRS users, and committed to launching a patched portal version within 24 hours.

The ECRS breach was part of a coordinated campaign targeting at least five PoS providers—including Cin7, Navy Zebra, PAR Technology, and Uniwell—by a threat group assessed by cybersecurity firm Hold Security to have Russian origins. Attackers infiltrated vendors’ servers to harvest customer credentials, intending to pivot into retailers’ PoS environments housing credit card data. This methodology aligned with prior breaches at retail chains like Wendy’s and hotel groups including Hyatt and Trump properties. Forensic artifacts suggested possible Carbanak malware involvement, a tool historically linked to financially motivated Russian actors and previously deployed in the 2014 Staples breach compromising 1.16 million payment cards. Attackers demonstrated access to victim systems by providing security researchers with screenshots of backdoor credentials on Navy Zebra servers and proof of code execution on Cin7’s infrastructure. While ECRS and Cin7 confirmed data access attempts, PAR Technology and Uniwell downplayed impacts, characterizing compromised servers as non-critical or containing only public documentation. Collectively, the breached vendors supported over 1 million PoS terminals globally, raising concerns about downstream risks to merchants. The campaign highlighted emerging attacker focus on supply chain compromises as a vector for mass retail network infiltration.
