Oracle attackers 'possibly got unlimited control over credit cards' on US retail systems, warns ERPScan
Almost every credit and debit card in the US potentially compromised, warns ERPScan CTO Alexander Polyakov
Alexander Polyakov, co-founder and chief technology officer of specialist security company ERPScan, which focuses on enterprise resource planning software, has described the recently exposed hack of software giant Oracle's internal systems as "a phenomenal targeted attack" that could potentially be even more damaging than the 2014 hack of US retail chain Target.
That attack had cost Target an estimated $200m. But the attack on Oracle, believed to have been perpetrated by Russia's notorious Carbanak cyber crime gang, may end up costing Oracle much more if "malicious code" that the company admits was found running on "legacy" MICROS retail systems was exploited by the attackers.
It's not clear exactly what Oracle means by "legacy systems" in this context, and Polyakov notes that it was only last month that the software giant released some notable patches for its MICROS systems.
However, because US credit and debit cards are poorly secured, it is possible that the attack on Oracle gave the attackers widespread access to credit card details. Furthermore, as MICROS is one of the market-leading retail systems vendors, potentially almost every credit and debit card in the US could have been compromised.
"Taking into account that most point-of-sale terminals in the US still accept cards without a chip, the attackers possibly got unlimited control over credit cards," Polyakov told Computing.
He continued: "The most interesting feature is that the group attacked the vendor itself (Oracle) and with the gained access to the MICROS support portal they were able to infect all devices, for example, via vulnerabilities in these devices, thereby breaching into thousands of retail networks.
"We cannot say exactly what the vulnerability was that was exploited by the hackers, but it is worth mentioning that in July 2016 the vendor released two patches for vulnerabilities in MICROS and several in other Oracle retail applications."
In April, Oracle fixed a number of other vulnerabilities found in MICROS POS (CVE-2016-0684, CVE-2016-3429, CVE-2016-0469). It's not clear whether this patching was required due to the insertion of malicious code into MICROS systems software.
"The question of how many vulnerabilities in MICROS POS are undiscovered remains open. However, the fact that MICROS Systems was purchased by Oracle just recently can also affect the code quality of this product," said Polyakov.
He added that the number of attacks using vulnerabilities in industry-specific solutions is also growing. "It relates not only to the retail industry, but also to oil and gas, manufacturing, and many others. Unfortunately, most incidents of this kind do not immediately become publicly known, as the attack vectors are very specific," Polyakov told Computing.