Oracle MICROS hack: Five more companies have been compromised

Hackers cracked retail system vendors' servers in a bid to steal cash from their customers

The same hackers that attacked Oracle's MICROS retail systems unit, and were even able to inject "malicious code" into some of the company's software, have also compromised the security of at least five other retail system companies.

ECRS, PAR Technology, Uniwell and UK company Cin7 - accounting for more than one million point-of-sale systems worldwide - have all admitted being hit in similar attacks. NavyZebra, the fifth named target, has not publicly commented on the claims.

The compromises may open up the companies to compensation claims from customers, which include US presidential candidate Donald Trump's hotel chain on more than one occasion, as a result of losses suffered and hits taken to their reputations.

The claims were made by Alex Holden, founder of Hold Security, who passed on the details to Forbes magazine. The magazine has verified the claims with four of the five companies.

UK-based Cin7 claims customers in 51 countries, and founder Danny Ing admitted that "malicious code" designed to snaffle user names and passwords had been found, and has now been removed. "On the surface there does not seem to be any damage or loss of data. Our team will investigate further... this is an extremely serious issue and we are now determining the appropriate response," he told Forbes.

Publicly listed PAR Technology is the largest of the companies cracked, but claimed that it was a "non material event" because the hacked server didn't hold any production data. Its customers include the Five Guys restaurant chain, which is expanding in the UK. Uniwell, likewise, claimed that the hacked server only contained "public domain" information and president Steve Mori asserted that nothing confidential had been stolen.

ECRS admitted a breach of its myECRS portal, which customers use to access product documentation, download software and get technical support. "ECRS was able to confirm that an unknown entity was able to place malicious code on this web portal. Evidence indicates that the attacker exploited a very recently discovered vulnerability in the third-party web server software that powers this portal to place this code," the company admitted.

NavyZebra, meanwhile, only confirmed that it was looking into the claims.

In total, more than one million PoS terminals around the world could be at risk, should the attacks prove to have been deeper than the companies are currently publicly admitting.

However, while the affected companies have asserted that "only" support systems appear to have been targeted, Holden suggested that this was just one part of their attack route into retailers. "There is definitely a high level of interest in PoS providers as gateways into retailers. In many cases, hackers seem to be interested in support information with a goal to get into remote systems as the highest authorised user," Holden told Forbes.

He went on to suggest that one hacker or group of hackers was responsible for the initial attacks and compromises, before selling access to the servers to others.

The Carbanak gang is believed to be behind all the attacks. It is named after the sophisticated malware identified and associated with the group, which is believed to be Russian, and no doubt protected to a certain degree by Russian officialdom. One of their tactics, though, is to deploy widely used tools, such as the Dridex malware, to achieve an initial infection, before deploying their own proprietary tools in order to dig deeper when they crack a system of interest.

And cyber crime clearly does pay: the gang is estimated to have made more than $1bn from its various attacks on banks and retailers around the world.

Have you used your credit or debit card in any retail chains that use Cin7, MICROS, ECRS, ParTech, NavyZebra or Uniwell PoS systems and been the subject of card fraud? Contact the author with your story.