MICROS, an Oracle-owned division that's one of the world's top three point-of-sale services, has suffered a security breach. The attack possibly comes at the hands of a Russian crime gang that siphoned out more than $1 billion (~£770 million) from banks and retailers in past hacks, security news site KrebsOnSecurity reported Monday.

Oracle representatives have told reporter Brian Krebs that company engineers "detected and addressed malicious code in certain legacy MICROS systems" and that the service has asked all customers to reset their passwords for the MICROS online support site. Anonymous people have told Krebs that Oracle engineers initially thought the breach was limited to a small number of computers in the company's retail division. The engineers later realized the infection affected more than 700 systems.

Krebs went on to report that two security experts briefed on the breach investigation said the MICROS support portal was seen communicating with a server that's known to be used by the Carbanak Gang. Over the past few years, Carbanak members are suspected of funneling more than $1 billion out of banks, retailers, and hospitality firms the group hacked into.

According to Krebs' sources, the attack started with a single infected system that was then used to compromise others. From there, "intruders placed malicious code on the MICROS support portal, and that malware allowed the attackers to steal MICROS customer usernames and passwords when customers logged in to the support website."

Oracle declined to answer Krebs' direct questions about the breach and merely told the reporter the corporate network and cloud/other service offerings remained OK. The company also stated that its customer payment card data is "encrypted both at rest and in transit in the MICROS hosted customer environments.” Krebs reports a mandatory password reset is happening for support accounts on the MICROS portal and an e-mail to customers is in progress.

According to Krebs' analysis of the situation, the Carbanak Gang likely chose its target within Oracle quite carefully.

This breach could be little more than a nasty malware outbreak at Oracle. However, the Carbanak Gang’s apparent involvement makes it unlikely the attackers somehow failed to grasp the enormity of access and power that control over the MICROS support portal would grant them. Indeed, Oracle’s own statement seems to suggest the company is concerned that compromised credentials for customer accounts at the MICROS support portal could be used to remotely administer—and, more importantly, to upload card-stealing malware to—some customer point-of-sale systems. The term “on-premise” refers to POS devices that are physically connected to cash registers at MICROS customer stores.

Over the past few years, a rash of breaches has hit point-of-sale systems operated by dozens of retailers, hotels, and other types of merchants. Target and Home Depot are two of the best-known names to be hit. Attackers use malware installed on cash registers to remotely capture payment card data when customers make purchases. The thieves then sell the data so it can be used to create fraudulent payment cards.

Listing image by Kanesue