Cybercriminals have found a new security flaw that they can exploit to install POS malware on Oracle Micros point-of-sale systems. Oracle has already issued updates for this problem. However, it will take months for the patch to reach the affected POS systems. For the time being, systems that have not been updated are vulnerable. In total, their number is estimated at more than 300,000. This situation could easily be avoided, according to information security experts from the International Institute of Cyber Security.
Important system for the business
The reason is that POS systems are business-critical, and system administrators rarely schedule maintenance and updates, for fear that an unstable patch may cause more downtime and financial losses to their companies.
The flaw is not something that should be ignored. According to Dmitry Chastuhin, the ERPScan security researcher who discovered the problem (known as CVE-2018-2636), the vulnerability allows an attacker to collect configuration files from Micros POS systems. The collected data can be used to grant attackers full and legitimate access to the POS system and the attached services (database, server).
In the most common situation, an attacker will most likely install POS malware to collect payment card details. But an attacker could also install other types of malware for corporate espionage and proxy endpoints for future attacks.
The vulnerability can be exploited remotely
This vulnerability can be exploited remotely through carefully crafted HTTP requests. A Shodan search shows that around 170 careless operators have misconfigured their POS systems, which are now available online and can be exploited if they have not been updated with Oracle's patches.
Oracle indicates that more than 300,000 companies have chosen to implement Micros POS systems to handle credit or debit card payments. This means that most systems are not exploitable through the Internet.
But these systems are also vulnerable. Attackers can compromise other systems in the web store and use them as relay points for the attack code.
In addition, an attacker can always visit the store, identify an open network port, distract store personnel and infect the POS system by connecting a small Raspberry Pi board that executes the malicious exploit code.
Oracle releases the patches
The patches for this vulnerability were made available in Oracle's Critical Patch Update (CPU) in January 2018. Currently, Oracle is the third largest provider of POS software in the market. The company suffered a security breach of its Micros network in 2016.
Information security is important in every case. Security companies like WebImprints can help with cases like this, since it is not enough to use security tools and programs. The ideal is to keep programs updated to the latest version, with a little help from information security experts. Thus we can hypothetically face more recent threats.
The Oracle case described here is one of many information security problems that can be resolved by installing updates.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.