Restaurants, bars and hotels are taking a big hit from the coronavirus pandemic, but they still can be inviting targets for cybercriminals.
A point-of-sale system widely used in the hospitality industry to process credit card payments and other transactions — Oracle MICROS Restaurant Enterprise Series (RES) 3700 — is vulnerable to a backdoor that allows attackers to see some of the information in the system’s databases, according to researchers at Slovakia-based cybersecurity company ESET.
The researchers stress that highly sensitive pieces of information, such as credit card numbers and expiration dates, do not appear to be vulnerable to the malware, which they’re calling ModPipe. The malicious software, for now, harvests only “data stored in the clear,” ESET says, including cardholder names. But ModPipe potentially could be the conduit for more harmful malware, given that it is modular — meaning that it’s designed for attackers to swap features in and out.
“What makes the backdoor distinctive are its downloadable modules and their capabilities. One of them – named GetMicInfo – contains an algorithm designed to gather database passwords by decrypting them from Windows registry values,” ESET says. “This shows that the backdoor’s authors have deep knowledge of the targeted software and opted for this sophisticated method instead of collecting the data via a simpler yet ‘louder’ approach, such as keylogging.”
A lot of things are unclear about ModPipe, ESET says. It’s not known how the malware was distributed, or what the actual “business model” for it is, given that it can’t harvest the most valuable data from the Oracle system. The majority of the victims found by ESET were in the United States.
Even if the attackers aren’t harvesting credit card numbers yet, the findings serve as a reminder that point-of-sale systems offer several layers of information to crooks and spies, including data about people’s habits, tastes and whereabouts.
ModPipe has a dropper and a loader for getting the malware onto the systems, ESET says, as well as a main module for handling key tasks and a networking module for communicating with command-and-control servers. The downloadable modules offer the ability to “steal database passwords and configuration information, scan specific IP addresses or acquire a list of the running processes and their loaded modules,” the researchers say.
Even amid a shaky economy for restaurants, bars, hotels and similar businesses, the hospitality industry remains a broad target for crooks, given the wide discrepancies in security from organization to organization, and the amount of money still flowing through the industry.
Recent U.S. incidents include claims from cybercriminals that they pilfered 3 million card numbers from a barbecue chain, as well as a major hotel chain reporting that data on millions of guests had been stolen.
Oracle did not respond to requests for comment Thursday.