A new kind of modular backdoor targeting point-of-sale (POS) restaurant management software from Oracle to steal sensitive payment information stored in the devices were discovered by security researchers.
The backdoor which has been named “ModPipe” affects Oracle MICROS Restaurant Enterprise Series (RES) 3700 POS systems. They are largely used software suite restaurants, and hospitality establishments to handle POS, inventory, and labor management, deployed in restaurant and hospitality sectors primarily in the US.
The backdoors have downloadable modules and it contains a custom algorithm designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values.
The ESET researchers said that the exfiltrated credentials allow ModPipe’s operators to access the database contents, including various definitions and configuration, status tables and information about POS transactions.
Details such as credit card numbers and expiration dates are protected behind encryption barriers in RES 3700, thereby limiting the amount of valuable information feasible for further misuse. But the researchers presume that the threat actors might have a second downloadable module to decrypt the contents of the database.
The ModPipe infrastructure consists of an initial dropper which is used to install a persistent loader, which then unpacks and loads the next-stage payload — the main malware module that is used to establish communications with other “downloadable” modules and the command-and-control (C2) server via a standalone networking module.
The main among the downloadable modules include “GetMicInfo,” which is a component that can intercept and decrypt database passwords using a special algorithm, which could have been implemented either by reverse-engineering the cryptographic libraries or by making use of the encryption implementation specifics obtained after the data breach at Oracle’s MICROS POS division in 2016.
A second module called “ModScan 2.20” collects additional information about the installed POS system (e.g., version, database server data), while another module called “Proclist” collects details about currently running processes.
According to the researchers, ModPipe’s architecture, modules and their capabilities indicate that the creators have vast knowledge of the targeted RES 3700 POS software. They might be skilled from multiple scenarios such as stealing and reverse engineering the proprietary software product, misusing its leaked parts or buying code from an underground market.
All the businesses in the hospitality sector that uses the RES 3700 POS are recommended to update to the latest version of the software and also to use devices that run updated versions of the underlying operating system.
Image Credits : Motley Fool