Restaurant Point of Sale Attacks - ThreatWire
Added 2020-11-17 19:36:26 +0000 UTC
According to security researchers at ESET, a new modular backdoor is hitting point-of-sale (POS) systems used by restaurants, bars, and hotels. It can recover the POS system's database passwords, which attackers can use to try to reach sensitive payment-related data stored on those systems. ESET has dubbed the backdoor ModPipe, and it targets Oracle MICROS Restaurant Enterprise Series (RES) 3700, one of the most widely used POS systems in hospitality. As a seasoned credit card industry technician myself, I'm familiar with Oracle systems as I've set them up for restaurants, and they can run everything from inventory and labor management to billing and order acceptance.
To comply with payment card industry rules, a POS system like this must encrypt card numbers and expiration dates, so the ModPipe modules ESET has seen cannot read that data directly. ESET notes it is possible the attackers have another downloadable module that decrypts it, but has not observed one. Cardholder names, however, are stored in plain text, so attackers would be able to collect those. ModPipe's downloadable modules are built specifically for RES 3700: one of them reads the encrypted database passwords from Windows registry values and decrypts them with a custom algorithm. With those credentials an attacker can read the database contents, including configuration, status tables and transaction data, according to the ESET analysis.
This is how ModPipe works: first, the attacker drops an initial payload on the RES 3700 host, which installs a persistent loader. The loader unpacks and runs the main module, which creates the pipe the malware's components use to communicate with one another, loads a networking module that talks to the central C2 server, and installs the downloadable modules that do the actual data theft. ESET researchers believe the attackers have deep knowledge of the targeted software and are using this sophisticated method for data collection.
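ESET's write-up does not publish the registry values ModPipe reads or the algorithm it uses, so the example below does not reproduce the decryption. Instead, as an added example (not from this post, from ESET, or from Oracle), it shows a check a defender can run against the behaviour described above: a process other than the POS service reading the credential values out of the registry. Sysmon does not log registry reads, but Windows does once a SACL with "Query Value" auditing is set on the key and the Object Access / Registry audit subcategory is enabled; each read then produces Security Event ID 4663 with the key path, the reading process and an access mask. The registry path, process names and log lines below are constructed for this example and are assumptions.

```python
import json

# Hypothetical registry location of the POS database credentials. The real
# RES 3700 value names are not given in the article, so this is an assumption.
WATCHED_KEY_PREFIX = r"\REGISTRY\MACHINE\SOFTWARE\ExamplePOS\Database"

# Processes that legitimately read those values (assumed for the example;
# compared case-insensitively because Windows paths are).
ALLOWED_READERS = {r"c:\program files\examplepos\posservice.exe"}

# Bit in the 4663 access mask meaning the value was read (KEY_QUERY_VALUE).
KEY_QUERY_VALUE = 0x0001

# Constructed sample: a JSON-lines export of Security log events, as a SIEM
# forwarder might produce it. Event 2 and 3 are the reads we want to catch.
SAMPLE_EVENTS = r"""
{"EventID": 4663, "ProcessName": "C:\\Program Files\\ExamplePOS\\PosService.exe", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\ExamplePOS\\Database\\DbPassword", "AccessMask": "0x1"}
{"EventID": 4663, "ProcessName": "C:\\Windows\\Temp\\updater.exe", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\ExamplePOS\\Database\\DbPassword", "AccessMask": "0x1"}
{"EventID": 4663, "ProcessName": "C:\\Windows\\Temp\\updater.exe", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\ExamplePOS\\Database\\DbUser", "AccessMask": "0x1"}
{"EventID": 4663, "ProcessName": "C:\\Windows\\Temp\\updater.exe", "ObjectType": "File", "ObjectName": "C:\\Windows\\Temp\\x.dat", "AccessMask": "0x1"}
{"EventID": 4663, "ProcessName": "C:\\Windows\\explorer.exe", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\ExamplePOS\\Database", "AccessMask": "0x10"}
"""


def parse_events(raw_lines):
    """Parse a JSON-lines export; the access mask arrives as a hex string."""
    events = []
    for line in raw_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["AccessMask"] = int(ev["AccessMask"], 16)
        events.append(ev)
    return events


def suspicious_credential_reads(events):
    """Return 4663 reads of the watched key by processes not on the allowlist."""
    alerts = []
    prefix = WATCHED_KEY_PREFIX.lower()
    for ev in events:
        if ev["EventID"] != 4663 or ev["ObjectType"] != "Key":
            continue                      # only registry object access events
        if not ev["ObjectName"].lower().startswith(prefix):
            continue                      # some other key; not our concern here
        if not ev["AccessMask"] & KEY_QUERY_VALUE:
            continue                      # opened for notify/enumerate, value not read
        if ev["ProcessName"].lower() in ALLOWED_READERS:
            continue                      # the POS service is expected to read it
        alerts.append({"process": ev["ProcessName"], "object": ev["ObjectName"]})
    return alerts


if __name__ == "__main__":
    for alert in suspicious_credential_reads(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {alert['process']} read {alert['object']}")
```

On the host, the events only exist if auditing is switched on: `auditpol /set /subcategory:"Registry" /success:enable` turns on the subcategory, and the SACL on the key itself (set through regedit's Permissions > Advanced > Auditing, or an equivalent policy) selects which principals and which accesses are audited. The allowlist is the fragile part of this check: any rename of the legitimate service binary, or a second legitimate reader, needs to be reflected there or it will page someone for nothing.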
Unfortunately, many hospitality businesses still run outdated hardware, and many don't update it or can't afford newer products to stay ahead of attacks like this. Businesses that can are advised to update their RES 3700 installations to the newest version of the software and to run it only on devices that can take those updates. Because the attack starts with a payload dropped onto the POS host itself, keeping unrelated software and user activity off that host also cuts down the ways that first stage can land.
Links:
Watch this on youtube: https://youtu.be/iJjrM3KlTjU
Support me on alternative platforms! https://snubsie.com/support
Shop ThreatWire Merch Directly! - https://snubsie.com/shop
Shop ThreatWire Merch on Teespring! - https://teespring.com/stores/morsecode
Join now for access to extra perks and to support ThreatWire! https://www.patreon.com/threatwire
POS Malware:
https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/
https://www.oracle.com/industries/food-beverage/products/res-3700/
https://thehackernews.com/2020/11/new-modpipe-point-of-sale-pos-malware.html
https://www.zdnet.com/article/new-modpipe-malware-targets-hospitality-hotel-point-of-sale-systems/
https://www.cyberscoop.com/point-of-sale-backdoor-modpipe-eset/