Security News

One such group is FIN8, a financially motivated threat actor that's back in action after a year-and-a-half hiatus with a powerful version of a backdoor with upgraded capabilities including screen capturing, proxy tunneling, credential theft, and fileless execution. First documented in 2016 by FireEye, FIN8 is known for its attacks against the retail, hospitality, and entertainment industries while making use of a wide array of techniques such as spear-phishing and malicious tools like PUNCHTRACK and BADHATCH to steal payment card data from point-of-sale systems.

Researchers are detailing widespread security issues in point-of-sale terminals - specifically, three terminal device families manufactured by vendors Verifone and Ingenico. The issues, which have been disclosed to the vendors and since patched, open several popular PoS terminals used by retailers worldwide to a variety of cyberattacks.

ESET researchers have discovered ModPipe, a modular backdoor that gives its operators access to sensitive information stored in devices running ORACLE MICROS Restaurant Enterprise Series 3700 POS - a management software suite used by hundreds of thousands of bars, restaurants, hotels and other hospitality establishments worldwide. What makes the backdoor distinctive are its downloadable modules and their capabilities, as it contains a custom algorithm designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values.

The backdoor - dubbed "ModPipe" - impacts Oracle MICROS Restaurant Enterprise Series 3700 POS systems, a widely used software suite in restaurants and hospitality establishments to efficiently handle POS, inventory, and labor management. A majority of the identified targets are primarily located in the US. "What makes the backdoor distinctive are its downloadable modules and their capabilities, as it contains a custom algorithm designed to gather RES 3700 POS database passwords by decrypting them from Windows registry values," ESET researchers said in an analysis.

A North American merchant's point-of-sale terminals were infected with a mix of POS malware earlier this year, Visa reports. In May and June 2020, the company analyzed malware variants used in independent attacks on two North American merchants, one of which employed a TinyPOS variant, while the other involved a mix of malware families such as MMon, PwnPOS, and RtPOS. As part of the first attack, phishing emails were sent to a North American hospitality merchant's employees to compromise user accounts, including an administrator account, and legitimate administrative tools were used to access the cardholder data environment within the network.

Driver vulnerabilities can facilitate attacks on ATMs, point-of-sale systems and other devices, firmware security company Eclypsium warned on Monday. The firm now warns that the Windows drivers used in ATMs and PoS devices can be highly useful to threat actors targeting these types of systems.

The threat actor behind the Sodinokibi ransomware was observed scanning the victim networks for credit card or point of sale software. An off-the-shelf tool, Cobalt Strike is employed by a broad range of threat actors, including multiple ransomware gangs.

Cybercriminals behind recent Sodinokibi ransomware attacks are now upping their ante and scanning their victims' networks for credit card or point of sale software. It's not yet clear whether the attackers are targeting this PoS software to encrypt it as part of the ransomware attack, or because they want to scrape the credit card information on the systems as a way to make even more money in addition to the ransomware attack.

A point-of-sale system vendor that serves U.S. medical and recreational cannabis dispensaries left an unprotected database containing sensitive information about three clients and 30,000 of their customers exposed to the internet, researchers say. "Our team identified an unsecured Amazon S3 bucket owned by THSuite that exposed sensitive data from multiple marijuana dispensaries around the U.S. and their customers," the research report states.

Landry's, a popular restaurant chain in the United States, has announced a malware attack on its point of sale systems that allowed cybercriminals to steal customers' payment card information. According to the breach notification published this week, the malware was designed to search for and likely steal sensitive customer credit card data, including credit card numbers, expiration dates, verification codes and, in some cases, cardholder names.