Advisory Overview
Cybersecurity researchers have discovered a modular backdoor known as ModPipe targeting point-of-sale (POS) systems in the hospitality sector. This malware can potentially allow unauthorized retrieval of payment information. SKOUT recommends keeping all POS systems updated and patched so that available security fixes are applied.
Technical detail and additional information
What is the threat?
A modular backdoor, ModPipe, can retrieve personally identifiable information (PII) from the Oracle Micros Restaurant Enterprises Series (RES) 3700 device, a point-of-sale system typically used within the hospitality sector. ModPipe's initial dropper installs a persistent loader, which then unpacks and loads the main module. The main module establishes a communication channel, called a pipe, with the other malicious modules and, through the networking module, with the command and control (C2) server. One of the malicious modules, GetMicInfo, decrypts database passwords using an algorithm derived by reverse engineering the software's cryptographic libraries. The recovered passwords are then used to retrieve configuration data and information about point-of-sale transactions.
Why is this noteworthy?
The RES 3700 is the most widely used restaurant management software in the United States to date. ModPipe communicates with GetMicInfo, which contains a custom algorithm designed to decrypt database passwords stored in the Windows registry. This is a far more sophisticated method of retrieving data than keylogging, which is noisy and easier to detect.
What is the exposure or risk?
With the holiday season approaching, traffic to stores, restaurants, and hotels vastly increases. The main risk is the threat actor retrieving card information to commit fraud. Currently, there is no proven method for the threat actor to retrieve card information in plain text, because that data is encrypted. However, the absence of a publicly known way to decrypt the card data does not mean the threat actors have not developed one that is not yet known to the public, so this remains a risk.
What are the recommendations?
SKOUT recommends updating and maintaining the Oracle Micros Restaurant Enterprises Series (RES) 3700 device to the latest version of the software. It is also recommended to maintain the physical hardware and ensure that it can update its operating system and firmware when updates are made available.
References:
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2020/11/new-modpipe-point-of-sale-pos-malware.html
- https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/
- https://www.zdnet.com/article/new-modpipe-malware-targets-hospitality-hotel-point-of-sale-systems/
If you have any questions, please contact our Security Operations Center.