Oracle is alerting customers it found malicious code in some of its MICROS point-of-sale systems and is requiring they change account passwords. The security measures come on the heels of reports the world’s No. 3 PoS service succumbed to a security breach perpetrated by the Carbanak gang.

The breach involves malware placed on a MICROS support portal that gave attackers the ability to capture MICROS customer user names and passwords as they logged in. Krebs on Security on Monday broke the news of the breach.

Oracle bought MICROS in 2014, and at the time said the technology was running on 330,000 customer sites in 180 countries. MICROS point-of-sale systems are sold to the hospitality and entertainment industry with customers including stadiums, theme parks and casinos. It also markets a point-of-sale tablet and docking station to customers for mobile point-of-sale devices.

Oracle declined to comment to Threatpost, however shared a brief letter sent to customers addressing the vulnerability.

“Oracle Security has detected and addressed malicious code in certain legacy MICROS systems. Oracle’s Corporate network and Oracle’s other cloud and service offerings were not impacted by this code. Payment card data is encrypted both at rest and in transit in the MICROS hosted environment… Consistent with standard security remediation protocols, Oracle is requiring MICROS customers to change the passwords for all MICROS accounts.”

As of Monday, the scope of the attack is still being investigated, but it’s believed that as many as 700 systems could be impacted, according to Krebs on Security, which cited two security experts familiar with the breach who say the malware infecting the PoS systems is communicating with servers known to be used by the Russia-based Carbanak gang.

Carbanak has been behind more than 100 breaches at banks in 30 countries, totaling an estimated $1 billion in losses, said researchers at Kaspersky Lab who uncovered the gang’s activities and disclosed them during the 2015 Security Analyst Summit.

Brian Krebs of Krebs on Security said he was alerted to the breach in late July. Little is known about how the Carbanak Gang was able to get its malware loaded onto the point-of-sale devices in the first place. Krebs’ sources believe the attacks started with a single system infection which was used to leapfrog to infecting other MICROS systems. Malicious code eventually made its way to the MICROS support website where it was then able to steal usernames and passwords when customers logged on to use the website.

There is speculation that the point of infection could also be located at the Oracle system level and could be the culprit behind dozens of PoS system attacks, including Wendy’s fast food restaurant chain.

Categories: Malware, Vulnerabilities, Web Security