US payments company NCR Corporation https://www.ncr.com confirmed on 15 April 2023 that a data center outage resulted from a ransomware attack. A well-known ransomware group has taken credit for the attack. NCR first reported investigating an “issue” related to its Aloha restaurant Point-of-Sale (PoS) product on 12 April 2023. The company said a limited number of ancillary Aloha applications for a subset of its hospitality customers had been impacted by an outage at a single data center. “On 13 April 2023, we confirmed that the outage resulted from a ransomware incident. Immediately upon discovering this development, we contacted customers, engaged third-party cybersecurity experts, and launched an investigation. Law enforcement has also been notified,” an NCR representative said.
The company has been working to restore affected services but said that impacted restaurants should still be able to serve customers, with only specific functionality being impacted. Cybersecurity researcher Dominic Alvieri noticed on 15 April 2023 that the ransomware group BlackCat, Alphv, and Noberus took credit for the attack on its Tor-based leak website. Still, the post was quickly removed by the hackers.
See: https://redskyalliance.org/xindustry/blackcat-in-luxembourg
In the now-removed post, the cybercriminals said they were contacted by NCR representatives who wanted to determine what type of data had been stolen from their systems. The hackers claimed they did not steal any actual NCR data, but they did obtain “a lot of credentials” that can be used to access NCR customer networks.
The removal of the post naming NCR from BlackCat’s leak website suggests that negotiations have started, and the cybercriminals are hoping to get paid. The BlackCat ransomware has been around since at least November 2021, and its leak website currently lists more than 300 victims. The group has been known to target industrial companies.
Researchers warned recently that the hackers have been exploiting vulnerabilities in a Veritas data backup product for initial access. NCR has not responded to questions regarding potential information compromise or the ransom payment. Still, it reported the following to news media: “We believe this incident is limited to specific functionality in Aloha cloud-based services and Counterpoint. At this time, our ongoing investigation also indicates that no customer systems or networks are involved. Our ATM, digital banking, payments, or other retail products are not processed at this data center.”
While in-restaurant purchases and transactions continue to operate, affected customers have reduced capabilities on specific Aloha cloud-based and Counterpoint functionality, impacting their ability to manage restaurant administrative functions. NCR is conducting concurrent efforts to establish alternative functionality for customers, fully restore impacted data and applications, and enhance its cyber security protections.”
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
Comments