Hackers stole passwords for remote control dashboards and accessed 140,000 Wiseasy payment terminals worldwide.
Based in Singapore, Wiseasy makes Android payment terminals that are popular in the Asia-Pacific region, and has offices in 114 countries. Its devices are common in retail outlets, hotels, restaurants, and schools.
Buguard, a penetration testing and threat intelligence cybersecurity startup, discovered the leaked credentials on a dark web marketplace, with attackers actively accessing Wiseasy payment systems using the stolen details.
However, attempts to notify the breached company hit a brick wall after the company repeatedly canceled meetings without feedback.
Payment terminals’ remote control dashboards lacked two-factor authentication
Buguard’s CTO Youssef Mohamed told TechCrunch that Wiseasy employee passwords were stolen by malware from employees’ computers.
However, the remote control dashboards lacked basic security features such as two-factor authentication, making the stolen passwords more valuable to the hackers.
“This compromise serves as yet another reminder that hardening security is an imperative, and two-factor authentication is a major component of that approach,” Christopher Hallenbeck, CISO, Americas at Tanium, said. “It would be prudent for other organizations to use this opportunity to shore up their own authentication practices. The seemingly unending list of such incidents should be a wake-up call to those not yet impacted.”
Buguard’s attempts to notify the company in early July failed, with scheduled executive meetings canceled without warning or feedback. Consequently, Buguard’s CTO could not confirm whether the company had secured the compromised devices.
However, Wiseasy’s spokesperson Ocean An later told TechCrunch that the company had fixed the issue internally and implemented two-factor authentication. Nevertheless, the company did not clarify whether it would notify clients whose payment terminals were potentially compromised or their customers.
Wiseasy later published a statement on its website claiming that an old version of WiseCloud was involved and clients’ payment terminals were not affected.
“Wiseasy conducted a thorough investigation two weeks ago. The old version of WiseCloud is involved in this accident. As the users and devices on this old platform have been migrated to the new version as of May 12, 2022 (two months before this accident), no clients are impacted,” the company posted on its website.
The payment solutions giant promised to continue providing secure services, adding that cloud service security and data privacy were its top priority.
“The latest version of WiseCloud has passed PCI DSS certification in November 2021. Wiseasy will continuously provide secured services to WiseCloud users.”
Attackers accessed remote control dashboards using an admin account
The cybersecurity firm discovered that threat actors could access remote control dashboards, including one linked to a privileged admin account. Wiseasy’s employees use the dashboards, which are connected to the WiseCloud cloud service, to control devices remotely.
Buguard’s CTO explained that hackers “accessed dashboards used to remotely configure and control thousands of credit card payment terminals manufactured by digital payments giant Wiseasy.”
Subsequently, attackers could abuse the remote control dashboards to unlock devices, install and remove apps, and access the Wi-Fi name and plaintext password of the payment terminals’ network. Attackers could also exploit the remote dashboards to access user permissions, add users, control payments, and make configuration changes. Furthermore, the remote control dashboards could access personal information such as names, phone numbers, and email addresses stored on the payment terminals.
Scammers frequently target payment terminals with credit card skimmers. However, compromising remote control dashboards to target individual payment systems is a new tactic. The tactic shows the lengths cybercriminals are willing to go to commit payment fraud.