Panera Bread and Omni Hotels Hit by Ransomware Outages: What You Need to Know

In a tumultuous turn of events, Panera Bread and Omni Hotels were thrust into the chaos of ransomware attacks, unleashing a cascade of disruptions across their operations and customer services. 

Panera Bread, celebrated for its culinary delights and pioneering loyalty programs, found itself in the throes of a massive outage that paralyzed its internal IT infrastructure, communication channels, and customer-facing platforms. The ransomware attack, which struck on March 22, 2024, encrypted critical data and applications, plunging employees and patrons into disarray amidst the ensuing turmoil.

Among the litany of grievances, Panera Sip Club members were left disheartened by their inability to savour the benefits of their subscription, notably the tantalizing offer of unlimited drinks at a monthly fee of $14.99. The frustration reverberating among members underscored the profound repercussions of cyber incidents on customer experience and brand loyalty. 

As of January 23, 2024, Panera Bread and its franchise network boasted an extensive presence with 2,160 cafes sprawled across 48 U.S. states and Ontario, Canada. However, the ransomware onslaught cast a shadow over the company's expansive footprint, laying bare vulnerabilities in cybersecurity defenses and underscoring the imperative for robust incident response protocols. 

In tandem, Omni Hotels grappled with a parallel crisis as ransomware-induced IT outages wreaked havoc on reservation systems and guest services. The past week witnessed a flurry of disruptions, from protracted check-in delays averaging two hours to manual interventions to grant access to guest rooms.

The financial fallout of these cyber calamities remains nebulous, yet the toll on customer trust and brand reputation is palpable. The opacity shrouding the attacks has only exacerbated apprehensions among employees and patrons alike, accentuating the exigency for fortified cybersecurity measures and transparent communication strategies.

Amidst the evolving threat landscape, organizations must fortify their cybersecurity defenses and hone proactive strategies to avert the pernicious impact of cyber threats. From regular data backups and comprehensive employee training to the formulation of robust incident response blueprints, preemptive measures are pivotal in blunting the impact of cyber onslaughts and fortifying resilience against future incursions. 

The ransomware assaults on Panera Bread and Omni Hotels serve as poignant reminders of the pervasive menace posed by cyber adversaries. By assimilating the lessons gleaned from these incidents and orchestrating proactive cybersecurity initiatives, businesses can bolster their resilience and safeguard the interests of stakeholders, employees, and patrons alike.

Vulnerability in Oracle Property Management Software Puts Hotels at Risk

The hundreds of hotels and other hospitality-related organisations across the globe that use Oracle's Opera property management system may wish to immediately patch a bug that Oracle revealed in its April 2023 security update.

According to Oracle, only an authenticated attacker with highly privileged access could exploit the vulnerability (CVE-2023-21932), which the vendor has described as a complicated flaw in the Oracle Hospitality Opera 5 Property Services software. Based on factors like the apparent inability of an attacker to remotely exploit it, the vendor gave it a moderate severity rating of 7.2 on the CVSS scale.

Inaccurate evaluation 

Oracle's description of the vulnerability is incorrect, according to the researchers who actually found and reported the bug to the firm. 

The researchers from Assetnote, a company that manages attack surfaces, and two other organisations claimed in a blog post that they had used the weakness to achieve pre-authentication remote code execution while taking part in a live hacking event in 2017. One of the biggest resorts in the US was mentioned by the researchers as the target in that incident.

"This vulnerability does not require any authentication to exploit, despite what Oracle claims," Shubham Shah, co-founder and CTO of Assetnote, explained in a blog post this week. "This vulnerability should have a CVSS score of 10.0."

In order to centrally manage reservations, guest services, accounting, and other activities, hotels and hotel chains all over the world use Oracle Opera, also known as Micros Opera. Major hotel brands like Marriott, IHG, Radisson, Accor, and the Wyndham Group are among its clients. 

Attackers who exploit the software may be able to obtain guests' sensitive personal information, credit card information, and other data. CVE-2023-21932 is present in version 5.6 of the Opera 5 Property Services platform.

Oracle claimed that the flaw enables attackers to access all data that Opera 5 Property Services has access to. A portion of the system's data would also be accessible to attackers, who might edit, add, or remove it. 

Shah, a bug hunter on the HackerOne platform, together with Sean Yeoh, engineering lead at Assetnote, Brendan Scarvell, a pen tester with PwC Australia, and Jason Haddix, CISO at adversary emulation firm BuddoBot, conducted a source-code analysis of Opera and found the vulnerability.

Shah and the other researchers determined that CVE-2023-21932 involved an Opera code fragment that sanitises an encrypted payload for two particular variables before decrypting it, rather than the other way around.

According to the researchers, this kind of "order of operations" flaw enables attackers to use the variables to smuggle in any payload without any sanitisation taking place.
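The ordering flaw described above, reduced to a minimal sketch. This is an added example, not Oracle's or the researchers' code; the XOR cipher, the allowlist, and the names `var_one` and `var_two` are assumptions standing in for details the article does not give.

```python
import re
from itertools import cycle

# Stand-in for the application's real cipher (assumption): XOR with a fixed
# key, hex-encoded. Only the ordering of the two steps matters here.
KEY = b"constructed-demo-key"
ALLOWED = re.compile(r"[A-Za-z0-9_.]+")


def toy_encrypt(plaintext: str) -> str:
    data = plaintext.encode()
    return bytes(b ^ k for b, k in zip(data, cycle(KEY))).hex()


def toy_decrypt(token: str) -> str:
    data = bytes.fromhex(token)
    return bytes(b ^ k for b, k in zip(data, cycle(KEY))).decode()


def is_clean(value: str) -> bool:
    """Allowlist check: letters, digits, underscore and dot only."""
    return ALLOWED.fullmatch(value) is not None


def handle_sanitise_then_decrypt(params: dict) -> dict:
    """Flawed order: the check sees ciphertext, which always looks clean."""
    for name, token in params.items():
        if not is_clean(token):
            raise ValueError(f"rejected {name}")
    return {name: toy_decrypt(token) for name, token in params.items()}


def handle_decrypt_then_sanitise(params: dict) -> dict:
    """Corrected order: validate the plaintext the application will use."""
    out = {}
    for name, token in params.items():
        value = toy_decrypt(token)
        if not is_clean(value):
            raise ValueError(f"rejected {name}")
        out[name] = value
    return out


# Constructed request: two encrypted variables, one hiding disallowed characters.
SAMPLE = {
    "var_one": toy_encrypt("report_2023.txt"),
    "var_two": toy_encrypt("value with spaces; and punctuation!"),
}
```

With `SAMPLE`, the first handler returns the second variable unchecked, while the second handler raises `ValueError` for it. Any input check has to run on the decoded value the application consumes, not on its encrypted or encoded form.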

"Order of operations bugs are really rare, and this bug is a very clear example of this bug class," Shah tweeted earlier this week. "We were able to leverage this bug to gain access to one of the biggest resorts in the US, for a live hacking event." 

The researchers explained the steps they took to get around particular restrictions in Opera in order to exploit the flaw without authenticating, noting that none of them required any kind of specialised access or software knowledge.

In response to the Assetnote blog, security expert Kevin Beaumont claimed there were a number of Shodan queries an attacker might use to discover hotels and other companies using Opera.

According to Beaumont, every property he discovered using Shodan was unpatched. We must eventually discuss Oracle product security, Beaumont stated.

CVE-2023-21932 is only one of many bugs in Oracle Opera, according to Shah and the other researchers, at least some of which the company has not fixed. Please never post this on the Internet, they pleaded.