CISOs at retailers around the world should be tightening their defenses after several recent cyber attacks crippled shopping and supermarket chains in the UK. Those included successful attacks on retail chain Marks & Spencer and supermarket chain Co-op, and the attempted hack of high-end retailer Harrods.
Over the weekend, the UK National Cyber Security Centre (NCSC) urged retailers to follow best cybersecurity practices to minimize the chances of being victimized, as well as to help them recover if an attack gets through defenses. A ransomware gang called DragonForce claims responsibility for all three incidents, according to the BBC.
In a letter to members, Co-op CEO Shirine Khoury-Haq wrote that hackers “accessed data relating to a significant number of our current and past members.” And the BBC reported that Co-op has now told staff holding online meetings to keep computer cameras on, and to verify all attendees so they could detect lurking hackers, after the attackers showed the BBC screenshots of a confidential internal Teams call.
Marks & Spencer has been forced to suspend online orders and stop hiring, and an insider told Sky News that it could take months for the chain to recover from the attack.
NCSC said in its alert that it has “insights” into the three attacks, but “we are not yet in a position to say if these attacks are linked, if this is a concerted campaign by a single actor or whether there is no link between them at all.”
Johannes Ullrich, dean of research at the SANS Institute, said in an email that the common denominator could be a vulnerability in software all three retailers use.
Retail IT networks hard to secure
Traditionally, IT networks of retailers have been difficult to secure, said Robert Beggs, head of Canada-based DigitalDefence, an incident response firm. These chains are distributed entities with multiple data networks and applications that frequently contain legacy systems and have a mobile workforce, he noted. In addition, they handle large volumes of financial transactions and are very sensitive to any amount of network downtime. Combined, that makes them ideal targets for a cyber attack, he said.
There could be two factors in the recent UK attacks, Beggs said:
First, a group may be targeting UK retailers because they understand the business processes and target architectures (network, devices and servers, operation of PoS devices, security controls) common in that vertical. More importantly, he added, they may have identified and know how to implement a consistent social engineering attack that works particularly well with UK retailers.
“Targeting UK-based retailers may indicate that the attackers are located in the UK, or at least speak English fluently and can use these skills to increase their chance of success,” he said.
Second, Beggs added, a publication quotes a source within Marks & Spencer suggesting it was unprepared for the attack. If true, it’s “a signal that smaller organizations that lack the presumed resources of M&S may also be unprepared. This increases the risk to the retail sector, and will invite attacks from multiple groups looking to exploit potentially lucrative targets.”
Experts say crooks target retailers for several reasons: to get customers’ credit card numbers, employees’ personal information, and, probably most importantly, to ransom stolen data and extort money from management. Every day a company is offline can cost it big money.
They’ll use the same range of tactics to get network access that they employ against any organization: Credential stuffing, buying or leveraging stolen admin credentials, exploiting vulnerabilities, tricking employees into giving network access by impersonating help desk staff, sending infected phishing emails, installing data scraping malware on websites in so-called Magecart attacks … the list goes on.
Advice to CISOs
In its weekend post, the UK’s NCSC said, “Preparation and resilience does not mean just having good defenses to keep out attackers. No matter how good your defenses are, sometimes the attacker will be successful. It also means detecting threat actors when they are using your employees’ legitimate access (or are on your network, or in your cloud services) whilst being able to contain attackers to prevent damage, and to respond and recover when an attack has got through your defenses.”
It offered this advice to all organizations, including retailers:
- ensure multi-factor authentication is deployed across the organization;
- enhance monitoring against unauthorized account misuse; for example, looking for ‘risky logins’ within Microsoft Entra ID Protection, where sign-in attempts have been flagged as potentially compromised due to suspicious activity or unusual behavior, especially where the detection type is ‘Microsoft Entra Threat intelligence;’
- pay specific attention to domain admin, enterprise admin and cloud admin accounts, and check if access is legitimate;
- review their help desk password reset processes, including how the help desk authenticates staff members’ credentials before resetting passwords, especially those with escalated privileges;
- ensure security operations centres can identify logins from atypical sources such as VPN services in residential ranges, through source enrichment and similar;
- ensure they have the ability to consume techniques, tactics, and procedures sourced from threat intelligence rapidly and the ability to respond accordingly.
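As an added illustration of the monitoring items above (not code from NCSC or CSO Online), the following Python triages a handful of constructed sign-in records: it flags risky logins, singles out the ‘Microsoft Entra Threat intelligence’ detection type, enriches the source IP against an assumed list of residential-range VPN exits, and raises the severity for privileged accounts. The record fields and the range list are simplifications assumed for the example, not the real Entra ID sign-in schema.

```python
import ipaddress

# Constructed sample sign-in records (simplified; NOT the real Entra ID log schema).
SIGN_INS = [
    {"user": "alice@example.test", "ip": "203.0.113.7", "risky": False, "detection": ""},
    {"user": "svc-admin@example.test", "ip": "198.51.100.22", "risky": True,
     "detection": "Microsoft Entra Threat intelligence"},
    {"user": "bob@example.test", "ip": "192.0.2.45", "risky": True,
     "detection": "Unfamiliar sign-in properties"},
    {"user": "carol@example.test", "ip": "192.0.2.200", "risky": False, "detection": ""},
]

# Assumed list of privileged accounts (domain/enterprise/cloud admins).
ADMIN_ACCOUNTS = {"svc-admin@example.test"}

# Constructed enrichment table: address ranges known to be residential-range VPN exits.
RESIDENTIAL_VPN_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def enrich(ip: str) -> str:
    """Source enrichment: classify an IP as 'residential-vpn' or 'other'."""
    addr = ipaddress.ip_address(ip)
    return "residential-vpn" if any(addr in net for net in RESIDENTIAL_VPN_RANGES) else "other"


def triage(records):
    """Return one alert dict per record that trips at least one of the checks."""
    alerts = []
    for r in records:
        reasons = []
        if r["risky"] and r["detection"] == "Microsoft Entra Threat intelligence":
            reasons.append("risky-login:threat-intel")   # highest-confidence risky sign-in
        elif r["risky"]:
            reasons.append("risky-login")
        if enrich(r["ip"]) == "residential-vpn":
            reasons.append("source:residential-vpn")     # atypical source per enrichment
        if r["user"] in ADMIN_ACCOUNTS:
            reasons.append("privileged-account")         # admin access needs a legitimacy check
        if reasons:
            # A privileged account with any other finding is escalated to high.
            severity = "high" if "privileged-account" in reasons and len(reasons) > 1 else "medium"
            alerts.append({"user": r["user"], "reasons": reasons, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in triage(SIGN_INS):
        print(alert)
```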
Original article: Warning issued to retailers’ CISOs worldwide after three attacks in UK | CSO Online