Supply Chain Attacks on Retail – What Happens When Trusted Channels Can’t be Trusted?

Posted by Netta Schmeidler

The holiday season has officially begun, but for many retailers those visions of dancing sugarplums have given way to nightmares about cyberattacks. The ThreatMetrix Q3 2017 Cybercrime Report predicts that the number of ecommerce attacks in the last quarter of 2017 will be greater than the number of attacks across all industries in the same quarter last year, with more than 50 million attacks during the Black Friday shopping days alone.

Retailers make a prime cybercrime target. They handle vast amounts of personal information, including payment card data, but are not subject to the same regulatory restrictions as the financial industry. Aging IT infrastructure and unpatched software vulnerabilities also improve cybercriminals' chances of success. According to researcher Willem de Groot, who closely tracks retail cybersecurity trends, about 50 to 200 new stores are successfully hacked per day.

While most retail breaches can be attributed to phishing schemes, human error and weak or stolen passwords, some of the largest breaches come courtesy of vulnerable third-party suppliers. The infamous Target and Home Depot breaches were both caused by compromised vendor credentials. And CVS, Costco, Rite Aid and several other chains all suffered credit card data breaches through their photo operations vendor, PNI Digital Media. The fallout from such attacks can be substantial – Home Depot’s breach cost is at least $179 million so far, without taking into account legal fees or undisclosed payouts. Not to mention the tens of millions of inconvenienced and disgruntled customers. 

Cybercrime groups deliberately target a company through its smaller suppliers and vendors since they generally have fewer security controls in place. The 2017 State of Cybersecurity in Small and Medium-Sized Businesses study by the Ponemon Institute found that 61 percent of SMBs reported a cyberattack in the past 12 months, and 54 percent reported successful data breaches involving customer and employee information. This implies a pretty high success rate. Not surprising, however, when you consider that the same study found nearly three-quarters of small businesses operate without sufficient IT personnel and only about two-thirds have a designated person responsible for IT. 

Without the necessary staffing, the effort of patching and putting an adequate cybersecurity infrastructure in place becomes daunting, to say the least. As a result, small businesses, subcontractors and suppliers often leave themselves – and others in their supply chain – exposed. Attackers can use stolen vendor credentials to enter the retailer's network and make their way through it, escalating privileges until they eventually install their preferred flavor of malware. On PoS terminals that usually means keyloggers or RAM scrapers; in online stores, credit-card skimmers or other data-collecting malware.

Even if retailers and all their vendors do everything right, there's another type of supply chain hack that can bypass most retailers' cyber defenses – malware-infected versions of legitimate software. It used to be that you could download signed software from a trusted vendor site and you were good to go. The recent CCleaner attack changed all that. Over 2 million users of the popular performance optimization software unknowingly downloaded a malware-infected update. A similar tactic was used in the NotPetya epidemic this summer, in which hackers infiltrated the update mechanism of the MEDoc financial software and pushed a fake update containing the NotPetya malware. The malware quickly spread through corporate networks, hitting companies as diverse as a Russian oil giant, Russian and Ukrainian banks and the German retail chain Metro.

And while these were perhaps the most publicized software supply chain attacks, they are not anomalies. In the last few months, Kaspersky Lab discovered a backdoor inserted into NetSarang server management software, Microsoft researchers uncovered an attack targeting financial institutions via updates from a compromised third-party editing tool, and several Chrome browser extensions were hijacked and laced with malicious code.

Except for the NotPetya attacks, where obvious and immediate destruction was the goal, many software supply chain hacks go undetected. Often they use memory injection techniques, in which malicious code is loaded directly into memory so that it leaves no files or other easily detectable traces on disk. But the initial compromise is only the first step, used to gain a foothold in the targeted system. From there, attackers deliver second-stage malware to select targets. In the CCleaner case, although millions downloaded the initial backdoored build, the second-stage malware was delivered to only 12 technology and telco companies, and the attackers' logs listed additional potential targets including carriers and ISPs, server hosting companies and domain registrars, indicating they were likely seeking new supply chain attack avenues.

All is not doom and gloom. There’s much retailers can do to protect themselves and their customers online and in stores:

  • Keep all operating system and web development software up to date.
  • Have a systematic patch management program in place and maintain a web application firewall.
  • Safeguard admin credentials and change passwords regularly; use multi-factor authentication or two-step verification procedures as feasible.
  • Protect endpoints with a robust security stack including updated antivirus and an advanced threat prevention layer that can stop fileless and highly evasive attacks. CISOs are well advised not to rule out innovative solutions from smaller vendors; those might well be the ones that close the security gaps.
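One concrete check behind the "fileless" point in the last bullet, and the memory-injection behaviour described earlier: code that exists only in memory still has to be mapped executable somewhere, and that mapping has no on-disk file behind it. The example below is added here and is not from the original post or from Morphisec; it parses a constructed /proc/<pid>/maps listing (addresses, paths and the pos-agent process name are made up) and flags the regions a defender would triage first.

```python
import re
from dataclasses import dataclass

# Constructed sample in Linux /proc/<pid>/maps format (not real data).
SAMPLE_MAPS = """\
55d3c0a00000-55d3c0a21000 r--p 00000000 08:01 1311299 /usr/bin/pos-agent
55d3c0a21000-55d3c0a9d000 r-xp 00021000 08:01 1311299 /usr/bin/pos-agent
7f1a2c000000-7f1a2c021000 rw-p 00000000 00:00 0
7f1a2c400000-7f1a2c403000 rwxp 00000000 00:00 0
7f1a2d000000-7f1a2d1b5000 r-xp 00000000 08:01 1049123 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2e000000-7f1a2e021000 r-xs 00000000 00:00 0 /memfd:payload (deleted)
7ffd1b2c0000-7ffd1b2e1000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [path]
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)

@dataclass
class Finding:
    start: int
    end: int
    perms: str
    path: str
    reason: str

def parse_maps(text):
    """Return (start, end, perms, path) tuples; path is '' for anonymous maps."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            regions.append((int(m["start"], 16), int(m["end"], 16),
                            m["perms"], m["path"].strip()))
    return regions

def suspicious_regions(text):
    """Flag executable mappings that normal, file-backed code does not need."""
    findings = []
    for start, end, perms, path in parse_maps(text):
        if "x" not in perms or path in ("[vdso]", "[vsyscall]"):
            continue  # not executable, or a legitimate kernel pseudo-mapping
        if perms.startswith("rwx"):
            findings.append(Finding(start, end, perms, path, "writable+executable"))
        elif path in ("", "[heap]", "[stack]"):
            findings.append(Finding(start, end, perms, path, "executable anonymous/heap/stack"))
        elif "memfd:" in path or "(deleted)" in path:
            findings.append(Finding(start, end, perms, path, "executable code with no on-disk file"))
    return findings
```

JIT runtimes (browsers, Java) create such regions legitimately, so treat a hit as a triage signal to be correlated with the process identity and its parent, not as a verdict on its own.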

The good news is that cyber threats don't seem to be deterring shoppers. The National Retail Federation expects holiday retail sales to rise by between 3.6 and 4 percent, and Deloitte's annual holiday retail survey predicts online spending will exceed in-store spending for the first time this year.

Netta Schmeidler

VP of Product Management, Morphisec

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
