
Under the Microscope – Dissecting 3 Real-life Attack Paths in Retail

Posted by: Chris Keller
September 12, 2023

Few industries are as competitive as retail. 

From giants like Amazon to independent boutiques to your neighborhood hardware store, they all have one thing in common: they want consumers to spend money, lots of it. Malicious actors want that money too, but they acquire it by decidedly less legal means; with ever-increasing frequency, they go straight to the source and attack the IT systems of sellers large and small.

Why is retail such an attractive target?

Retail suffers from a truly perfect cyber storm: it handles tremendous volumes of transactions and money, stores millions of customer records (including payment card data and PINs), employs frontline staff who may lack cybersecurity training, and relies on older point-of-sale (POS) equipment that is not necessarily updated, secured or monitored.

But just how bad is it? In 2022, the security firm Thales found that 45% of retail respondents said the volume, severity and/or scope of cyberattacks had increased in the previous 12 months. Verizon documented 406 incidents against retailers since the beginning of 2023, 193 of them with confirmed data disclosure. As one of our customers, a global retailer, put it: “We have thousands of stores around the world with many components per store, so dealing with vulnerabilities is a huge task.”

So, yeah, it’s a pretty big problem.

In my experience, the most common retail attack scenarios (malware on POS systems, supply chain attacks, user account compromise) are still being leveraged, while the push toward a targeted digital experience keeps expanding the attack surface. Retailers' reliance on customers' personal data and on third-party cloud providers opens new avenues of exposure as they aim to deliver a personalized 24/7 shopping experience. Creating those experiences requires very specific customer data and automation across all of their systems, and every one of those systems has to be properly secured.

There are many resources discussing the specific threats facing retailers and how best to secure retail environments. In this blog I'll take a slightly different approach and put three real-life attack paths from actual customers under the microscope. Attack paths are the routes attackers can take to enter an environment and reach its critical assets. Many exposures, on their own, cannot be leveraged in any significant way; chained with other “insignificant” exposures, they often create a clear pathway for an attacker. By understanding how attack paths are constructed and diving deep into these near misses, we can see how the attacks would have unfolded and, more importantly, how to prevent similar attacks down the road.

True Story #1

Who was the customer?

What was the attack path?

When we examined the customer's exposure landscape, the Active Directory domain belonging to their Asian acquisition had a high risk score and could in fact be compromised in just two steps. Its domain controller was still exposed to ZeroLogon (CVE-2020-1472): the IT team had installed the patch but never rebooted the server, so the updated Netlogon DLL had not been loaded and the old one was still serving requests. Because the update showed as installed, the company's vulnerability scanner reported the domain controller as safe, even though the fix was not yet active.
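The check a practitioner would want here is one that does not stop at “the KB is installed”. The PowerShell below is an added example, not XM Cyber's tooling or anything from the original post. Run as an administrator on the domain controller, it reports the Netlogon DLL version on disk and (where LSA protection allows module enumeration) the version actually loaded in LSASS, the standard pending-reboot markers, and the Netlogon enforcement registry value. The registry paths and the CVE-2020-1472 identifier are the documented ones; the decision logic at the end is this example's own.

```powershell
# Added example (not from the original post): is the ZeroLogon (CVE-2020-1472) fix
# installed AND active on this domain controller? The servicing stack swaps in the
# new netlogon.dll at reboot, so an update that shows as "installed" protects nothing
# until the DC restarts. Run locally on the DC as an administrator.

function Test-PendingReboot {
    # Standard markers left behind by Component Based Servicing and Windows Update.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($m in $markers) { if (Test-Path $m) { return $true } }
    # A pending file rename means a file (such as netlogon.dll) is replaced at next boot.
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) { return $true }
    return $false
}

function Get-NetlogonStatus {
    $dll    = Join-Path $env:SystemRoot 'System32\netlogon.dll'
    $onDisk = (Get-Item $dll).VersionInfo.FileVersion

    # Version actually loaded in LSASS. Needs admin rights and fails when LSA protection
    # (RunAsPPL) blocks module enumeration; then we only have the on-disk version + reboot flag.
    $loaded = $null
    try {
        $loaded = (Get-Process -Name lsass -ErrorAction Stop).Modules |
            Where-Object { $_.ModuleName -ieq 'netlogon.dll' } |
            Select-Object -First 1 -ExpandProperty FileVersionInfo |
            Select-Object -ExpandProperty FileVersion
    } catch { }

    # Enforcement switch documented with the ZeroLogon fix (KB4557222). An explicit 0 means
    # someone tried to turn enforcement off; absence of the value is normal on current builds.
    $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    $enforcementDisabled = ($null -ne $params) -and ($params.FullSecureChannelProtection -eq 0)

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        NetlogonOnDisk      = $onDisk
        NetlogonLoaded      = $loaded
        RebootPending       = Test-PendingReboot
        EnforcementDisabled = $enforcementDisabled
        LastUpdateInstall   = (Get-HotFix | Where-Object InstalledOn |
                               Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    }
}

$s = Get-NetlogonStatus
$s | Format-List

# Decision (this example's own rule): the DC counts as patched only when no reboot is
# pending and, where readable, the loaded netlogon.dll matches the one on disk.
# Anything else is still vulnerable, whatever the vulnerability scanner reports.
if ($s.RebootPending -or ($s.NetlogonLoaded -and $s.NetlogonLoaded -ne $s.NetlogonOnDisk)) {
    Write-Warning "$($s.Computer): update staged but not active - reboot this domain controller."
} elseif ($s.EnforcementDisabled) {
    Write-Warning "$($s.Computer): FullSecureChannelProtection is explicitly set to 0 - investigate."
} else {
    Write-Output "$($s.Computer): Netlogon update active, no reboot pending."
}
```

Run it on every domain controller, not just the one the scanner complained about; the acquisition's DC in this story looked clean precisely because the scanner only looked at the installed-update list.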

What was the impact?

The outbound attack path from the compromised Active Directory domain could have led to every other Active Directory domain in the organization, since trusts had been established between them as part of the M&A process. By exploiting this one vulnerability, an attacker could have breached the company's global Active Directory forest, hopping from the acquired company to all the others.

How was it remediated? 

In this case, a small fix removed a massive attack path. Once the Asian acquisition rebooted its domain controller, the updated Netlogon DLL was loaded and the vulnerability was closed.

What’s the takeaway?

Closing a huge gap does not always require a huge plug; here, a reboot did the job. The hard part was identifying the choke point an attacker could exploit, not the remediation itself.


True Story #2

Who was the customer? 

A large travel company selling getaway bookings had just merged with another company in the same industry and integrated both companies’ infrastructures.

What was the attack path?

The customer had a product testing server that was always running and was not considered critical. Despite the assumption that it was kept up to date, it had not been correctly patched since 2017. Its lengthy list of vulnerabilities included serious legacy issues such as PrintNightmare (CVE-2021-34527, Print Spooler) and EternalBlue (MS17-010, SMBv1).
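Finding such a server before an attacker does is an inventory problem. As an added example (not from the original post), this PowerShell sweeps a list of hosts over WinRM and flags any that have not installed an update in a configurable number of days, still have SMBv1 enabled (the EternalBlue surface) or run the Print Spooler without the driver-installation restriction Microsoft shipped for PrintNightmare. The hostnames are hypothetical placeholders; the cmdlets and the registry value are the standard ones.

```powershell
# Added example (not from the original post): find hosts that have gone unpatched for a long
# time and still expose the services behind EternalBlue (MS17-010, SMBv1) and PrintNightmare
# (CVE-2021-34527, Print Spooler). Requires WinRM and admin rights on the targets.
param(
    [string[]] $ComputerName = @('testsrv01', 'testsrv02'),  # hypothetical names
    [int]      $StaleDays    = 90
)

# Runs on each target and returns one record per host.
$probe = {
    $lastFix = Get-HotFix | Where-Object InstalledOn |
               Sort-Object InstalledOn -Descending | Select-Object -First 1
    $os      = Get-CimInstance Win32_OperatingSystem
    $smb1    = $null
    try { $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol } catch { }
    $spooler = (Get-Service -Name Spooler -ErrorAction SilentlyContinue).Status
    # RestrictDriverInstallationToAdministrators = 1 is the Point and Print hardening
    # Microsoft introduced for PrintNightmare.
    $pnp = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        OS                      = $os.Caption
        LastBoot                = $os.LastBootUpTime
        LastPatch               = $lastFix.InstalledOn
        SMB1Enabled             = $smb1
        SpoolerRunning          = ($spooler -eq 'Running')
        DriverInstallRestricted = ($pnp.RestrictDriverInstallationToAdministrators -eq 1)
    }
}

$cutoff  = (Get-Date).AddDays(-$StaleDays)
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe -ErrorAction SilentlyContinue

foreach ($r in $results) {
    $flags = @()
    if (-not $r.LastPatch -or $r.LastPatch -lt $cutoff) {
        $flags += "no update installed since $($r.LastPatch) (up since $($r.LastBoot))"
    }
    if ($r.SMB1Enabled -eq $true) {
        $flags += 'SMBv1 enabled (EternalBlue surface)'
    }
    if ($r.SpoolerRunning -and -not $r.DriverInstallRestricted) {
        $flags += 'Spooler running without driver-install restriction (PrintNightmare surface)'
    }
    if ($flags) { Write-Warning ('{0} [{1}]: {2}' -f $r.Computer, $r.OS, ($flags -join '; ')) }
    else        { Write-Output  "$($r.Computer): ok" }
}
```

Feed it the full server list from your CMDB or AD rather than the list you think matters; the whole point of this story is that the dangerous host was the one nobody considered critical.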

What was the impact? 

A compromise of this seemingly unimportant server would have provided an easy path to far more important systems.

How was it remediated? 

Once the server had been identified, the customer realized that they didn’t actually need it…so they simply turned it off! This drastically reduced risk to the rest of the environment.

What’s the takeaway? 

Large digital ecosystems frequently contain extraneous or neglected assets that attackers can target and use as jumping-off points to more critical assets. Simply identifying and remediating (often just patching – but sometimes just shutting down) these assets has a tremendous positive impact on organizational security posture as a whole.


True Story #3

Who was the customer?

A large retail company that had recently onboarded to the XM Cyber platform.

What was the attack path?

An initial scan of the company's exposures uncovered an open path from an internet-facing server in the DMZ straight to domain compromise. The server ran Windows, was joined to the customer's Windows domain, and was administered with a domain admin account.

What was the impact?

Had the DMZ server been compromised, the attacker could have harvested the domain admin credentials left on it by those administrative logons and connected to the domain controller with full privileges.
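To see whether a domain-joined DMZ host is exposing Domain Admin credentials the way this one was, two things are worth checking on the host itself: whether Domain Admins (or any of its members) sits in the local Administrators group, and whether Domain Admin accounts have logged on interactively or over RDP, which leaves reusable credentials in LSASS. The PowerShell below is an added example, not the customer's or XM Cyber's code; it assumes the ActiveDirectory RSAT module is installed, that the script runs on the DMZ server with read access to its Security log, and it uses the built-in “Domain Admins” group name.

```powershell
# Added example (not from the original post): does this domain-joined host expose
# Domain Admin credentials? Run locally on the DMZ server as an administrator.
# Assumes the ActiveDirectory RSAT module and the built-in "Domain Admins" group.
Import-Module ActiveDirectory

$daMembers = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

# (1) Local Administrators membership that pulls in Domain Admins, directly or via a member.
$risky = Get-LocalGroupMember -Group 'Administrators' | Where-Object {
    $name = ($_.Name -split '\\')[-1].ToLowerInvariant()
    ($_.ObjectClass -eq 'Group' -and $name -eq 'domain admins') -or
    ($_.ObjectClass -eq 'User'  -and $daMembers -contains $name)
}

# (2) Interactive (2) and RemoteInteractive (10) logons leave password hashes and Kerberos
# tickets in LSASS; network (3) logons do not, so only the former are flagged.
$credentialLeavingTypes = @('2', '10')
$since  = (Get-Date).AddDays(-30)
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Domain    = $d['TargetDomainName']
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
        }
    } |
    Where-Object {
        $credentialLeavingTypes -contains $_.LogonType -and
        $daMembers -contains $_.User.ToLowerInvariant()
    }

if ($risky) {
    Write-Warning "Domain Admin principals are local Administrators on $env:COMPUTERNAME: $($risky.Name -join ', ')"
}
if ($logons) {
    Write-Warning "Domain Admin logons that left credentials on $env:COMPUTERNAME in the last 30 days:"
    $logons | Sort-Object Time | Format-Table Time, Domain, User, LogonType -AutoSize
}
if (-not $risky -and -not $logons) {
    Write-Output "No Domain Admin exposure found on $env:COMPUTERNAME."
}
```

Either finding is the choke point from this story: an attacker who lands on the box inherits whatever was left in memory. The usual fixes are a dedicated, non-privileged local or tiered admin account for DMZ hosts, “Deny log on locally / through Remote Desktop Services” rights for Domain Admins on anything that is not a domain controller, and the Protected Users group for the remaining privileged accounts.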

How was it remediated?

The customer remediated the issue by restricting permissions on the DMZ server and removing unneeded user accounts, including the domain admin logon that had been used to administer it.

What’s the takeaway? 

In complex environments with multiple moving parts to manage, practicing good permissions hygiene can dramatically improve security.


The Bottom Line

It probably goes without saying, but retail is big business, and for attackers it only becomes more attractive as sales volumes grow. Back to that same customer: “By focusing on the critical issues …..there are huge time savings both within my team and within the stores.” Understanding the potential attack paths across an environment, the critical exposures that exist, and how those exposures come together lets security teams address the issues that actually impact risk, and lower it dramatically.


Chris Keller

Chris has 15+ years of experience as a sales engineer working with many different products across various security disciplines, from endpoint security to application and network access control, email security and data protection. In the last few years he has specialized in Active Directory security and the attack paths that can be hiding in plain sight. At XM Cyber he focuses on helping customers understand how these paths can be exploited in a hybrid environment and how IT teams can proactively eliminate attack paths before attackers exploit them.
