2 May 2025

Cyber threat advisory: UK retail sector faces surge in ransomware attacks

Cyber security
Background

Since 22 April, major retail organisations across the United Kingdom have experienced disruption from multiple ransomware attacks targeting the sector. Several well-known brands have been impacted, with speculation growing that one cybercriminal group in particular – Scattered Spider – may be behind the activity as part of a coordinated campaign.

As the retained incident response (IR) provider of choice to some of the UK’s largest high street brands, S-RM has been actively supporting several organisations in response to these events. In this snap analysis, our team shares insights on what motivations may underpin the campaign, as well as practical steps retail organisations should consider to protect themselves from this evolving threat.

Our team of experts is standing by to assist UK retailers concerned about their exposure to this latest threat. Please reach out to us via our website if you’d like to speak to one of our experts, who can share further tailored technical details on how to protect your organisation.


If you’ve already identified potentially suspicious activity and would like some support in defining and triaging it, please contact our Incident Response team at [email protected].

What makes retail organisations a prime target?

Many of our clients and partners have asked in recent days why the retail sector has found itself a focus of this most recent campaign. While ransomware is an indiscriminate threat, several characteristics of the sector and the profile of the likely threat actor in these cases have elevated the threat level:

  • Value of payment data: Retailers store large amounts of customer payment information on point of sale devices and in central database servers (typically SQL). This sensitive data is highly valuable to cybercriminals, who can use it as leverage to extort organisations.
  • Fragmented multi-vendor environments: Retail businesses often rely on multiple vendors and distributed point of sale (POS) systems across many locations. This complexity significantly expands the attack surface of these organisations and makes it challenging to implement consistent, organisation-wide security controls.
  • Omnichannel and cloud infrastructure sprawl: Integrating in-store, online, mobile, loyalty, and supply chain platforms creates a sprawling and interconnected IT environment. This makes it challenging for retail organisations to maintain an accurate inventory of all systems and to ensure that each system is properly monitored and secured.
  • Legacy systems: Many retailers still rely on legacy systems such as older Windows Embedded devices, because it is difficult to replace or update them without disrupting essential operations. These legacy systems often have unpatched vulnerabilities, leaving persistent security gaps which are attractive targets for cyber attackers.
  • Recognition: Groups like Scattered Spider are motivated by notoriety and public recognition. High-profile retail breaches are attractive targets because they attract significant media attention. Furthermore, public intelligence reports indicate that members of the group have local ties, suggesting they may be drawn to well-known British brands that are household names.

What can you do about it?

Retail organisations concerned about their exposure to the ongoing campaign should consider the following:

Enhance IT help desk protections against social engineering

Scattered Spider is known to specialise in highly sophisticated social engineering attacks. What makes these campaigns so effective is the native language advantage of the group’s members, which enables them to impersonate British employees more convincingly. IT teams should consider implementing heightened security protocols for all requests related to account resets or credential reminders. Strategies can include:

  • Limiting self-service password reset features, especially for privileged users, and implementing enhanced monitoring of the associated requests.
  • Implementing additional verification procedures to prevent impersonation of employees. Scattered Spider has been known to target HR systems to fraudulently obtain valid forms of ID/authentication, which can then be used to gain further administrative privileges from central IT teams. Consider requiring employees to produce multiple, independently sourced forms of ID verification before central IT teams act on a request.

Extra vigilance on ESXi environments

Scattered Spider is known to employ sophisticated methods to avoid detection within victim environments, such as ‘living off the land’ techniques, which involve the use of legitimate system tools and processes to evade scrutiny from defensive tooling like endpoint detection and response (EDR) systems. Specifically, technical teams are advised to look out for unknown or newly created virtual machines (VMs) within ESXi environments. Our intelligence indicates that Scattered Spider may be creating VMs in victim environments as part of their attacks, having gained access to infrastructure using credentials obtained through social engineering.
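One way to operationalise the ESXi check above, as an added example rather than S-RM's own tooling: the script below runs over a constructed vCenter event export (the CSV layout, VM names, account names and the approved inventory are all assumptions) and flags any VM creation, registration or clone event for a VM that is not in the inventory, was performed by an account outside the VM-build team, or happened outside working hours.

```python
import csv
import io
from datetime import datetime

# Constructed baseline of VMs the team expects to exist (added example,
# not S-RM tooling; the inventory and admin list below are assumptions).
APPROVED_VMS = {"pos-db-01", "web-front-02", "backup-restore-01"}
# Constructed list of accounts permitted to create or register VMs.
VM_ADMINS = {"svc-vmbuild", "jsmith-admin"}
# vSphere event types that introduce a VM into the estate.
CREATION_EVENTS = {"VmCreatedEvent", "VmRegisteredEvent", "VmClonedEvent"}

# Constructed sample of a vCenter event export (columns are assumptions).
SAMPLE_EVENTS = """time,event_type,vm_name,user
2025-04-22T09:15:00Z,VmCreatedEvent,web-front-02,svc-vmbuild
2025-04-23T02:41:07Z,VmCreatedEvent,WIN-TEMP-7F3A,helpdesk-contractor
2025-04-23T03:02:55Z,VmPoweredOnEvent,WIN-TEMP-7F3A,helpdesk-contractor
2025-04-24T11:30:00Z,VmRegisteredEvent,backup-restore-01,jsmith-admin
"""


def parse_events(text):
    """Parse the CSV export; timestamps become timezone-aware datetimes (UTC)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"].replace("Z", "+00:00"))
        rows.append(row)
    return rows


def flag_suspicious_vms(events, approved=APPROVED_VMS, admins=VM_ADMINS,
                        work_hours=(7, 19)):
    """Return {vm_name: [reasons]} for VM-adding events that break policy."""
    findings = {}
    for ev in events:
        # Power-on and other lifecycle events are ignored; only events that
        # add a VM are checked against inventory, admin list and hours (UTC).
        if ev["event_type"] not in CREATION_EVENTS:
            continue
        reasons = []
        if ev["vm_name"] not in approved:
            reasons.append("not in approved inventory")
        if ev["user"] not in admins:
            reasons.append(f"created by non-admin account {ev['user']}")
        if not work_hours[0] <= ev["time"].hour < work_hours[1]:
            reasons.append("created outside working hours")
        if reasons:
            findings.setdefault(ev["vm_name"], []).extend(reasons)
    return findings
```

Against the sample, only WIN-TEMP-7F3A is flagged, on all three grounds; in practice the approved inventory should be generated from the CMDB rather than maintained by hand, so that legitimate builds do not drown the alert.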
