{"id":3056,"date":"2025-05-05T20:25:53","date_gmt":"2025-05-05T20:25:53","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3056"},"modified":"2025-05-05T20:25:53","modified_gmt":"2025-05-05T20:25:53","slug":"warning-issued-to-retailers-cisos-worldwide-after-three-attacks-in-uk","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3056","title":{"rendered":"Warning issued to retailers\u2019 CISOs worldwide after three attacks in UK"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CISOs at retailers around the world should be tightening their defenses after several recent cyber attacks crippled shopping and supermarket chains in the UK. Those included successful attacks on retail chain Marks &amp; Spencer and supermarket chain Co-op, and the attempted hack of high-end retailer Harrods.<\/p>\n<p>Over the weekend, <a href=\"https:\/\/www.ncsc.gov.uk\/blog-post\/incidents-impacting-retailers\" target=\"_blank\" rel=\"noopener\">the UK National Cyber Security Centre (NCSC) urged retailers<\/a> to follow best cybersecurity practices to minimize the chances of being victimized, as well as to help them recover if an attack gets through defenses. 
A ransomware gang called DragonForce claims responsibility for all three incidents, according to the BBC.<\/p>\n<p>In a letter to members, <a href=\"https:\/\/www.coop.co.uk\/cyber-incident\" target=\"_blank\" rel=\"noopener\">Co-op CEO Shirine Khoury-Haq wrote<\/a> that hackers\u00a0\u201caccessed data relating to a significant number of our current and past members.\u201d And the BBC <a href=\"https:\/\/www.bbc.com\/news\/articles\/cg72k851dd8o\" target=\"_blank\" rel=\"noopener\">reported<\/a> that Co-op has now told staff holding online meetings to keep computer cameras on, and to verify all attendees so they could detect lurking hackers, after the attackers showed the BBC screenshots of a confidential internal Teams call.<\/p>\n<p>Marks &amp; Spencer has been forced to suspend online orders and stop hiring, and an insider <a href=\"https:\/\/news.sky.com\/story\/mands-had-no-plan-for-cyber-attacks-insider-reveals-with-staff-left-sleeping-in-the-office-amid-paranoia-and-chaos-13361359\" target=\"_blank\" rel=\"noopener\">told Sky News<\/a> that it could take months for the chain to recover from the attack.<\/p>\n<p>NCSC said in its alert that it has \u201cinsights\u201d into the three attacks, but \u201cwe are not yet in a position to say if these attacks are linked, if this is a concerted campaign by a single actor or whether there is no link between them at all.\u201d<\/p>\n<p>Johannes Ullrich, dean of research at the SANS Institute, said in an email that the common denominator could be a vulnerability in software all three retailers use.<\/p>\n<h2 class=\"wp-block-heading\">Retail IT networks hard to secure<\/h2>\n<p>Traditionally, IT networks of retailers have been difficult to secure, said Robert Beggs, head of Canadian-based DigitalDefence, an incident response firm. These chains are distributed entities with multiple data networks and applications that frequently contain legacy systems and have a mobile workforce, he noted. 
In addition, they handle large volumes of financial transactions and are very sensitive to any amount of network downtime. Combined, that makes them ideal targets for a cyber attack, he said.<\/p>\n<p>There could be two factors in the recent UK attacks, Beggs said:<\/p>\n<p>First, a group may be targeting UK retailers because they understand the business processes and target architectures (network, devices and servers, operation of PoS devices, security controls) common in that vertical.\u00a0More importantly, he added, they may have identified and know how to implement a consistent social engineering attack that works particularly well with UK retailers.<\/p>\n<p>\u201cTargeting UK-based retailers may indicate that the attackers are located in the UK, or at least speak English fluently and can use these skills to increase their chance of success,\u201d he said.<\/p>\n<p>Second, Beggs added, a publication quotes a source within Marks &amp; Spencer suggesting it was unprepared for the attack.\u00a0If true, it\u2019s \u201ca signal that smaller organizations that lack the presumed resources of M&amp;S may also be unprepared.\u00a0This increases the risk to the retail sector, and will invite attacks from multiple groups looking to exploit potentially lucrative targets.\u201d\u00a0<\/p>\n<p>Experts say crooks target retailers for several reasons: To get credit card numbers of customers, personal information of employees, and probably most importantly, to ransom stolen data and extort money from management. 
Every day a company is offline can cost it big money.<\/p>\n<p>They\u2019ll use the same range of tactics to get network access that they employ against any organization: Credential stuffing, buying or leveraging stolen admin credentials, exploiting vulnerabilities, tricking employees into giving network access by impersonating help desk staff, sending infected phishing emails, installing data scraping malware on websites in so-called Magecart attacks \u2026 the list goes on.<\/p>\n<h2 class=\"wp-block-heading\">Advice to CISOs<\/h2>\n<p>In its weekend post, the UK\u2019s NCSC said, \u201cPreparation and resilience does not mean just having good defenses to keep out attackers. No matter how good your defenses are, sometimes the attacker will be successful. It also means detecting threat actors when they are using your employees\u2019 legitimate access (or are on your network, or in your cloud services) whilst being able to <em>contain <\/em>attackers to prevent damage, and to <em>respond <\/em>and <em>recover <\/em>when an attack has got through your defenses.\u201d<\/p>\n<p>It offered this advice to all organizations, including retailers:<\/p>\n<ul>\n<li>ensure multi-factor authentication is deployed across the organization;<\/li>\n<li>enhance monitoring against unauthorized account misuse; for example, looking for \u2018risky logins\u2019 within Microsoft Entra ID Protection, where sign-in attempts have been flagged as potentially compromised due to suspicious activity or unusual behavior, especially where the detection type is \u2018Microsoft Entra Threat intelligence;\u2019<\/li>\n<li>pay specific attention to domain admin, enterprise admin and cloud admin accounts, and check if access is legitimate;<\/li>\n<li>review their help desk password reset processes, including how the help desk authenticates staff members\u2019 credentials before resetting passwords, especially those with escalated privileges;<\/li>\n<li>ensure security operations centres can identify logins from atypical sources such as VPN services in residential ranges, through source enrichment and similar;<\/li>\n<li>ensure they have the ability to consume techniques, tactics, and procedures sourced from threat intelligence rapidly and the ability to respond accordingly.<\/li>\n<\/ul>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISOs at retailers around the world should be tightening their defenses after several recent cyber attacks crippled shopping and supermarket chains in the UK. Those included successful attacks on retail chain Marks &amp; Spencer and supermarket chain Co-op, and the attempted hack of high-end retailer Harrods. Over the weekend, the UK National Cyber Security Centre [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3057,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3056","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3056"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3056"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3056\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3057"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3056"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus
.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3056"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3056"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}