November 26, 2019 MITRE ATT&CK
Brian Donohue Susannah Clark

10 Hackers Hacking: A Holiday Countdown of Retail Cybersecurity Threats

On the eve of Black Friday and Cyber Monday, we have a little gift for you: the top 10 MITRE ATT&CK techniques Red Canary detected against the retail sector in 2019.

Holiday shopping season has been a boom time for retail breaches over the years. Naughty code such as FrameworkPOS can really put a damper on all the holiday cheer, causing reputational damage and direct financial losses. Many retailers implement enterprise-wide code freezes, leading to downtime during a period in which revenue is so important.

Ultimately, peak retail season is just about the worst time to have to disclose a data breach or other security incident. Luckily, Red Canary is here to help retailers stay vigilant.

Here’s the list—we checked it twice—of ATT&CK techniques that adversaries used against our retail customers in 2019, from fewer detections to the most:

10. Registry Run Keys / Startup Folder (T1060)

A tried-and-true method for achieving persistence, attackers can add entries to the “autorun keys” in the Registry or startup folder on Windows systems to automatically execute with the associated user’s permissions at startup.

retail cybersecurity threats: Registry Run Keys / Startup Folder

 

9. Service Execution (T1035)

Adversaries use this execution technique to run a binary, command, or script as a native Windows service, which simultaneously helps an attack blend in with routine process activity while achieving high privilege levels.

Retail Cybersecurity: Service Execution

 

8. Spearphishing Attachment (T1193)

This is the variety of phishing that leverages email messages with malware-laden attachments. Phishing has been an effective initial access technique for decades, but T1193 has been particularly en vogue in the era of weaponized macros, Visual Basic Scripts, and PowerShell.

Retail Cybersecurity: Spearphishing attachment

 

7. Scheduled Task (T1053)

Straddling three tactics, Scheduled Tasks offer adversaries a technique for persisting, elevating privileges, and executing code on Windows systems. Assuming the adversary has gained the privileges to do so, they may use Windows Task Scheduler to schedule programs or scripts to execute at a specified time.

Retail Cybersecurity: Scheduled Task

 

6. Bypass User Account Control (T1088)

Alternatively used for privilege escalation and defense evasion, attackers often leverage Windows User Account Control (UAC) to elevate their privileges to administrator-level permissions, sometimes prompting the user for confirmation but sometimes doing so in the background—depending on account configuration and the program or process the attacker is leveraging.

Retail Cybersecurity: Bypass User Account Control

 

5. File Deletion (T1107)

Smart adversaries clean up after themselves, removing any malware, tools, or other non-native files dropped or created on a system. Unfortunately, this is a defense evasion technique that majorly complicates incident response and is also very hard to detect, given that humans and operating systems also normally delete files.

Retail Cybersecurity: File Deletion

4. Indicator Removal on Host (T1070)

This is a defense evasion technique that manifests in a variety of ways, particularly as adversaries attempt to delete or alter logs or carry out other anti-forensic activity on a host system. We’ve observed attackers exercising this technique as part of ransomware attacks (volume shadow copy deletion) and to disable Windows Event Log collection, to name a couple of methods.

Retail Cybersecurity: Indicator Removal on Host

 

3. Disabling Security Tools (T1089)

To evade detection, adversaries kill security software or event logging processes, delete Registry keys so that tools do not start at run time, or disable other tools to interfere with security scanning or event reporting.

Retail Cybersecurity: Disabling Security Tools

 

2. PowerShell (T1086)

Powerful, performant, and installed on basically every Windows system on the planet, adversaries use this interactive command-line interface and scripting language to execute code and perform countless other malicious actions on Windows systems. It’s incredibly popular among sysadmins as well, enabling them to remotely apply configuration changes, enforce security policy, and carry out all variety of daily tasks, which makes it hard to baseline.

Retail Cybersecurity: PowerShell

 

 

And the most detected technique—the canary in a pear tree, if you will—is….

1. Masquerading (T1036)

More often than any other technique, we detected adversaries on retailers’ systems manipulating file metadata-associated executables—often re-naming them to appear as a legitimate, trusted program to evade defenses and observation.

Retail Cybersecurity: Masquerading

 

 

 

This was just a sneak preview—we’ll be counting down the top ATT&CK techniques for finance, education, healthcare, manufacturing, and other sectors in our 2020 Threat Detection Report, out early next year! Sign up below to get the report sent right to your inbox.

 

If you just can’t wait, you can read last year’s report here, which includes detailed and actionable collection and detection guidance for half of the techniques listed here.

And while in you’re in that holiday spirit, why don’t you rewatch our favorite Christmas movie too.

 

 

Researchers, Assemble! Why Red Canary is a Founding Sponsor of MITRE’s Center for Threat-Informed Defense

 

ATT&CK T1501: Understanding systemd service persistence

 

Debriefing ATT&CKcon 2.0: Five great talks at MITRE’s ATT&CK conference

 

Data sources, Linux detection, and more at ATT&CKcon 2.0

Subscribe to our blog