- Critical infrastructure providers and most U.S. retailers got through the holiday weekend unscathed, as pre-Thanksgiving alerts from federal authorities put security operations teams on notice to prepare for threat activity and tighten password and authentication protocols.
- Ikea, the multinational home furnishings retailer, faced off against a sophisticated phishing attack that used stolen reply chain emails against company employees. The Netherlands-based retailer, which has a major presence in the U.S., said Black Friday sales and operations were not impacted by the attack, however ongoing efforts were being conducted to "seal and solve" the attack.
- Ikea said its highest priority is to make sure customer, co-worker and business partner data is secure and handled correctly. All personal information, including credit card numbers, addresses and other sensitive data was encrypted, the company said. There was no indication of customer data being compromised during the attack.
Most of the infosec community gave thanks after the long holiday weekend as the vast majority of e-commerce, retail and critical infrastructure providers returned to work Monday without a major ransomware attack or other major data breaches.
Much of the industry was on edge after the FBI and the Cybersecurity and Infrastructure Security Agency warned of potential holiday disruptions during the Thanksgiving weekend.
"CISA encourages companies of all sizes to remain vigilant against cyber threats and implement cyber hygiene best practices, including multifactor authentication, strong passwords and proactive patch management," Matt Hartman, deputy executive assistant director of cybersecurity at CISA told sister publication Cybersecurity Dive in an emailed statement. "We remain ready to assist organizations and critical infrastructure entities impacted by ransomware and encourage all to visit stopransomware.gov to take action to protect themselves."
Ransomware attacks against Colonial Pipeline, IT monitoring service Kaseya and meat distributor JBS USA, all took place during long weekends or holidays, leading federal authorities and industry executives to fear a nation state or criminal threat actor would target vulnerable U.S. industries during holiday weekends.
"There's nothing like the element of surprise and no one would have been surprised by an attempted attack over the U.S. holiday weekend," said Jessica Burn, senior analyst, security and risk at Forrester.
Due to recent attacks and government warnings, the industry has a "constant sense of dread," Burn said. Large, mature organizations are increasingly vigilant and have put their security teams in place to prepare for potential attacks.
"Retailers and their technology partners have made significant investments to improve cybersecurity across the sector and reduce the risk and likelihood of breaches and other cyber incidents," a spokesperson for the National Retail Federation said.
The attack against Ikea involved an ongoing reply chain email to target internal employee mailboxes. These types of attacks generally involve the threat actor taking over an email account and inserting some form of malicious attachment as part of an ongoing message thread.
"We are aware of the situation regarding the phishing attack against parts of the IKEA organization," a spokesperson told Cybersecurity Dive in an email statement. "Actions have been taken to prevent damages and a full-scale investigation is ongoing to seal and solve the issue. We take the matter very seriously as safeguarding personal data is a primary concern for IKEA."
Using exploited email accounts to phish other colleagues within an organization is a very common tactic used by threat actors, according to Peter Firstbrook, VP analyst at Gartner.
Phishing attacks have cost enterprises an average of $14.8 million per year, according to a study by Ponemon Institute.
"Attackers try to get several accounts in a business and keep a few in reserve to monitor IT communications to employees," Firstbrook said in an email. "It can be hard to get them out without changing credentials for everyone in the company."
The attack could stem from an unpatched Microsoft Exchange server or just an account compromise due to credential theft, Firstbrook said.