Why Breached Retailers Get Hit AgainSecond SuperValu Breach Illustrates Ongoing Risks
In the wake of this week's news that a second point-of-sale breach has struck grocery chain SuperValu, experts warn many more retailers are likely to suffer a similar fate.
In fact, security researchers say many compromised retailers fail to completely eradicate malware from their networks or close off malicious remote access points after an initial breach is discovered. This leaves the door open for ongoing attacks.
"Anyone in a franchised environment, which SuperValu is, cannot be totally sure that all the risk has been squeezed out of the system, as if that is even possible," says Gray Taylor, executive director of Conexxus, a technology consortium dedicated to developing standards for the convenience-store and gas-station markets.
Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner, says hackers routinely attack the same retailer more than once. "It's also common for them to remain in a network when the retailer thinks they have extricated all the malware," she says. "Even if the retailer gets rid of the malware, the hacker can still be in the network through a door he or she has previously opened, e.g., remote-access account takeover."
Once breached, hackers spend time getting to know the retailer's technical environment and network architecture, Litan says. Any card-accepting merchant that has been breached should assume they'll be repeatedly hit by breaches, she adds.
Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation, says hackers often hit high-value targets more than once. But until more is revealed about the methods used in this second attack on SuperValu, the industry can only speculate about what may have happened, he adds.
"If the same attack methods were used twice by the same hackers, then SuperValu has some explaining to do," Wills says. "If the same, or different, group of hackers succeeded in executing a different attack the second time, the judgment on SuperValu may be slightly less harsh, as it could have been a zero-day vulnerability that was exploited. Or, they could have less than up-to-date threat detection and response capabilities to deal with APTs [advanced persistent threats]. That's still rather common among POS integrators. As an industry segment, they tend to be on the trailing edge when it comes to staying current with the threat environment, often not going far beyond minimal PCI compliance."
Tom Kellermann, chief cybersecurity officer at Trend Micro, notes that most breached retailers are hit with secondary infections that often go undetected even after the initial infection is discovered.
"These networks are compromised, not merely the POS devices," Kellermann says. "As evidenced by Trend Micro research, cybercriminals are deploying multiple backdoors within systems, and in some guilds of thieves they are selling the 'owned' systems to other criminals." (see Mitigating the Risk of Backdoor Attacks).
The Best Defense
SuperValu is not the first retailer to have its POS network breached a second time. Arts and crafts retail chain Michaels suffered a similar fate, being the target of two separate POS attacks in spring 2011 and then again in late 2013. But the attack methods were very different, and investigators do not believe those two breaches are linked.
Experts say the best defense for retailers that accept cards for payment is to take steps to begin removing accessible card data from their networks.
"We need to totally rethink our approach to all privacy, from personally identifiable data to simple account information," Taylor says. "All information should be encrypted and tokenized with the consumer in control of the private key."
Additionally, once a breach is discovered, merchants should change their technical environment so that hackers can't find their way back into the network. By changing the infrastructure, the organization ultimately closes off and seals backdoors previously used for nefarious entry.
"While that is difficult to pull off because of resource constraints, it's a highly effective security control that would mitigate the risks in these types of instances," Litan says.
Joseph Loomis, founder and CEO of security firm Cybersponse and a cooperative member of the Federal Bureau of Investigations' and Drug Enforcement Agency's divisions on cybercrime, echoes that theme.
"In this case [SuperValu], I would guess that the group that penetrated the network had exposed other vulnerabilities for additional or future access," Loomis says. "When you're dealing with automation of attacks and the sheer number of holes in a compromised network, it's a difficult feat to assume that a perpetrator leaves at first sign of the authorities. This is why they are called APTs - advance persistent threats. They never go away."
Because SuperValu is providing network support to other supermarket brands, it needs to undergo a stringent review and audit to ensure that future compromises don't adversely impact other, connected networks, he adds.
The SuperValu Breach
Many security experts say SuperValu's second attack was likely waged the same way as the first attack, or at least exploited some of the same backdoors. Al Pascual, a fraud expert and analyst with consultancy Javelin Strategy & Research, says hackers probably didn't have to do much additional work to wage the second attack.
"With so few stores affected in this breach, it's likely that terminals with known vulnerabilities were targeted," he says. "This is Supervalu's second strike - consumers are only going to give a business so many chances to get this right; and even if it only affected a handful of locations, consumers still recognize the brand as being affected. There is a lesson here for other businesses that is especially relevant for those with complex infrastructures to manage: being compromised is not a vaccination against future incidents."
SuperValu announced Sept. 29 that a newly discovered breach may have exposed credit and debit cards used at checkout lanes at four of its stores. AB Acquisition, which runs five supermarket brands previously owned by SuperValu, also confirms an intrusion, saying malware may have impacted payment card information at various stores in 21 states. SuperValu continues to offer POS and general IT support and services to those five supermarket brands.
The second SuperValu breach involves different malware than what infected the grocer's network two months earlier, the company reports. In August, SuperValu discovered a breach that compromised POS systems at 180 its grocery stores - including franchised stores - as well as stand-alone liquor stores across seven states. The August breach also reportedly affected customers of 836 Albertsons, ACME Markets, Jewel-Osco, Shaw's and Star Markets stores in 21 states.
"[SuperValu] believes this was a separate intrusion from the one announced on Aug. 14," the company says in a Sept. 29 statement. After learning about the incident, the company took steps to secure the affected part of its network and believes it has eradicated the malware from its systems. An investigation into the breach is under way, Supervalu says.
SuperValu did not respond to Information Security Media Group's request for additional comment about the breaches and subsequent investigation.