
Weathering Retail Cybersecurity Storms

October 29, 2024 | 7 MIN READ

by John Dasher


The retail industry is highly seasonal, experiencing tremendous activity bursts during specific periods. Many of these periods coincide with holidays like Memorial Day, Labor Day, and Christmas with retailers launching grand promotions that result in frenzied activity in both their physical and electronic storefronts. Major retailers now see levels of revenue from their e-commerce engines that rival, and in some cases surpass, their physical stores. As a result, e-commerce is no longer a “nice to have” alternative revenue generator, but a critical part of the broader business.

Every retailer knows exactly how much revenue their electronic presence delivers over a given time period, making it easy to assess the potential damage of an outage or interruption. In fact, it’s not uncommon for retailers to put that figure at thousands of dollars per minute, even more during holiday periods.

Alongside this retail activity, we see corresponding increases in cybercrime. Threat actors use these periods of dramatically increased activity to mask their own illicit activity, much like a physical criminal would use the cloak of darkness for a robbery. For example, over the Labor Day holiday sales period this year, the retail vertical saw a 79% surge in blocked automated attack traffic year over year.

Cequence recently issued a press release around these retail findings, and published a great infographic that provides a more graphical view of these retail cybersecurity storms that retailers face.

There is no shortage of attack types that the retail industry must weather. These attacks include, but aren’t limited to:

Each of these attacks adversely affects site performance and availability, customer satisfaction, and your bottom line.

Since Cequence works with many large retailers, we’re in a position to see how threat actors behave toward the industry as a whole. We leverage this data to constantly improve the efficacy of our API security and bot management solutions. And while we regularly detect and prevent attacks, we also on occasion discover new vulnerabilities before they are even exploited.

Recent Food & Drug Retail Cybersecurity Vulnerability Example

Recently, a Cequence CQ Prime team member identified a critical vulnerability within a web application of one of the largest food and drug retailers in the United States. Their IT infrastructure had a number of publicly accessible subdomains, inadvertently exposing the actuator endpoint, which is used to monitor and manage the health, performance, and behavior of an application. In this case, the actuator endpoint permitted unauthorized users to access and extract sensitive data from heap dumps, which offer a snapshot of active objects and potentially sensitive data such as root passwords.

Once Cequence Security identified this critical vulnerability, we followed a responsible disclosure protocol, notifying the retailer and giving them a 90-day period to verify and remediate the issue. Providing this window of time is crucial for giving organizations the opportunity to address significant vulnerabilities without exposing their systems further to risk. To frame this more clearly, this vulnerability is so serious that it could lead to severe security breaches and would likely be awarded a CVSS value of 9.8, indicating the highest level of risk.

Some Technical Details

To protect the retailer, we’re not disclosing their identity, but we do want to provide a fuller picture to help us all learn from the incident.

The exposed actuator endpoint enables attackers to download heap dumps directly from the server. Heap dumps are essentially snapshots of all the objects in memory (the Java Virtual Machine (JVM) heap) at a certain point in time. What is revealed in heap dumps is often far more sensitive than simply API endpoints. Credentials, session tokens, and configuration details are frequently revealed, and when these are compromised they can lead to serious business disruption.

By utilizing tools such as VisualVM, attackers can analyze these dumps to uncover sensitive information, including user credentials, session tokens, and configuration details. This data can be exploited to gain administrative access to the retailer’s AppDynamics portal (a common application performance monitoring tool), enabling malicious actors to:

  1. Perform CRUD operations on all users and roles, which can lead to privileged account creation, deletion of legitimate accounts, and adverse effects on database performance
  2. Create and destroy server instances, perhaps building undetected criminal shadow infrastructure, or performing acts of wanton destruction
  3. Manage databases, creating or deleting them at will, casting doubt on what data is correct and legitimate, and what might be falsified
  4. Introduce policies that hinder the system’s normal operations, disable security measures to gain further access, or create backdoors for future attacks

“The implications of this retail cybersecurity exposure are substantial,” said Parth Shukla, Security Engineer at Cequence. “An attacker with access to AppDynamics could potentially monitor all of this retailer’s applications, gaining insights into online orders, customer behavior, and even in-store point-of-sales data if monitored by AppDynamics. This could expose vast amounts of sensitive information and leave the entire operational landscape vulnerable to scrutiny and manipulation.”
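The first place a defender would look for the access pattern described above is the web server or load balancer access log. The following is an added example, not code from Cequence or from the retailer, that runs a simple detection rule over constructed log lines: it flags successful retrievals of sensitive management endpoints by sources outside trusted networks, and separately records failed attempts as probes, since a burst of them shows someone enumerating management endpoints. The endpoint names and the `/actuator/` path prefix assume a Spring Boot Actuator deployment, which the post does not name; the sample log, the IP addresses, the response sizes and the trusted ranges are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample access log (Combined Log Format). Addresses, timestamps
# and sizes are invented for this example, not taken from the incident.
SAMPLE_LOG = """\
10.20.0.5 - - [15/Oct/2024:10:01:02 +0000] "GET /actuator/health HTTP/1.1" 200 47 "-" "kube-probe/1.28"
198.51.100.23 - - [15/Oct/2024:10:03:11 +0000] "GET /actuator HTTP/1.1" 200 1893 "-" "python-requests/2.31"
198.51.100.23 - - [15/Oct/2024:10:03:15 +0000] "GET /actuator/env HTTP/1.1" 200 22310 "-" "python-requests/2.31"
198.51.100.23 - - [15/Oct/2024:10:03:40 +0000] "GET /actuator/heapdump HTTP/1.1" 200 734003200 "-" "python-requests/2.31"
203.0.113.9 - - [15/Oct/2024:10:05:00 +0000] "GET /actuator/heapdump HTTP/1.1" 401 0 "-" "curl/8.4.0"
203.0.113.9 - - [15/Oct/2024:10:05:30 +0000] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Source ranges whose actuator traffic is expected (monitoring, orchestration).
# Assumed for the example; substitute your own internal ranges.
TRUSTED_NETWORKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Actuator endpoints whose output is sensitive, with the severity assigned to a
# successful (HTTP 200) retrieval from an untrusted source.
SENSITIVE_ENDPOINTS = {
    "heapdump": "critical",    # full JVM heap: credentials, tokens, config
    "shutdown": "critical",    # lets the caller stop the application
    "env": "high",             # environment variables and property sources
    "configprops": "high",     # bound configuration, often including secrets
    "threaddump": "high",
    "logfile": "high",
    "beans": "medium",
    "mappings": "medium",
    "loggers": "medium",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Spring Boot 2+/3 serves endpoints under /actuator/<id>; 1.x served them at
# the root (/heapdump), so the prefix is optional here.
ENDPOINT_RE = re.compile(
    r"^/(?:actuator/)?(?P<name>" + "|".join(SENSITIVE_ENDPOINTS) + r")(?:/|$)"
)
INDEX_RE = re.compile(r"^/actuator/?$")   # listing of enabled endpoints


@dataclass(frozen=True)
class Finding:
    source_ip: str
    endpoint: str
    status: int
    bytes_sent: int
    severity: str   # "critical" | "high" | "medium" | "probe"


def detect_actuator_exposure(log_text, trusted_networks=TRUSTED_NETWORKS):
    """Return one Finding per actuator request from an untrusted source.

    A 200 response is rated by endpoint sensitivity; any other status is a
    'probe' (the endpoint was requested but not served), still worth tracking
    because it shows someone enumerating management endpoints.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # malformed line: skip rather than crash the pipeline
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        if any(ip in net for net in nets):
            continue
        path = m.group("path").split("?", 1)[0]   # drop the query string
        if INDEX_RE.match(path):
            endpoint, base_severity = "index", "medium"
        else:
            em = ENDPOINT_RE.match(path)
            if not em:
                continue
            endpoint = em.group("name")
            base_severity = SENSITIVE_ENDPOINTS[endpoint]
        status = int(m.group("status"))
        raw_bytes = m.group("bytes")
        bytes_sent = int(raw_bytes) if raw_bytes != "-" else 0
        severity = base_severity if status == 200 else "probe"
        findings.append(Finding(str(ip), endpoint, status, bytes_sent, severity))
    return findings


def successful_access_by_source(findings):
    """Map each source IP to the sorted list of endpoints it retrieved (HTTP 200)."""
    by_ip = {}
    for f in findings:
        if f.status == 200:
            by_ip.setdefault(f.source_ip, set()).add(f.endpoint)
    return {ip: sorted(eps) for ip, eps in by_ip.items()}


if __name__ == "__main__":
    results = detect_actuator_exposure(SAMPLE_LOG)
    for f in results:
        print(f"{f.severity:8} {f.source_ip:15} {f.endpoint:10} status={f.status} bytes={f.bytes_sent}")
    print(successful_access_by_source(results))
```

On the sample log the rule produces four findings: the index listing and the `env` retrieval from 198.51.100.23, the same source's heap dump download (critical, and several hundred megabytes transferred, which is itself a useful signal on a line that should return a few bytes), and a rejected heap dump request from a second source recorded as a probe. The health check from the trusted range is ignored. The response-size field matters in practice: a heap dump is the size of the live JVM heap, so a `200` on that path with a large byte count is a stronger indicator than the path alone.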

The Impact: Why It Matters

The potential fallout from this particular vulnerability is significant. Unauthorized access to sensitive data often leads to:

  1. Operational Disruption: Attackers gaining control over server instances and databases.
  2. Data Breaches: Exposure of confidential information, including user credentials and session tokens that can lead to further downstream breaches and even lawsuits.
  3. Reputational Damage: Loss of customer trust and confidence.
  4. Financial implications: Breach notification laws often have direct financial penalties, in addition to the cost of reaching out to all affected customers, providing credit monitoring services, etc.

This vulnerability was completely preventable. Perhaps AppDynamics was misconfigured by the retailer, or maybe there was another set of events that enabled the inappropriate exposure of a sensitive endpoint. Organizations must know what endpoints exist, where they are, and which are publicly accessible, so continuous API discovery is key. Regular testing and assessments help, as do solid dev/QA/runtime processes.
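Because the exposure comes down to configuration, it can be caught before deployment by linting the application's management settings. The block below is an added example, not Cequence's tooling and not the retailer's configuration: it assumes the application is a Spring Boot service (the post only says "actuator endpoint"), parses an `application.properties` text, computes which actuator endpoints are reachable over HTTP from the `management.endpoints.web.exposure.include`/`exclude` and `management.endpoint.<id>.enabled` keys, and reports a wildcard exposure, any sensitive endpoint left reachable, and management endpoints sharing the public application port. Both property files shown are constructed for the example. Authentication for actuator endpoints is enforced in Spring Security rather than in these properties, so the audit treats any HTTP exposure of a sensitive endpoint as a finding rather than trying to guess whether something in front of it requires a login.

```python
# Constructed example of the weak pattern: every actuator endpoint exposed over
# HTTP on the public application port.
WEAK_PROPERTIES = """\
server.port=8080
management.endpoints.web.exposure.include=*
"""

# Constructed hardened counterpart: only health/info over HTTP, the most
# sensitive endpoints explicitly excluded and disabled, and management traffic
# moved to a separate port that can be kept off the internet.
HARDENED_PROPERTIES = """\
server.port=8080
management.server.port=9090
management.endpoints.web.exposure.include=health,info
management.endpoints.web.exposure.exclude=heapdump,env
management.endpoint.heapdump.enabled=false
"""

# Built-in actuator endpoint ids and whether Spring Boot enables them by
# default ('shutdown' stays off unless switched on explicitly).
KNOWN_ENDPOINTS = {
    "health": True, "info": True, "metrics": True, "env": True, "beans": True,
    "configprops": True, "mappings": True, "loggers": True, "threaddump": True,
    "heapdump": True, "logfile": True, "shutdown": False,
}
# Endpoints that reveal memory contents or secrets, or change runtime behaviour.
SENSITIVE = {"heapdump", "threaddump", "env", "configprops", "beans",
             "mappings", "loggers", "logfile", "shutdown"}
DEFAULT_INCLUDE = {"health"}   # Spring Boot's default web exposure


def parse_properties(text):
    """Minimal key=value parser for a .properties file (comments and blanks skipped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _csv(value):
    return {v.strip() for v in value.split(",") if v.strip()}


def exposed_endpoints(properties_text):
    """Endpoint ids reachable over HTTP: include minus exclude, minus disabled ones."""
    props = parse_properties(properties_text)
    include = _csv(props.get("management.endpoints.web.exposure.include", "")) or DEFAULT_INCLUDE
    exclude = _csv(props.get("management.endpoints.web.exposure.exclude", ""))
    if "*" in include:
        include = set(KNOWN_ENDPOINTS)
    if "*" in exclude:
        exclude = set(KNOWN_ENDPOINTS)
    exposed = set()
    for ep in include - exclude:
        default = str(KNOWN_ENDPOINTS.get(ep, True)).lower()
        if props.get(f"management.endpoint.{ep}.enabled", default).lower() == "true":
            exposed.add(ep)
    return exposed


def audit_actuator_config(properties_text):
    """Return (severity, message) pairs; an empty list means nothing to fix."""
    props = parse_properties(properties_text)
    issues = []
    if "*" in _csv(props.get("management.endpoints.web.exposure.include", "")):
        issues.append(("critical",
                       "management.endpoints.web.exposure.include=* exposes every actuator endpoint over HTTP"))
    leaked = sorted(exposed_endpoints(properties_text) & SENSITIVE)
    if leaked:
        issues.append(("high", "sensitive actuator endpoints reachable over HTTP: " + ", ".join(leaked)))
        app_port = props.get("server.port", "8080")
        mgmt_port = props.get("management.server.port", app_port)
        if mgmt_port == app_port:
            issues.append(("medium",
                           f"management endpoints share application port {app_port}; "
                           "set management.server.port and restrict it to internal networks"))
    return issues


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(label, sorted(exposed_endpoints(text)))
        for severity, message in audit_actuator_config(text):
            print(f"  [{severity}] {message}")
```

Run as a pre-production check, the weak file yields three findings (wildcard exposure, a list of sensitive endpoints headed by `heapdump`, and management traffic on the public port) while the hardened file yields none and exposes only `health` and `info`. The check complements rather than replaces discovery: it can only see configuration you know about, which is exactly why the post stresses inventorying every publicly reachable host first.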

Our CQ Prime threat research team is constantly on the lookout for new and interesting threats, working to understand how they operate, where they’re being delivered from, the tools delivering the attack, and so on. This understanding not only enriches them professionally, but makes our product offering more valuable, as their insights and learnings are constantly being added to our machine learning models and threat database. All of which is to say, their work is constantly making the Cequence Unified API Protection platform an even more capable solution, benefiting all of our customers.

Cybersecurity Strategies for Protecting the Retail Business

Retailers must safeguard their electronic presence to protect their customers, their partners, and the business as a whole. Not doing so is costly on many fronts. A discover, comply, and protect methodology is an effective framework for meeting these retail cybersecurity goals.

  • Discover your APIs. You can’t protect what you’re unaware of, so it makes sense to put a system in place that continuously discovers and inventories new, unknown, and shadow APIs. Cequence Spyder is an easy way to get started.
  • Make sure that your APIs follow your internal governance as well as comply with external regulations. For example, most retailers accept credit cards, and therefore must comply with PCI DSS. Having documentation for your APIs and testing them in pre-production before going live is key. Cequence Sentinel offers API security testing and compliance.
  • Retailers must protect their applications and APIs to prevent attacks, abuse, fraud, and data loss. Because every second of downtime matters, the system of record must be capable of real-time detection and mitigation. Cequence Spartan offers industry-leading application and API protection through bot management and fraud prevention.

Want to learn more? Get started with a free, no-obligation API security assessment that provides an attacker’s view into your organization’s APIs. Or better still, book a personalized demo.

Author

John Dasher

Vice President of Product Marketing

John Dasher, Cequence VP of product marketing, has extensive cybersecurity experience having held leadership roles contributing to 9 successful startup exits. Firms include Banyan Security, RiskSense, Niara, Good Technology, McAfee, PGP, and 11 years at Apple developing award-winning hardware and software products.
