
Changes in Retail and Hospitality Cyber Threat Trends During the 2020 and 2021 Holiday Seasons

by admin
Dec 21, 2022
in Cyber Intelligence

Key Infrastructure and Critical Vulnerabilities: New UBER Data Breach Highlights the Organizational Vulnerability From Supply Chain Attacks and Third-Party Software

A recent breach of the mobile device management platform Teqtivity has led to the most recent theft of UBER data. The unidentified threat actor responsible leaked employee email addresses, corporate reports, and IT asset information stolen from the third-party vendor. The four posts published on a popular hacking forum by “UberLeaks” (threat actor handle) mention the threat group Lapsus$, but reportedly fall short of claiming Lapsus$ is behind this breach. The mention of Lapsus$ traces back to the September attacks on UBER, in which threat actors gained access to UBER’s internal network and the company’s Slack server. UBER claims that despite this reference, Lapsus$ played no role in this most recent incident. According to a new report from UBER, the newly leaked data mainly consisted of source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses of over 77,000 UBER employees, and ‘other’ corporate information. A statement released by UBER confirmed that the leaked files and source code are not owned by UBER and are unrelated to the September security incident, although the company is still looking into the matter. UBER implied the leak of data comes from Teqtivity’s side. While no customer data has been leaked, the data does contain enough information to conduct targeted phishing attacks on employees at UBER. (1)

This recent breach at Teqtivity, a third-party vendor contracted by UBER, highlights the vulnerability employers face when their business is linked to third-party vendors. As a result of this leak, a large amount of employee data has been released to the world, opening the company up to an increased likelihood of phishing attacks. Security researchers who analyzed the leak recommend that UBER employees be on the lookout for phishing emails impersonating UBER IT personnel. This substantial breach at a major organization brings to light the importance of implementing security measures, not only within the organization itself but also in any organizations that have ties to the firm in question.

New & Noteworthy: Changes in Retail and Hospitality Cyber Threat Trends During the 2020 and 2021 Holiday Seasons

An analysis by the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC) determined there are six key consistent trends between the holiday seasons of 2020 and 2022. Reports about the Qakbot malware dropped from 34% of total reported threats in 2020 to 5% of total reported threats in 2021. Emotet, another prevalent malware, has also seen a significant drop, coming down from 20% of total reported threats in 2020 to 3% in 2021. While the aforementioned malware has seen a decrease in reports, Agent Tesla malware has risen from 15% in 2020 to 16% in 2021. Dridex remained relatively stable at 3% during both periods. With regard to the techniques used by cyber adversaries, credential harvesting and phishing remain two of the most common threats reported year-round. Credential harvesting indicators are up slightly, from 13% of all reported threats in 2020 to 17% of all reported threats in 2021. Phishing activity, on the other hand, is down slightly, from 18% in 2020 to 16% in 2021. (2, 3) Based on these trends, RH-ISAC suspects it is highly likely these same trends will appear again in the 2022 holiday season.

RH-ISAC members observed a notable increase in imposter websites, product-focused phishing attempts, and phishing attempts impersonating executives. To increase their defensive advantage, many organizations in the retail and hospitality sector are bringing into play updated security policies, subsequent planning for the worst-case scenario, and the use of resource and sharing platforms. (2)

Holiday seasons can be popular times for threat actors who want to carry out attacks. Making the extra effort to remain diligent with regard to security measures and preparation will continue to be the best defense against the unknown.

Exploit Tools and Targets: Increased Prevalence in Attacks Targeting the Healthcare Sector

Over the last week there were two ransomware attacks on healthcare organizations. The victims were Keralty (a Colombian health care provider) (4) and a French hospital. (5) The first of the two, the Colombian health care provider, suffered a disruption to its IT operations that left appointment scheduling unusable. The extent of the disruption led to patients waiting in line for at least twelve hours to receive care. (4) The French hospital suffered an attack on the facility’s phone and computer systems, forcing the hospital to partially cancel operations and transfer six patients to other healthcare facilities. (5)

Some threat actor groups have stated in the past that they will not knowingly attack public service providers such as healthcare facilities. It is evident that this restraint is beginning to phase out, as shown by the notable increase in attacks on the healthcare sector, which continues to increase year after year. (7) According to the Center for Internet Security, the average cost of a healthcare data breach is significantly higher than that of a non-healthcare related breach; they estimate the costs at $355 per healthcare-related record stolen versus $185 per non-healthcare related record stolen. (7) With healthcare records valued at almost double that of non-healthcare related records, threat groups are probably going to continue targeting healthcare organizations due to the potential benefits of a successful ransom.

About EclecticIQ Intelligence and Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at [email protected] or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery

Please refer to our support page for guidance on how to access the feeds.

Appendix

  1. https://www.bleepingcomputer.com/news/security/uber-suffers-new-data-breach-after-attack-on-vendor-info-leaked-online/
  2. https://rhisac.org/wp-content/uploads/Holiday-Trends-Report-2022_White.pdf
  3. https://rushhourtimes.com/holiday-2022-cyber-threat-trends-for-retail-and-hospitality/
  4. https://www.bleepingcomputer.com/news/security/keralty-ransomware-attack-impacts-colombias-health-care-system/
  5. https://www.bleepingcomputer.com/news/security/ransomware-attack-forces-french-hospital-to-transfer-patients/
  6. https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-royal-ransomware-targeting-healthcare/
  7. https://meriplex.com/the-rise-of-cyber-attacks-on-the-healthcare-industry/ 

*** This is a Security Bloggers Network syndicated blog from EclecticIQ Blog authored by EclecticIQ Threat Research Team. Read the original post at: https://blog.eclecticiq.com/changes-in-retail-and-hospitality-cyber-threat-trends-during-the-2020-and-2021-holiday-seasons
