Thanksgiving Weekend Begins Increased Security Threats for Teams

As the Thanksgiving weekend approaches, a pivotal holiday period begins across the United States and, increasingly, across global markets, opening a critical window for the retail industry.

For cybersecurity teams, the Black Friday weekend calls for heightened vigilance, as ransomware attackers and other malicious actors home in on the frenzy of consumer activity and on corporate IT infrastructure.

During this time, corporate workers often embark on family travels or vacations, engaging in limited work hours or remote check-ins. As companies grapple with negligible visibility into their IT ecosystems, the challenge of tracking remote employee identities intensifies, exacerbated by scarce off-hours staffing.

“Numerous security teams function at diminished capacity during the holiday season,” stated Scott Algeier, executive director of the Information Technology Information Sharing and Analysis Center, during a discussion with Cybersecurity Dive. “Nevertheless, this does not imply that networks are left defenseless.”

Fortifying the Perimeter

Managing security amidst the proliferation of remote work has presented persistent challenges for organizations. Employees frequently access corporate networks from home, employing personal devices or software not sanctioned by their employers, often sharing those devices with family members.

These complications are magnified during the holiday season, as employees connect to their corporate networks from varied locations and time zones.

This complexity renders it increasingly arduous for security teams to verify the identities of employees, contractors, or high-ranking executives with privileged access.

Notably, ransomware groups and other cyber adversaries preferentially initiate reconnaissance and malicious activities during overnight hours, weekends, or extended holidays—periods when security personnel are often distracted or unavailable due to reduced staffing.

A report unveiled by the cybersecurity firm Semperis reveals that over half of all ransomware attacks in the past year transpired during weekends or holidays. Conducted by Censuswide, a market research organization based in London, the report surveyed 1,500 IT and security professionals worldwide.

The participants included security leaders from North America, the United Kingdom, continental Europe, and the Asia-Pacific region.

The findings indicated that approximately three-quarters of organizations maintain an in-house security operations center. Furthermore, eight in ten companies curtail their staffing levels by 50% or more during weekends and holidays, thereby heightening their vulnerability to cyberattacks.

“During the holiday period, we recognize that security teams are predominantly operating with reduced personnel,” commented Matt Brady, senior principal researcher in Unit 42 at Palo Alto Networks.

“Unfortunately, cybercriminals are acutely aware of this and actively seek to leverage those coverage gaps.”

Insights from a Lengthy Weekend

A social engineering attack against Marks & Spencer illustrates the vulnerabilities prevalent during holiday periods. Testimony before a subcommittee in the U.K. House of Commons revealed that this damaging attack commenced on April 17, mere days before Easter.

The fallout from this attack amounted to over $400 million in lost revenue and costs for the British retail giant, marking one of the initial incidents in a series of cyberattacks attributed to the Scattered Spider group.

The entire retail sector subsequently endured months of assaults, leading to significant financial losses and compromises of customer data across various nations.

Officials from the Retail & Hospitality Information Sharing and Analysis Center indicated that retailers typically undertake additional safeguards in anticipation of the holiday season.

“Many begin reinforcing their defenses months in advance with comprehensive, company-wide security training programs, enhanced phishing simulations, and mandatory refreshers for frontline staff,” noted Pam Lindemoen, chief security officer and vice president at RH-ISAC, speaking to Cybersecurity Dive.

“They update and rehearse incident response protocols, conduct more frequent and realistic tabletop exercises, and enhance access controls on critical systems.”

While the Cybersecurity and Infrastructure Security Agency has not flagged any specific threats related to the holiday season, it has indicated readiness to address any potential crises.

“The holiday season inherently elevates the risk of malicious actors exploiting vulnerable systems,” remarked CISA spokesperson Marci McCarthy. “This underscores the imperative for robust cybersecurity practices to be sustained year-round, not solely during periods of heightened alert.”

Overnight Encryption

Researchers from the Google Threat Intelligence Group have advised that while ransomware activity may not experience a notable surge during holiday seasons, off-hours attacks provide adversaries with improved access to sensitive data.

Zach Riddle, a principal analyst at GTIG, observed that ransomware incidents in December have shown slight reductions in activity.

He referenced leaked communications from hackers utilizing Black Basta ransomware, which indicated that these actors typically pause their operations between Christmas Eve and January 15, coinciding with the conclusion of the Russian Orthodox Christmas holiday.

However, Riddle cautioned that ransomware groups strategically deploy attacks during off-hours to encrypt targeted data.

In 2024, hackers reportedly encrypted data between the hours of 6 p.m. and 8 a.m. in over 70% of incidents that his company investigated. Additionally, in 30% of cases, encryption activities commenced over weekends.

“This tendency likely stems from the aim to deploy ransomware outside of standard working hours, thereby minimizing detection while maximizing impact,” Riddle told Cybersecurity Dive.

“Executing encryption during non-working hours affords threat actors additional time to finalize their operations before victims can recognize and respond to the incidents, especially when multiple systems are affected, which can prolong the encryption process significantly.”

Source link: Cybersecuritydive.com.

Reported By

RS Web Solutions
