Two weeks ago, Morphisec Lab, led by VP R&D Michael Gorelik, warned of a new attack by the FIN7 cybercrime group against restaurants across the US. Earlier this year, the financially motivated FIN7 group, one of the leading threat actor groups operating today, targeted restaurant chains Chipotle, Baja Fresh and Ruby Tuesday, among others. And you certainly remember the massive 2016 attack on the Wendy’s fast food chain, which resulted in over 1000 Wendy’s locations hit by a credit card breach. Numbers were also big in the Arby’s data breach discovered in January 2017: according to the credit union service PSCU, 350,000 credit and debit card accounts might have been impacted by the hack on Arby’s point-of-sale (PoS) systems.
Clearly, the restaurant industry is a target of choice for hackers.
The picture becomes even gloomier when looking at the hospitality industry as a whole. Over the past several years, virtually every major hotel group has been attacked: Starwood Hotels & Resorts (including Sheraton, Westin and W Hotel brands), Mandarin Oriental Hotels group, Trump Hotels, Hilton, Hyatt, Hard Rock Hotels and Omni Hotels, among others. The latest victim, the Intercontinental Hotel Group, discovered malware across multiple brands and more than 1,000 properties. They are still investigating the extent of the breach.
What Makes the Hospitality Industry so Vulnerable?
The past five years have seen a huge shift in the hospitality industry. Hotels are now nearly completely digitalized, pushed, in part, by online travel agencies (OTAs) such as Expedia and Hotels.com. Restaurants of all sizes are increasingly digital as well, from reservation apps and payment processing systems to the complex corporate networks of large chains. Most establishments successfully made the rapid transition demanded, but the necessary IT and security resources did not keep pace. At the same time, cyber threats continue to rapidly evolve, ranging from point-of-sale (PoS) malware to DDoS attacks, ransomware, malvertising and spear phishing attacks. In addition, CISOs need to worry about attacks via vulnerable 3rd party suppliers and OTAs. Just last month, Hotels.com suffered a breach which exposed customer login and contact information along with the stored credit card information.
Common hospitality cyberattack Types
An overwhelming 74% of all hospitality cyberattacks involve PoS intrusions. PoS systems are a weak security point for many networks as they are in constant use and often are not patched or updated – they also provide direct access to lucrative payment cards and other personal data, such as passport information, driver's license details, address details, emails, date of birth, and more. Cybercriminals have established their marketplaces on the dark web to easily trade this lucrative information for money. In addition, PoS systems in hotel restaurants and other on-premise facilities also serve as gateways to a chain’s regional, national or global data systems.
DoS attacks that swamp the business’s networks account for approximately 20% of hospitality cyber incidents. While they don’t carry the same risks as data breaches, they can impact revenue by bringing down critical systems such as online booking portals and billing systems. In addition, DDoS attacks are often a diversion to hide other attacks, mainly data exfiltration.
As if hospitality didn’t have enough to contend with, ransomware has emerged as a viable threat to the industry. In January 2017, attackers locked the computer system of a four-star Austrian hotel, demanding $1,800 in bitcoins to restore functionality.
The Hacker’s Icing on the Cake – Stolen Data
The wide-spread Jaff Ransomware attacks in May 2017 are a perfect example of the integration between data breach, ransomware and “cybercrime e-commerce”: this ransomware doesn’t stop at encrypting the victims’ data, it also extracts any valuable data to be sold on a webshop that resides on the same server as the ransomware. “By combining these informational assets, cybercriminals are engaging in both the long game, required to monetize stolen card data and in quick wins, such as targeted ransomware attacks, whose simpler business model yields a fast return on investment,” states Heimdal Security in a recent blog post.
Sheltering From attacks
With solid policies, a reasonable, well-managed patching plan, and the right combination of traditional and innovative cyber security products, the hospitality industry can make itself safer from current threats as well as those to come. Early detection is key to controlling attack costs and reputation damage. The hospitality industry has a better track record than some – most incidents are discovered within several weeks. But with system breach taking only minutes and data exfiltration completed in hours or days, it’s not good enough.
In many cases, loading up slim PoS terminals with heavy anti-malware products is not feasible from a system performance point of view. Therefore, restaurant and hotel businesses should focus on building a security stack for their PoS devices and other systems that prevents threats at the pre-breach stage, but does not slow down operations or require a huge IT team. A good prevention stack consists of an antivirus solution to handle known threats and a prevention layer that effectively prevents unknown, advanced attacks.
While there are many serviceable AV solutions to pick from, protecting against advanced threats gets trickier. For example, the latest FIN7 attacks on restaurants used fileless techniques that were not only undetectable by signature-based AV solutions, but also weren’t stopped by many of the behavioral security tools. Detection tools offer no refuge from the growing fileless and sophisticated in-memory attack vectors . Morphisec’s patented Moving Target Defense technology by contrast is attack agnostic. It makes targeted vulnerabilities in applications and web browsers inaccessible to attackers by morphing the targets ahead of attacks.
Understanding the threats is the first step to a better defense. Contact us to discuss with our security experts how Morphisec can protect your hospitality business in an ever-evolving threat landscape.