An apparent ransomware infection at Barnes & Noble, which impacted the retailer’s corporate systems and disabled in-store point-of-sale terminals, has led to speculation over whether a lack of business network segmentation could have assisted the malware’s propagation.
The Oct. 10 attack also prevented users of the Nook digital reader from accessing content and services, serving as a reminder to the corporate world of the unique damage that ransomware can deal to companies specializing in consumer-facing content delivery and distribution.
How did it happen?
New York-based Barnes & Noble acknowledged the incident in a public statement, via Twitter and in an emailed notification to customers, though it has not confirmed the initial attack vector or explained how the malware crept from one part of the business to another. Technically, it hasn’t even used the word ransomware, although reports state that the Egregor ransomware gang has posted snippets of data stolen from the retailer’s breached network, in what appears to be yet another “double extortion” attack (meaning files were encrypted plus data was stolen in an attempt to coerce a ransom payment).
“Barnes & Noble was the victim of a cybersecurity attack,” the retailer said in a statement provided to SC Media. “While we are still investigating, we can reconfirm that as all customer data is end to end encrypted and tokenized that no customer credit card or other financial data was exposed.”
While some experts advised avoiding conjecture, others have openly considered the possibility that a lack of business segmentation could have exacerbated the attack, both because the malware was able to spread across B&N systems on its own and because the adversaries were able to move silently and laterally around the compromised organization for a period of time before executing the ransomware.
“Certainly, properly configured security segmentation is designed to help prevent intruders from moving laterally throughout a network,” said Jonathan Reiber, senior director of cybersecurity strategy and policy at AttackIQ. “There are dozens of historical examples from the SingHealth intrusion to the OPM intrusion where a hostile actor made their way onto one server in one part of the network and then migrated further into the network, moving laterally from server to server, due to a lack of segmentation.”
However, “without having full forensic detail, I wouldn't speculate on what happened,” he noted.
Brett Callow, threat analyst at Emsisoft, did offer the possibility that systems were taken offline as a precautionary measure, adding that “at least one ransomware group has previously been observed scanning for POS systems as part of their attack.” James Carder, chief security officer and vice president at LogRhythm, said “the incident begs the question of why two very different and distinct environments are connected to each other,” calling it an indication of weak internal controls.
“Additionally, the likelihood that a compromised consumer device spread to the server, then down to the POS systems is very low," Carder added. “Without more data, the initial compromise likely happened at the back-end infrastructure that supports the eReader.”
Getting segmentation right
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, also acknowledged that segmentation “is difficult to get right. Internal computer systems often need access to and from dozens of other systems they are dependent on. Does the backup server need to have access to the segmented network? Do administrators need access for maintenance and troubleshooting? Any of these things and more can provide pathways to compromise segmented networks.”
“Even best practices like requiring IT administrators to connect to segmented networks through gateway systems or ‘jump boxes’ or through private administrative VLANs can quickly fail if an attacker gains administrator-level access through another network segment,” Clements continued.
Another common segmentation issue relates to VPN remote access, Clements added. “In many organizations improper VPN access controls give normal users access to the entire network, but even if access to sensitive segmented networks has been restricted to administrators only, the flood of recent VPN server vulnerabilities can give attackers a direct pathway to stealing administrator passwords and access."
Indeed, there is also conjecture that the Barnes & Noble attack may have been carried out by exploiting a vulnerability in Pulse Connect Secure VPN servers (CVE-2019-11510), after Bad Packets reported that the retailer failed to patch the flaw for months.
“First, we looked for a vulnerability disclosure policy from B&N and didn’t find one. That is a huge issue,” said Chloé Messdaghi, vice president of strategy at Point3 Security. “This really demonstrates the value of vulnerability programs and the importance of systematically managing and addressing the vulnerability alerts that they often yield.”
Discontent with lack of content
Whatever the cause of the attack, the infection caused chaos after NOOK users were unable to pull up books that they had purchased from the retailer.
Needless to say, consumers became agitated, which plays to the advantage of any attacker who strategically targets providers and distributors of digital content, be it books or video games or music.
“Get better technical support. I'm tired of not being able to read one of the thousand plus books on my Samsung tablet through the nook app,” said one Twitter user in response to a B&N posting.
“Content providers are an obvious target for ransomware groups as they are perceived to be more likely to pay due to pressure from customers to restore systems,” said Callow. “This is especially true as the longer an outage drags on, the more likely it is that customers will transition to an alternative platform resulting in a permanent loss of revenue.”
“The core business of digital content providers is allowing customers to have access to content at their fingertips,” agreed Chris Kennedy, chief information security officer and vice president of customer success at AttackIQ. “This is a relatively saturated market, which means ease of use and timely availability are what draws consumers to one provider versus another... Ransomware attacks executing DoS of content will be catastrophic, given all of the other options available to consumers and ways that content can be consumed.”
Barnes & Noble isn’t the first to face this dilemma. During the recent Garmin ransomware attack and services outage, consumers complained their watches weren’t working, and the aviation industry made clear that the navigational data they’d contracted for was business critical. "When customer data is put out there by attackers it becomes a customer loyalty problem and a PR situation,” said Messdaghi.
Meanwhile, Clements likened the incident to a reported attack earlier this year against Canon. “Due to a cyberattack, users lost access to photos stored on Canon systems for several days and many lost older photos completely," he said. "In this latest instance, it appears the Barnes & Noble outage prevented users from accessing eBooks purchased due to [digital rights management] restrictions. If accessing digital content requires checking in with the provider to validate licensed content, any disruption in connecting to the provider can prevent users from accessing content they have purchased."
An email notification sent to customers noted that the attack “resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems” and exposed personal information, including email, billing and shipping addresses, and telephone numbers.
Messdaghi gave Barnes & Noble a mixed review for its public incident response so far, noting that “it’s helpful that B&N informed us that... payment info was encrypted and not exposed,” but “I wish they had also offered some valuable advice that most consumers probably don’t already know.” For instance, Messdaghi said the retailer’s notification did not advise customers to change their account passwords, which she found to be “a bit curious.”