
Economic Reality Hits Stores

Cyber Attacks Disrupt Major UK Retailers in Early 2025: A string of cybersecurity breaches badly affected the operations of some of the biggest retail companies in the United Kingdom.

Reality Bites for Retail Industry


In a series of high-profile attacks, cybercriminals have targeted virtualisation infrastructure, exploiting predictable weaknesses in help-desk processes to get in, then reaching sensitive data and disrupting operations.

The group behind these attacks, tracked as UNC3944 (also known as Scattered Spider), has been linked to the incidents at the MGM and Caesars casinos as well as to attacks on major retailers and UK-based companies including Marks & Spencer, Co-op, and Harrods.

The attacks follow a familiar pattern. Attackers pose as staff, using publicly available information and social cues to talk help-desk agents into resetting credentials. Once inside, they aim for domain control, primarily targeting Active Directory's core database, NTDS.dit, which holds the password hashes of every domain account. Control of the virtualisation layer makes this easier: an attacker who administers the hypervisor can copy a domain controller's virtual disk and extract NTDS.dit offline, out of reach of any endpoint agent running inside the guest.

The secure-by-design mindset means building systems that resist compromise by default: removing implicit trust, segmenting access, reducing privilege, and treating administrative operations with high scrutiny. In practice, however, structural flaws persist in the processes around critical systems, leaving them open to help-desk impersonation.

Common flaws include a single, weak help-desk process applied to every account regardless of privilege; reliance on single-factor or easily researched identity checks such as caller ID and security questions; no additional layer of verification for privileged changes; susceptibility to social engineering; and poor monitoring and auditing of help-desk activity.

Addressing these flaws means making the design less insecure. That includes requiring multiple, independent identity verification steps before any credential or MFA reset; running different processes depending on the privilege level of the account; training and supporting help-desk staff continuously; monitoring and auditing every help-desk interaction that involves a privileged change; and limiting external domain trust.
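The two process controls above, tiered verification and an audit trail for every privileged change, can be enforced in software rather than left to an agent's judgement under pressure. The following is an added example, not code from the page or from any help-desk product; the tiers, factor names, thresholds and sample requests are assumptions chosen to show the design:

```python
"""Tiered verification policy for help-desk password and MFA resets.

Added example, not the page's or any vendor's code. The tiers, factor names,
thresholds and sample requests are assumptions chosen to show the design.
"""
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    STANDARD = 1    # ordinary user account
    ELEVATED = 2    # access to sensitive systems or data
    PRIVILEGED = 3  # domain, hypervisor or identity-provider administrator


# Caller ID and security questions are weak on their own: both can be
# obtained by an attacker who has researched the target.
WEAK_FACTORS = {"caller_id", "security_questions"}
# Strong factors each rely on something the impersonator does not control.
STRONG_FACTORS = {"callback_to_registered_number", "existing_mfa_push",
                  "manager_approval", "video_id_check"}

# Assumed policy: higher tiers need more checks, more of them strong, and a
# second agent's approval so one agent cannot be talked into a reset alone.
POLICY = {
    Tier.STANDARD:   {"min_strong": 1, "min_total": 2, "second_agent": False},
    Tier.ELEVATED:   {"min_strong": 2, "min_total": 3, "second_agent": True},
    Tier.PRIVILEGED: {"min_strong": 3, "min_total": 3, "second_agent": True},
}


@dataclass
class ResetRequest:
    account: str
    tier: Tier
    change: str                 # "password_reset" or "mfa_reset"
    factors_completed: set
    agent: str
    second_agent_approved: bool = False


@dataclass
class Decision:
    approved: bool
    reasons: list = field(default_factory=list)
    audit_record: dict = field(default_factory=dict)


def effective_tier(req: ResetRequest) -> Tier:
    """An MFA reset weakens every later login, so a standard account's MFA
    reset is handled under the elevated process."""
    if req.change == "mfa_reset" and req.tier == Tier.STANDARD:
        return Tier.ELEVATED
    return req.tier


def evaluate(req: ResetRequest) -> Decision:
    """Decide whether the help desk may perform the change, and always
    produce an audit record, approved or not."""
    tier = effective_tier(req)
    rule = POLICY[tier]
    strong = req.factors_completed & STRONG_FACTORS
    weak = req.factors_completed & WEAK_FACTORS
    unknown = req.factors_completed - STRONG_FACTORS - WEAK_FACTORS
    # A caller asking for an MFA reset claims to have lost the MFA device,
    # so a push to the existing device cannot count towards the check.
    if req.change == "mfa_reset":
        strong.discard("existing_mfa_push")

    reasons = []
    if unknown:
        reasons.append(f"unrecognised factors: {sorted(unknown)}")
    if len(strong) < rule["min_strong"]:
        reasons.append(f"need {rule['min_strong']} strong factors, have {len(strong)}")
    if len(strong) + len(weak) < rule["min_total"]:
        reasons.append(f"need {rule['min_total']} factors in total, have {len(strong) + len(weak)}")
    if rule["second_agent"] and not req.second_agent_approved:
        reasons.append("second agent approval required for this tier")

    audit = {
        "account": req.account,
        "tier": tier.name,
        "change": req.change,
        "agent": req.agent,
        "factors": sorted(req.factors_completed),
        "approved": not reasons,
        "reasons": list(reasons),
    }
    return Decision(approved=not reasons, reasons=reasons, audit_record=audit)


if __name__ == "__main__":
    # Constructed requests: a routine reset, and a privileged MFA reset that
    # is refused because caller ID and security questions are not enough.
    routine = ResetRequest("m.brown", Tier.STANDARD, "password_reset",
                           {"caller_id", "callback_to_registered_number"}, "hd-02")
    admin = ResetRequest("a.jones", Tier.PRIVILEGED, "mfa_reset",
                         {"caller_id", "security_questions", "existing_mfa_push"},
                         "hd-07", second_agent_approved=True)
    for req in (routine, admin):
        d = evaluate(req)
        print(req.account, "APPROVED" if d.approved else "REFUSED", d.reasons)
```

The point of the design is that the decision is made by policy, not by the agent, and that a refusal is recorded just as an approval is: a run of refused privileged resets against one account is itself a signal worth alerting on.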

Moreover, behaviour-based endpoint detection and response (EDR/XDR) platforms can pick up anomalous post-compromise activity early, limiting the damage once an initial impersonation has succeeded.
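Detection does not have to wait for the endpoint, though. The same help-desk audit trail the preceding paragraphs call for can be correlated with identity-provider and Active Directory events to catch the pattern described earlier: a reset, an immediate MFA re-enrolment, then a login from somewhere new or a jump in privilege. The following is an added example, not taken from the page or from any EDR/XDR product; the JSON log format, field names, thresholds and every sample event are constructed for illustration:

```python
"""Correlate help-desk resets with what the account does next.

Added example, not taken from the page or from any EDR/XDR product. The
JSON log format, field names, thresholds and every sample event below are
constructed for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log: one JSON object per line from the help desk,
# the identity provider and Active Directory, merged into one stream.
SAMPLE_LOG = """
{"ts": "2025-04-22T09:00:00Z", "event": "helpdesk.password_reset", "account": "a.jones", "agent": "hd-07", "ticket": "INC1001"}
{"ts": "2025-04-22T09:04:00Z", "event": "idp.mfa_enroll", "account": "a.jones", "device": "Authenticator (new phone)"}
{"ts": "2025-04-22T09:06:00Z", "event": "idp.login", "account": "a.jones", "src": "203.0.113.5", "new_location": true}
{"ts": "2025-04-22T09:31:00Z", "event": "ad.group_add", "account": "a.jones", "group": "Domain Admins", "actor": "a.jones"}
{"ts": "2025-04-22T10:00:00Z", "event": "helpdesk.password_reset", "account": "m.brown", "agent": "hd-02", "ticket": "INC1002"}
{"ts": "2025-04-22T10:12:00Z", "event": "idp.login", "account": "m.brown", "src": "198.51.100.7", "new_location": false}
{"ts": "2025-04-22T11:00:00Z", "event": "idp.mfa_enroll", "account": "k.lee", "device": "YubiKey"}
"""

RESET_EVENTS = {"helpdesk.password_reset", "helpdesk.mfa_reset"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "vSphere Administrators"}


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts with a real timestamp, oldest first."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def followup_label(e: dict):
    """Name the follow-up behaviours that matter after a reset, else None."""
    if e["event"] == "idp.mfa_enroll":
        return "mfa re-enrolment"
    if e["event"] == "idp.login" and e.get("new_location"):
        return "login from new location"
    if e["event"] == "ad.group_add" and e.get("group") in PRIVILEGED_GROUPS:
        return f"added to {e['group']}"
    return None


def detect(events: list, window_minutes: int = 60) -> list:
    """For each help-desk reset, gather suspicious activity by the same
    account inside the window and alert when the pattern matches."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for i, reset in enumerate(events):
        if reset["event"] not in RESET_EVENTS:
            continue
        chain = []
        for follow in events[i + 1:]:
            if follow["ts"] - reset["ts"] > window:
                break                      # events are sorted, nothing later qualifies
            if follow["account"] != reset["account"]:
                continue
            label = followup_label(follow)
            if label:
                chain.append((follow["ts"], label))
        labels = {label for _, label in chain}
        # A reset on its own is normal help-desk work. Alert when the new
        # credential is immediately paired with a new MFA factor and then
        # used from somewhere new or to gain privilege.
        if "mfa re-enrolment" in labels and len(labels) >= 2:
            alerts.append({
                "account": reset["account"],
                "ticket": reset.get("ticket"),
                "agent": reset.get("agent"),
                "chain": chain,
                "severity": "high" if any(l.startswith("added to") for l in labels) else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(f"[{alert['severity']}] {alert['account']} via ticket {alert['ticket']} ({alert['agent']}):")
        for ts, label in alert["chain"]:
            print(f"    {ts:%H:%M} {label}")
```

On the constructed log only a.jones trips the rule; m.brown's reset is followed by a login from a known location and nothing else, which is what an ordinary reset looks like. Because every alert carries the ticket and agent, the same output also feeds the audit of help-desk interactions involving privileged changes.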

The attacks on retail brands, including Marks & Spencer, have caused significant financial and operational losses. Marks & Spencer took the hardest operational hit, with estimated losses of £30 million and ongoing lost revenue of up to £15 million per week. Harrods, by contrast, detected the attack early and restricted internet access as a precaution, and has so far avoided significant operational or reputational damage.

These attacks are predictable and preventable. They underline the need for less insecure design and a shift towards secure architecture: zero trust, least privilege and plain good engineering, which here means redesigning help-desk flows so that identity is verified properly before anything is reset.

In essence, securing critical systems against help-desk impersonation requires structural, procedural change that goes beyond technical controls: human factors, continuous training of help-desk staff, and continuous monitoring of what the help desk does.

Technology should be integrated with those process changes rather than bolted on afterwards: multiple independent identity verification steps, separate processes keyed to the privilege level of the account, and monitoring of every help-desk interaction that results in a privileged change. Together these address the predictable weaknesses in current help-desk designs that attackers such as UNC3944 exploit.
