Cyberattack: More Flattening Than Flat Packed

IKEA is a multinational conglomerate of Swedish origin, headquartered in the Netherlands, that designs and sells ready-to-assemble furniture, kitchen appliances and home accessories, among other goods and home services.

On 26 November, IKEA confirmed that it was battling a cyberattack that has caused, and is continuing to cause, malware to spread from device to device and from employee to employee.

The attackers gained access to, and then control of, servers, and used them to run an internal phishing campaign in which employees received trojanized internal emails, causing chaos and havoc.

Domino Effect

This is known as a reply-chain attack: cybercriminals take command and control (C2) of servers and can capture, alter and adapt emails, planting malicious code and documents that then install malware on the devices of totally unsuspecting recipients. Think of this nightmare as a line of perfectly formed dominoes: one by one they will fall, and in the case of IKEA’s network, all are aligned and connected.
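One way a mail team can triage for the pattern described above, shown as an added Python example that is not part of the original article: it flags replies that bring a risky attachment into a thread whose earlier messages carried none. The extension list, the helper names, the sample messages and the heuristic itself are assumptions for illustration.

```python
from email.message import EmailMessage

RISKY_EXT = (".zip", ".iso", ".lnk", ".docm", ".xlsm")  # assumed policy list

def make_msg(msg_id, sender, reply_to=None, attachment=None):
    """Build one constructed sample message (not real mail)."""
    m = EmailMessage()
    m["Message-ID"] = msg_id
    m["From"] = sender
    if reply_to:
        m["In-Reply-To"] = reply_to
    m.set_content("sample body")
    if attachment:
        m.add_attachment(b"sample", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m

def has_risky_attachment(msg):
    return any((p.get_filename() or "").lower().endswith(RISKY_EXT)
               for p in msg.iter_attachments())

def flag_reply_chain(messages):
    """Return Message-IDs of replies that bring a risky attachment into a
    thread whose earlier messages carried none. Input is in arrival order."""
    thread_risky = {}   # Message-ID -> has this thread carried a risky file?
    flagged = []
    for m in messages:
        mid = str(m["Message-ID"]).strip()
        parent = str(m["In-Reply-To"] or "").strip()
        risky = has_risky_attachment(m)
        if parent in thread_risky and risky and not thread_risky[parent]:
            flagged.append(mid)
        thread_risky[mid] = risky or thread_risky.get(parent, False)
    return flagged

# Constructed sample mailbox: a clean thread, an injected reply, a new thread.
SAMPLE = [
    make_msg("<a1@corp.example.test>", "alice@corp.example.test"),
    make_msg("<a2@corp.example.test>", "bob@corp.example.test",
             reply_to="<a1@corp.example.test>"),
    make_msg("<x9@corp.example.test>", "alice@corp.example.test",
             reply_to="<a2@corp.example.test>", attachment="invoice.zip"),
    make_msg("<b1@partner.example.test>", "carol@partner.example.test",
             attachment="report.zip"),
]

if __name__ == "__main__":
    print(flag_reply_chain(SAMPLE))
```

A hit is a prompt for review, not a verdict: legitimate replies also add archives, so the output belongs in a triage queue alongside sender and relay checks.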

The chaos caused was similar to the cyberattack only weeks ago at Media Markt, where staff were told to unplug everything from the internet after also suffering digital infiltration of their servers.

Furthermore, only two weeks ago, the FBI sent around one hundred thousand emails to organizations warning them of a cyberattack in flight. The only thing is, the FBI didn’t actually send them, although they did indeed come from the FBI. They had been sent by cybercriminals masquerading as the FBI in a phishing campaign. This was made possible because the FBI itself had overlooked, and negligently left exposed, insecure subdomains and servers that were then easily exploited by cybercriminals who gained C2.

Spreading Like a Virus

IKEA confirmed the attack in an internal email sent to IKEA employees: “There is an ongoing cyberattack that is targeting Inter IKEA mailboxes. Other IKEA organizations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA.” The cyberattack is potentially on a pandemic scale and will not just cause chaos and disruption internally but spread to a much wider ecosystem of suppliers, partners and even customers.

It would be incredibly naïve to think that customers’ data and personally identifiable information (PII) will not also be compromised in the attack, as the connectivity between servers, departments and stores is seemingly adversely affected as part of this attack.

But how does this digital infiltration happen?

With cyberattacks increasing exponentially throughout the 2000s, tech giants finally realized that security required upgrading. Unbelievably, as with all things security focussed, it took many, many years to start taking security seriously, and arguably it still isn’t taken seriously. However, in 2018, after many years of pushing for increased security, Google, Mozilla and all other Internet Service Providers (ISPs) agreed that HTTP (Hypertext Transfer Protocol) had been so easily broken that all websites should now require HTTPS, the S standing for secure. Google went further, suggesting that the dreaded Not Secure text in the address bar would shame all companies into complying and migrating to HTTPS. It did not go so well, and still doesn’t, as the attached Not Secure IKEA subdomain confirms.

Spot the Difference

Let’s confirm the difference between using HTTPS and HTTP. HTTPS means the website and organization are using the latest security features of encryption. It also means the website is authenticated and belongs to the domain, and is not a copy or shadow website of the kind often stood up to look like a company in order to trick visitors out of money or that prized PII data, which is then commoditized for illegal purposes. It also means the data, both at rest and in flight, is encrypted. Sadly, this alone does not confirm the overall security of the website; however, it is a good start.

When a website is not using HTTPS, it could be that the website is a spoof website, because it cannot be authenticated. The data lacks integrity and can be tampered with, and data in flight is unencrypted. That is to say, it is in plain text form and not encrypted or cipher text. When such a situation occurs, it creates a massive cybercriminal draw, since infiltrating plain text data and exfiltrating it is easy and criminals do not even need to bother trying to decrypt it. Yet it may include highly sensitive information, including PII data such as names, addresses, credit card numbers, codes and so on.
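A check that an organization can run against its own host inventory to find sites that would show Not Secure, given here as an added Python example that is not part of the original article. The hostnames and probe results are constructed, and the 180-day HSTS floor and the grading labels are assumptions.

```python
import http.client
import re
import ssl

def probe(host, timeout=5):
    """Live check of one host from your own inventory (needs network)."""
    p = {"http_status": None, "location": "", "https_ok": False, "hsts": ""}
    try:
        c = http.client.HTTPConnection(host, timeout=timeout)
        c.request("GET", "/")              # http.client never follows redirects
        r = c.getresponse()
        p["http_status"] = r.status
        p["location"] = r.getheader("Location", "")
    except (OSError, http.client.HTTPException):
        pass                               # port 80 closed or unreachable
    try:
        ctx = ssl.create_default_context()  # verifies chain and hostname
        c = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
        c.request("GET", "/")
        p["hsts"] = c.getresponse().getheader("Strict-Transport-Security", "")
        p["https_ok"] = True
    except (OSError, http.client.HTTPException):
        pass                               # no listener, or certificate rejected
    return p

def classify(p, min_age=15552000):         # 180 days: an assumed policy floor
    """Grade a probe result from the visitor's point of view."""
    redirected = (p["http_status"] in (301, 302, 307, 308)
                  and p["location"].lower().startswith("https://"))
    if p["http_status"] is not None and not redirected:
        return "NOT SECURE: answers over plain HTTP"
    if not p["https_ok"]:
        return "NOT SECURE: no valid HTTPS endpoint"
    m = re.search(r"max-age=(\d+)", p["hsts"], re.I)
    if not m or int(m.group(1)) < min_age:
        return "WEAK: HTTPS works, HSTS missing or short"
    return "OK: HTTPS with HSTS"

SAMPLES = {  # constructed probe results, not measurements of any real site
    "catalogue.example.test": {"http_status": 200, "location": "",
                               "https_ok": False, "hsts": ""},
    "shop.example.test": {"http_status": 301, "https_ok": True, "hsts": "",
                          "location": "https://shop.example.test/"},
    "pay.example.test": {"http_status": 308, "https_ok": True,
                         "location": "https://pay.example.test/",
                         "hsts": "max-age=31536000; includeSubDomains"},
}
```

Running `classify(probe(host))` over every name in the inventory, including forgotten subdomains, gives a list to fix in priority order, starting with anything that answers over plain HTTP.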

What the tech giants enforced in 2018 required mass migration to HTTPS. Those that overlooked it, forgot or were simply negligent were caught, often unknowingly, in the Not Secure trap. Perversely, it may be that 2018 marked the largest single internet security event, but also created the single largest increase in identifying exposed and insecure websites, servers and companies. We have witnessed cyber and ransomware attacks go from around $1 trillion in 2018 to $6 trillion in 2021. We suggest this vast increase and loss is, in part, a direct result of these changes.

As we can see from IKEA’s domino effect cyberattack, servers are connected. They are connected to each other to share information and data to avoid multiple entries for staff and customers. They collect, collate and share data, often to external parties for payment. Customers’ spending and buying habits could be monitored, along with targeted campaigns, offers and so forth.

We launched a Website and Internet Threat Analysis (WITA) on the same day as the announcement of the ongoing cyberattack and found a plethora of IKEA insecure and Not Secure websites and servers. One such website, http://onlinecatalogue.ikea.com, has been maintained as a Not Secure website since at least 2018 as it has never used HTTPS and the dates for the digital certificate confirm this.

The below Cyber Rated Index (CRI) confirms the F and 0 rating, which is the worst possible rating and score, meaning that this particular website is exposed, vulnerable and exploitable. It may prove to be the initial access point for the intrusion and access to the servers. Even the lay person can understand that, with an online catalogue enabling customers to browse, select and buy IKEA goods, the transition and journey from visitor to customer, along with providing PII data, has commenced from the outset in an insecure, exposed and exploitable position.

IKEA’s security oversight and negligence have been exposed and its fragile and lax position exploited. Undoubtedly IKEA are completely responsible for this and any further intrusions due to the lack of all basic and fundamental security.

Lessons Unlearned

Lessons need to be learned; however, as Churchill famously said: “I love learning but loathe to be taught.” Sadly, far too many organizations, and even governments, continue maintaining their insecure positions, literally inviting cybercriminal activity and the chaos that it causes.

We teach children that fire burns and they should not go near it; in the adult, digital world, the equivalent warning should be: insecure websites and servers cause cyberattacks. IKEA, Media Markt, SunWater, GoDaddy and the FBI have all acted like belligerent children and got burned.
