Three big British retailers were recently attacked, causing huge damage. Now the same scum is targeting stores in the States.
Google’s Mandiant threat intelligence group issued this dire warning yesterday. The scrotes appear to be UNC3944, a/k/a “Scattered Spider,” a loose confederacy of criminals wielding DragonForce ransomware.
“Shields up, U.S. retailers,” quipped Mandiant’s chief analyst. In today’s SB Blogwatch, we hail the Kobayashi Maru.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Frogs.
Arachnid Alarm
What’s the craic? Alexander Martin reports: Google says hackers behind UK retail cyber campaign now also targeting US
“Recent incidents affecting Marks & Spencer”
A hacking group suspected of conducting a series of disruptive cyberattacks on retailers in the U.K. has now turned its attention to similar companies in the United States. … UNC3944, also known as Scattered Spider, [is] used to track a loosely affiliated cybercriminal group previously described by the FBI as an offshoot of a larger criminal subculture calling itself “the Community,” or “the Com.”
…
It follows recent incidents affecting Marks & Spencer, the Co-op, and luxury retailer Harrods. The group behind these attacks is reported to have attempted to monetize its access to the victims’ networks using the DragonForce ransomware. … The broader Scattered Spider group is believed to be responsible for ransomware attacks two years ago on casino giants MGM Resorts and Caesars Entertainment, prompting a warning from U.S. cybersecurity officials about the criminals’ SIM-swapping and social engineering activities.
M&S, the Co-op and Harrods are big brands in the UK. Sergiu Gatlan adds: Hackers behind UK retail attacks now targeting US companies
“Sophisticated social engineering”
The DragonForce ransomware operation has claimed all three attacks. … The attackers who orchestrated them have used the same social engineering tactics linked to Scattered Spider threat actors. DragonForce surfaced in December 2023 and has recently begun advertising a new service designed to allow other cybercrime groups to white-label its services.
…
“Scattered Spider” … refers to a loosely-knit group of threat actors who use specific tactics during their attacks. … Also tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra, [it’s] a fluid collective of threat actors known for breaching many high-profile organizations worldwide in sophisticated social engineering attacks that also involve phishing, SIM swapping and multi-factor authentication (MFA) bombing. … They’ve also acted as affiliates for various other ransomware operations, including RansomHub, Qilin, and, now, DragonForce.
Horse’s mouth? Google/Mandiant’s John Hultquist: Shields up, US retailers. They’re here.
“US retailers should take note”
The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944. … The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector.
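The MFA bombing Gatlan mentions (flooding a user with push prompts until they tap “approve”) leaves an obvious trail in identity-provider logs, and the dangerous signal is an approval that lands right after a burst of denied or timed-out prompts. What follows is an added example written for this page, not code from the article, from BleepingComputer or from Mandiant. The key=value log format, the field names, the ten-minute window, the threshold of three and the sample events are all assumptions; the log lines are constructed, not real telemetry.

```python
"""Push-fatigue ("MFA bombing") detector over constructed IdP log lines.

Added example for illustration only. Log format, field names, window,
threshold and the sample events are assumptions; adapt parse_line() to
the export format of your own identity provider.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one push-MFA event per line (assumed format).
# alice is being bombed and eventually gives in; bob and carol are benign.
SAMPLE_LOG = """\
2025-05-14T09:01:02Z user=alice mfa=push result=deny ip=203.0.113.7
2025-05-14T09:01:40Z user=alice mfa=push result=deny ip=203.0.113.7
2025-05-14T09:02:15Z user=alice mfa=push result=timeout ip=203.0.113.7
2025-05-14T09:02:50Z user=alice mfa=push result=deny ip=203.0.113.7
2025-05-14T09:03:30Z user=alice mfa=push result=deny ip=203.0.113.7
2025-05-14T09:04:05Z user=alice mfa=push result=approve ip=203.0.113.7
2025-05-14T10:15:00Z user=bob mfa=push result=approve ip=198.51.100.20
2025-05-14T10:15:11Z user=carol mfa=push result=deny ip=198.51.100.33
2025-05-14T13:20:00Z user=carol mfa=push result=approve ip=198.51.100.33
"""

WINDOW = timedelta(minutes=10)   # look-back window (assumption)
BURST_THRESHOLD = 3              # non-approved pushes within WINDOW (assumption)


def parse_line(line):
    """Parse '<iso-ts> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    ev = {k: v for k, v in (f.split("=", 1) for f in fields)}
    ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_push_fatigue(log_text, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return alerts found in log_text, in time order. Two patterns:

    - push_burst: a user received `threshold` non-approved pushes inside
      `window` (raised once, when the count crosses the threshold).
    - approve_after_burst: an approval arrives while such a burst is still
      inside the window, i.e. the victim gave in. This is the one to page on.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    recent = defaultdict(list)   # user -> timestamps of recent non-approved pushes
    alerts = []
    for ev in events:
        if ev.get("mfa") != "push":
            continue
        user = ev["user"]
        # Expire anything older than the window before counting.
        recent[user] = [t for t in recent[user] if ev["ts"] - t <= window]
        if ev["result"] == "approve":
            if len(recent[user]) >= threshold:
                alerts.append({
                    "type": "approve_after_burst", "user": user,
                    "ts": ev["ts"], "pushes": len(recent[user]), "ip": ev["ip"],
                })
            recent[user].clear()   # an approval closes the episode
        else:
            recent[user].append(ev["ts"])
            if len(recent[user]) == threshold:   # report on the crossing only
                alerts.append({
                    "type": "push_burst", "user": user,
                    "ts": ev["ts"], "pushes": len(recent[user]), "ip": ev["ip"],
                })
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(SAMPLE_LOG):
        print(f'{a["ts"].isoformat()} {a["type"]:20} user={a["user"]} '
              f'pushes={a["pushes"]} ip={a["ip"]}')
```

On the constructed sample this raises two alerts, both for alice: a `push_burst` at the third unanswered prompt and an `approve_after_burst` when she finally taps approve with five prompts still inside the window. carol’s single deny hours before a normal approval produces nothing, which is the point of expiring entries rather than counting over a whole day. Number matching or FIDO2 removes the problem at the source; this only tells you it happened.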
…
US retailers should take note. … These actors are aggressive, creative, and particularly effective at circumventing mature security programs. They have had a lot of success with social engineering and leveraging third parties to gain access to their targets.
Social engineering, you say? Kevin Beaumont explains:
Attackers are … impersonating staff calling in to the IT help desks. [It’s] kids phoning helpdesks and pretending to be the CISO: … They often outsource their Service Desk to somewhere cheap offshore who don’t know the org staff, and when you call and say your name, they often put a big all-caps bold red warning if the person is a VIP, e.g., C suite, so they get VIP service — i.e., anything goes.
…
All M&S recruitment is still stopped, [22] days in. … I think Co-op may have stopped recruitment too. … Co-op say home addresses of customers have been exfiltrated. … Co-op is member (customer) owned, so the people whose data Co-op had stolen are effectively the shareholders. [It] reinvests all profits back into the business.
…
M&S confirm … a significant amount of customer and staff data was stolen. They’ve known for weeks but opted not to tell anyone.
Known for weeks, you say? This Anonymous Coward gives a **** about that:
I don’t really give a **** that they got hacked. … The thing that I do give a **** about is them not practicing the art of full disclosure and telling us what happened, in full.
Calm down. But Gravis Zero is equally potty-mouthed:
**** ’em. These are the same companies that lied about theft being a huge problem so they could have mass layoffs without the blowback. If they fall victim then it’s because they didn’t invest in security because profit was more important than anything else. **** ’em.
Interesting point. Another Anonymous Coward agrees:
The worst thing about this: A password/user combination alone shouldn’t give you access to ****. We live in the age of FIDO, device compliance, device certificates, non-phishable MFA, so on and so forth. [WTH] is going on when a major supermarket isn’t practicing basic security principles?
What do the hackers have to say for themselves? Two people claiming to have hacked M&S and the Co-op contacted Aunty Beeb’s Joe Tidy under the Blacklist‑y pseudonyms Raymond Reddington and Dembe Zuma:
Co-op’s network never ever suffered ransomware. They yanked their own plug — tanking sales, burning logistics, and torching shareholder value.
Meanwhile, Mirnotoriety laughs at M&S’s PR calling the hack “sophisticated:”
Someone with full admin to the company’s Active Directory clicked on a malicious web link.
And Finally:
In case your frog is wonky, it’s most likely due to this
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites, so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Aritras Saha (via Unsplash; leveled and cropped)