Warning to US Retail: ‘Scattered Spider’ Targets YOU (with DragonForce Ransomware)
Three major British retailers were recently attacked, with huge damage. Now the self-same scum’s spotlighting stores in the States.
Google’s Mandiant threat intelligence team issued this dire warning yesterday. The scrotes appear to be UNC3944, a/k/a “Scattered Spider,” a casual confederacy of criminals wielding DragonForce ransomware.
“Shields up, U.S. retailers,” quipped Mandiant’s chief analyst. In today’s SB Blogwatch, we hail the Kobayashi Maru.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Frogs.
Arachnid Alarm
What’s the craic? Alexander Martin reports: Google says hackers behind UK retail cyber campaign now also targeting US
“Recent incidents affecting Marks & Spencer”
A hacking group suspected of conducting a series of disruptive cyberattacks on retailers in the United Kingdom has now turned its attention to similar companies in the United States. … UNC3944, also known as Scattered Spider [is] used to track a loosely affiliated cybercriminal group previously described by the FBI as an offshoot of a larger criminal subculture calling itself “the Community,” or “the Com.”
…
It follows recent incidents affecting Marks & Spencer, the Co-op, and luxury retailer Harrods. The group behind these attacks is reported to have attempted to monetize its access to the victims’ networks using the DragonForce ransomware. … The broader Scattered Spider group is believed to be responsible for ransomware attacks two years ago on casino giants MGM Resorts and Caesars Entertainment, prompting a warning from U.S. cybersecurity officials about the criminals’ SIM-swapping and social engineering activities.
M&S, the Co-op and Harrods are huge brands in the UK. Sergiu Gatlan adds: Hackers behind UK retail attacks now targeting US companies
“Sophisticated social engineering”
The DragonForce ransomware operation has claimed all three attacks. … The attackers who orchestrated them have used the same social engineering tactics linked to Scattered Spider threat actors. DragonForce surfaced in December 2023 and has recently begun advertising a new service designed to allow other cybercrime groups to white-label their services.
…
“Scattered Spider” … refers to a loosely-knit group of threat actors who use specific tactics during their attacks. … Also tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra, [it’s] a fluid collective of threat actors known for breaching many high-profile organizations worldwide in sophisticated social engineering attacks that also involve phishing, SIM swapping, and multi-factor authentication (MFA) bombing. … They’ve also acted as affiliates for various other ransomware operations, including RansomHub, Qilin, and, now, DragonForce.
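One tactic in that list, MFA bombing (push fatigue), leaves a tell-tale shape in authentication logs: a burst of push prompts the user denies or ignores, then one they finally approve. The following is an added example of mine, not code from the article, Mandiant, or any IdP vendor. It assumes a hypothetical space-separated key=value log format (one push event per line) and runs over a handful of constructed sample lines; it flags both a streak in progress and, at higher severity, an approval that follows such a streak.

```python
"""Detect MFA push-bombing (push fatigue) from authentication logs.

Added example, not from the article or any vendor. The log format is an
assumption: one event per line, ISO timestamp followed by key=value fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Constructed sample log (not real data). alice is bombed and finally taps
# "approve"; bob has one ordinary login; alice's later approval is clean.
SAMPLE_LOG = """\
2025-05-14T09:00:01Z user=alice event=mfa_push result=denied src=203.0.113.7
2025-05-14T09:00:22Z user=alice event=mfa_push result=denied src=203.0.113.7
2025-05-14T09:00:48Z user=alice event=mfa_push result=timeout src=203.0.113.7
2025-05-14T09:01:15Z user=alice event=mfa_push result=denied src=203.0.113.7
2025-05-14T09:01:40Z user=alice event=mfa_push result=denied src=203.0.113.7
2025-05-14T09:02:05Z user=alice event=mfa_push result=approved src=203.0.113.7
2025-05-14T09:03:00Z user=bob event=mfa_push result=approved src=198.51.100.4
2025-05-14T10:30:00Z user=alice event=mfa_push result=approved src=198.51.100.9
"""


class Alert(NamedTuple):
    user: str
    severity: str   # "medium" = bombing in progress, "high" = approval after a streak
    reason: str
    ts: datetime
    src: str


def parse_line(line: str) -> dict:
    """Turn '<iso-ts> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_bombing(log_text: str,
                        window: timedelta = timedelta(minutes=5),
                        threshold: int = 3) -> List[Alert]:
    """Return alerts for users with >= threshold unapproved pushes in `window`.

    A denied/timed-out push is "unapproved". The first time a user crosses
    the threshold yields a medium alert; any approval preceded by
    >= threshold unapproved pushes inside the window yields a high alert,
    because that is the moment a fatigued user lets the attacker in.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") == "mfa_push":
            events[rec["user"]].append(rec)

    alerts: List[Alert] = []
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        streak_reported = False
        for i, rec in enumerate(recs):
            earliest = rec["ts"] - window
            unapproved_before = [r for r in recs[:i]
                                 if r["ts"] >= earliest and r["result"] != "approved"]
            if rec["result"] == "approved":
                if len(unapproved_before) >= threshold:
                    alerts.append(Alert(
                        user, "high",
                        f"approval after {len(unapproved_before)} unapproved "
                        f"pushes within {window}", rec["ts"], rec["src"]))
            elif not streak_reported and len(unapproved_before) + 1 >= threshold:
                streak_reported = True
                alerts.append(Alert(
                    user, "medium",
                    f"{len(unapproved_before) + 1} unapproved pushes within "
                    f"{window}", rec["ts"], rec["src"]))
    return alerts


if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG):
        print(f"[{a.severity}] {a.user} {a.ts:%H:%M:%S} from {a.src}: {a.reason}")
```

On the sample data this yields two alerts for alice: a medium one when the third unapproved push lands at 09:00:48, and a high one at 09:02:05 when she approves after five unapproved prompts. The high-severity case is the one worth paging on, since it means a session has probably been established; the medium one is the cue to call the user through a known-good channel. Detection like this is a stop-gap: number matching or phishing-resistant FIDO2 authenticators remove the push-bombing class outright.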
Horse’s mouth? Google/Mandiant’s John Hultquist: Shields up, US retailers. They’re here.
“US retailers should take note”
The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944. … The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector.
…
US retailers should take note. … These actors are aggressive, creative, and particularly effective at circumventing mature security programs. They have had a lot of success with social engineering and leveraging third parties to gain entry to their targets.
Social engineering, you say? Kevin Beaumont explains:
Attackers are … impersonating staff calling in to the IT help desks. [It’s] teenagers phoning helpdesks and pretending to be the CISO: … They usually outsource their Service Desk to somewhere cheap offshore who don’t know the org staff, and when you call and say your name, they normally put big all caps bold red warning if the person is a VIP, e.g., C suite, so they get VIP service — i.e., anything goes.
…
All M&S recruitment is still stopped, [22] days in. … I think Co-op may have stopped recruitment too. … Co-op say home addresses of customers were exfiltrated. … Co-op is member (customer) owned, so the people’s data Co-op had stolen are effectively the shareholders. [It] reinvests all profits back into the business.
…
M&S confirm … a significant amount of customer and staff data was stolen. They’ve known for weeks but opted not to tell anybody.
Known for weeks, you say? This Anonymous Coward gives a **** about that:
I don’t really give a **** that they got hacked. … The thing that I do give a **** about is them not practicing the art of full disclosure and telling us what happened, in full.
Calm down. But Gravis Zero is similarly potty-mouthed:
**** ’em. These are the same companies that lied about theft being a huge problem so they could have mass layoffs without the blowback. If they fall victim then it’s because they didn’t invest in security because profit was more important than anything else. **** ’em.
Interesting point. Another Anonymous Coward agrees:
The worst thing about this: A password/user combination alone shouldn’t give you access to ****. We live in the age of FIDO, device compliance, device certificates, non-phishable MFA, so-on and so-forth. [WTH] is going on when a major supermarket isn’t practicing basic security principles?
What do the hackers have to say for themselves? Two people claiming to have hacked M&S and the Co-op contacted Aunty Beeb’s Joe Tidy under the Blacklist‑y pseudonyms Raymond Reddington and Dembe Zuma:
Co-op’s network never ever suffered ransomware. They yanked their own plug — tanking sales, burning logistics, and torching shareholder value.
Meanwhile, Mirnotoriety laughs at M&S’s PR calling the hack “sophisticated:”
Someone with full admin to the company’s Active Directory clicked on a malicious web link.
And Finally:
If your frog is wonky, it’s probably because of this
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Aritras Saha (via Unsplash; leveled and cropped)