The bank holiday weekend saw continuing disruption from a series of cyber attacks on the UK retail sector that have unfolded over the past fortnight, with gaps appearing on shelves at Marks and Spencer (M&S) and Co-op.
In a further update over the weekend, Co-op CEO Shirine Khoury-Haq told customers via email that the cyber criminals behind the attack were "highly sophisticated" and that multiple services must remain suspended.
Khoury-Haq reiterated that customer data had been impacted in the attack. "This is obviously extremely distressing for our colleagues and members, and I am very sorry this happened ... seriously, particularly as a member-owned organisation," she said.
The impacted data on Co-op members appears to include names, dates of birth and contact information, but not passwords, financial details, or any information on members' interactions with the organisation.
DragonForce, the white-label ransomware-as-a-service group claiming responsibility, has been in contact with the BBC and told reporters that other UK retailers were on a blacklist.
Meanwhile, M&S insiders, speaking to Sky News, revealed how IT staff have been forced to sleep over in the office amid the chaos. The employees described how a lack of planning for such a scenario had led to chaos within M&S, and said it could be a significant length of time before
The National Cyber Security Centre's (NCSC) Jonathan Ellison and Ollie Whitehouse, director of national resilience and chief technology officer respectively, said: "The NCSC is working with organisations affected by the recent incidents to understand the nature of the attackers and to minimise the harm caused by them, and providing advice to the wider sector and economy.
"Whilst we have insights, we are not yet in a position to say if these attacks are linked, if this is a concerted campaign by a single actor, or whether there is no link between them at all. We are working with the victims and law enforcement colleagues to ascertain that," they said.
"We are also sharing what we know with the companies involved and the wider sector, through our sector-focused trust groups run by the NCSC, and encouraging companies to share their experiences and mitigations with each other," added Ellison and Whitehouse.
What is DragonForce?
SentinelOne senior threat researcher Jim Walter said DragonForce had started out as a Malaysia-based hacktivist network supporting Palestinian causes, but since its emergence in the summer of 2023 it has pivoted to a hybrid model of political hacktivism and ransomware-enabled extortion.
It has targeted multiple government bodies in Israel, India, Saudi Arabia and the UK, as well as commercial businesses and organisations aligned with specific political causes.
"The wave of attacks against UK businesses highlights the ongoing need for strong cyber security practices and policies, along with well-developed incident response."
Jim Walter, SentinelOne
Walter said that although some components of the attacks had been attributed to an affiliate, there was a lack of strong technical evidence in this regard, although there were clear behavioural and ownership characteristics consistent with attacks by Scattered Spider and The Com.
"While DragonForce continues to blur the line between hacktivism and financial motivation, its recent targeting suggests the group is increasingly motivated by financial rewards," Walter wrote in a blog post.
"Although DragonForce's large-scale cartel is not the first of its kind, its current successes and the recent demise of rival operations ... orphaned ransomware actors and more resourced groups looking to thrive in an increasingly competitive space.
"The wave of attacks against UK businesses in recent weeks highlights the ongoing need for strong cyber security practices and policies, along with well-developed incident response."
DragonForce, or its affiliates, typically gain access to their victim environments using a combination of targeted phishing emails and exploitation of known vulnerabilities. They have favoured several 'hardy perennials', including Log4j and high-profile Ivanti vulnerabilities.
It is also known to use stolen credentials, which may have been the case in the M&S incident, and/or credential stuffing attacks against remote desktop protocol (RDP) and VPNs.
Typically, it uses Cobalt Strike and similar tools to run its campaigns, and remote management tools such as Mimikatz, Advanced IP Scanner and PingCastle to conduct lateral movement, establish persistence and elevate privileges. These are all highly typical behaviours for ransomware gangs.
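As an added illustration (not from the article or from SentinelOne's research) of how a defender can spot the credential stuffing against RDP and VPN described above: a small Python detector run over constructed authentication log lines. The log format, field names and thresholds are assumptions; the signal it keys on is many distinct usernames from one source in a short window with almost no successes, which one user mistyping a password does not produce.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real incident); the line format itself is
# an assumption: "<iso-timestamp> <service> user=<u> src=<ip> result=<ok|fail>".
SAMPLE_LOG = """\
2025-04-26T02:00:01 vpn user=alice src=198.51.100.7 result=fail
2025-04-26T02:00:02 vpn user=bob src=198.51.100.7 result=fail
2025-04-26T02:00:03 vpn user=carol src=198.51.100.7 result=fail
2025-04-26T02:00:04 vpn user=dave src=198.51.100.7 result=fail
2025-04-26T02:00:05 vpn user=erin src=198.51.100.7 result=fail
2025-04-26T02:00:06 vpn user=frank src=198.51.100.7 result=ok
2025-04-26T02:10:00 rdp user=alice src=203.0.113.9 result=fail
2025-04-26T02:10:05 rdp user=alice src=203.0.113.9 result=fail
2025-04-26T02:10:09 rdp user=alice src=203.0.113.9 result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<svc>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<res>ok|fail)$")

def parse(log):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev

def detect_stuffing(log, window=timedelta(minutes=5), min_users=5, max_ok=0.2):
    """Flag sources that tried >= min_users DISTINCT accounts inside `window` with
    a success ratio <= max_ok. A single user failing repeatedly is not flagged:
    the stuffing signal is the spread of usernames, not the raw failure count."""
    by_src = defaultdict(list)
    for ev in parse(log):
        by_src[ev["src"]].append(ev)
    hits = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):  # sliding time window over this source
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            ok = [e["user"] for e in win if e["res"] == "ok"]
            if len(users) >= min_users and len(ok) / len(win) <= max_ok \
                    and len(users) > hits.get(src, {}).get("distinct_users", 0):
                # widest qualifying window wins; `succeeded` lists the accounts an
                # analyst should treat as compromised first
                hits[src] = {"distinct_users": len(users), "succeeded": sorted(set(ok))}
    return hits
```

The second source in the sample (one user, three attempts, then success) is deliberately not flagged, so the rule stays quiet on ordinary forgotten-password noise.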
The ransomware payload, which was initially based on the LockBit 3.0/Black locker, has of late evolved into a bespoke branded ransomware with more roots in Conti's codebase. Its encryption features are a little out of the ordinary.
Affiliates can take advantage of various tools to build new payloads and manage campaigns, with targeted variants for platforms such as Linux, VMware ESXi and Windows. The payloads can also be heavily customised in their behaviour, so affiliates can dictate, for example, what file extension they want to append, different command line scripts, and deny-list file encryption. They can even set up delayed execution if they wish.
For data exfiltration, multiple options are possible, and affiliates can also set up collaborative teams within the ransomware control panel, enabling them to work together more effectively and coordinate communication with victims.
More recently, DragonForce has introduced a new white-labelling service that lets affiliates wrap the ransomware in their own branding for an additional fee, expanding into ..., explained Walter.