Chaos Spreads at Co-op and M&S Following DragonForce Attacks
The bank holiday weekend has brought more disruption to the UK retail sector, with the ongoing saga of cyber attacks unfolding over the past fortnight. The latest waves of attacks have left gaps on shelves at Marks and Spencer (M&S) and Co-op, two major retailers that have been affected by the DragonForce ransomware-as-a-service (RaaS) operation.
The Attacks: A Growing Concern
The attacks, which began over the Easter weekend, have been claimed by representatives of the DragonForce RaaS operation. However, experts point out that there is still a lack of strong technical evidence to link the attacks to the group. Despite this, Co-op CEO Shirine Khoury-Haq has confirmed that the cyber criminals behind the attack were "highly sophisticated" and that managing its severity meant multiple services must remain suspended.
Impacted Data Revealed
In a concerning development, Co-op members' data has been impacted in the attack. The affected data includes names, dates of birth, and contact information. However, it's worth noting that passwords, financial details, and other sensitive information were not compromised. Khoury-Haq expressed her apologies for the incident, stating that the organisation takes its obligations to protect customer data seriously.
Inside the Chaos at M&S
Insiders at Marks and Spencer (M&S) have revealed how IT staff have been forced to sleep over in the office amid the chaos. The employees described a lack of planning for such a scenario, which has led to significant disruption within the company. It's unclear when things will return to normal, but experts warn that the ongoing need for strong cyber security practices and policies cannot be overstated.
A Growing Threat: DragonForce
Senior threat researcher Jim Walter has shed light on the growing threat posed by DragonForce. The group started out as a Malaysia-based hacktivist network supporting Palestinian causes, but it has pivoted to a hybrid model of political hacktivism and ransomware-enabled extortion. Walter noted that although some components of the attacks have been attributed to an affiliate, there is still a lack of strong technical evidence.
The Future of Ransomware: A Hybrid Threat
Walter warned that DragonForce's large-scale cartel model is becoming increasingly attractive to orphaned ransomware actors and more resourced groups looking to thrive in the competitive space. The group's recent targeting suggests that it is increasingly motivated by financial rewards, blurring the line between hacktivism and financial motivation.
How the Attacks Happen
So, how do these attacks happen? According to Walter, DragonForce typically gains access to victim environments using a combination of targeted phishing emails and exploitation of known vulnerabilities. They have favoured several "hardy perennials", including Log4j and high-profile Ivanti vulnerabilities. The group also uses stolen credentials (possibly in the M&S incident) and credential stuffing attacks against remote desktop protocol (RDP) services or virtual private networks (VPNs).
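The credential stuffing against RDP and VPN described above has a recognisable shape in authentication logs: one source address failing against many distinct accounts in a short window, sometimes followed by a success. The following detector is an added example, not code from the article or from any of the researchers quoted; the log format and sample lines are constructed for illustration.

```python
"""Added example: flag credential stuffing against RDP/VPN from
constructed auth-failure log lines (not part of the original article)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, service, source IP, username, result.
# One source tries five different accounts in seconds, then gets in as
# "frank"; a second source retries a single account (password guessing,
# not stuffing) and is deliberately not flagged by this rule.
SAMPLE_LOG = """\
2025-04-20T02:00:01 vpn 203.0.113.7 alice FAIL
2025-04-20T02:00:02 vpn 203.0.113.7 bob FAIL
2025-04-20T02:00:03 vpn 203.0.113.7 carol FAIL
2025-04-20T02:00:04 vpn 203.0.113.7 dave FAIL
2025-04-20T02:00:05 vpn 203.0.113.7 erin FAIL
2025-04-20T02:00:06 vpn 203.0.113.7 frank OK
2025-04-20T02:10:00 rdp 198.51.100.9 alice FAIL
2025-04-20T02:10:30 rdp 198.51.100.9 alice FAIL
2025-04-20T02:11:00 rdp 198.51.100.9 alice OK
"""

def parse(line):
    ts, svc, ip, user, result = line.split()
    return datetime.fromisoformat(ts), svc, ip, user, result

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: set_of_users} for every source that failed
    authentication for at least `min_users` distinct accounts within
    `window` on an RDP or VPN service."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    fails_by_ip = defaultdict(list)
    for ts, svc, ip, user, result in events:
        if svc in ("vpn", "rdp") and result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    hits = {}
    for ip, fails in fails_by_ip.items():
        for i, (start, _) in enumerate(fails):          # sliding window
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = users
                break
    return hits

def successes_from_flagged(log_text, hits):
    """(ip, user) pairs that logged in OK from a flagged source: these are
    the accounts to reset and the sessions to investigate first."""
    return {(ip, user) for _, _, ip, user, r in
            (parse(l) for l in log_text.splitlines() if l.strip())
            if r == "OK" and ip in hits}
```

Tune `window` and `min_users` to the service's normal traffic; a shared corporate NAT address can legitimately produce many distinct usernames, so a hit is a triage lead rather than proof.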
The Tools of the Trade
DragonForce's toolkit includes Cobalt Strike and similar tools to run its campaigns, as well as remote management tools like Mimikatz, Advanced IP Scanner, and PingCastle. The ransomware payload has evolved into a bespoke branded ransomware with roots in Conti's codebase. Affiliates can customise their payloads, using various tools to build new variants for platforms such as Linux, VMware ESXi, and Windows.
A New White-Labelling Service
More recently, DragonForce has introduced a new white-labelling service that lets affiliates wrap the ransomware in their own branding for an additional fee. This expansion into a more active cartel-type service is a significant development in the group's tactics.
The Ongoing Need for Cyber Security Awareness
As the attacks continue to unfold, experts stress the importance of cyber security awareness and preparation. Harrods has become the latest UK retailer to fall victim to a cyber attack, highlighting the ongoing threat posed by ransomware gangs.
A Word from the Experts
Scattered Spider is on the hook for the M&S cyber attack, while new Qilin tactics have emerged as a "bonus multiplier" for ransomware chaos. Ransomware gangs are exploiting ConnectWise ScreenConnect flaws to gain access to their victims' networks. The ongoing saga serves as a stark reminder of the need for vigilance and preparation in the face of these emerging threats.
The Bottom Line
The bank holiday weekend has brought more disruption to the UK retail sector, with the ongoing saga of cyber attacks leaving gaps on shelves at Marks and Spencer (M&S) and Co-op. The DragonForce RaaS operation is a growing concern, with experts warning of the increasing threat posed by this group's hybrid model of political hacktivism and ransomware-enabled extortion.
A Call to Action
As the situation continues to unfold, it's clear that the ongoing need for strong cyber security practices and policies cannot be overstated. Experts urge retailers and individuals alike to remain vigilant and prepared in the face of these emerging threats.