Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Retail. Show all posts
Vulnerability
Breach Cyber Security Data DragonForce MSP Ransomware Retail SimpleHelp Sophos Vulnerability

DragonForce Targets MSPs Using SimpleHelp Exploit, Expands Ransomware Reach

 


The DragonForce ransomware group has breached a managed service provider (MSP) and leveraged its SimpleHelp remote monitoring and management (RMM) tool to exfiltrate data and launch ransomware attacks on downstream clients.

Cybersecurity firm Sophos, which was brought in to assess the situation, believes that attackers exploited a set of older vulnerabilities in SimpleHelp—specifically CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726—to gain unauthorized access.

SimpleHelp is widely adopted by MSPs to deliver remote support and manage software deployment across client networks. According to Sophos, DragonForce initially used the compromised tool to perform system reconnaissance—gathering details such as device configurations, user accounts, and network connections from the MSP's customers.

The attackers then moved to extract sensitive data and execute encryption routines. While Sophos’ endpoint protection successfully blocked the deployment on one customer's network, others were not as fortunate. Multiple systems were encrypted, and data was stolen to support double-extortion tactics.

In response, Sophos has released indicators of compromise (IOCs) to help other organizations defend against similar intrusions.

MSPs have consistently been attractive targets for ransomware groups due to the potential for broad, multi-company impact from a single entry point. Some threat actors have even tailored their tools and exploits around platforms commonly used by MSPs, including SimpleHelp, ConnectWise ScreenConnect, and Kaseya. This trend has previously led to large-scale incidents, such as the REvil ransomware attack on Kaseya that affected over 1,000 businesses.

DragonForce's Expanding Threat Profile

The DragonForce group is gaining prominence following a string of attacks on major UK retailers. Their tactics reportedly resemble those of Scattered Spider, a well-known cybercrime group.

As first reported by BleepingComputer, DragonForce ransomware was used in an attack on Marks & Spencer. Shortly after, the same group targeted another UK retailer, Co-op, where a substantial volume of customer data was compromised.

BleepingComputer had earlier noted that DragonForce is positioning itself as a leader in the ransomware-as-a-service (RaaS) space, offering a white-label version of its encryptor for affiliates.

With a rapidly expanding victim list and a business model that appeals to affiliates, DragonForce is cementing its status as a rising and formidable presence in the global ransomware ecosystem.
Read more »
ScatteredSpider
Cyberattack Cybersecurity Data Breach DragonForce Extortion Hacking Ransomware Retail ScatteredSpider

Marks & Spencer Cyberattack Fallout May Last Months Amid Growing Threat from Scattered Spider

 

Marks & Spencer is facing prolonged disruption after falling victim to a large-scale cyberattack. Experts warn that restoring normal operations could take months, highlighting a growing trend of sophisticated breaches targeting major retailers. This incident follows a wave of cyber intrusions, including those at Co-op and Harrods, allegedly orchestrated by the same hacking collective — Scattered Spider.

Described by ITPro as “the name on every security practitioner's mind right now,” Scattered Spider has gained notoriety for its aggressive tactics and global reach.

“Scattered Spider is one of the most dangerous and active hacking groups we are monitoring,” said Graeme Stewart of Check Point to Sky News.

Believed to be composed mainly of young, English-speaking individuals based in the UK and US, the group has reportedly executed over 100 cyberattacks since emerging in 2022. These attacks span sectors like telecommunications, finance, retail, and gaming.

One of their most prominent exploits occurred in 2023, when they severely disrupted two leading casino operators. Caesars Entertainment reportedly paid about $15 million to recover access, while MGM Resorts suffered estimated damages of around $100 million due to compromised customer data.

What makes Scattered Spider particularly elusive is its decentralized structure and independence from state backing. “They operate more like an organised criminal network, decentralised and adaptive,” Stewart added. Even after multiple arrests in the US and Europe, the group continues to rebound swiftly. “This is not a loose group of opportunistic hackers,” he emphasized.

Rather than relying solely on software flaws, Scattered Spider frequently exploits human error. The M&S and Co-op attacks, for example, were the result of “social engineering,” where attackers manipulated employees into revealing credentials.

Their tactics include mimicking corporate emails, sim swapping (cloning a phone number to hijack accounts), and building convincing fake login portals. “This is akin to ‘breaking down the front door’ of networks,” Paul Cashmore, CEO of Solace Cyber, told The Times. Once inside, Scattered Spider typically partners with ransomware gangs to carry out the final blow.

In these recent cases, the group appears to have collaborated with DragonForce, a ransomware cartel. Initially known as a pro-Palestinian hacktivist group based in Malaysia, DragonForce now operates a “ransomware-as-a-service” model. According to Bleeping Computer, they allow affiliates to use their tools and infrastructure in exchange for 20-30% of ransom payments.

The core motivation is financial gain. DragonForce reportedly reached out to the BBC claiming the Co-op breach was more severe than disclosed, hinting at an extortion attempt.

Organizations like the Co-op, which house personal data of millions, are prime targets. Once a system is locked, hackers demand large ransoms in return for decryption tools and promises to delete stolen data. “If a ransom is not paid, the ransomware operation typically publishes the stolen data on their dark web data leak site,” Bleeping Computer explained.

Whether or not to pay remains a complex dilemma. “Paying may provide a quick way to restore operations, protect customer data and limit immediate financial and reputational damage,” noted The Times. However, it also risks emboldening cybercriminals and marking companies as future targets.
Read more »
Supermarket
Cybersecurity Data Breach Ransomware Retail Supermarket

Ahold Delhaize Confirms Data Breach Following Cyberattack in U.S. Operations

 

Ahold Delhaize, one of the globe’s leading food retail giants, has officially acknowledged a data breach involving sensitive information from its U.S. operations following a cyberattack in November 2024.

The confirmation followed after ransomware group INC Ransom listed the company on its leak site, sharing alleged stolen documents as proof of the breach.

"Based on our investigation to date, certain files were taken from some of our internal U.S. business systems," a spokesperson for Ahold Delhaize told BleepingComputer. "Since the incident was detected, our teams have been working diligently to determine what information may have been affected."

In November 2024, Ahold Delhaize had disclosed a cybersecurity breach that prompted the temporary shutdown of segments within its IT infrastructure. The disruption impacted some of its U.S. brands and services, including pharmacies and e-commerce operations.

"This issue and subsequent mitigating actions have affected certain Ahold Delhaize USA brands and services including a number of pharmacies and certain e-commerce operations," the company stated at the time.

The investigation remains ongoing. The company has assured that if any personal data is confirmed to be compromised, affected individuals will be notified accordingly.

"If we determine that personal data was impacted, we will notify affected individuals as appropriate. In addition, we have notified and updated law enforcement," Ahold Delhaize added.

While the full impact is yet to be determined, the company emphasized that all stores and online platforms are functioning normally. The spokesperson confirmed that customers should not expect any disruptions as a result of the breach.

As a Dutch-Belgian multinational with over 7,900 stores across Europe, the U.S., and Indonesia, Ahold Delhaize caters to around 72 million shoppers each week, making the protection of customer data critical.
Read more »
Subscribe to: Posts (Atom)