Marks & Spencer breach linked to Scattered Spider ransomware attack

Original Source: Bleeping Computer

Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by a hacking collective known as "Scattered Spider," BleepingComputer has learned from multiple sources.

Marks & Spencer (M&S) is a British multinational retailer that employs 64,000 people and sells various products, including clothing, food, and home goods, in over 1,400 stores worldwide.

Last Tuesday, M&S confirmed it suffered a cyberattack that caused widespread disruption, including to its contactless payment system and online ordering. Today, Sky News reported that the disruption continues, with around 200 warehouse workers told to stay home as the company responds to the attack.

BleepingComputer has now learned that the ongoing outages are caused by a ransomware attack that encrypted the company's servers.

The threat actors are believed to have first breached M&S as early as February, when they reportedly stole the Windows domain's NTDS.dit file.

An NTDS.dit file is the main database for Active Directory Services running on a Windows domain controller. This file contains the password hashes for Windows accounts, which can be extracted by threat actors and cracked offline to gain access to associated plain-text passwords.

Using these credentials, a threat actor can then laterally spread throughout the Windows domain, while stealing data from network devices and servers.

Sources told BleepingComputer that the threat actors ultimately deployed the DragonForce encryptor to VMware ESXi hosts on April 24th to encrypt virtual machines.

BleepingComputer has learned that Marks and Spencer asked for help from CrowdStrike, Microsoft, and Fenix24 to investigate and respond to the attack.

The investigation so far indicates that the hacking collective known as Scattered Spider, or as Microsoft calls them, Octo Tempest, is behind the attack.

When contacted with this information, M&S said that they could not go into details about the cyber incident.

Source URL: https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/
