Post AxCywpU20YxgAmk6q0 by dr2chase@ohai.social
 (DIR) Post #AtjEvodSiLX8kOsGLQ by GossiTheDog@cyberplace.social
       2025-05-02T16:56:56Z
       
       0 likes, 1 repeats
       
       DragonForce Ransomware Cartel are claiming credit for attacks on Marks and Spencer, Co-op and Harrods and say more victim orgs are coming https://www.bloomberg.com/news/articles/2025-05-02/-dragonforce-hacking-gang-takes-credit-for-uk-retail-attacks #threatintel #ransomware
       
 (DIR) Post #AtjEvpNtvggF4QbLjE by GossiTheDog@cyberplace.social
       2025-05-02T17:13:18Z
       
       1 likes, 0 repeats
       
       I'm going to make this the new ongoing megathread for DragonForce Ransomware Cartel's attack on UK retailers as they're all connected.
       Why it matters: these are some of the UK's largest retailers, think Target or some such in a US sense.
       Prior threads
       M&S: https://cyberplace.social/@GossiTheDog/114381946765071799
       Co-op: https://cyberplace.social/@GossiTheDog/114426688834113446
       Harrods: https://cyberplace.social/@GossiTheDog/114433519351165250
       
 (DIR) Post #AtjEvq6vEIh1K3fIu0 by GossiTheDog@cyberplace.social
       2025-05-02T17:17:15Z
       
       1 likes, 0 repeats
       
       The individuals operating under the DragonForce banner are using social engineering for entry. Defenders should urgently make sure they have read the CISA briefs on Scattered Spider and LAPSUS$ as it's a repeat of the 2022-2023 activity. Links:
       https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf
       https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider_0.pdf
       I would also suggest these NCSC guides on incident management: https://www.ncsc.gov.uk/collection/incident-management
       and effective cyber crisis comms: https://www.ncsc.gov.uk/guidance/effective-communications-in-a-cyber-incident
       
 (DIR) Post #AtjEvqdXH2mSxCvLjk by GossiTheDog@cyberplace.social
       2025-05-02T17:51:34Z
       
       1 likes, 0 repeats
       
       Co-op Group have now admitted a significant amount of member (customer) information has been stolen by DragonForce Ransomware Cartel, saying they "accessed data relating to a significant number of our current and past members" - around 20 million people. The Membership database, basically. That includes home addresses and phone numbers etc.
       Up until now Co-op hadn't even used the words cyber or threat actor, referring to an "IT issue" and "third party" in comms.
       https://www.bbc.co.uk/news/articles/crkx3vy54nzo
       
 (DIR) Post #AtjEvrNGX1MPF2Js12 by GossiTheDog@cyberplace.social
       2025-05-02T18:33:10Z
       
       0 likes, 0 repeats
       
       New by me - breaking down the attacks on UK highstreet retailers
       https://doublepulsar.com/dragonforce-ransomware-cartel-attacks-on-uk-high-street-retailers-walking-in-the-front-door-52ed8ba68534
       
 (DIR) Post #AtjEvs4VwDxHPAYPQW by GossiTheDog@cyberplace.social
       2025-05-02T19:49:46Z
       
       0 likes, 0 repeats
       
       Regarding IOCs around the UK retailer activity - there’s loads doing the rounds, and they’re almost all not useful. Eg hundreds of dynamic VPN IPs from 2022. If you google them you’ll find them on vendor blogs from years ago for Scattered Spider - people are recycling in panic and passing around in panic. Don’t hunt on random IOCs. IP addresses change. Strengthen foundational controls. Review sign in logs for abnormal activity etc.
       
 (DIR) Post #AtjEvss8xhebt5m2me by GossiTheDog@cyberplace.social
       2025-05-02T19:53:27Z
       
       0 likes, 0 repeats
       
       Pass the bong
       
 (DIR) Post #AtjEvtLZCJBpMLXXe4 by GossiTheDog@cyberplace.social
       2025-05-02T19:58:23Z
       
       0 likes, 0 repeats
       
       Bleeping Computer have more on the Co-op breach https://www.bleepingcomputer.com/news/security/co-op-confirms-data-theft-after-dragonforce-ransomware-claims-attack/ #threatintel #ransomware
       
 (DIR) Post #AtjEvtnvUrsImIoBqi by GossiTheDog@cyberplace.social
       2025-05-02T23:24:45Z
       
       0 likes, 0 repeats
       
       One of M&S’ biggest suppliers have said they have reverted to pen and paper for orders due to M&S lacking IT. Additionally, M&S staff are raising concern about how they will be paid due to lack of IT systems. M&S are over a week into a ransomware incident and still don’t have their online store working. https://www.bbc.com/news/articles/cvgnyplvdv8o #threatintel #ransomware
       
 (DIR) Post #AtjEvuLFUyWuReOnmy by GossiTheDog@cyberplace.social
       2025-05-02T23:26:54Z
       
       0 likes, 0 repeats
       
       By the way, this is absolutely terrible advice for dealing with a major and high visibility ransomware incident.
       
 (DIR) Post #AtjEvusDWOtw5tp8Ay by GossiTheDog@cyberplace.social
       2025-05-03T16:27:51Z
       
       0 likes, 0 repeats
       
       There's a report on ITV News that Co-op member data is available on the Dark Web(tm), but as far as I know this isn't accurate.  DragonForce's portal hasn't been available for over a week.
       
 (DIR) Post #AtjEvvKvndrzWxG3vs by GossiTheDog@cyberplace.social
       2025-05-03T16:52:07Z
       
       0 likes, 0 repeats
       
       Here's the ITV News report anyhoo, logline: "ITV News understands the ongoing cyberattack faced by the supermarket has worsened since Friday, impacting the ordering system, drivers and warehouse staff."
       https://www.itv.com/news/2025-05-03/worsening-cyberattack-shuts-down-co-op-orders-itv-news-understands
       
 (DIR) Post #AtjEvvmEA9hitc1rTk by GossiTheDog@cyberplace.social
       2025-05-03T20:56:03Z
       
       0 likes, 0 repeats
       
       Sunday Times has a piece looking into the ransomware incident at Marks and Spencer. It's pretty good, goes into their contain and eradicate focus.
       "By shutting down parts of the IT estate, Higham’s team had worked to prevent the attack from spreading, but had also stopped parts of its digital operations from functioning. This was considered a worthy trade-off."
       One error in the article - lack of recovery doesn't mean no ransomware paid. Paying is not quick restoration.
       https://www.thetimes.com/business-money/companies/article/m-and-s-cyber-attack-ms-klrnxvwq6
       
 (DIR) Post #AtoaB3IHZBW9NgsEQi by GossiTheDog@cyberplace.social
       2025-05-04T11:16:59Z
       
       0 likes, 0 repeats
       
       I wrote a piece about how paying ransoms does not equal quick restoration - in fact, quite often it makes things worse. https://doublepulsar.com/big-game-ransomware-the-myths-experts-tell-board-members-03d5e1d1c4b7
       
 (DIR) Post #AtoaB3gO7YneaS9U0G by GossiTheDog@cyberplace.social
       2025-05-04T18:40:10Z
       
       0 likes, 0 repeats
       
       Great NCSC piece by @ollie_whitehouse I’d add - block by Entra policy specifically High risk logins (below is too FP prone), and SOC monitor them. SOC playbook = account probably compromised. How? https://www.ncsc.gov.uk/blog-post/incidents-impacting-retailers
       
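       One way to implement the point above (block high-risk sign-ins by Entra policy, and have the SOC triage them), as an added example using the Microsoft Graph PowerShell SDK; it is not code from the thread or from NCSC, and the break-glass account object ID is a placeholder.

```powershell
# Added example (not from the thread): an Entra Conditional Access policy that
# blocks sign-ins Entra ID Protection rates as HIGH risk, plus the SOC-side pull
# of those events. Needs the Microsoft.Graph SDK (Identity.SignIns + Reports).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

# Placeholder: object ID of the emergency-access (break-glass) account.
$breakGlassUserId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName   = "CA - Block high risk sign-ins"
    # Start in report-only, review the sign-in log impact for a few days,
    # then flip state to "enabled".
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        # Only "high": adding "medium" is where false positives pile up.
        signInRiskLevels = @("high")
        applications     = @{ includeApplications = @("All") }
        users            = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)   # never lock out emergency access
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# SOC side: every high-risk sign-in, blocked or not, is a probable account
# compromise and should land in the queue rather than be silently dropped.
Get-MgAuditLogSignIn -Filter "riskLevelDuringSignIn eq 'high'" -Top 50 |
    Select-Object CreatedDateTime, UserPrincipalName, IPAddress, RiskState,
                  @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } }
```
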
 (DIR) Post #AtoaB4D0AIt6DbPWq0 by GossiTheDog@cyberplace.social
       2025-05-05T05:33:55Z
       
       0 likes, 0 repeats
       
       Sky News quote a source in M&S head office saying Marks and Spencer have no ransomware incident plan so they are making it up as they go along apparently, with staff sleeping in the office and communicating via WhatsApp. M&S dispute this, saying they have robust business continuity plans. https://news.sky.com/story/amp/mands-had-no-plan-for-cyber-attacks-insider-reveals-with-staff-left-sleeping-in-the-office-amid-paranoia-and-chaos-13361359
       
 (DIR) Post #AtoaB4YGtDtxHZMVzU by GossiTheDog@cyberplace.social
       2025-05-05T14:18:45Z
       
       0 likes, 0 repeats
       
       BBC News has a look at teenagers phoning helpdesks and pretending to be the CISO. https://www.bbc.com/news/articles/c4grn878712o
       
 (DIR) Post #AtoaB50HD6IqgQSsds by GossiTheDog@cyberplace.social
       2025-05-05T14:32:41Z
       
       0 likes, 0 repeats
       
       One of the points of exploitation of large orgs is they usually outsource their Service Desk to somewhere cheap offshore who don’t know the org staff, and when you call and say your name, they normally put big all caps bold red warning if the person is a VIP, eg C suite, so they get VIP service - ie anything goes.
       
 (DIR) Post #AtoaB598g9ON7ubxSK by GossiTheDog@cyberplace.social
       2025-05-05T16:21:58Z
       
       0 likes, 0 repeats
       
       Co-op Group appear to be trying to course correct with their cyber incident comms. They’re calling it a cyber incident now, and have put a statement on the front page of their website, along with an FAQ.  They haven’t yet emailed members (they should). Edit: they’ve started emailing members. https://www.coop.co.uk/cyber-incident
       
 (DIR) Post #AtoaB5pK9J8VEkLeD2 by GossiTheDog@cyberplace.social
       2025-05-06T10:21:14Z
       
       0 likes, 0 repeats
       
       It sounds like the situation at Co-op has got worse. They’ve stopped taking card payments, it’s cash only.  https://www.telegraph.co.uk/business/2025/05/06/co-op-shops-stop-taking-card-payments-amid-cyber-attack/
       
 (DIR) Post #AtoaB5zFYP4ljWzZgG by WiteWulf@cyberplace.social
       2025-05-06T10:36:44Z
       
       0 likes, 0 repeats
       
       @GossiTheDog voluntarily, or has their card processing company got twitchy?
       
 (DIR) Post #AtoaB6KWHK5cnUwYpk by GossiTheDog@cyberplace.social
       2025-05-06T10:42:42Z
       
       0 likes, 0 repeats
       
       @WiteWulf no idea.  Card payment is entirely separate to the point of sale devices, I forget the term for it but it's all handled by a hardware device so the card number never touches the PoS OS
       
 (DIR) Post #AtoaB6YLRv9HUNPbNo by piggo@piggo.space
       2025-05-06T10:44:02.582463Z
       
       0 likes, 0 repeats
       
       @GossiTheDog @WiteWulf aren't the cards running some cursed version of java? imagine a malware spreading through people using the card ...
       
 (DIR) Post #AtoaB6ty9WRiZRWs5Y by sun@shitposter.world
       2025-05-06T10:49:01.408805Z
       
       0 likes, 1 repeats
       
       @piggo @GossiTheDog @WiteWulf it's basically just branding, java on smartcards is only superficially similar to regular java. really fundamental stuff is different. the security record of the smartcards is pretty good I think, but it's only as strong as the applet on the card
       
 (DIR) Post #AtoaBJOtgMJdKq5jxg by GossiTheDog@cyberplace.social
       2025-05-06T10:40:19Z
       
       0 likes, 0 repeats
       
       People are also taking to social media to post pictures of apparently emptying store shelves.
       The Co-op website claims it is down to "technical issues".
       
 (DIR) Post #AvsGPPwBAep8VMWlsm by GossiTheDog@cyberplace.social
       2025-05-06T14:52:01Z
       
       0 likes, 0 repeats
       
       Contactless payment has been fixed at all Co-op Group stores.
       
 (DIR) Post #AvsGPQFg0AQ5TpeLGy by GossiTheDog@cyberplace.social
       2025-05-07T11:55:01Z
       
       0 likes, 0 repeats
       
       One thing for media covering the Co-op thing - attackers are not impersonating IT help desks to gain access. They’re impersonating *staff* calling in to the IT help desks - they’re different things.
       
 (DIR) Post #AvsGPQZApg12SIlufA by GossiTheDog@cyberplace.social
       2025-05-07T15:59:29Z
       
       0 likes, 0 repeats
       
       Co-op Group are redirecting supplies from their urban stores to remote and island locations due to stock shortages. The article mentions their EDI platform is suffering “technical issues”.  https://www.retailgazette.co.uk/blog/2025/05/co-op-reroutes-stock/
       
 (DIR) Post #AvsGPQu5ZukJVAYcGO by GossiTheDog@cyberplace.social
       2025-05-07T16:49:39Z
       
       0 likes, 0 repeats
       
       I just did a Shodan Safari on Co-op - basically all their Windows and Linux systems in their core DCs at network boundary are down, it's not just EDI. It's been like that for just under a week, prior to that things were still online.
       I feel really bad for them as it's a great org. Also their CEO is basically the only one who stood up like this for trans people.
       https://www.telegraph.co.uk/business/2025/05/04/ill-protect-trans-people-to-the-end-vows-co-op-boss/
       
 (DIR) Post #AvsGPRooB27GL55ufg by GossiTheDog@cyberplace.social
       2025-05-07T16:54:18Z
       
       0 likes, 0 repeats
       
       If you're wondering about Marks and Spencer - I just did a Shodan Safari of their network boundary, Palo-Alto GlobalProtect VPN remote access is still offline, 15 days later.
       Online orders are still not working, and the store stock checker is disabled now.
       
 (DIR) Post #AvsGPS43GMJF6ME5Qm by GossiTheDog@cyberplace.social
       2025-05-08T13:41:20Z
       
       0 likes, 0 repeats
       
       Co-op have paused all non-essential products in stores https://www.retailgazette.co.uk/blog/2025/05/co-op-non-essential/
       
 (DIR) Post #AvsGPSLQDmChyELxVQ by GossiTheDog@cyberplace.social
       2025-05-08T16:45:56Z
       
       0 likes, 0 repeats
       
       Every detail in this article is wrong. The M&S incident had nothing to do with hybrid working.
       
 (DIR) Post #AvsGPSjskplnC5nUdE by GossiTheDog@cyberplace.social
       2025-05-09T08:22:25Z
       
       0 likes, 0 repeats
       
       Marks and Spencer’s online shopping is still offline 3 weeks later. It is thought they have lost around £63m so far, excluding IR, BCP and ransom payment costs.  https://www.drapersonline.com/news/ms-online-shopping-outage-enters-third-week
       
 (DIR) Post #AvsGPTK2aOh30EiMzY by GossiTheDog@cyberplace.social
       2025-05-09T08:57:50Z
       
       0 likes, 0 repeats
       
       M&S had a significant amount of data stolen btw, but they’ve opted not to tell customers or staff.
       
 (DIR) Post #AvsGPTpwfmDKbBdqim by GossiTheDog@cyberplace.social
       2025-05-09T15:56:11Z
       
       0 likes, 0 repeats
       
       The Grocer reports 4 regional Co-ops, who aren’t part of Co-op Group, are suffering stock shortages as they are supplied by Co-op Group. They expect customers to start to see availability issues on shelves in the coming days. https://www.thegrocer.co.uk/news/co-op-societies-hit-by-availability-issues-amid-ongoing-cyberattack-on-co-op-group/704305.article
       
 (DIR) Post #AvsGPUKmp6ss8q4TnE by GossiTheDog@cyberplace.social
       2025-05-09T17:33:06Z
       
       0 likes, 0 repeats
       
       For orgs looking for defence tips for the attacks on UK retailers, this blog from 2022 about the UK teenagers in LAPSUS$ has relevance.
       As a plot twist - not documented anywhere online, but LAPSUS$ first attacks in 2021 were against UK high street retailers.
       https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
       
 (DIR) Post #AvsGPUpcyRYPgUV6rg by GossiTheDog@cyberplace.social
       2025-05-09T17:45:53Z
       
       0 likes, 0 repeats
       
       For anybody wondering what 'dial into the incident response bridge' means, it means they'll literally Teams call into cyber IR bridges as themselves and just extort you to your face.  They'll also call CISOs etc.  Bad Times at the El Royale.
       
 (DIR) Post #AvsGPVAXigHgjMHoSu by GossiTheDog@cyberplace.social
       2025-05-10T08:40:27Z
       
       0 likes, 0 repeats
       
       Marks & Spencer bureau de change staff are being forced to use pen and paper to serve customers as a result of the cyber attack on the retailer and cannot accept card payment. https://www.thisismoney.co.uk/money/markets/article-14696595/Hack-rocks-Marks-Spencer-bureau-change.html
       
 (DIR) Post #AvsGPVScdSkJdQkFe4 by GossiTheDog@cyberplace.social
       2025-05-10T08:46:05Z
       
       0 likes, 0 repeats
       
       Co-op Group have provided some more detail about what it’s doing about remote lifeline stores (ones where they’re the main/only retailer on an island): “From Monday, 12 of the most remote lifeline stores will receive treble the volume of available product, and another 20 lifeline stores will get double the volume.” https://www.bbc.com/news/articles/c071e7x80djo
       
 (DIR) Post #AvsGPVnBP1C0fCMfh2 by GossiTheDog@cyberplace.social
       2025-05-10T20:14:16Z
       
       0 likes, 0 repeats
       
       DragonForce Ransomware Cartel’s portal is back online after a multi week outage. No sign of M&S or Co-op’s data.
       
 (DIR) Post #AvsGPW1iWyopOHAHLc by GossiTheDog@cyberplace.social
       2025-05-12T05:50:42Z
       
       0 likes, 0 repeats
       
       All M&S recruitment is still stopped, 19 days in. https://jobs.marksandspencer.com/
       
 (DIR) Post #AvsGPWVUkGdcsd63lI by GossiTheDog@cyberplace.social
       2025-05-12T06:10:58Z
       
       0 likes, 0 repeats
       
       I think Co-op may have stopped recruitment too, they’re a big employer so usually have hundreds of open positions - currently they have 17, and most close today and the rest in a few days.
       
 (DIR) Post #AvsGPX12qxsKSTrFwG by GossiTheDog@cyberplace.social
       2025-05-12T12:44:17Z
       
       0 likes, 0 repeats
       
       The Record quotes a Co-op worker as saying they are operating at well below 20% of their normal capacity in depots. https://therecord.media/co-op-cyberattack-uk-company-fears-hackers-still-in-system
       
 (DIR) Post #AvsGPX9CMeOgrlfleC by GossiTheDog@cyberplace.social
       2025-05-12T16:25:40Z
       
       0 likes, 0 repeats
       
       Allianz supplies Marks and Spencer's cyber insurance, and will apparently suffer a full tower loss (i.e. it's going to be expensive) https://www.insuranceinsider.com/article/2esiwg4yv6p38pcf2pgxs/lines-of-business/cyber/allianz-leads-cyber-cover-for-m-s-ransomware-attack
       
 (DIR) Post #AvsGPXxBMoNbMn3gYa by GossiTheDog@cyberplace.social
       2025-05-12T16:28:09Z
       
       0 likes, 0 repeats
       
       People in Machynlleth are apparently turning up at local farms in search of food due to lack of produce at Co-op https://www.cambrian-news.co.uk/news/cyber-attack-people-turning-up-at-farms-as-machynlleth-co-op-shelves-remain-bare-792434
       
 (DIR) Post #AvsGPYDUOBQKBMghyS by GossiTheDog@cyberplace.social
       2025-05-12T16:33:24Z
       
       0 likes, 0 repeats
       
       Co-op stores in Sheffield, Badenoch, Dunfermline and many other places are apparently running out of produce - it's not possible to keep up with the local media reports but it's basically bored reporters getting sent out to photograph half-empty fridges.
       
 (DIR) Post #AvsGPYUrLbJn3Eoa36 by GossiTheDog@cyberplace.social
       2025-05-12T19:04:42Z
       
       0 likes, 0 repeats
       
       This ITV News report linking the Co-op and M&S breaches to SIM swapping is not accurate, no source given. https://www.itv.com/news/2025-05-12/sim-swap-fraud-rises-by-1000-as-criminals-exploit-two-factor-authentication
       They also have a report today saying Co-op stores are restocked, which is also not accurate - that one is sourced from Co-op, but obviously doesn’t stack up to looking in Co-op stores.
       
 (DIR) Post #AvsGPZ2BLhyOiaPBzM by GossiTheDog@cyberplace.social
       2025-05-12T21:55:31Z
       
       0 likes, 0 repeats
       
       If anybody is wondering, all of Marks and Spencer's Palo-Alto GlobalProtect VPN boxes are still offline, 3 weeks later. Pretty good containment method to keep attackers out.
       Co-op's VDE environment is still down, too. https://cyberplace.social/@GossiTheDog/114399017367179104
       
 (DIR) Post #AvsGPZGMUzJdQZ2W5g by GossiTheDog@cyberplace.social
       2025-05-13T08:02:04Z
       
       0 likes, 0 repeats
       
       M&S confirm my toot from 3 days ago that a significant amount of customer and staff data was stolen. They’ve known for weeks but opted not to tell anybody.   https://www.bbc.com/news/articles/c62v34zv828o
       
 (DIR) Post #AvsGPZfsy5jShiytsG by GossiTheDog@cyberplace.social
       2025-05-13T12:09:49Z
       
       0 likes, 0 repeats
       
       Re the Co-op Group breach, Co-op say home addresses of customers were exfiltrated (it was the membership database).  This one dates back to my May 2nd toot upthread re home addresses - at the time, they didn't specify home addresses.
       
 (DIR) Post #AvsGPa5PRC9HysvHeq by GossiTheDog@cyberplace.social
       2025-05-13T12:18:07Z
       
       0 likes, 0 repeats
       
       Co-op Group have 5 open jobs left, with nothing posted for 11 days.
       
 (DIR) Post #AvsGPaTryFiNCkMome by GossiTheDog@cyberplace.social
       2025-05-13T12:25:23Z
       
       0 likes, 0 repeats
       
       Co-op's AGM is this weekend, and M&S yearly results and investor contact are next week.
       Gonna be awkward for different reasons, e.g. Co-op is member (customer) owned, so the people whose data Co-op had stolen are effectively the shareholders and are invited.
       
 (DIR) Post #AvsGPalEvfbq4cUgrI by GossiTheDog@cyberplace.social
       2025-05-13T14:17:50Z
       
       0 likes, 0 repeats
       
       The Channel Islands Coop, which is different to Co-op Group, has been able to restock shelves by moving away from Co-op Group for supply distribution and moving to local suppliers. https://www.bbc.co.uk/news/articles/c3d4xvg3x1do
       
 (DIR) Post #AvsGPb7DbxBrAmmF7I by GossiTheDog@cyberplace.social
       2025-05-13T14:23:08Z
       
       0 likes, 0 repeats
       
       The Grocer reports Nisa and Costcutter are running out of fruit & veg, fresh meat and poultry, dairy products, chilled ready meals, snacks and desserts.
       Nisa and Costcutter are supplied by Co-op Wholesale, which is dependent on Co-op Group.
       “It’s really poor. I feel bad for them but what makes it worse is their hush-hush mentality about it. There’s no proper level of communication and we get random updates.”
       Co-op Wholesale claim there are no problems. https://www.thegrocer.co.uk/news/nisa-and-costcutter-hit-by-stock-shortages-amid-co-op-cyberattack/704393.article
       
 (DIR) Post #AvsGPbbhmbZohL2adU by GossiTheDog@cyberplace.social
       2025-05-13T14:32:13Z
       
       0 likes, 0 repeats
       
       A look at supplies in stores today, after Co-op told ITV yesterday that stores were restocked 😅
       
 (DIR) Post #AvsGPbsMmeu7X0ptbc by GossiTheDog@cyberplace.social
       2025-05-13T14:32:29Z
       
       0 likes, 0 repeats
       
       And a video
       
 (DIR) Post #AvsGPcBrcAV4VTxSzo by GossiTheDog@cyberplace.social
       2025-05-13T16:30:12Z
       
       0 likes, 0 repeats
       
       Co-op Group have told their suppliers that "systemic-based orders will resume for ambient, fresh, and frozen products commencing Wednesday 14 May". They say the forecasting system will still be impacted.
       https://www.thegrocer.co.uk/news/co-op-to-get-systems-back-on-track-after-cyberattack/704425.article
       
 (DIR) Post #AvsGPcfzo8bS0w3Wxk by GossiTheDog@cyberplace.social
       2025-05-13T17:02:23Z
       
       0 likes, 0 repeats
       
       Harrods say they are not asking customers to do anything differently at this point.
       
 (DIR) Post #AvsGPd6EEbaRKIKTqq by GossiTheDog@cyberplace.social
       2025-05-14T11:49:59Z
       
       0 likes, 0 repeats
       
       Financial Times report Marks and Spencer expect to claim £100m on their cyber insurance, the maximum allowed, suggesting losses probably more.  https://www.ft.com/content/723b6195-1ce7-4b5f-94f5-729e9152c578
       
 (DIR) Post #AvsGPdMXFydA8rxVGi by GossiTheDog@cyberplace.social
       2025-05-14T12:01:39Z
       
       0 likes, 0 repeats
       
       Co-op Group say they have exited containment and begun the recovery phase https://www.theguardian.com/business/2025/may/14/co-op-cyber-attack-stock-availability-in-stores-will-not-improve-until-weekend
       Marks and Spencer are still in containment.
       If you want figures for your board to set expectations in big game ransomware incidents, Co-op containment just over 2 weeks, M&S just over 3 weeks so far - recovery comes after.
       In terms of external assistance, Co-op have Microsoft Incident Response (DART), KPMG and crisis comms. M&S have CrowdStrike, Microsoft, Fenix and crisis comms.
       
 (DIR) Post #AvsGPdnpcUStVWjIoa by GossiTheDog@cyberplace.social
       2025-05-15T07:11:58Z
       
       0 likes, 0 repeats
       
       The threat actor at Co-op says Co-op shut systems down, which appears to have really pissed off the threat actor. This was the right, and smart, thing to do. While I was at Co-op we did a rehearsal of ransomware deployment on point of sale devices with the retail team, and the outcome was a business ending event due to the inability to take payments for a prolonged period of time. So early intervention with containment was the right thing to do, 100%. https://www.bbc.co.uk/news/articles/cwy382w9eglo
       
 (DIR) Post #AvsGPe5YYadwOV1SRU by GossiTheDog@cyberplace.social
       2025-05-15T14:07:15Z
       
       0 likes, 0 repeats
       
       Co-op Group recruitment looks like it is starting again, first new roles in two weeks posted. https://hcnq.fa.em2.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX/jobs
       
 (DIR) Post #AvsGPeOhPPxJLrykHQ by GossiTheDog@cyberplace.social
       2025-05-15T14:11:45Z
       
       0 likes, 0 repeats
       
       Marks and Spencer say food distribution to their stores is returning to normal.  It follows Co-op's announcement yesterday that food and drink distribution will begin to return to normal from the weekend. https://www.reuters.com/business/retail-consumer/uks-ms-says-food-availability-improving-every-day-2025-05-15/
       
 (DIR) Post #AvsGPegQLW8MEqGtuK by GossiTheDog@cyberplace.social
       2025-05-16T11:06:20Z
       
       0 likes, 0 repeats
       
       27 new jobs at Co-op added today, and it's only midday.  So recruitment was definitely paused for two weeks and now active again.
       
 (DIR) Post #AvsGPezDDfA9B73uC0 by GossiTheDog@cyberplace.social
       2025-05-16T18:22:09Z
       
       0 likes, 0 repeats
       
       M&S have finally told staff that data about themselves was stolen: https://www.telegraph.co.uk/business/2025/05/16/ms-staff-data-stolen-by-hackers-in-cyber-attack/
       You may notice I said they had staff data stolen on May 9th in this thread.
       
 (DIR) Post #AvsGPfUlKMOqkxp6My by GossiTheDog@cyberplace.social
       2025-05-16T18:28:49Z
       
       0 likes, 0 repeats
       
       For the record, the tools listed in this article aren't used by Co-op.
       https://www.computing.co.uk/news/2025/security/five-cyber-tools-co-op-used-to-defeat-ransomware-attack
       The link in the article to Vectra Cognito AI has a Coop Sweden logo on it, and the Coop Sweden CISO is named. Coop Sweden is a different company. Coop Sweden went on to have a ransomware attack that crippled the org, including point of sale, so I don't think it's a good sales point. Same with Silverfort.
       Google AI has ingested the article and now uses it to claim Co-op Group use the tools.
       
 (DIR) Post #AvsGPfqO1xhHq1wN4i by GossiTheDog@cyberplace.social
       2025-05-16T18:33:55Z
       
       0 likes, 0 repeats
       
       M&S recruitment is still fully stopped, almost a month in. Co-op opened 46 new vacancies today.
       
 (DIR) Post #AvsGPgDmcyPd0at3Xk by GossiTheDog@cyberplace.social
       2025-05-17T12:29:27Z
       
       0 likes, 0 repeats
       
       Marks and Spencer’s CEO will lose a £1.1m share grant as a result of their cyber incident.  https://www.ft.com/content/43531d25-4f7a-4d6e-b809-e85bb8f0033e
       
 (DIR) Post #AvsGPgXdRAIA0AAuUC by GossiTheDog@cyberplace.social
       2025-05-17T12:39:04Z
       
       0 likes, 0 repeats
       
       The Times reports M&S were breached through a contractor and that human error is to blame. (Both M&S and Co-op use TCS for their IT Service Desk). The threat actor went undetected for 52 hours. (I suspect detection was when their ESXi cluster got encrypted). M&S have told the Times they had no “direct” communication with DragonForce, which is code for they’re using a third party to negotiate - standard practice. https://www.thetimes.com/uk/technology-uk/article/m-and-s-boss-cyber-attack-7d9hvk6ds
       
 (DIR) Post #AvsGPgyDqJYjKcc8vY by GossiTheDog@cyberplace.social
       2025-05-17T17:29:06Z
       
       0 likes, 0 repeats
       
       M&S looks to be moving to reposition their incident as a third party failure, which I imagine will help redirect some of the blame (they present their financial results during the week to investors): https://www.bbc.co.uk/news/articles/cpqe213vw3po
       Both M&S and Co-op outsourced their IT, including their Service Desk (helpdesk), to TCS (Tata) around 2018, as part of cost savings.
       
 (DIR) Post #AvsGPh8VE5mZqVQLx2 by GossiTheDog@cyberplace.social
       2025-05-17T17:43:06Z
       
       0 likes, 0 repeats
       
       There's nothing to suggest TCS itself have a breach btw. Basically, if you go for the lowest cost helpdesk - you might want to follow the NCSC advice on authenticating password and MFA token resets.
       I've got a 3-part deep-dive blog series coming out probably next week called Living-Off-The-Company, which is about how teenagers have realised large orgs have outsourced to MSPs who follow the same format of SOP documentation, use of cloud services etc. Orgs have introduced commonality to surf.
       
 (DIR) Post #AvsGPhZ5dF39AxraOO by GossiTheDog@cyberplace.social
       2025-05-19T09:21:28Z
       
       0 likes, 0 repeats
       
       The Office of the Privacy Commissioner for Personal Data (PCPD) has confirmed that Marks and Spencer (M&S) Hong Kong has not informed it of a recent customer data leak, nor responded to its enquiries.  https://hongkongfp.com/2025/05/19/ms-hong-kong-not-responding-to-privacy-commissioners-office-after-online-customer-data-breach/
       
 (DIR) Post #AvsGPhrsVO4w7Eeag4 by GossiTheDog@cyberplace.social
       2025-05-19T17:48:56Z
       
       0 likes, 0 repeats
       
       "Cyber analysts and retail executives said the company had been the victim of a ransomware attack, had refused to pay - following government advice - and was working to reinstall all of its computer systems."
       Not sure who those analysts are, but since DragonForce haven't released any data and M&S won't comment other than to say they haven't had any "direct" contact with DragonForce, I wouldn't make that assumption. https://www.reuters.com/business/retail-consumer/ms-slow-recovery-cyberattack-puts-it-risk-lasting-damage-2025-05-19/
       
 (DIR) Post #AvsGPiNQc5Jdh5Pmr2 by GossiTheDog@cyberplace.social
       2025-05-19T17:52:57Z
       
       0 likes, 0 repeats
       
       There's also a line in the article from a cyber industry person saying "if it can happen to M&S, it can happen to anyone" - it's ridiculous and defeatist given Marks and Spencer haven't shared any technical information about how it happened, other than to tell The Sunday Times it was "human error".
       The Air Safety version of cyber industry would be a plane crashing into 14 other planes, and industry air safety people going "Gosh, if that can happen to British Airways it could happen to anybody!"
       
 (DIR) Post #AvsGPicJijE2RGNg3s by GossiTheDog@cyberplace.social
       2025-05-20T21:13:19Z
       
       0 likes, 0 repeats
       
       Tomorrow it’s one month since Marks and Spencer started containment, it’s also their financial results day. Online ordering still down, all recruitment stopped, Palo-Alto VPNs still offline.
       
 (DIR) Post #AvsGPiu2epP5KEfpgm by GossiTheDog@cyberplace.social
       2025-05-20T21:36:39Z
       
       0 likes, 0 repeats
       
       TCS have been linked to the Marks and Spencer breach, at least in part.
       https://www.reuters.com/business/retail-consumer/ms-slow-recovery-cyberattack-puts-it-risk-lasting-damage-2025-05-19/
       
 (DIR) Post #AvsGPjAhesjO9uT8eu by GossiTheDog@cyberplace.social
       2025-05-20T21:46:00Z
       
       0 likes, 0 repeats
       
       I made this point a few weeks ago, but... outsourcing all your IT, Networks, Service Desk (helpdesk) and operational cybersecurity is a temporary cost saving and basically paints a ticking timebomb on the org, IMHO.
       
 (DIR) Post #AvsGPjWKMU1pEyaPMe by GossiTheDog@cyberplace.social
       2025-05-21T07:39:50Z
       
       0 likes, 0 repeats
       
       M&S say online ordering will be stopped until sometime in July, and it has taken a £300m hit, far higher than analysts had predicted.  https://www.bbc.co.uk/news/articles/c93llkg4n51o
       
 (DIR) Post #AvsGPjuQurJKRjrewC by GossiTheDog@cyberplace.social
       2025-05-21T07:44:25Z
       
       0 likes, 0 repeats
       
       Their CEO has commented they’ve drawn a line under the hack, without recovering, which has a bit of this energy honestly
       
 (DIR) Post #AvsGPkH7YVSVa6TmIi by GossiTheDog@cyberplace.social
       2025-05-21T08:02:34Z
       
       0 likes, 0 repeats
       
       The NCA has confirmed on the record that the investigation into the M&S and Co-op hack is focused on English teenagers. I could toot the names of the people I think they’ll pick up, but won’t.  https://www.bbc.co.uk/news/articles/ckgnndrgxv3o
       
 (DIR) Post #AvsGPkes8CSQllakK0 by GossiTheDog@cyberplace.social
       2025-05-21T08:54:55Z
       
       0 likes, 0 repeats
       
       The CEO of M&S has declined to comment if they have paid a ransom. For the record: I’ve heard they have, in secret, via their insurance.  https://www.reuters.com/business/retail-consumer/ms-says-cyber-attack-was-result-human-error-declines-comment-ransom-2025-05-21/
       
 (DIR) Post #AvsGPl3KfG1Vzd2HRo by GossiTheDog@cyberplace.social
       2025-05-23T12:23:57Z
       
       0 likes, 0 repeats
       
       Co-op Group announces it's getting rid of paper prices in stores, going to electric displays.  Good luck during a ransomware incident 😒
       
 (DIR) Post #AvsGPlR5Ex1RBI9FT6 by GossiTheDog@cyberplace.social
       2025-05-23T12:32:59Z
       
       0 likes, 0 repeats
       
       TCS has a security incident running around the M&S breach.
       
       Interestingly the source claims TCS aren't involved in Co-op's IT - which is categorically false, they took over most of it while I worked there, including the helpdesk, and my team (SecOps) after I left. https://www.ft.com/content/c658645d-289d-49ee-bc1d-241c651516b0
       
 (DIR) Post #AvsGPlvZPbPOhqPazI by GossiTheDog@cyberplace.social
       2025-05-24T08:10:55Z
       
       0 likes, 0 repeats
       
       Insurance Insider say Co-op Group have no cyber insurance policy.  It’s got the insurance industry hard as they think they can ambulance chase other orgs with it. https://www.insuranceinsider.com/article/2eu3sto6ggpzewrryexog/lines-of-business/cyber/m-s-attacks-could-be-the-key-to-winning-new-cyber-business
       
 (DIR) Post #AvsGPmCwN1IrZiXT3w by GossiTheDog@cyberplace.social
       2025-05-28T18:18:10Z
       
       0 likes, 0 repeats
       
       Seven weeks in, Marks and Spencer still have recruitment closed, online orders stopped and no Palo-Alto GlobalProtect VPN.
       
 (DIR) Post #AvsGPmUfJ7TuSgpcgq by GossiTheDog@cyberplace.social
       2025-05-31T22:07:31Z
       
       0 likes, 0 repeats
       
       While Co-op have restored every customer facing system and internal systems like recruitment and remote working, M&S still don't even have recruitment back.
       
       I'm reliably told they paid the ransom, so they'll be target #1 basically forever with other ransomware groups now due to resiliency woes and willingness to pay.
       
 (DIR) Post #AvsGPmnSBGVhOxccyW by GossiTheDog@cyberplace.social
       2025-06-02T13:25:57Z
       
       0 likes, 0 repeats
       
       Marks and Spencer's remuneration committee have opted not to dock the CEO's pay as expected and prior reported over the cyber incident, but instead increased it by £2m. https://www.bbc.co.uk/news/articles/c23mz5eg091o
       
 (DIR) Post #AvsGPmuXkuBJkwwI1g by GossiTheDog@cyberplace.social
       2025-06-03T12:10:47Z
       
       0 likes, 0 repeats
       
       Marks & Spencer is holding walk-in in-store recruitment open days to fill vacant roles while its online hiring system remains offline following its ransomware attack in April. https://www.thegrocer.co.uk/news/mands-stores-staging-walk-in-recruitment-open-days-amid-cyberattack-disruption/705189.article
       
 (DIR) Post #AvsGPnOJyC07FIs4RM by GossiTheDog@cyberplace.social
       2025-06-03T12:15:38Z
       
       0 likes, 0 repeats
       
       This Daily Mail piece about security leaders thinking work-from-home means they will be crippled is horseshit, I'm not linking it.  They've taken a survey about how security people think their businesses couldn't survive ransomware, and linked it to working from home.  WFH isn't the problem: business IT and resilience being built on quicksand is the problem.
       
 (DIR) Post #AvsGPnjwfnIYKMzL96 by GossiTheDog@cyberplace.social
       2025-06-05T10:43:33Z
       
       0 likes, 0 repeats
       
       Co-op say they have largely completed recovery, and have removed the cyber attack banner and statement from their website https://www.retailgazette.co.uk/blog/2025/06/co-op-cyber-attack/
       
       I think they did a great job.  They do call it a "highly sophisticated attack", which, frankly... isn't true and may come out in open court later if the suspects are ever caught.
       
       6 weeks from containment to "near full" recovery, for statto nerds like me who track this stuff.
       
 (DIR) Post #AvsGPo0xeWuRB8wvfU by GossiTheDog@cyberplace.social
       2025-06-06T06:57:33Z
       
       0 likes, 0 repeats
       
       M&S had their ransomware incident communicated via internal email - from the account of a staff member who works for TCS. The way TCS work is you give them accounts on your AD. https://www.bbc.co.uk/news/articles/cr58pqjlnjlo
       
 (DIR) Post #AvsGPoU1uSA4dIY8ye by GossiTheDog@cyberplace.social
       2025-06-10T08:56:20Z
       
       0 likes, 0 repeats
       
       Marks and Spencer have started partial online shopping again.
       
       For statto nerds, around 7 weeks from containment to partial recovery https://www.bbc.co.uk/news/articles/c4gevk2x03go
       
 (DIR) Post #AvsGPomSnuuHYTAri4 by GossiTheDog@cyberplace.social
       2025-06-20T13:11:37Z
       
       0 likes, 0 repeats
       
       M&S still have no recruitment system, two months in.
       
 (DIR) Post #AvsGPp4XihMuSXdItE by GossiTheDog@cyberplace.social
       2025-06-21T20:17:20Z
       
       0 likes, 0 repeats
       
       TCS have told shareholders their systems were not compromised in the hack of M&S.
       
       As an explainer here (not in the article): TCS IT systems weren't compromised. Their helpdesk service (they're AD admins at M&S) was used to gain access to M&S.  They manage M&S IT systems. https://www.reuters.com/business/media-telecom/indias-tcs-says-none-its-systems-were-compromised-ms-hack-2025-06-19/
       
 (DIR) Post #AvsGPpWu1G3NsUtx5s by GossiTheDog@cyberplace.social
       2025-06-24T21:13:24Z
       
       1 likes, 0 repeats
       
       Latest Marks and Spencer update is pretty crazy.
       
       M&S haven't been able to supply sales data - so the British Retail Consortium (BRC) - used by the UK government as an economic indicator - basically made up figures for M&S and didn't tell people they had done this. https://www.telegraph.co.uk/business/2025/06/24/retail-lobby-group-accused-of-ms-cyber-cover-up/
       
 (DIR) Post #AvsGPpl5AXOcaTXHCC by GossiTheDog@cyberplace.social
       2025-06-27T13:43:51Z
       
       1 likes, 0 repeats
       
       Ultra spicy post claiming to be from UK retailer employee (M&S or Co-op) about their experience with TCS on their security incident. https://www.reddit.com/r/cybersecurity/comments/1ll1l6c/scattered_spider_tcs_blame_avoidance/?utm_source=share&utm_medium=mweb3x&utm_name=mweb3xcss&utm_term=1&utm_content=share_button
       
 (DIR) Post #AvsGPy5EDWGSPH1Thw by GossiTheDog@cyberplace.social
       2025-07-01T12:56:48Z
       
       1 likes, 0 repeats
       
       Marks and Spencer’s CEO says half of their online ordering is still offline after their ransomware incident, they hope to get open in next 4 weeks. They are also rebuilding internal systems and hope a majority of that will be done by August. Lesson: mass contain early. M&S didn’t. Co-op did. https://www.reuters.com/business/retail-consumer/ms-ceo-most-cyberattack-impact-will-be-behind-us-by-august-2025-07-01/
       
 (DIR) Post #AvuryoWponp9WqKnFw by penguin42@mastodon.org.uk
       2025-07-07T12:36:31Z
       
       0 likes, 0 repeats
       
       @GossiTheDog It was a lot easier for the IT folk in The Co-op to make that call to pull the plug after they'd just seen what happened to M&S!
       
 (DIR) Post #Avus3lrLAbdmhLI0LA by resuna@ohai.social
       2025-07-07T10:52:54Z
       
       0 likes, 0 repeats
       
       @GossiTheDog Why does an offshore call center even have access to administrator passwords?
       
 (DIR) Post #Avus3mx36rnk5Ky4sS by GossiTheDog@cyberplace.social
       2025-07-07T12:03:35Z
       
       1 likes, 0 repeats
       
       @resuna they run the IT for M&S and Co-op, it’s outsourced
       
 (DIR) Post #AxCyNlFJlpRItb8f4q by GossiTheDog@cyberplace.social
       2025-07-10T11:17:17Z
       
       0 likes, 0 repeats
       
       17 and two 19-year-old teens picked up over Co-op and M&S hacks, and a 20-year-old woman. Pretend to be surprised. https://www.bbc.com/news/articles/cwykgrv374eo
       
 (DIR) Post #AxCyNmYqsgeuyTHmAC by GossiTheDog@cyberplace.social
       2025-07-10T16:58:28Z
       
       0 likes, 0 repeats
       
       If you ever doubted the link between Scattered Spider(tm) and LAPSUS$ - one of the people arrested today was a key part of the LAPSUS$ attacks a few years ago.
       
 (DIR) Post #AxCyNn56wkSmaWNXRg by GossiTheDog@cyberplace.social
       2025-07-10T17:10:53Z
       
       0 likes, 0 repeats
       
       After almost 3 months, Marks and Spencer recruitment system came back online just now.  First 4 jobs posted.
       
 (DIR) Post #AxCyNnfyjfxCQrcyuW by GossiTheDog@cyberplace.social
       2025-07-10T21:07:55Z
       
       0 likes, 0 repeats
       
       . @briankrebs has broken the story that the key member (and teenager) of LAPSUS$ runs Scattered Spider https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ransom-group/
       
 (DIR) Post #AxCyNokyiZXzmeyULI by GossiTheDog@cyberplace.social
       2025-07-16T08:47:29Z
       
       0 likes, 0 repeats
       
       Co-op finally admitted the entire membership database was stolen. I had this in the thread months ago, they originally tried to deny it entirely then tried to say ‘some’ data was accessed when they knew it was the whole thing. https://www.bbc.co.uk/news/articles/cql0ple066po
       
 (DIR) Post #AxCyNpLUWokpbu3eFs by GossiTheDog@cyberplace.social
       2025-07-16T08:58:23Z
       
       0 likes, 0 repeats
       
       Personally I think Co-op did a really good job getting out of that situation and minimising impact. I definitely think if you have a LAPSUS$ style advanced persistent teenagers situation, tilt towards open and honest comms as those kids will use secrecy against ya. It’s 2025, it’s okay to say you got hacked, people largely understand. Also, in IR, lawyers are usually stuck in 1980 advice - it’s just advice, they ain’t yo boss.
       
 (DIR) Post #AxCyNq7Let2G0KRrqi by GossiTheDog@cyberplace.social
       2025-07-17T13:07:57Z
       
       0 likes, 0 repeats
       
       The people arrested as part of the Co-op and M&S hack investigation have been released on bail. https://nation.cymru/news/four-people-bailed-after-arrests-over-cyber-attacks-on-ms-co-op-and-harrods/
       
       Previously when this happened with LAPSUS$, they just continued hacking stuff.
       
 (DIR) Post #AxCyNqs8quSwLSLEmm by GossiTheDog@cyberplace.social
       2025-08-11T09:03:08Z
       
       0 likes, 0 repeats
       
       I understand the people released have not been charged.
       
 (DIR) Post #AxCyNrU4Zso6F65WuO by GossiTheDog@cyberplace.social
       2025-08-11T09:03:53Z
       
       0 likes, 1 repeats
       
       M&S still working on system recovery.    https://www.bbc.com/news/articles/cewyyjdzql4o
       
 (DIR) Post #AxCywpU20YxgAmk6q0 by dr2chase@ohai.social
       2025-07-16T12:58:04Z
       
       1 likes, 0 repeats
       
       @sheogorath @tigerhiddenadam @david_chisnall @GossiTheDog the main problems with this are that
       - cars mostly need to withstand random events (acts of nature, stupid humans) while internet-exposed software needs to withstand clever adversaries.
       - we have no particular separation between software that is "internet-certified" and not, nor do we separate developers into such classes.
       - we have near-term cost pressures to cut corners; to use unsafe languages, to write unsafe code, "for performance".
       
 (DIR) Post #AyFeGGwvOZV4yyiWXY by GossiTheDog@cyberplace.social
       2025-09-15T17:30:14Z
       
       0 likes, 0 repeats
       
       Marks and Spencer CTO leaves, CISO still in role. It’s difficult to see what happened as her fault - eg the decision to outsource the frontline IT helpdesk that did the password resets dates 5 years before she joined. https://www.computerweekly.com/news/366630565/MS-parts-ways-with-CTO-after-cyber-attack
       
 (DIR) Post #AyFeGHTtPzs6dE8qvY by Cyberoutsider@infosec.exchange
       2025-09-15T17:39:42Z
       
       1 likes, 0 repeats
       
       @GossiTheDog Hmmm... I dunno about the "things are amicable".  I've seen a CTO go under similar circumstances in a similar org.
       
       The rumour from that example was that the CTO was adamant that roughly the same thing would happen again if the outsourcer wasn't booted soon/significant moves were made to start relying less on them... and the rest of the Board (essentially CEO + CFO) told them that wasn't an option.
       
 (DIR) Post #AyFeGI5TAHvgVlirUu by masek@infosec.exchange
       2025-09-15T17:59:57Z
       
       1 likes, 0 repeats
       
       @GossiTheDog Usually it’s the „Cyber Incident Sacrificial Offer (CISO)“ that has to go 😏.
       
 (DIR) Post #AyFeGKA9RqrYwrvd4a by Walker@infosec.exchange
       2025-09-15T18:00:15Z
       
       1 likes, 0 repeats
       
       @GossiTheDog That is the number one reason why I never wanted to be a CISO.  I have worked for multiple companies where the CISOs / upper management got fired for incidents beyond their control.  The board needed a scapegoat and the CISO was it.
       
       They should add a section to the CISSP about having a backup / exit plan in case something goes wrong.
       
 (DIR) Post #AyRrDVWDnFciwkybNQ by GossiTheDog@cyberplace.social
       2025-09-18T13:22:10Z
       
       0 likes, 1 repeats
       
       Suspects arrested for M&S hack have been rearrested (again), this time for Transport for London hack last year. Also charged for it: https://therecord.media/scattered-spider-teenage-suspects-arrested-britain-nca
       
       Prior reported arrest over M&S: https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ransom-group/
       
 (DIR) Post #AyRrDdcteJiU5mA2tM by GossiTheDog@cyberplace.social
       2025-09-18T13:24:01Z
       
       0 likes, 0 repeats
       
       I believe this is the fourth time Thalha Jubair has been arrested btw.
       
 (DIR) Post #AyRrDm2MNWq2B48Ugy by GossiTheDog@cyberplace.social
       2025-09-18T14:56:19Z
       
       0 likes, 0 repeats
       
       Justice.gov are pissed at Thalha Jubair and have also charged him, he faces 95 years of jail in the US. https://www.justice.gov/opa/pr/united-kingdom-national-charged-connection-multiple-cyber-attacks-including-critical
       
       "From as early as May 2022 to as recently as September 2025, Jubair and his associates were involved in approximately 120 network intrusions, including accessing the computer networks of at least 47 U.S.-based victims. Collectively, victims paid more than $115 million to Jubair and his associates in efforts to recover their data and prevent its disclosure."
       
 (DIR) Post #AyRrDtjVlUVy2vNYQK by GossiTheDog@cyberplace.social
       2025-09-18T14:59:00Z
       
       0 likes, 0 repeats
       
       Thalha Jubair (a teen) is reportedly behind LAPSUS$/Scattered Spider/ShinyHunters and allegedly big cyber incidents of the past 5 years.  https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ransom-group/
       
       He's been running rings around everybody since he was 14 apparently.
       
 (DIR) Post #AyRrE0xwsDDqTjBgOm by GossiTheDog@cyberplace.social
       2025-09-18T15:03:13Z
       
       0 likes, 0 repeats
       
       "In October 2024 and January 2025, Jubair participated in a scheme to gain unauthorized access to the networks of a U.S.-based critical infrastructure company and the U.S. Courts."
       
       Related: not very stealthy, they posted screenshots of their access this week. 🤦‍♂️ https://databreaches.net/2025/09/15/hackers-claim-access-to-law-enforcement-portals-but-do-they-really-have-access/
       
 (DIR) Post #AyRrE888EkWkhL0Pk8 by GossiTheDog@cyberplace.social
       2025-09-18T18:36:55Z
       
       0 likes, 0 repeats
       
       Achievement unlocked for LAPSUS$, got a court drawing
       
 (DIR) Post #AyRrEFLVPQNt4qJh3o by GossiTheDog@cyberplace.social
       2025-09-18T18:42:57Z
       
       0 likes, 0 repeats
       
       What's also shocking from their arrest and appearance in court today and the US charges is the allegation businesses paid them 9 figures (!) in ransoms to avoid disclosure - the court was told today Thalha allegedly has $200m in cryptocurrency and Owen has $8m.
       
       How is it normal businesses are funding that?
       
 (DIR) Post #AyRrENHtsiFnhygvYG by GossiTheDog@cyberplace.social
       2025-09-18T19:01:53Z
       
       0 likes, 0 repeats
       
       I've made the point before btw but I lost the toot (@metacurity remembers) - if you're a teen getting into cybersecurity, you can get a £30k a year SOC analyst job in London... or make millions ransoming companies by phoning them up and... asking for access.
       
       It isn't normal that extortion payment is being allowed like this, primarily to cover up data loss - often with the NCA in the room, who have a memorandum of understanding they won't tell the ICO (the regulator).
       
       M&S paid, for example.