Strategic intelligence insights amid growing threats

You will be aware of just how prevalent cyber attacks on UK high street retailers are becoming, particularly given the extensive media coverage highlighting not only how serious these incidents are, but also how sophisticated the criminals' cyber-attack techniques have become.

These recent breaches go well beyond the average hack attempt: they are leaking massive amounts of sensitive data, shutting down services, and seriously damaging the affected organisations' reputations and customer trust.

But what is more important is that it is not just retailers who are at risk; organisations across all sectors are exposed.

This is especially true for the many organisations still relying on legacy IT systems and infrastructure, or still waiting to adopt strong cybersecurity measures, which unfortunately leaves them sitting ducks for attackers and their constantly evolving tactics.

What is good to know is that, alongside our partners and their 24/7 Security Operations Centre (SOC), we have kept a close watch on both the recent activity and the evolving threat landscape, monitoring the incidents in depth to establish exactly which methods are being used to carry out these attacks.

So, who’s behind these attacks?

Our latest threat intelligence points to a group called Scattered Spider, who’ve been using a ransomware strain called DragonForce.

If the name sounds familiar, it’s probably because they made headlines back in 2023 after launching ransomware attacks on Caesars Entertainment and MGM Resorts in Las Vegas. Reports suggest they walked away with about $15 million in ransom payments from those incidents.

They’ve also been linked to the Snowflake breach, which exposed the personal data of millions of users — further proof that these guys know what they’re doing, and they’re not slowing down.

Several key Indicators of Compromise (IOCs) linked to the group include:

  • Advanced social engineering techniques, such as spear-phishing emails or manipulating individuals into disclosing confidential information
  • Impersonating legitimate users to initiate password reset procedures
  • Multi-Factor Authentication (MFA) fatigue attacks, where users are repeatedly flooded with MFA prompts until they approve one out of frustration or confusion
  • SIM swapping, which involves deceiving mobile service providers into transferring a victim’s phone number to a SIM card controlled by the attacker
  • Exploiting unpatched vulnerabilities, such as CVE-2015-2291, a flaw in Intel’s Ethernet drivers
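MFA fatigue is one of the few items in the list above that leaves a clear trace in sign-in telemetry: a burst of push prompts to one account in a short window, most of them denied, followed by an approval. The following is an added detection example written for this post, not code from the original page or from any vendor; it assumes a hypothetical JSON-lines sign-in log with fields `ts`, `user`, `event` (`mfa_prompt`, `mfa_denied`, `mfa_approved`) and `ip`, and the sample log is constructed to illustrate the pattern.

```python
"""Flag MFA-fatigue bursts in a sign-in log (added example, constructed data)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "alice" receives six prompts in under four minutes,
# denies five and then approves the sixth; "bob" has a normal single prompt.
SAMPLE_LOG = """
{"ts": "2025-05-01T08:00:01Z", "user": "alice", "event": "mfa_prompt",   "ip": "203.0.113.10"}
{"ts": "2025-05-01T08:00:05Z", "user": "alice", "event": "mfa_denied",   "ip": "203.0.113.10"}
{"ts": "2025-05-01T08:00:40Z", "user": "alice", "event": "mfa_prompt",   "ip": "203.0.113.10"}
{"ts": "2025-05-01T08:00:44Z", "user": "alice", "event": "mfa_denied",   "ip": "203.0.113.10"}
{"ts": "2025-05-01T08:01:20Z", "user": "alice", "event": "mfa_prompt",   "ip": "203.0.113.10"}
{"ts": "2025-05-01T08:01:25Z", "user": "alice", "event": "mfa_denied",   "ip": "203.0.113.10"}
{"ts": "2025-05-01T08:02:00Z", "user": "alice", "event": "mfa_prompt",   "ip": "203.0.113.10"}
{"ts": "2025-05-01T08:02:03Z", "user": "alice", "event": "mfa_denied",   "ip": "203.0.113.10"}
{"ts": "2025-05-01T08:02:45Z", "user": "alice", "event": "mfa_prompt",   "ip": "203.0.113.10"}
{"ts": "2025-05-01T08:02:50Z", "user": "alice", "event": "mfa_denied",   "ip": "203.0.113.10"}
{"ts": "2025-05-01T08:03:30Z", "user": "alice", "event": "mfa_prompt",   "ip": "203.0.113.10"}
{"ts": "2025-05-01T08:03:50Z", "user": "alice", "event": "mfa_approved", "ip": "203.0.113.10"}
{"ts": "2025-05-01T09:15:00Z", "user": "bob",   "event": "mfa_prompt",   "ip": "198.51.100.7"}
{"ts": "2025-05-01T09:15:10Z", "user": "bob",   "event": "mfa_approved", "ip": "198.51.100.7"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a real datetime in 'ts'."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per user whose prompt count within `window` reaches
    `threshold`. The alert records whether an approval followed the burst,
    which is the case that needs an immediate password/session reset."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        prompts = [e for e in evs if e["event"] == "mfa_prompt"]
        for i, first in enumerate(prompts):
            # Sliding window anchored on each prompt; stop at the first hit.
            burst = [p for p in prompts[i:] if p["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            last = burst[-1]["ts"]
            approved = any(
                e["event"] == "mfa_approved" and first["ts"] <= e["ts"] <= last + window
                for e in evs
            )
            alerts.append({
                "user": user,
                "prompts": len(burst),
                "start": first["ts"],
                "approved_after_burst": approved,
                "source_ips": sorted({p["ip"] for p in burst}),
            })
            break
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

The threshold and window are deliberately conservative defaults; tune them against your own baseline of legitimate prompt rates, and treat `approved_after_burst` as the trigger for containment rather than just a ticket.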

While these attacks were often highly sophisticated, they were largely preventable through proper controls, continuous monitoring, and increased employee awareness.

Below is some guidance on actions you can take. It is crucial that your organisation regularly reviews, tests, and updates its disaster recovery, business continuity, and cyber incident response plans to ensure preparedness and resilience against cyber threats.

The UK’s National Cyber Security Centre (NCSC) has issued guidance regarding these attacks; in addition, here are some actions you can take:

Deploy multi-factor authentication (MFA): Comprehensively across all accounts and services. Modern phishing-resistant methods are advised.

Improve monitoring for unauthorised account activity: Such as identifying risky sign-ins using Microsoft Entra ID Protection, particularly those flagged by Microsoft Entra Threat Intelligence.

Review and audit high-privilege accounts: Such as Domain Admin, Enterprise Admin, and Cloud Admin accounts, ensuring all access is legitimate.

Enhance detection capabilities within your Security Operations Centre: To identify logins from atypical sources (e.g., VPNs using residential IP ranges) through source enrichment and related methods.
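To make the source-enrichment idea concrete, here is an added example (not code from the original post, the NCSC, or any SOC vendor) that tags each sign-in's source IP against small enrichment tables and scores it, with privileged accounts arriving via residential-proxy or VPN ranges rated highest. The CIDR blocks are RFC 5737 documentation ranges standing in for real corporate egress and commercial VPN/residential-proxy feeds, and the sign-in records are constructed.

```python
"""Enrich sign-in source IPs and score atypical logins (added example, constructed data)."""
import ipaddress

# Constructed enrichment tables. In production these would be loaded from your
# own egress inventory and a commercial VPN / residential-proxy feed.
ENRICHMENT = {
    "corporate":         [ipaddress.ip_network("198.51.100.0/24")],
    "residential_proxy": [ipaddress.ip_network("203.0.113.0/25")],
    "commercial_vpn":    [ipaddress.ip_network("203.0.113.128/25")],
}

# Constructed sign-in records: user, source IP, whether the account is privileged.
SIGNINS = [
    {"user": "svc-backup",     "ip": "198.51.100.7",   "privileged": True},
    {"user": "alice",          "ip": "203.0.113.10",   "privileged": False},
    {"user": "domain-admin-1", "ip": "203.0.113.22",   "privileged": True},
    {"user": "bob",            "ip": "203.0.113.200",  "privileged": False},
    {"user": "cloud-admin-2",  "ip": "192.0.2.44",     "privileged": True},
]


def enrich(ip_str):
    """Return the enrichment label for an IP, or 'unknown' if no table matches."""
    ip = ipaddress.ip_address(ip_str)
    for label, nets in ENRICHMENT.items():
        if any(ip in net for net in nets):
            return label
    return "unknown"


def score(source, privileged):
    """Map (source label, privilege) to a severity a SOC analyst can sort on."""
    if source == "corporate":
        return "info"
    if source == "residential_proxy":
        return "high" if privileged else "medium"
    # commercial VPN and unknown sources: worth a look for privileged accounts
    return "medium" if privileged else "low"


def triage(signins):
    """Annotate every sign-in with its source label and severity."""
    findings = []
    for rec in signins:
        source = enrich(rec["ip"])
        findings.append(dict(rec, source=source, severity=score(source, rec["privileged"])))
    return findings


def needs_review(signins):
    """Users whose sign-ins scored 'high' or 'medium', for analyst follow-up."""
    return sorted(f["user"] for f in triage(signins) if f["severity"] in ("high", "medium"))


if __name__ == "__main__":
    for finding in triage(SIGNINS):
        print(finding)
```

Enrichment only tells you a login is atypical, not malicious; pair it with the account's normal locations and device posture before acting, but a privileged account appearing from a residential-proxy range is a strong reason to verify with the user out of band.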

Review helpdesk and account-request verification processes: Particularly verifying staff credentials before processing requests for accounts with elevated privileges.

Establish processes to rapidly ingest and respond to threat intelligence: Particularly regarding evolving tactics, techniques, and procedures (TTPs).

We’re always here to help you with any of your cybersecurity needs, so if you would like any support, or to discuss your current strategy, please don’t hesitate to contact us on 01274 869 099 or fill out our contact form here.