
Latest news with #TimMitchell

M&S cyber-attack linked to hacking group Scattered Spider

Yahoo

08-05-2025


A major cyber-attack on Marks & Spencer has been linked to a hacking collective known as Scattered Spider, which is previously thought to have hit MGM Resorts and the US casino operator Caesars. The group, which has previously been found to include people in their 20s from the UK and the US – some of whom faced charges over attempts to steal cryptocurrency via phishing attacks in the US – are reported to have encrypted key M&S systems using ransomware, according to the technology specialist site BleepingComputer. The reports emerged as online sales at M&S – which account for an average £3.8m a day – were suspended for a fifth day. The disruption caused by the hack – and uncertainty over when it will end – has wiped more than £500m off the stock market value of M&S in the past week as experts said it had clearly suffered a cyber-attack on a huge scale. Industry insiders said it was rumoured that the attack had originated at one of M&S's service suppliers and it was not clear if the company had been directly targeted. M&S said: 'As you would expect, we cannot share the details of this cyber incident.' BleepingComputer reported the hackers had stolen M&S data as early as February that could have helped them gain access to key systems. It said the hackers had then encrypted access to a server using software from the ransomware operator DragonForce last week. Tim Mitchell, a senior security researcher at Secureworks, said that while it was impossible for outsiders to confirm who the hackers were, the extent of the disruption caused to M&S indicated it had been subject to a ransomware attack. These attacks encrypt access to important systems and demand a ransom in return for a key to unlock them. 
He said Scattered Spider, also known as Octo Tempest, appeared to be 'quite unusual' as a hacking group in that they were largely English-speaking – unlike the majority of such groups, which are based in places such as Russia, where there is a more 'permissive environment' where they have more freedom to operate. He added: 'Their motivation appears to be as much about bragging rights on those channels [where they communicate] as about money.' He said the hackers could have used phishing emails, gained control of a company phone number or rung up help services pretending to be M&S employees to gain access to systems. Julius Černiauskas, the chief executive of the web intelligence experts Oxylabs, said: 'Following the M&S cyber-attack and the potential involvement of hacking group Scattered Spider, all major UK retailers will be seriously worried if they'll be tangled in the web next. The impact on the M&S share price shows the damage these attacks can do and will have many corporate retailers working day and night to ensure they do not suffer a similar fate. 'Ransomware gangs typically target companies like M&S with the aim of causing maximum disruption to force a quick payout. Their goal is simple: the greater the disruption, the greater the pressure on the company to pay the ransom.' Shoppers are still able to browse online and shop in M&S's physical stores using cash or cards, but some difficulties continue in stores, with gift cards not currently being accepted. Returning goods is only possible at tills in clothing and homeware stores or via post. Food stores are not currently able to accept returns.

Harrods, M&S hit by cyberattack: What happened, who's behind it?

Al Jazeera

02-05-2025


British retail giant Marks & Spencer (M&S) and the iconic Knightsbridge department store, Harrods, have become the latest to be hit by cyberattacks in the UK. Online orders at M&S, one of the United Kingdom's most prominent high-street stores, remain paused and the attack has already cost the company millions of pounds in lost revenues. Here is what we know about the incident, its effect and where things stand. M&S's online services have not fully resumed. Customers can browse online but they cannot complete purchases. Some difficulties also continue in stores, with gift cards not currently being accepted. The company has not provided a timeline for recovery. Although M&S has not confirmed the type of cyberattack it suffered, experts say the company's shutdown of systems points to a likely ransomware incident. Ransomware is a type of malicious software which blocks access to files or systems until a ransom has been paid – usually in cryptocurrency. This sort of software can shut down operations and hold critical data hostage. Harrods has not shared details about its cyberattack, but experts believe the incidents may be connected. Both the Metropolitan Police and the National Cyber Security Centre (NCSC) are investigating the cyber attacks. The NCSC has urged all retailers to tighten their cybersecurity and advised consumers to check bank activity and update passwords. The attack on M&S has been linked by cybersecurity observers to a group called Scattered Spider, which is also known as Octo Tempest. This is a loose network of mostly young, English-speaking hackers who use tricks like phishing (messages through which criminals trick recipients into handing over sensitive information such as login details), SIM swapping (taking control of someone's phone number) and Multi-Factor Authentication fatigue (sending repeated login requests until someone accidentally approves one) to break into company systems. 
Scattered Spider is believed to have accessed M&S systems using ransomware called DragonForce. One of the most common ways ransomware infiltrates a system is through phishing emails, according to cybersecurity firm Akamai. Common to all the methods is 'the aim of exploiting either a human error or a technical vulnerability', its website explains. Once inside, the malware spreads and encrypts important files, locking them so the company can't access or use them. The hackers then demand a ransom in exchange for a key to unlock the data. Tim Mitchell, a senior security researcher at Secureworks, told the UK's Guardian newspaper that Scattered Spider is an unusual hacking group because most cybercriminal networks tend to operate out of countries like Russia, where looser enforcement provides a more 'permissive environment' for cybercrime. The World Cybercrime Index ranks Russia as the country posing the highest cybercrime threat, followed by Ukraine, China, the United States, Nigeria and Romania. Since the attack, more than 700 million pounds ($930m) has been wiped off Marks & Spencer's market value, with its share price falling 6.5 percent – including a 2.2 percent drop on the first day of disruptions alone. Online shopping, which makes up about one-third of M&S's clothing and home sales, generates roughly 3.8 million pounds ($5.05m) in daily revenue – a stream now halted due to the ongoing shutdown. The company has also paused recruitment, removing nearly 200 job listings from its website. Harrods, meanwhile, has not disclosed any financial losses. As a privately held company, it does not have a stock price and typically does not make its financial information public. M&S initially responded promptly to the cyberattack, informing customers of the breach and pausing affected services early on. However, communication has since stalled, with only two official statements released – the last on April 25. 
The retailer confirmed it took systems offline 'as a precaution', affecting both in-store stock and logistics. Harrods, meanwhile, has not disclosed any financial losses. A spokesperson said Harrods is 'working closely with leading cybersecurity experts and law enforcement to investigate the incident and ensure the integrity of our systems'. Yes. M&S and Harrods are the latest in the UK to be affected by cyberattacks. Co-operative Group (Co-op), a British consumer cooperative that operates food stores, funeral services and other businesses, also faced an attempted breach the same week. It shut down parts of its IT system, affecting back-office and call centre functions. Stores remained open. Synnovis, a partner of the UK's National Health Service, was hit by a ransomware attack in June 2024, delaying more than 11,000 medical appointments while patient data it relied on was locked. The Russian-linked cybercriminal group, Qilin, demanded $50m to restore access, but Synnovis refused to pay, adhering to the UK government's policy against paying cybercriminals. In response, the group posted the stolen data online including names, dates of birth, NHS numbers and details of blood test results. According to the UK government's Cyber Security Breaches Survey, 74 percent of large businesses were targeted in cyberattacks in 2024. The Information Commissioner's Office also recorded a 40 percent rise in data breaches in the retail sector in 2023 alone.

M&S cyber-attack linked to hacking group Scattered Spider

The Guardian

29-04-2025


A major cyber-attack on Marks & Spencer has been linked to a hacking collective known as Scattered Spider, which is previously thought to have hit MGM Resorts and the US casino operator Caesars. The group, which has previously been found to include people in their 20s from the UK and the US – some of whom faced charges over attempts to steal cryptocurrency via phishing attacks in the US – are reported to have encrypted key M&S systems using ransomware, according to the technology specialist site BleepingComputer. The reports emerged as online sales at M&S – which account for an average £3.8m a day – were suspended for a fifth day. The disruption caused by the hack – and uncertainty over when it will end – has wiped more than £500m off the stock market value of M&S in the past week as experts said it had clearly suffered a cyber-attack on a huge scale. Industry insiders said it was rumoured that the attack had originated at one of M&S's service suppliers and it was not clear if the company had been directly targeted. M&S said: 'As you would expect, we cannot share the details of this cyber incident.' BleepingComputer reported the hackers had stolen M&S data as early as February that could have helped them gain access to key systems. It said the hackers had then encrypted access to a server using software from the ransomware operator DragonForce last week. Tim Mitchell, a senior threat researcher at SecureWorks, said that while it was impossible for outsiders to confirm who the hackers were, the extent of the disruption caused to M&S indicated it had been subject to a ransomware attack. These attacks encrypt access to important systems and demand a ransom in return for a key to unlock them. 
He said Scattered Spider, also known as Octo Tempest, appeared to be 'quite unusual' as a hacking group in that they were largely English-speaking – unlike the majority of such groups, which are based in places such as Russia, where there is a more 'permissive environment' where they have more freedom to operate. He added: 'Their motivation appears to be as much about bragging rights on those channels [where they communicate] as about money.' He said the hackers could have used phishing emails, gained control of a company phone number or rung up help services pretending to be M&S employees to gain access to systems. Julius Černiauskas, the chief executive of the web intelligence experts Oxylabs, added: 'Following the M&S cyber-attack and the potential involvement of hacking group, Scattered Spider, all major UK retailers will be seriously worried if they'll be tangled in the web next. The impact on the M&S share price shows the damage these attacks can do and will have many corporate retailers working day and night to ensure they do not suffer a similar fate. 'Ransomware gangs typically target companies like M&S with the aim of causing maximum disruption to force a quick payout. Their goal is simple: the greater the disruption, the greater the pressure on the company to pay the ransom.' Shoppers are still able to browse online and shop in M&S's physical stores using cash or cards, but some difficulties continue in stores, with gift cards not currently being accepted. Returning goods is only possible at tills in clothing and homeware stores or via post. Food stores are not currently able to accept returns.

Attack Update—FBI Warns Email And VPN Users Activate 2FA Now

Forbes

24-03-2025


As Medusa strikes, FBI issues stark warning. Update, March 24, 2025: This story, originally published March 22, has been updated with news of another ransomware-as-a-service threat actor and more information from security professionals regarding the Medusa campaign following the FBI enable 2FA now warning. The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency recently issued a joint advisory warning that two-factor authentication needed to be activated for all webmail and VPN accounts as a matter of urgency. That public alert came in the wake of ongoing attacks using Medusa malware, a dangerous ransomware-as-a-service platform enabling cyber criminals to carry out highly effective campaigns against enterprises. Now, security researchers have uncovered a vital component of those attacks, used to disable anti-malware protections. Despite this new revelation, which hopefully may help in the fight against the Medusa threat, enterprises are advised to stick to the FBI 2FA advice when it comes to webmail and VPN services. Medusa is a well-known, and seemingly commonly deployed, ransomware-as-a-service provider. Ransomware as a what? Sadly, just like many other criminal activities such as phishing attacks and infostealer campaigns, ransomware threats can effectively be rented out to anyone who is willing to pay the fee. No great technical skill is required, no genius coder to recruit, and no criminal masterminds are needed. Just the money and malicious will to attack innocent parties for profit. The FBI warning came in response to more than 300 victims falling to Medusa attacks since they started in 2021. FBI investigations in recent months into ongoing attacks revealed a 'dossier of tactics, techniques, and procedures, indicators of compromise, and detection methods associated with the threat actors.' 
All of which led to the public cybersecurity advisory AA25-071A, which urged all organizations to require two-factor authentication for all services where possible, in particular for webmail such as Gmail, Outlook and others, along with virtual private networks and any accounts that can access critical systems. Although Medusa was viewed as a more minor, lower-profile ransomware operation when it was first seen in June 2021, everything changed in 2023 when the cybercrime group opened a dedicated leak site. Every month since then new victims have been added to the site. 'Currently, the total number of victims listed stands at 410,' Tim Mitchell, a senior researcher at the Secureworks Counter Threat Unit, said, 'with February 2025 accounting for the highest number of victims listed in a month at 34.' As Mitchell went on to explain, however, leak site listings only present part of the ransomware story, providing a partial view of victim numbers. Remember that the FBI has confirmed that more than 300 of those victims sit in the critical infrastructure sector. 'The group operates a double extortion model and uses phone calls to pressurize victims to pay,' Mitchell warned. And paying the ransom is no guarantee that the extortion will stop, as Mitchell explained. 'In one incident, the victim, who had already paid a ransom, was contacted by a different Medusa threat actor,' Mitchell said, 'and asked to pay half of the ransom again because the negotiator had stolen the previous payment.' Elastic Security Labs has been monitoring a financially motivated threat campaign that deployed the Medusa ransomware in question, specifically using a heartcrypt-packed loader for these attacks. 
'This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named Abyssworker,' Cyril François, a senior malware research engineer with the Elastic Security Labs Team, said, 'which it installs on the victim machine and then uses to target and silence different endpoint detection and response vendors.' The methodology is what has become known as a bring-your-own-vulnerable-driver attack that is designed to disable security protections. While being too technical for a news story such as this, I would recommend all enterprise defenders read the Elastic Security Labs analysis and implement mitigations accordingly. All the time, of course, while still following the advice from that FBI warning. Medusa isn't the only ransomware-as-a-service that enterprises need to worry about. Hellcat is also making a name for itself, according to a warning from Nick Tausek, lead security automation architect at Swimlane, who told me that it's a 'pretty polished ransomware-as-a-service operator, with an established dark web presence and recruiting operations.' Known for their unique ransom notes which take cultural references into account and often use humor in order to attract as much media attention as possible, Hellcat isn't a threat you can laugh off. 'Hellcat is also known for targeting the highest-value data for encryption, ransom, sale, and release,' Tausek said, 'maximizing impact while minimizing the chances of early detection.' Just like the FBI, Tausek recommended that enterprises should use the strongest authentication methods available and ensure that 2FA is enabled where possible. 'As long as outdated credentials remain valid and third-party platforms are overlooked,' Tausek concluded, 'attackers like Hellcat will continue to exploit these oversights with devastating consequences.'

Residents submit objections to park and ride plans

Yahoo

29-01-2025


Residents have lodged objections against a proposal for a park and ride site on the northern outskirts of Hull. The plans for the Kingswood park and ride development at the Dunswell roundabout on the A1079 were submitted by Hull-based construction company Ashcourt Group last year. Tim Mitchell, who lives near the proposed site, said it would "cause chaos" and would be "unworkable for everybody who lives nearby". Ashcourt Group has been approached for comment. The plans include a bus depot, a waiting area, a petrol station and shop, a car wash, electric vehicle charging bays and three drive-through restaurants. The proposal submitted to East Riding of Yorkshire Council said the site would be designed to be as "visually unintrusive as possible". A covering letter submitted by Ashcourt Group's agent said the development would "reduce congestion and improve public transport take-up in the area". It added that the project would "bring economic growth and jobs to the area" as well as "encouraging more sustainable travel". But Hull City Council member David McCobb said the scheme would have a "huge impact" on traffic on Beverley Road. Mr Mitchell said residents were also concerned about the potential noise, light and air pollution. "We feel like it would be better located in a more industrial location – maybe on certain fields or somewhere where there is already an existing industrial site and not much housing," he said. One of the local objectors said: "The field floods very regularly and quite deeply. If they're going to concrete the whole place, I'm not quite sure where the water is going to go." Yorkshire Water has also shared its concerns about the plans, saying that the proposed positioning of the buildings could "seriously jeopardise" its "ability to maintain the public water network and is not acceptable". 