Scott Schober, Cyber Expert, Author of "Hacked Again," and CEO of Berkeley Varitronics Systems, sits down with host David Braue to discuss the ransomware attack that recently hit Marks & Spencer.
Welcome to the Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing forensic information on all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can learn more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
David: Joining us today is Scott Schober, cyber expert and author of the popular books, "Hacked Again" and "Senior Cyber". Scott, thanks for joining me today.
Scott: Yeah, it's great to be here with you again, David.
David: So we've come together today to talk about one of these very interesting breaches that's been going on recently. It's bigger than most and seems to be more problematic than most. The target here is Marks & Spencer, which is a British big department store. It's been around for a while, and it's having some problems. Tell us about what's going on.
Scott: Yeah, absolutely. They were hit by a ransomware attack, and it was kind of an interesting hacking group, I guess, behind it. They're called the Scattered Spider hacking group, which I guess is not necessarily a single gang that targeted them; they kind of define it as a loose network of young English-speaking hackers that are really skilled in social engineering.
So these are hacking groups that will really focus on and target specific companies, such as Marks & Spencer. In this case, they were the victims, and what happened was the hackers actually infiltrated Marks & Spencer's systems back in February, sometime this year, and they got in and stole Windows domain credentials and then took it really from there. And it kind of exploded more and more as you start learning about what happened there. They used social engineering tactics and techniques to really gain access and, as they say, kind of move laterally through the network, so they could really scarf more and more information. And it got to the point where they actually had to bring in outside help, which is kind of common with large companies, and they got the help of the likes of CrowdStrike and Microsoft, and another one, I think it's Fenix24, to help investigate and figure out: hey, what really happened here? How bad was the damage? And things like that. So, pretty significant breach here. And I guess that's part of the reason why we're talking about it, because it affects such a large company that's been around for a very long time. As we were talking before, I think it was founded back in the late 1800s, which is still making my head wonder. Wow! They have been around a really long time. We were kind of joking, but nobody's really safe from cyber breaches these days, no matter how old you are or how experienced you are. If they want to target you, they're going to get you.
David: This is the thing. If they've been around for 140 years, you'd think they've been doing something right here. I mean, they've survived wars and, you know, theoretically much worse things than a few guys going at their directory services. But this seems to have been pretty catastrophic for them. The costs have been estimated at around 300 million British pounds, or 400 million US dollars. I mean, this is not a small blast radius. How bad could something like this potentially get?
Scott: Pretty bad. I mean, just when you kind of look back post-breach and say, well, so really, what was the true damage and impact? Well, from the initial findings in the investigation, we see that they experienced widespread outages. It affected their contactless payments, their online orders, even their warehouse operations, and they've got, I think, over 200 warehouse workers who were basically told to stay home because of all this disruption that was going on there. The attack affected critical systems within the company, which were encrypted, and they mentioned there in the story that it led to significant business interruption. There were compromised password hashes, allowing them to gain even further unauthorized access across multiple systems. So it tells us not only did they get in. A lot of times, companies get hacked, and they'll report it, and you go, "Oh, no!" And they stop it right there. Here they got in and they dug in deeper and had access to more things. And I think it's a little more alarming when those types of things happen, because you realize the extent that they got in. It wasn't just a willy-nilly type of hack. They must have planned this a little bit and had some possible help from the inside. Possibly compromised credentials, maybe, to get some level of access to the things that they really got into, which is something that's concerning, I think. And there's probably going to be a lot more unfolding as this investigation continues on.
David: Well, this is the problem, isn't it? Because you find out that they've done something, but then they take a fair bit of time to figure out exactly what they've been doing all that time. I mean, it started with Active Directory Services. This is the database that stores all the credentials about users, about devices, about their permissions, and everything. This seems like a pretty logical place for hackers to target. Isn't this stuff supposed to be a bit more secure than that, though?
Scott: Yeah, absolutely. Unfortunately, it's not always that secure. And once they find a vulnerability, a means of exploiting, and they can get in there, they can do amazing things. And part of the challenge, if you look back, even I did a little research because I was curious about this Scattered Spider hacking group. They've been around a while. Even if you go back, say, 2-3 years, there was a large MGM Resorts breach, and there, Scattered Spider actually impersonated IT staff and deployed BlackCat ransomware. So they kind of use some different tricks and disguise themselves. So if you think about it, if they're impersonating the IT staff, they may have done that in this breach, too. It looks like normal things going on within the network. So there are people that are monitoring network activity, obviously. And then there are also some automated systems that are looking for patterns and anomaly detection and other things that will raise the red flag. If there is something that is a little out of the ordinary, they can instantly investigate it and put a stop to it before somebody can get deeper into the system. Well, apparently, they've bypassed a lot of these things, and based upon their track record of the past, they've done a lot of interesting things. Some of their tactics that I did research on: they've done SIM swapping, lots of phishing campaigns, impersonation, even real-time coordination using secure platforms such as Telegram and Discord, and other things like that. So it's well orchestrated, these hacking groups, so they can get in there and get as much information out and cause as much damage as they possibly can.
David: Now, this isn't the first retailer that they've targeted. I understand one of their other victims was Neiman Marcus. They've hit places like AT&T and Ticketmaster, and they have a track record of doing this sort of thing. After a while, I should say the M.O. almost becomes second nature for them. You'd think that companies, maybe, would take that as a cue that, you know, we should review the security around this stuff. Let's check our directory services. Make sure that we're not vulnerable to this.
Scott: Yeah, that's a really good point. And I think, especially in the retail sector. I've been doing research on retail back since, I think it was about 2013, with the first Target breach and then subsequent Home Depot and everybody else down the road. It hasn't stopped. It still is constantly targeted, and they find ways of getting into these large retailers, and I think part of it is the sheer scope of the size when you have that many computers and that large of a network, and that many payment terminals. You've got so many entry points that all you need is one vulnerable point that they can exploit and chip away at to find a way to get in. Once they do that, and it could be again, a disgruntled employee. It could be a remote worker that left their credentials and left the company, or sold them, or something, you know, really dubious. We don't know. There are lots of ways of doing it. That's the problem. And the larger the company, probably the more vulnerabilities. And, what do they say? You've always got to plug up all the holes in the dam there to keep it from leaking all the water out. That's kind of a similar analogy here when you've got these giant networks that really are extremely vulnerable.
It's going to keep happening, in other words. So to your point, yes, especially in the retail sector, they've got to step it up. They've got to protect Active Directory. They've got to use the common-sense things that we've always talked about: being vigilant with phishing emails, not having MFA fatigue, and making sure that all employees are using multi-factor authentication. That's really important. And monitoring financial accounts and any unusual activity; they should obviously audit Active Directory, limit administrative privileges, and segment networks so they can really contain lateral movement. These are all the basic things that the IT team and the cybersecurity teams should have in place. However, when we step back from stories like this and many other companies, they're all not doing it. And that's really, fundamentally, what's wrong.
David: Well, everybody's leaving themselves open to exactly this sort of thing. If they don't approach that carefully and meticulously, I think. One of the attack elements that's been identified is the use of social engineering here. Is this a deficiency in terms of the training that companies are giving to people to not be socially engineered? Or is it just, we're people, I guess there's always a chance this can happen. Isn't there?
Scott: True. I think if I were a cyber criminal, or were to think like a cyber criminal, one of the most important pieces of the puzzle I would use is social engineering.
Why? Because we're creatures of habit. When I say we're people—people in general, because we're emotional.
And once we read one or two things from an individual that sound familiar, we tend to cave and give in easily, and you know, if you talk authoritatively and you say, "Hey, I'm from your bank, whatever Bank XYZ and Mr. Schober, you still reside at 123 Boulevard. Correct?" Yeah. And you know those types of things. Break down your hesitation to divulge information. Now, if they tell me, "Hey, you know, just confirming for your security, your last 4 digits of your social security number are 1234. We want to verify the whole thing to make sure you weren't compromised." Many people just on something that's stupid will say, "Oh, sure, my social security number is blah, blah blah."
Those types of things are part of the problem. And that's true with passwords, too. When I talk to companies that do vulnerability assessments and penetration testing, it's funny. I was hoping for some deep technical dive: how do they break into a company? And they say, well, to be honest, it's kind of underwhelming. On the first day, we go to their parking lot and sit in an old car with a laptop, and we call the receptionist, and we tell them that we simply want to deliver an important document to Mr. So-and-so and please don't tell him about it. We just need the Wi-Fi password, so we can get it to him quickly, and the receptionist goes, "Oh, sure, the Wi-Fi password is password123." They said, "Thank you so much, really appreciate it. Again, please don't tell anyone."
Now they're into the network. So sometimes it's something that simple to start something that ends up being this bad.
David: Well, that's the snowball effect, isn't it?
Now I want to talk about something really important about this case, and that is what's going on with these hacker groups' names. Scattered Spider. I'm not sure who gave them this name. I mean, they've got an official one. It's UNC3944, but that hasn't really got the ring to it. Apparently some other names that people have used for this group include Starfraud, Octo Tempest, Scatter Swine, and Muddled Libra.
What's going on here? Like this is, I mean, this, this is just weird stuff. Really?
Scott: Yeah, I think a lot of it is they kind of want to call it street credit here, or whatever. They want to be able to brag a little bit about who got the cool name, and who hacked what. Because, again, Scattered Spider is not a single-entity hacking group. As mentioned earlier, it's a loosely tied network of young English-speaking hackers that are really good at social engineering.
And they also have close ties and affiliations with other well-known ransomware-as-a-service groups. RansomHub is one that you may have heard of; Qilin, DragonForce, these are other groups that have been very successful in ransomware-as-a-service campaigns. So to be successful, it's never a single company. A lot of times, it's their partners that they're training that are buying these ransomware kits.
And obviously, they get a cut of the action. So it takes a lot of companies doing illegal activity, working together, and sharing information to be successful. So I think that's part of the success of Scattered Spider and some of these crazy names going on.
David: Well, we are seeing that more and more, and I think this really plays into the idea that cybercrime has become an ecosystem. It's not just these random people somewhere. They're working together. They're borrowing tools, I mean, at the end, after they had breached the network and stolen all this information, they actually use DragonForce to encrypt the VMware hosts. And that's I mean, VMware is so fundamental to the way that nearly any company operates these days. If you start encrypting those hosts, you've got major problems, and that seems to be what's happened with Marks & Spencer.
Scott: Yeah, that certainly is the case. So this probably will not be the last of many large retailers that have been attacked and targeted by this group, as well as a slew of others that are all vying to say, "Hey, I really want to take credit for taking down the big fish."
David: Retail tends to be a pretty open target, doesn't it? Because there's so much supply chain interdependency they're working with, you know, thousands of companies that they have to exchange information with. There are electronic networks. There's logistics as well. There are issues operating a sort of retail network and all the employment systems. I mean, I can only imagine how much is going on in the background behind one of these retail storefronts.
Scott: Sure, and I think to add to the challenges, the retail industry requires many bodies to stock shelves, to pack, to run the cash registers for physical brick-and-mortar stores. But that's even true with the online stores. It requires bodies in a warehouse. Sometimes retail does not pay enough for their employees, which makes it very tempting if Scattered Spider were willing to pay you a little bribe to disclose, maybe, some credentials, or turn your head to this or that, to get access to things. That's often how it works, what I kind of classify as an insider job, because employees get disgruntled. And there's also a very high turnover ratio in the retail sector.
So new body in, new training, new exposure to passwords in the systems. A month from now, a year from now, they're out the door, disgruntled for whatever reason, that could work against a company, too. So it makes it challenging.
David: That's a really good point, because, particularly in the retail industry, that wage issue is always there for companies. And how much are you paying? Is it enough to convince people to really do the right thing, or do they just not care too much if the whole company is brought down?
Scott: Yeah. And sometimes it's even truly intentional that somebody says, "I hate this company. I hate my boss. I was taken advantage of, I felt," whatever the case may be, we don't know, and they really go to the dark side, as it were, and work with Scattered Spider or some of these other crazy groups, just for payback. Some people even go to the extent, and I've heard this, they'll go on the dark web, and they will hire groups to then go and target certain companies because they're disgruntled. So it's a tough job in retail to keep safe.
David: So maybe they should be looking at their competitors and start casting a web. Who knows where this has been directed from, and how far the conspiracy goes, and how deep it goes?
Scott: Yeah. I often wonder sometimes, is it a competitor going after a competitor? You know that type of scenario by hiring somebody? It could be. It's very easy to do, it's wrong. I would never do it personally as a business owner.
I would never hire somebody to go hold my number one competitor hostage with ransomware, this or that.
But, boy, in the back of your mind, one might sit there and say, boy, imagine the advantage one could take in the event that something like that could happen, and that's all it takes.
David: I have this feeling that the flowers and chocolates are going to start showing up at your door pretty soon. "Hi, Scott. We love you. Please don't have us hacked."
Scott: "Please, please don't."
David: It's interesting times, and Marks & Spencer is working overtime to try and get themselves back online and function as they have been for so very, very long. It's an interesting example, yet again, of how badly things can go when people get hacked.
Scott: Yeah, that's so true. Maybe one final point I was just thinking of that I neglected to say.
I was thinking about for a company like this, that's been around since the late 1800s. I think it was founded in 1884, if I recall. They've worked so hard to build their brand, and how quickly that brand could be tarnished just by something like this. So it's good advice for all of us as business owners to really take the necessary precautions on a regular basis and kind of clean house, and make sure that everybody's properly trained and doing the cyber basics and good cyber hygiene. So we're not victims like this.
David: So very, very important as always. Scott, thanks again, as always for your time. It's great to chat.
Scott: Great to be with you. Stay safe, everyone.
Joining us today was Scott Schober, cyber expert and author of the popular books, "Hacked Again" and "Senior Cyber."
The Data Security Podcast is sponsored by Cimcor.
To hear our other podcasts and to watch our videos, visit us at cybercrimemagazine.com.
June 10, 2025