    Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-May-2025 01:57:10 JST

    DragonForce Ransomware Cartel are claiming credit for attacks on Marks and Spencer, Co-op and Harrods and say more are coming https://www.bloomberg.com/news/articles/2025-05-02/-dragonforce-hacking-gang-takes-credit-for-uk-retail-attacks

    Attachments

    1. https://cyberplace.social/system/media_attachments/files/114/439/291/680/282/586/original/e2f2cb46a87536b1.jpeg

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-May-2025 02:13:35 JST

      I'm going to make this the new ongoing megathread for DragonForce Ransomware Cartel's attack on UK retailers as they're all connected.

      Why it matters: these are some of the UK's largest retailers, think Target or some such in a US sense.

      Prior threads

      M&S: https://cyberplace.social/@GossiTheDog/114381946765071799

      Co-op: https://cyberplace.social/@GossiTheDog/114426688834113446

      Harrods:
      https://cyberplace.social/@GossiTheDog/114433519351165250

      Attachments

      1. Kevin Beaumont (@GossiTheDog@cyberplace.social)
        Marks and Spencer dealing with.. ransomware? https://infosec.exchange/@d4rkshell/114381922723370326
      2. Kevin Beaumont (@GossiTheDog@cyberplace.social)
        Co-op Group have shut down some systems due to a cyber incident, however retail stores are still trading uninterrupted (which is core to their business). It sounds like they are doing early stage containment to prevent risk of a wider incident, which is smart. Disclaimer: I worked in security operations there. A lot of work was done to try to put things in a good place for moments like this, they are good people.
      3. Kevin Beaumont (@GossiTheDog@cyberplace.social)
        Harrods becomes latest retailer to have a cyber incident, after M&S and Co-op Group. https://news.sky.com/story/luxury-store-harrods-is-latest-retail-victim-of-cyber-attackers-13359363 #threatintel

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-May-2025 02:17:30 JST

      The individuals operating under the DragonForce banner are using social engineering for entry.

      Defenders should urgently make sure they have read the CISA briefs on Scattered Spider and LAPSUS$ as it's a repeat of the 2022-2023 activity.

      Links: https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf

      https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider_0.pdf

      I would also suggest these NCSC guides on incident management: https://www.ncsc.gov.uk/collection/incident-management

      and effective cyber crisis comms: https://www.ncsc.gov.uk/guidance/effective-communications-in-a-cyber-incident

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/439/364/451/611/425/original/88443a28e91c4812.png
      2. Guidance on effective communications in a cyber incident
        Supporting organisations of all sizes to manage their communications strategy before, during and after a cyber security incident.

      PhreakByte (nieldk@infosec.exchange)'s status on Saturday, 03-May-2025 02:18:08 JST

      @GossiTheDog what’s your thoughts on this claim? I have noticed that Akira gang have been mentioned also…

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-May-2025 02:51:47 JST

      Co-op Group have now admitted a significant amount of member (customer) information has been stolen by DragonForce Ransomware Cartel, saying they "accessed data relating to a significant number of our current and past members" - around 20 million people. The Member database, basically.

      Up until now Co-op hadn't even used the words cyber or threat actor, referring to an "IT issue" and "third party" in comms.

      https://www.bbc.co.uk/news/articles/crkx3vy54nzo

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-May-2025 03:33:23 JST

      New by me - breaking down the attacks on UK highstreet retailers

      https://doublepulsar.com/dragonforce-ransomware-cartel-attacks-on-uk-high-street-retailers-walking-in-the-front-door-52ed8ba68534

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-May-2025 04:50:00 JST

      Regarding IOCs around the UK retailer activity - there’s loads doing the rounds, and they’re almost all not useful.

      Eg hundreds of dynamic VPN IPs from 2022. If you google them you’ll find them on vendor blogs from years ago for Scattered Spider - people are recycling in panic and passing around in panic.

      Don’t hunt on random IOCs. IP addresses change. Strengthen foundational controls. Review sign in logs for abnormal activity etc.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-May-2025 04:53:41 JST

      Pass the bong

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/439/985/794/564/818/original/f7ebe7e360547636.jpeg

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-May-2025 04:58:55 JST

      Bleeping Computer have more on the Co-op breach https://www.bleepingcomputer.com/news/security/co-op-confirms-data-theft-after-dragonforce-ransomware-claims-attack/

      #threatintel #ransomware

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/440/005/208/877/125/original/0c84e4558d7e9dc4.jpeg
      2. Co-op confirms data theft after DragonForce ransomware claims attack
        from @BleepinComputer
        The Co-op cyberattack is far worse than initially reported, with the company now confirming that data was stolen for a significant number of current and past customers.

      Linus Lagerhjelm (linuslagerhjelm@infosec.exchange)'s status on Saturday, 03-May-2025 05:17:00 JST

      @GossiTheDog for someone who is unfamiliar with the UK retail market, do you happen to know if Co-op is at all related to the Swedish company Coop that suffered from a major ransomware attack a couple of years ago?

      https://www.bbc.com/news/technology-57707530.amp

      Attachments

      1. Swedish Coop supermarkets shut due to US ransomware cyber-attack
        Some 500 stores are forced to close due to the ripple effects of a major cyber attack in the US.

      Snoop (snoop@cyberplace.social)'s status on Saturday, 03-May-2025 05:17:43 JST

      @GossiTheDog Orgs need to review their password reset process, share awareness to individuals who conduct password reset requests (IT helpdesk).

      No IOC will help you identify social engineering activity.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-May-2025 08:24:57 JST

      One of M&S’ biggest suppliers have said they have reverted to pen and paper for orders due to M&S lacking IT.

      Additionally, M&S staff are raising concern about how they will be paid due to lack of IT systems.

      M&S are over a week into a ransomware incident and still don’t have their online store working.

      https://www.bbc.com/news/articles/cvgnyplvdv8o

      #threatintel #ransomware

      Attachments

      1. M&S supplier back to pen and paper after cyber attack
        What's going on behind the scenes in the aftermath of the cyber attack on M&S.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 03-May-2025 08:27:07 JST

      By the way, this is absolutely terrible advice for dealing with a major and high visibility ransomware incident.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/440/825/134/064/907/original/a4b8dbace31247be.jpeg

      vampirdaddy (vampirdaddy@chaos.social)'s status on Saturday, 03-May-2025 17:00:30 JST

      @GossiTheDog

      Rebuilding business is prioritised by importance. If the online shop is a small side hustle compared to the brick&mortar ones (or is much slower), then it’s lower priority.

      Communicating the current status and expected progress is better, builds trust.

      Wages usually are handled as lump payment, i.e. the same sum as last month - and corrected later when the HR systems are back online.

      The incident response team should cover IT forensics, BCM and communication.

      vampirdaddy (vampirdaddy@chaos.social)'s status on Saturday, 03-May-2025 17:46:44 JST

      @GossiTheDog
      Online sales are (if I read the statistics correctly) ~120 million GBP per year, but that's just 1% of the total 13 billion.

      While 130mio is quite a sum,
      1% of your business is not.

      Plus the online shop probably cannot limp along with pen and paper, but probably needs the fully working IT.

      With proper BCM they probably concentrate on rebuilding key servers (and pen&paper) to keep the business from sinking completely.

      Then the 1% online shop probably takes a back seat.

      Gavin (_calmdowndear@mastodon.social)'s status on Saturday, 03-May-2025 19:38:44 JST
      • Linus Lagerhjelm

      @GossiTheDog @linuslagerhjelm and is this just the "main" (blue) Co-op, and not all the individual other things which use Co-op branding but are actually Central Co-op (yellow/green) round here but is somehow also part of (blue) Co-op?

      As they all have disparate loyalty membership schemes so some people might be safer than others depending which one they use?

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 04-May-2025 01:28:04 JST

      There's a report on ITV News that Co-op member data is available on the Dark Web(tm), but as far as I know this isn't accurate. DragonForce's portal hasn't been available for over a week.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/444/827/549/010/837/original/40d434fbac7c69bf.png

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 04-May-2025 01:52:22 JST

      Here's the ITV News report anyhoo, logline: "ITV News understands the the ongoing cyberattack faced by the supermarket has worsened since Friday, impacting the ordering system, drivers and warehouse staff."

      https://www.itv.com/news/2025-05-03/worsening-cyberattack-shuts-down-co-op-orders-itv-news-understands

      AnneH (annehargreaves@ioc.exchange)'s status on Sunday, 04-May-2025 02:41:22 JST

      @GossiTheDog I'm not sure people realise that "members" are mutual owners, but "customers" are anyone using co-op services, whether members or not. Not sure which are in the data breach - perhaps both? I think the members' db is probably separate.

      George Lund (georgelund@urbanists.social)'s status on Sunday, 04-May-2025 02:53:37 JST
      in reply to
      • AnneH

      @annehargreaves @GossiTheDog it's very unlikely they hold a database of customers that aren't members, as they don't do online ordering. If you get their loyalty card, you're a member.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 04-May-2025 05:56:19 JST

      Sunday Times has a piece looking into ransomware incident at Marks and Spencer. It's pretty good, goes into their contain and eradicate focus.

      "By shutting down parts of the IT estate, Higham’s team had worked to prevent the attack from spreading, but had also stopped parts of its digital operations from functioning. This was considered a worthy trade-off."

      One error in the article - lack of recovery doesn't mean no ransomware paid. Paying is not quick restoration.

      https://www.thetimes.com/business-money/companies/article/m-and-s-cyber-attack-ms-klrnxvwq6

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/445/873/790/799/993/original/366d4e68b247f7c3.png

      craignicol (craignicol@glasgow.social)'s status on Sunday, 04-May-2025 06:07:29 JST

      @GossiTheDog is it just UK at the moment? Would that suggest someone in the UK is upset with them?

      (Mind you, I'm not sure if USA has the infrastructure right now to report anything)

      DangerMouse (dangermouse@cyberplace.social)'s status on Sunday, 04-May-2025 19:52:26 JST

      @GossiTheDog "look for abnormal" ... Many IT teams can't define what's "normal" because they don't review their own logs. Expecting cybersecurity teams to spot abnormalities in that context is unrealistic. We need to stop pushing the message that monitoring is just the SOC’s job. Non-technical IT leaders see that messaging and shift responsibility wholly to the SOC who don’t understand the systems they're supposed to monitor.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 04-May-2025 20:17:12 JST

      I wrote a piece about how paying ransoms does not equal quick restoration - in fact, quite often it makes things worse. https://doublepulsar.com/big-game-ransomware-the-myths-experts-tell-board-members-03d5e1d1c4b7

      Attachments

      1. Big Game Ransomware: the myths experts tell board members
        from https://medium.com/@networksecurity
        A look inside the myths board members are told about ransomware.

      DangerMouse (dangermouse@cyberplace.social)'s status on Sunday, 04-May-2025 20:24:43 JST

      @GossiTheDog TH, SOC, IR, TI, etc all are part of the infosec org, the actual IT systems & services are part of the IT org - this division in areas of responsibility & CxO level priorities is what drives time allocation for those two orgs (including time to partner).

      VessOnSecurity (bontchev@infosec.exchange)'s status on Sunday, 04-May-2025 20:38:03 JST

      @GossiTheDog I agree with most of your arguments. (In fact, the only one I take exception with is comparing ransomware with climate change. Ransomware is a much more real and urgent problem.) Those are pretty much arguments I've used myself when advising customers hit by ransomware not to pay.

      But, ultimately, it's the company's decision. Even if the company makes the wrong decision, the government shouldn't be the one who decides for them.

      See also this:

      https://www.coveware.com/blog/2025/4/29/the-organizational-structure-of-ransomware-threat-actor-groups-is-evolving-before-our-eyes

      "Decryption tools are worse than they’ve ever been."

      [realhackhistory@home]# (realhackhistory@chaos.social)'s status on Sunday, 04-May-2025 20:38:03 JST
      in reply to
      • VessOnSecurity

      @GossiTheDog @bontchev was going to post that link, I believe it too. I remember even years ago the Irish Health Service was given decryption keys and still struggled for months and months to recover data.

      dave (hologram@cyberplace.social)'s status on Sunday, 04-May-2025 21:18:05 JST

      @GossiTheDog I caught a typo similar to ones I make, hope this helps.
      "Travelex aren’t alone. When I covered the Capita ransomware, they paid quietly paid"
      maybe delete one of the "paid"s

      dave (hologram@cyberplace.social)'s status on Sunday, 04-May-2025 21:27:06 JST

      @GossiTheDog My thought after reading this is very old school.
      When the first indication appears, shut everything down. I have seen banks do this, and watched tellers calmly tell customers "I'm sorry, but the system is temporarily shut down" and start from there.
      If the breach is stopped quickly enough, you may have a chance.
      Also, what about off site storage, that would not be accessible to the attacker?
      Ultimately, the decision is a risk management decision, to evaluate as quickly as you can

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 05-May-2025 03:40:23 JST
      in reply to
      • Ollie Whitehouse

      Great NCSC piece by @ollie_whitehouse

      I’d add - block by Entra policy specifically High risk logins (below is too FP prone), and SOC monitor them. SOC playbook = account probably compromised. How?

      https://www.ncsc.gov.uk/blog-post/incidents-impacting-retailers

      Attachments

      1. Incidents impacting retailers – recommendations from the NCSC
        A joint blog post by the NCSC’s National Resilience Director, Jonathon Ellison, and Chief Technology Officer, Ollie Whitehouse.
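
An added example, not part of the thread and not written by any of its participants: a small Python triage pass that works from sign-in behaviour instead of recycled IOC lists, flagging high-risk sign-ins and sign-ins from an unfamiliar device or country shortly after a helpdesk password reset. The record layout, field names, activity label and 24-hour window are assumptions for illustration, and every event below is constructed sample data.

```python
"""Behaviour-based sign-in triage (illustrative sketch, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: how long after a helpdesk reset a sign-in is treated as related.
RESET_WINDOW = timedelta(hours=24)

# Constructed audit events. Field names are simplified assumptions, not a
# vendor export schema; map them to whatever your identity provider emits.
AUDIT_EVENTS = [
    {"time": "2025-05-01T10:00:00", "activity": "helpdesk_password_reset",
     "target": "alice@example.test", "actor": "servicedesk@example.test"},
    {"time": "2025-05-01T11:00:00", "activity": "helpdesk_password_reset",
     "target": "bob@example.test", "actor": "servicedesk@example.test"},
]

# Constructed sign-in records (same caveat about field names).
SIGNINS = [
    {"time": "2025-04-28T08:55:00", "user": "alice@example.test",
     "country": "GB", "device_id": "dev-a1", "risk": "none"},
    {"time": "2025-04-28T09:10:00", "user": "bob@example.test",
     "country": "GB", "device_id": "dev-b1", "risk": "none"},
    {"time": "2025-04-30T09:00:00", "user": "carol@example.test",
     "country": "GB", "device_id": "dev-c1", "risk": "none"},
    # Reset at 10:00, then a never-seen device in a never-seen country.
    {"time": "2025-05-01T10:20:00", "user": "alice@example.test",
     "country": "NL", "device_id": "dev-x9", "risk": "medium"},
    # Reset at 11:00, then the usual device: an ordinary forgotten password.
    {"time": "2025-05-01T11:05:00", "user": "bob@example.test",
     "country": "GB", "device_id": "dev-b1", "risk": "none"},
    # No reset involved, but the identity provider scored the sign-in high.
    {"time": "2025-05-02T07:30:00", "user": "carol@example.test",
     "country": "US", "device_id": "dev-c1", "risk": "high"},
    # Known device, and the reset is more than 24 hours old.
    {"time": "2025-05-03T12:00:00", "user": "alice@example.test",
     "country": "GB", "device_id": "dev-a1", "risk": "none"},
]


def parse_time(value):
    """Parse the ISO 8601 timestamps used in the sample records."""
    return datetime.fromisoformat(value)


def triage(audit_events, signins, window=RESET_WINDOW):
    """Return sign-ins worth a human look, each with the reasons it was flagged."""
    # Index helpdesk resets by the account that was reset.
    resets = defaultdict(list)
    for event in audit_events:
        if event["activity"] == "helpdesk_password_reset":
            resets[event["target"]].append(parse_time(event["time"]))

    known_devices = defaultdict(set)    # per-user baseline built as we go
    known_countries = defaultdict(set)
    findings = []

    for record in sorted(signins, key=lambda r: parse_time(r["time"])):
        user, when = record["user"], parse_time(record["time"])
        reasons = []

        # High-risk sign-ins are treated as "account probably compromised".
        if record["risk"] == "high":
            reasons.append("high_risk")

        # A reset followed by an unfamiliar device or country is the pattern
        # a socially engineered helpdesk reset leaves behind.
        after_reset = any(timedelta(0) <= when - r <= window
                          for r in resets[user])
        if after_reset:
            if record["device_id"] not in known_devices[user]:
                reasons.append("new_device_after_reset")
            if record["country"] not in known_countries[user]:
                reasons.append("new_country_after_reset")

        if reasons:
            findings.append({"user": user, "time": record["time"],
                             "reasons": reasons})
        else:
            # Only unflagged sign-ins extend the baseline, so a suspicious
            # session cannot teach the baseline that its device is normal.
            known_devices[user].add(record["device_id"])
            known_countries[user].add(record["country"])
    return findings


if __name__ == "__main__":
    for finding in triage(AUDIT_EVENTS, SIGNINS):
        print(finding["time"], finding["user"], ", ".join(finding["reasons"]))
```
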
      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 05-May-2025 14:34:09 JST

      Sky News quote a source in M&S head office saying Marks and Spencer have no ransomware incident plan so they are making it up as they go along apparently, with staff sleeping in the office and communicating via WhatsApp.

      M&S dispute this, saying they have robust business continuity plans.

      https://news.sky.com/story/amp/mands-had-no-plan-for-cyber-attacks-insider-reveals-with-staff-left-sleeping-in-the-office-amid-paranoia-and-chaos-13361359

      Attachments

      1. M&S 'had no plan' for cyber attacks, insider claims, with 'staff left sleeping in the office amid paranoia and chaos'
        A source describes chaotic scenes - as hackers continue to hold the High Street company to ransom.

      Floating Onion (floatingonion@cyberplace.social)'s status on Monday, 05-May-2025 20:35:09 JST

      @GossiTheDog If you don’t test it properly, it doesn’t count. See also failover and backups.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 05-May-2025 23:19:01 JST

      BBC News has a look at teenagers phoning helpdesks and pretending to be the CISO. https://www.bbc.com/news/articles/c4grn878712o

      Attachments

      1. Beware phony IT calls after Co-op and M&S hacks, says UK cyber centre
        The NCSC urges firms to check IT help desk "password reset processes" as hackers target retailers.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 05-May-2025 23:32:58 JST

      One of the points of exploitation of large orgs is they usually outsource their Service Desk to somewhere cheap offshore who don’t know the org staff, and when you call and say your name, they normally put big all caps bold red warning if the person is a VIP, eg C suite, so they get VIP service - ie anything goes.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 06-May-2025 01:22:11 JST

      Co-op Group appear to be trying to course correct with their cyber incident comms.

      They’re calling it a cyber incident now, and have put a statement on the front page of their website, along with an FAQ. They haven’t yet emailed members (they should).

      https://www.coop.co.uk/cyber-incident

      Gary Parker :party_porg: (witewulf@cyberplace.social)'s status on Tuesday, 06-May-2025 02:35:24 JST

      @GossiTheDog I got an email (as a member) at about 16:20 this afternoon on the subject

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 06-May-2025 19:21:27 JST

      It sounds like the situation at Co-op has got worse. They’ve stopped taking card payments, it’s cash only. https://www.telegraph.co.uk/business/2025/05/06/co-op-shops-stop-taking-card-payments-amid-cyber-attack/

      Gary Parker :party_porg: (witewulf@cyberplace.social)'s status on Tuesday, 06-May-2025 19:36:53 JST

      @GossiTheDog voluntarily, or has their card processing company got twitchy?

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 06-May-2025 19:40:33 JST

      People are also taking to social media to post pictures of apparently emptying store shelves.

      The Co-op website claims it is down to "technical issues".

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/460/442/002/832/684/original/a0129f4769210751.png
      2. https://cyberplace.social/system/media_attachments/files/114/460/444/448/977/566/original/c8d5c8c417975328.png
      3. https://cyberplace.social/system/media_attachments/files/114/460/458/949/790/785/original/e40a395f622b77d4.png

      Fish of Rage (sun@shitposter.world)'s status on Tuesday, 06-May-2025 19:49:04 JST
      in reply to
      • Piggo :verified_horse:
      • Gary Parker :party_porg:
      @piggo @GossiTheDog @WiteWulf it's basically just branding, java on smartcards is only superficially similar to regular java. really fundamental stuff is different. the security record of the smartcards is pretty good I think, but it's only as strong as the applet on the card

      Piggo :verified_horse: (piggo@piggo.space)'s status on Tuesday, 06-May-2025 19:49:05 JST
      • Gary Parker :party_porg:
      @GossiTheDog @WiteWulf aren't the cards running some cursed version of java? imagine a malware spreading through people using the card ...

      Gavin (_calmdowndear@mastodon.social)'s status on Tuesday, 06-May-2025 19:49:10 JST
      • Gary Parker :party_porg:

      @GossiTheDog @WiteWulf I just used Apple Pay to buy lunch so no issues in mine. Apart from lack of decent choice of sandwiches. The shelves are pretty bare

      Gary Parker :party_porg: (witewulf@cyberplace.social)'s status on Tuesday, 06-May-2025 19:50:34 JST

      @GossiTheDog well, it's not *entirely* separate. The POS kit sits on the same LAN as the PDQ (card reader device) to tell it the transaction amount, and for the PDQ to signal whether the transaction was successful or not. The traffic between the PDQ and the card processing company is encrypted, obvs, and typically transits the same local network as all the other devices in-store, and then over the public internet.

      fay (fay@mas.to)'s status on Tuesday, 06-May-2025 20:00:23 JST

      @GossiTheDog have you absorbed all groceries with your huge open mouth! 😂

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 06-May-2025 23:52:16 JST

      Contactless payment has been fixed at all Co-op Group stores.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 07-May-2025 20:55:15 JST

      One thing for media covering the Co-op thing - attackers are not impersonating IT help desks to gain access. They’re impersonating *staff* calling in to the IT help desks - they’re different things.

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/466/416/024/433/698/original/f030bca626f42b41.jpeg

      Klaus Frank (agowa338@chaos.social)'s status on Wednesday, 07-May-2025 23:01:36 JST

      @GossiTheDog Ehm, they're doing both things. The easiest way to get physical access to most companies is to pretend to be an employee of their IT service contractor. They often just open all of the doors and show you the way right into the server room or ask you if they should log out before you take over (followed by if you'd like tea or coffee). At most what you as an attacker risk is getting also tasked with fixing the printer or copy machine "now that you're already here"...

      Geoffairey (geoffairey@mastodon.social)'s status on Thursday, 08-May-2025 00:57:53 JST
      in reply to
      • daveW

      @GossiTheDog @daveW I don’t know about this case, but both things happen

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 08-May-2025 00:59:45 JST

      Co-op Group are redirecting supplies from their urban stores to remote and island locations due to stock shortages.

      The article mentions their EDI platform is suffering “technical issues”. https://www.retailgazette.co.uk/blog/2025/05/co-op-reroutes-stock/

      Attachments

      1. https://cyberplace.social/system/media_attachments/files/114/467/377/371/536/549/original/49b2f36f417b558a.jpeg
      2. Co-op reroutes stock to rural stores amid cyber attack disruptions
        from @retailgazette
        The Co-op is redirecting food and drink supplies to stores in rural and remote areas in a bid to protect isolated communities from shortages following a serious cyber attack.

      Klaus Frank (agowa338@chaos.social)'s status on Thursday, 08-May-2025 01:22:46 JST

      @GossiTheDog well wouldn't be surprised if someone is just calling them pretending to be from their IT department and instructing them to grant them access.

      Landwomble (landwomble@mastodon.cloud)'s status on Thursday, 08-May-2025 01:44:25 JST

      @GossiTheDog the Co-op really do try to do the right thing. Glad I'm not working in Co-op Food IS any more but their social mission is pretty darn solid.

      Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 08-May-2025 01:49:53 JST

      I just did a Shodan Safari on Co-op - basically all their Windows and Linux systems in their core DCs at network boundary are down, it's not just EDI. It's been like that for just under a week, prior to that things were still online.

      I feel really bad for them as it's a great org. Also their CEO is basically the only one who stood up like this for trans people.

      https://www.telegraph.co.uk/business/2025/05/04/ill-protect-trans-people-to-the-end-vows-co-op-boss/

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 08-May-2025 01:54:32 JST

      If you're wondering about Marks and Spencer - I just did a Shodan Safari of their network boundary, Palo-Alto GlobalProtect VPN remote access is still offline, 15 days later.

      Online orders are still not working, and the store stock checker is disabled now.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 08-May-2025 22:41:35 JST

      Co-op have paused all non-essential products in stores https://www.retailgazette.co.uk/blog/2025/05/co-op-non-essential/


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/472/496/510/015/205/original/ba3a9dcceef193d3.jpeg
      2. Co-op pauses deliveries of non-essential items amid cyber attack
        from @retailgazette
        Co-op has paused its orders of non-essential products amid the fallout from its cyber attack.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 09-May-2025 01:46:11 JST

      Every detail in this article is wrong. The M&S incident had nothing to do with hybrid working.


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/473/222/380/853/134/original/239b865315beccfa.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 09-May-2025 17:22:39 JST

      Marks and Spencer’s online shopping is still offline 3 weeks later. It is thought they have lost around £63m so far, excluding IR and BCP costs. https://www.drapersonline.com/news/ms-online-shopping-outage-enters-third-week

    • Dave Dustin (venzann@mastodon.nz)'s status on Friday, 09-May-2025 17:55:00 JST

      @GossiTheDog That value feels low or are M&S not huge online like other properties?

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 09-May-2025 17:58:04 JST

      M&S had a significant amount of data stolen btw, but they’ve opted not to tell customers or staff.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 10-May-2025 00:56:27 JST

      The Grocer reports 4 regional Co-ops, who aren’t part of Co-op Group, are suffering stock shortages as they are supplied by Co-op Group.

      https://www.thegrocer.co.uk/news/co-op-societies-hit-by-availability-issues-amid-ongoing-cyberattack-on-co-op-group/704305.article


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/478/689/036/433/087/original/5dd32d6c5400d19d.jpeg
      2. Co-op societies hit by availability issues amid ongoing cyberattack on Co-op Group
        Midcounties Co-op, Heart of England Co-op and Lincolnshire Co-op have all confirmed disruption to the supply of food to stores
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 10-May-2025 02:33:26 JST

      For orgs looking for defence tips for the attacks on UK retailers, this blog from 2022 about the UK teenagers in LAPSUS$ has relevance.

      As a plot twist - not documented anywhere online, but LAPSUS$'s first attacks in 2021 were against UK high street retailers.

      https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/479/055/946/787/994/original/124b7ec06012bb1b.png

      2. https://cyberplace.social/system/media_attachments/files/114/479/060/960/484/142/original/625a53ccd5b20e50.png

      3. https://cyberplace.social/system/media_attachments/files/114/479/062/358/078/788/original/a392d9e4fcf9a49f.png

      4. https://cyberplace.social/system/media_attachments/files/114/479/065/412/279/960/original/4c86d9a05aaa48d1.png

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 10-May-2025 02:46:08 JST

      For anybody wondering what 'dial into the incident response bridge' means, it means they'll literally Teams call into cyber IR bridges as themselves and just extort you to your face. They'll also call CISOs etc. Bad Times at the El Royale.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 10-May-2025 17:40:42 JST

      Marks & Spencer bureau de change staff are being forced to use pen and paper to serve customers as a result of the cyber attack on the retailer and cannot accept card payment. https://www.thisismoney.co.uk/money/markets/article-14696595/Hack-rocks-Marks-Spencer-bureau-change.html


      Attachments

      1. Hack rocks Marks & Spencer bureau de change
        from https://www.dailymail.co.uk/home/search.html?s=&authornamef=John-Paul+Ford+Rojas
        M&S bureau de change staff are being forced to use pen and paper to serve customers. The travel money desks are also unable to accept card payments in some cases.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 10-May-2025 17:46:18 JST

      Co-op Group have provided some more detail about what it’s doing about remote lifeline stores (ones where they’re the main/only retailer on an island):

      “From Monday, 12 of the most remote lifeline stores will receive treble the volume of available product, and another 20 lifeline stores will get double the volume.” https://www.bbc.com/news/articles/c071e7x80djo


      Attachments

      1. Co-op cyber attack: Islanders facing empty shelves say 'get the people fed'
        The picturesque island of Islay in the Western Isles is dealing with the real world impacts of the major supermarket hack.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 11-May-2025 05:14:28 JST

      DragonForce Ransomware Cartel’s portal is back online after a multi week outage. No sign of M&S or Co-op’s data.


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/485/366/174/553/490/original/641aed33d19e1a98.jpeg
    • Dave 🐶 (cyberoutsider@infosec.exchange)'s status on Sunday, 11-May-2025 07:00:21 JST

      @GossiTheDog Did someone take their portal down, saying that they shouldn't "do crime"?

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 12-May-2025 14:50:55 JST

      All M&S recruitment is still stopped, 19 days in. https://jobs.marksandspencer.com/


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/493/295/142/413/381/original/dfa3cfddb5b69516.jpeg
      2. Home
        Explore exciting job opportunities at M&S across various sectors: In-Store, Digital & Tech, Clothing, Food, Support, and Logistics. Be part of Britain's best-loved brand, championing sustainability, inclusion, and innovation.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 12-May-2025 15:11:11 JST

      I think Co-op may have stopped recruitment too, they’re a big employer so usually have hundreds of open positions - currently they have 17, and most close today and the rest in a few days.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 12-May-2025 21:44:32 JST

      The Record quotes a Co-op worker as saying they are operating at well below 20% of their normal capacity in depots. https://therecord.media/co-op-cyberattack-uk-company-fears-hackers-still-in-system


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/494/921/207/838/114/original/0e35b8749f7b9420.jpeg
      2. Fears 'hackers still in the system' leave Co-op shelves running empty across UK
        U.K. retailer the Co-op is still having trouble with keeping grocery shelves stocked as it continues to respond to an attempted cyberattack that forced it to shut down some systems two weeks ago.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 13-May-2025 01:25:54 JST

      Allianz supplies Marks and Spencer's cyber insurance, and will apparently suffer a full tower loss (i.e. it's going to be expensive) https://www.insuranceinsider.com/article/2esiwg4yv6p38pcf2pgxs/lines-of-business/cyber/allianz-leads-cyber-cover-for-m-s-ransomware-attack


      Attachments

      1. Allianz leads cyber cover for M&S ransomware attack
        from https://www.insuranceinsider.com/abbie-day
        The Willis-brokered coverage also includes the Willis CyXS facility.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 13-May-2025 01:28:27 JST

      People in Machynlleth are apparently turning up at local farms in search of food due to lack of produce at Co-op https://www.cambrian-news.co.uk/news/cyber-attack-people-turning-up-at-farms-as-machynlleth-co-op-shelves-remain-bare-792434


      Attachments

      1. Cyber attack: People 'turning up at farms' as Machynlleth Co-op shelves remain bare
        A cyber-attack has left Machynlleth’s only supermarket with empty shelves, with some residents ‘turning up at farms’ in an attempt to find fresh produce.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 13-May-2025 01:34:03 JST

      Co-op stores in Sheffield, Badenoch, Dunfermline and many other places are apparently running out of produce - it's not possible to keep up with the local media reports but they're basically bored reporters getting sent out to photograph half empty fridges.


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/495/809/536/076/150/original/12ee7661ea9d74e6.png

      2. https://cyberplace.social/system/media_attachments/files/114/495/814/082/399/205/original/423f593fe85f8ba0.png

      3. https://cyberplace.social/system/media_attachments/files/114/495/817/970/490/979/original/50fb2d6c1f0d0e91.png

      4. https://cyberplace.social/system/media_attachments/files/114/495/821/384/138/101/original/e61fdb720d0669da.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 13-May-2025 04:04:56 JST

      This ITV News report linking the Co-op and M&S breaches to SIM swapping is not accurate, no source given. https://www.itv.com/news/2025-05-12/sim-swap-fraud-rises-by-1000-as-criminals-exploit-two-factor-authentication

      They also have a report today saying Co-op stores are restocked, which is also not accurate - that one is sourced from Co-op, but obviously doesn’t stack up to looking in Co-op stores.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 13-May-2025 06:55:45 JST

      If anybody is wondering, all of Marks and Spencer's Palo-Alto GlobalProtect VPN boxes are still offline, 3 weeks later. Pretty good containment method to keep attackers out.

      Co-op's VDE environment is still down, too.
      https://cyberplace.social/@GossiTheDog/114399017367179104


      Attachments

      1. Kevin Beaumont (@GossiTheDog@cyberplace.social)
        from Kevin Beaumont
        Attached: 1 image M&S use Palo-Alto GlobalProtect for VPN, they took all the endpoints offline days ago (usually first stage containment for ransomware/extortion groups).
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 13-May-2025 17:02:17 JST

      M&S confirm my toot from 3 days ago that a significant amount of customer and staff data was stolen. They’ve known for weeks but opted not to tell anybody. https://www.bbc.com/news/articles/c62v34zv828o


      Attachments

      1. M&S says personal customer data stolen in recent cyber attack
        The retail giant is still struggling to get its services back up and running following a cyber attack.
    • greem (greem@cyberplace.social)'s status on Tuesday, 13-May-2025 17:12:26 JST

      @GossiTheDog Incident response specialists the world over wince into their keyboards.

      This is another object lesson in how not to do it. It'll be taught to students in future.

    • Gary Parker :party_porg: (witewulf@cyberplace.social)'s status on Tuesday, 13-May-2025 17:28:04 JST
      in reply to
      • greem

      @greem @GossiTheDog meanwhile, Co-Op are still sending me emails apologising for the lack of products on shelves, with almost no mention of data loss/appropriation

    • Gavin (_calmdowndear@mastodon.social)'s status on Tuesday, 13-May-2025 17:58:50 JST
      • Gary Parker :party_porg:
      • greem

      @GossiTheDog @WiteWulf @greem the emails I’ve had about it are from Central Co-op specifically, “the green one”. Nothing from Co-op “the blue one”. Given your location you probably don’t have a Central Co-op membership?

      edit - which makes sense actually given your earlier context; Central Co-op may not have been breached directly so no data loss, but they do depend on the (breached) larger Co-op Group for logistics?

    • Gavin (_calmdowndear@mastodon.social)'s status on Tuesday, 13-May-2025 18:22:30 JST
      • Gary Parker :party_porg:
      • greem

      @GossiTheDog @WiteWulf @greem sorry, yes, what I'm trying to say is that Co-op Group may not be sending any emails as I haven't had any either. The only emails I have had are from Central Co-op, which (as Gary said) do not refer to data loss, only stock availability.

      One of the mails says:

      > There is no evidence that Central Co-op systems have been impacted and as a Society, we’re ever vigilant, maintaining a robust stance on cyber security

      As I've said before, the branding is confusing to me

    • shoaibusman88 (shoaibusman88@cyberplace.social)'s status on Tuesday, 13-May-2025 19:50:08 JST

      @GossiTheDog Hey Kevin, How can we connect on message?

    • shoaibusman88 (shoaibusman88@cyberplace.social)'s status on Tuesday, 13-May-2025 21:01:24 JST

      @GossiTheDog I am associated with a cybersecurity service, and had the idea of you reviewing the product, I found you on Medium. In fact we have worked on something that I would love to share with you, if you can share some contact.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 13-May-2025 21:10:05 JST

      Re the Co-op Group breach, Co-op say home addresses of customers were exfiltrated (it was the membership database).


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/500/444/653/358/115/original/e7a9dd9543db6575.png
    • greem (greem@cyberplace.social)'s status on Tuesday, 13-May-2025 21:16:53 JST

      @GossiTheDog I've just had an email from M&S. It's a sort-of-nothing-really email.


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/500/470/434/432/379/original/fd66ead75017f8bb.jpg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 13-May-2025 21:18:20 JST

      Co-op Group have 5 open jobs left, with nothing posted for 11 days.


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/500/477/946/526/936/original/a44827a15bcd3748.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 13-May-2025 21:25:37 JST

      Co-op's AGM is this weekend, and M&S yearly results and investor contact are next week.

      Gonna be awkward for different reasons, e.g. Co-op is member (customer) owned, so the people's data Co-op had stolen are effectively the shareholders and are invited.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 13-May-2025 23:18:04 JST

      The Channel Islands Coop, which is different to Co-op Group, has been able to restock shelves by moving away from Co-op Group for supply distribution and moving to local suppliers. https://www.bbc.co.uk/news/articles/c3d4xvg3x1do


      Attachments

      1. CI Coop secures local supplies amid stock shortages
        The supermarket expects "steady improvements each day", after a cyber attack leads to empty shelves.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 13-May-2025 23:24:05 JST

      The Grocer reports Nisa and Costcutter are running out of fruit & veg, fresh meat and poultry, dairy products, chilled ready meals, snacks and desserts.

      Nisa and Costcutter are supplied by Co-op Wholesale, which is dependent on Co-op Group.

      “It’s really poor. I feel bad for them but what makes it worse is their hush-hush mentality about it. There’s no proper level of communication and we get random updates.”

      Co-op Wholesale claim there are no problems. https://www.thegrocer.co.uk/news/nisa-and-costcutter-hit-by-stock-shortages-amid-co-op-cyberattack/704393.article


      Attachments

      1. Nisa and Costcutter hit by stock shortages amid Co-op cyberattack
        In communications sent to retailers, the symbol groups listed products that were either 'temporarily unavailable' or 'out of stock' as a result of supplier issues
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 13-May-2025 23:33:05 JST

      And a video

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 13-May-2025 23:33:06 JST

      A look at supplies in stores today, after Co-op told ITV yesterday that stores were restocked 😅


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/500/985/736/768/394/original/d1cfc4d72b4d8335.png

      2. https://cyberplace.social/system/media_attachments/files/114/500/989/396/412/304/original/01a42fa5de2e6a07.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 14-May-2025 01:30:28 JST

      Co-op Group have told their suppliers that "systemic-based orders will resume for ambient, fresh, and frozen products commencing Wednesday 14 May". They say forecasting system will still be impacted.

      https://www.thegrocer.co.uk/news/co-op-to-get-systems-back-on-track-after-cyberattack/704425.article

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 14-May-2025 02:02:41 JST

      Harrods say they are not asking customers to do anything differently at this point.


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/501/596/176/376/969/original/5a6316be0144bc83.png
    • lambtor (lambtor@cyberplace.social)'s status on Wednesday, 14-May-2025 02:09:10 JST

      @GossiTheDog title sounds like a bad rap line.

    • Phil (h0ru2@cyberplace.social)'s status on Wednesday, 14-May-2025 03:04:33 JST

      @GossiTheDog Wouldn't be surprised if customers demanded to keep local goods if restock is available again

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 14-May-2025 20:50:14 JST

      Financial Times report Marks and Spencer expect to claim £100m on their cyber insurance, the maximum allowed, suggesting losses probably more. https://www.ft.com/content/723b6195-1ce7-4b5f-94f5-729e9152c578


      Attachments

      1. M&S cyber insurance payout to be worth up to £100mn
        UK retailer to file big claim as it admits for first time that some customer data was stolen in recent hack
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 14-May-2025 21:01:52 JST

      Co-op Group say they have exited containment and begun recovery phase https://www.theguardian.com/business/2025/may/14/co-op-cyber-attack-stock-availability-in-stores-will-not-improve-until-weekend

      Marks and Spencer are still in containment

      If you want figures for your board to set expectations in big game ransomware incidents, Co-op containment just over 2 weeks, M&S just over 3 weeks so far - recovery comes after.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 15-May-2025 16:12:12 JST

      The threat actor at Co-op says Co-op shut systems down, which appears to have really pissed off the threat actor. This was the right, and smart, thing to do.

      While I was at Co-op we did a rehearsal of ransomware deployment on point of sale devices with the retail team, and the outcome was a business ending event due to the inability to take payments for a prolonged period of time. So early intervention with containment was the right thing to do, 100%.

      https://www.bbc.co.uk/news/articles/cwy382w9eglo


      Attachments

      1. Co-op narrowly avoided an even worse cyber attack, BBC learns
        The revelation - from the criminals responsible - explains why the Co-op is getting back to business faster than M&S.
    • Ben Hammond (benh@mastodon.scot)'s status on Thursday, 15-May-2025 17:02:25 JST

      @GossiTheDog

      The quote

      > They torched shareholder value

      made me laugh

      they have no idea what the Coop is

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 15-May-2025 23:07:31 JST

      Co-op Group recruitment looks like it is starting again, first new roles in two weeks posted. https://hcnq.fa.em2.oraclecloud.com/hcmUI/CandidateExperience/en/sites/CX/jobs


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/512/234/307/047/422/original/278fbde5cf5d932a.png
      2. Co-op External Career Section Careers
        Find your Co-op job
    • Gary Parker :party_porg: (witewulf@cyberplace.social)'s status on Thursday, 15-May-2025 23:09:42 JST

      @GossiTheDog And I was expecting the first vacancy to be CTO 😆

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 15-May-2025 23:11:57 JST

      Marks and Spencer say food distribution to their stores is returning to normal. It follows Co-op's announcement yesterday that food and drink distribution will begin to return to normal from the weekend. https://www.reuters.com/business/retail-consumer/uks-ms-says-food-availability-improving-every-day-2025-05-15/

    • Rob\ViewdataUK (robert@irrelevant.me.uk)'s status on Friday, 16-May-2025 00:17:18 JST

      @GossiTheDog
      This was yesterday evening in my local co-op store (close to central Manchester.) Still lots of empty spaces on the shelves.


      Attachments


      1. https://irrelevant.me.uk/system/media_attachments/files/114/512/454/343/866/463/original/764a5ef880b1450d.jpg

      2. https://irrelevant.me.uk/system/media_attachments/files/114/512/455/381/787/600/original/a1bc595ee3dbcbcb.jpg

      3. https://irrelevant.me.uk/system/media_attachments/files/114/512/455/380/856/202/original/8950754d9072f731.jpg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 16-May-2025 20:06:33 JST

      27 new jobs at Co-op added today, and it's only midday. So recruitment was definitely paused for two weeks and now active again.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 17-May-2025 03:22:24 JST

      M&S have finally told staff that data about themselves was stolen: https://www.telegraph.co.uk/business/2025/05/16/ms-staff-data-stolen-by-hackers-in-cyber-attack/

      You may notice I said they had staff data stolen on May 9th in this thread.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 17-May-2025 03:29:03 JST

      For the record, the tools listed in this article aren't used by Co-op.

      https://www.computing.co.uk/news/2025/security/five-cyber-tools-co-op-used-to-defeat-ransomware-attack

      The link in the article to Vectra Cognito AI has a Coop Sweden logo on it, and the Coop Sweden CISO is named. Coop Sweden is a different company. Coop Sweden went on to have a ransomware attack that crippled the org, including point of sale, so I don't think it's a good sales point. Same with Silverfort.

      Google AI has ingested the article and now uses it to claim Co-op Group use the tools.


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/518/907/758/342/333/original/404a0e8379a69c65.png

      2. https://cyberplace.social/system/media_attachments/files/114/518/921/869/166/422/original/614d1b7d575d4413.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 17-May-2025 03:34:10 JST

      M&S recruitment is still fully stopped, almost a month in. Co-op opened 46 new vacancies today.


      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/518/943/176/024/809/original/b60382b9b5713387.png
    • Adrian Sanabria (sawaba@infosec.exchange)'s status on Saturday, 17-May-2025 04:12:40 JST

      @GossiTheDog to be fair, IIRC, Coop Sweden went down because their payment provider used Kaseya.

      So, it was ransomware on a fourth party, nothing Coop Sweden had any direct control over

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 17-May-2025 21:29:41 JST

      Marks and Spencer’s CEO will lose a £1.1m share grant as a result of their cyber incident. https://www.ft.com/content/43531d25-4f7a-4d6e-b809-e85bb8f0033e

      Attachments

      1. M&S chief executive faces £1.1mn pay hit after cyber attack
        Stuart Machin’s awards set to shrink after UK retailer’s share price drops following disclosure of sweeping hack
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 17-May-2025 21:39:19 JST

      The Times reports M&S were breached through a contractor and that human error is to blame. (Both M&S and Co-op use TCS for their IT Service Desk).

      The threat actor went undetected for 52 hours. (I suspect detection was when their ESXi cluster got encrypted).

      M&S have told the Times they had no “direct” communication with DragonForce, which is code for they’re using a third party to negotiate - standard practice.

      https://www.thetimes.com/uk/technology-uk/article/m-and-s-boss-cyber-attack-7d9hvk6ds

      Attachments

      1. M&S bosses under fire after ‘damaging and embarrassing’ cyberattack
        from Tom Witherow | Isabella Fish, Retail Editor
        The Times reveals that the hackers penetrated the retailer’s IT systems through a contractor and worked undetected for about 52 hours before the alarm was raised
    • John Kelly (combat_penguin@infosec.exchange)'s status on Sunday, 18-May-2025 00:33:54 JST

      @GossiTheDog I have memories of those exercises 😅 (particularly logistics chiming in with 'erm, we'd need to kill all supplier orders asap' and the room going quiet 😳)
      Just glad some of the lessons sank in....

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 18-May-2025 02:29:19 JST

      M&S looks to be moving to reposition their incident as a third party failure, which I imagine will help redirect some of the blame (they present their financial results during the week to investors): https://www.bbc.co.uk/news/articles/cpqe213vw3po

      Both M&S and Co-op outsourced their IT, including their Service Desk (helpdesk), to TCS (Tata) around 2018, as part of cost savings.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 18-May-2025 02:43:18 JST

      There's nothing to suggest TCS itself have a breach btw.

      Basically, if you go for the lowest cost helpdesk - you might want to follow the NCSC advice on authenticating password and MFA token resets.

      I've put a 3 part deep dive blog series coming out probably next week called Living-Off-The-Company, which is about how teenagers have realised large orgs have outsourced to MSPs who follow the same format of SOP documentation, use of cloud services etc. Orgs have introduced commonality to surf.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 19-May-2025 18:21:49 JST

      The Office of the Privacy Commissioner for Personal Data (PCPD) has confirmed that Marks and Spencer (M&S) Hong Kong has not informed it of a recent customer data leak, nor responded to its enquiries. https://hongkongfp.com/2025/05/19/ms-hong-kong-not-responding-to-privacy-commissioners-office-after-online-customer-data-breach/

      Attachments

      1. HK M&S unresponsive to privacy body after customer data breach
        from Tom Grundy
        The Office of the Privacy Commissioner for Personal Data says M&S Hong Kong has not informed it of a recent customer data leak, nor responded to its enquiries.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 20-May-2025 02:49:10 JST

      "Cyber analysts and retail executives said the company had been the victim of a ransomware attack, had refused to pay - following government advice - and was working to reinstall all of its computer systems."

      Not sure who those analysts are, but since DragonForce haven't released any data and M&S won't comment other than to say they haven't had any "direct" contact with DragonForce, I wouldn't make that assumption.

      https://www.reuters.com/business/retail-consumer/ms-slow-recovery-cyberattack-puts-it-risk-lasting-damage-2025-05-19/

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 20-May-2025 02:53:14 JST

      There's also a line in the article from a cyber industry person saying "if it can happen to M&S, it can happen to anyone" - it's ridiculous and defeatist given Marks and Spencer haven't shared any technical information about how it happened, other than to tell The Sunday Times it was "human error"

      The Air Safety version of cyber industry would be a plane crashing into 14 other planes, and industry air safety people going "Gosh, if that can happen to British Airways it could happen to anybody!"

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 21-May-2025 06:13:32 JST

      Tomorrow it’s one month since Marks and Spencer started containment, it’s also their financial results day.

      Online ordering still down, all recruitment stopped, Palo-Alto VPNs still offline.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 21-May-2025 06:36:55 JST

      TCS have been linked to the Marks and Spencer breach, at least in part.

      https://www.reuters.com/business/retail-consumer/ms-slow-recovery-cyberattack-puts-it-risk-lasting-damage-2025-05-19/

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/542/305/817/099/771/original/7021320bc7a4b4f4.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 21-May-2025 06:46:14 JST

      I made this point a few weeks ago, but... outsourcing all your IT, Networks, Service Desk (helpdesk) and operational cybersecurity is a temporary cost saving and basically paints a ticking timebomb on the org, IMHO.

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/542/337/522/150/423/original/fbdd2df194622462.png

      2. https://cyberplace.social/system/media_attachments/files/114/542/340/553/190/671/original/b337a1ca940d4627.png
    • Indieterminacy (indieterminacy@social.coop)'s status on Wednesday, 21-May-2025 07:10:41 JST

      @GossiTheDog It's rather hypocritical that the Coop would be wading into the outsourcing game

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 21-May-2025 16:40:03 JST

      M&S say online ordering will be stopped until sometime in July, and it has taken a £300m hit, far higher than analysts had predicted. https://www.bbc.co.uk/news/articles/c93llkg4n51o

      Attachments

      1. M&S online services to face disruption until July
        The chain faces a £300m hit to profits due to the recent cyber attack.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 21-May-2025 16:44:38 JST

      Their CEO has commented they’ve drawn a line under the hack, without recovering, which has a bit of this energy honestly

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 21-May-2025 17:02:49 JST

      The NCA has confirmed on the record that the investigation into the M&S and Co-op hack is focused on English teenagers. I could toot the names of the people I think they’ll pick up, but won’t.

      https://www.bbc.co.uk/news/articles/ckgnndrgxv3o

      Attachments

      1. M&S and Co-op hacks: Scattered Spider is focus of police investigation
        The National Crime Agency tells the BBC how it is trying to find the culprits of the M&S and Co-op hacks.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 21-May-2025 17:55:09 JST

      The CEO of M&S has declined to comment if they have paid a ransom. For the record: I’ve heard they have, in secret, via their insurance. https://www.reuters.com/business/retail-consumer/ms-says-cyber-attack-was-result-human-error-declines-comment-ransom-2025-05-21/

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-May-2025 21:24:10 JST

      Co-op Group announces it's getting rid of paper prices in stores, going to electric displays. Good luck during a ransomware incident 😒

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/557/124/390/673/092/original/09764e0a321ee409.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 23-May-2025 21:33:13 JST

      TCS has a security incident running around the M&S breach.

      Interestingly the source claims TCS aren't involved in Co-op's IT - which is categorically false, they took over most of it while I worked there, including the helpdesk and SecOps.

      https://www.ft.com/content/c658645d-289d-49ee-bc1d-241c651516b0

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/557/157/351/801/301/original/7b1eaf6ee6ed81ed.png
    • ISO8601 (iso8601@cyberplace.social)'s status on Saturday, 24-May-2025 03:24:20 JST

      @GossiTheDog e-paper price labels are apparently extremely common in mainland Europe. The UK is extremely slow to adopt things like this.

      *In theory*, during an incident, the labels would remain as-is until they receive a new price. So TAs would specifically need to target the pricing database prior to wiping.

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 24-May-2025 17:11:07 JST

      Insurance Insider say Co-op Group have no cyber insurance policy.

      It’s got the insurance industry hard as they think they can ambulance chase other orgs with it.

      https://www.insuranceinsider.com/article/2eu3sto6ggpzewrryexog/lines-of-business/cyber/m-s-attacks-could-be-the-key-to-winning-new-cyber-business

      Attachments

      1. M&S attacks could be the key to winning new cyber business
        from https://www.insuranceinsider.com/abbie-day
        While M&S had a cyber policy in place, Co-op and Harrods did not, Insurance Insider revealed.
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 29-May-2025 03:18:26 JST

      Seven weeks in, Marks and Spencer still have recruitment closed, online orders stopped and no Palo-Alto GlobalProtect VPN.

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/114/586/825/235/931/983/original/f83f026dd9bceb94.png

      2. https://cyberplace.social/system/media_attachments/files/114/586/828/424/507/588/original/165dbb7e5aa01e27.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 29-May-2025 03:25:41 JST
      in reply to Emil 🇪🇺

      @se yeah, they shut down their GlobalProtect boxes back around April 20th and they never returned https://cyberplace.social/@GossiTheDog/114399017367179104

      Attachments

      1. Kevin Beaumont (@GossiTheDog@cyberplace.social)
        from Kevin Beaumont
        Attached: 1 image M&S use Palo-Alto GlobalProtect for VPN, they took all the endpoints offline days ago (usually first stage containment for ransomware/extortion groups).
    • Emil 🇪🇺 (se@ieji.de)'s status on Thursday, 29-May-2025 03:25:42 JST

      @GossiTheDog what do you mean with GP here? Have they locked out all their staff from working remotely?

    • cybernerd (cybernerd@cyberplace.social)'s status on Thursday, 29-May-2025 04:39:54 JST

      @GossiTheDog any indication that the Sophos report here: https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/ is linked to TCS?

      Attachments

      1. DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers
        from gallagherseanm
        Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 29-May-2025 05:17:01 JST
      in reply to cybernerd

      @cybernerd nope

    • cybernerd (cybernerd@cyberplace.social)'s status on Thursday, 29-May-2025 05:19:45 JST

      @GossiTheDog thank you!

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.