Kevin BeaumontApr 22
Marks and Spencer dealing with.. ransomware? https://infosec.exchange/@d4rkshell/114381922723370326
d4rkshell :verified: (@d4rkshell@infosec.exchange)

Attached: 1 image Cyber incident reported by Marks and Spencer

Infosec Exchange
Show threadKevin BeaumontApr 24
M&S still dealing with a major cyber incident https://www.bbc.co.uk/news/articles/cly802x1jz5o
Cyber attack causes further chaos for shoppers at M&S

Customers have reported problems with click and collect orders as well as card and contactless payments.

BBC News
Show threadKevin BeaumontApr 25
It looks like M&S may be in serious operational trouble, more services being contained. https://www.bbc.com/news/articles/cdxnkg7rln2o
M&S stops online orders and issues refunds after cyber attack

The firm has stopped taking orders on its website and apps, including for food and clothes.

Show threadKevin BeaumontApr 25
M&S use Palo-Alto GlobalProtect for VPN, they took all the endpoints offline days ago (usually first stage containment for ransomware/extortion groups).
Show threadKevin BeaumontApr 25

So from looking through their external services, it looks like M&S started containment between Sunday 20th-Tuesday 22nd of April.

They had inbound network activity from IPs associated with crimeware groups, but difficult to know which one due to shared infrastructure.

Show threadKevin BeaumontApr 26

The Sunday Times today back up my toot about VPN access to M&S being shut down, saying a source at the company says remote access has been “scaled back”: https://www.thetimes.com/business-money/companies/article/marks-and-spencer-shuts-out-wfh-staff-after-cyberattack-q2wwcjzl3

Additionally, the print version of The Telegraph says it is ransomware, citing somebody involved in containment. They say they believe they have locked the threat actor out of the network now and are working on restoration.

Marks & Spencer shuts out WFH staff after cyberattack

M&S cuts off remote access to some of its IT systems to stop spread of suspected ‘ransomware’ cyberattack that has disrupted online orders and hit M&S’s shares

The Sunday Times
Show threadKevin BeaumontApr 28
Marks and Spencer have told agency staff not to show up to shifts at its main distribution centre due to the ongoing cyber incident https://news.sky.com/story/flatplan-13357434
M&S tells agency workers to stay at home after cyberattack

Sky
Show threadKevin BeaumontApr 28
I just checked in on M&S, a large part of their network is still contained - they're on about day 9. Their GlobalProtect and another VPN are also still offline.
Show threadKevin BeaumontApr 28

Marks and Spencer cyber incident = ransomware.

It's DragonForce ransomware cartel, they have encrypted their VMware ESXi clusters. Lines up with network traffic I saw.

https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/

Marks & Spencer breach linked to Scattered Spider ransomware attack

Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by a hacking collective known as "Scattered Spider" BleepingComputer has learned from multiple sources.

BleepingComputer
Show threadRairii   
@GossiTheDog through the marks and spencers
Apr 28 at 8:36pmWeb