CyberSecurity news

FlagThis - #datatheft

Kaspersky@Securelist //

Librarian Ghouls APT Steals Data at Night - The Librarian Ghouls APT group (Rare Werewolf) targets Russian entities with RAR archives, BAT scripts, and legitimate software via email, Facebook, and Telegram to deliver malicious payloads during night hours.
References: Securelist , Catalin Cimpanu
The Librarian Ghouls APT group, also known as Rare Werewolf, is actively targeting Russian entities, with additional victims reported in Belarus and Kazakhstan. According to a recent report by Kaspersky, this sophisticated threat actor employs a range of techniques to compromise systems, including the use of RAR archives and BAT scripts. The group leverages legitimate software and multiple communication channels like email, Facebook, and Telegram to deliver malicious payloads, often operating during night hours to minimize detection. The APT has been consistently targeting Russian companies, with attacks continuing almost unabated since 2024, with a slight decline in December followed by a new wave of attacks.

The primary initial infection vector for Librarian Ghouls involves targeted phishing emails containing password-protected archives with executable files inside. These malicious emails are typically disguised as messages from legitimate organizations, containing attachments that appear to be official documents or payment orders. Once the victim opens the archive and extracts the files, the infection process begins. The group's objective is to establish remote access to compromised hosts, steal credentials, and deploy the XMRig cryptocurrency miner.

Rare Werewolf stands out for its preference for legitimate third-party software over developing its own malicious binaries. For example, in some attacks, a legitimate tool called 4t Tray Minimizer is used. The malicious functionality is implemented through command files and PowerShell scripts. A salient aspect of their tactics is launching a PowerShell script that wakes up the victim system at 1 a.m. local time and allows the attackers remote access to it for a four-hour window via AnyDesk, before shutting down the machine at 5 a.m.

Recommended read:
References :
  • Securelist: Sleep with one eye open: how Librarian Ghouls steal data by night
  • Catalin Cimpanu: Mastodon post mentioning Librarian Ghouls Stealing data at night
@cyberpress.org //

Marks (and) Spencer Hit by DragonForce Ransomware - Marks & Spencer (M&S) suffered a ransomware attack by the DragonForce hacker group, disrupting online ordering and causing significant financial losses.
Marks & Spencer (M&S), the prominent retail giant, was recently hit by a significant ransomware attack over the Easter period. The cyberattack, orchestrated by the DragonForce hacker group, disrupted crucial business functions, including online ordering and staff clocking systems. The attackers employed "double extortion" tactics, indicating that they stole sensitive data before encrypting the company's servers. This aggressive move puts M&S at risk of both data loss and public exposure.

An exclusive report reveals that the CEO of M&S received an offensive extortion email detailing the timeline and nature of the attack. The email, reportedly filled with abusive language, claimed that DragonForce had "mercilessly raped" the company and encrypted its servers. In response to the attack, M&S took drastic measures by switching off the VPN used by staff for remote work, which successfully contained the spread of the ransomware, but further disrupted business operations. The financial impact of this cyber incident has been substantial, with reports indicating losses of approximately £40 million per week in sales.

DragonForce, the ransomware group behind the attack, has reportedly compromised over 120 victims in the past year, establishing itself as a major player in the cybercrime landscape. The group has evolved from a Ransomware-as-a-Service (RaaS) model to a fully-fledged ransomware cartel, targeting organizations across various sectors, including manufacturing, healthcare, and retail. While the origins of DragonForce are speculative, technical indicators suggest a Russian alignment, including the use of Russian-linked infrastructure and recruitment efforts through Russian-speaking cybercrime forums. M&S has pointed to "human error" as the cause of the breach, with scrutiny falling on an employee of Tata Consultancy Services (TCS), which provides IT services to the retailer, although M&S has officially disputed claims that it didn't have proper plans to handle a ransomware incident.

Recommended read:
References :
  • www.bitdefender.com: Marks & Spencer’s ransomware nightmare – more details emerge
  • bsky.app: EXCLUSIVE: "We have mercilessly raped your company and encrypted all the servers" - the aggressive extortion email sent to the CEO of M&S has been revealed. The offensive blackmail note reveals lots of things about the nature of the attack, the timeline and the hackers
  • cyberpress.org: Reports over 120 victims have been compromised in the last year.
  • The Register - Security: M&S online ordering system operational 46 days after cyber shutdown
  • www.techradar.com: M&S online orders are back following cyberattack - here's what you need to know
  • www.cybersecuritydive.com: Marks & Spencer restores some online-order operations following cyberattack
  • www.techdigest.tv: M&S resumes online orders weeks after cyber attack
  • www.tripwire.com: Report on DragonForce's email to M&S CEO about taking responsibility for the attack.
  • bsky.app: DragonForce has started posting new victims to its darknet site. Two new orgs now being publicly extorted. Nothing yet on Co-op/M&S/ Harrods.
  • www.infosecworrier.dk: Details regarding the significant data breach and the ransomware attack targeting Marks & Spencer.
@cyberinsider.com //

Adidas Confirms Data Breach Via Third-Party Provider - Adidas has confirmed a data breach impacting customer data via a third-party customer service provider, compromising contact details of customers.
Adidas has confirmed a data breach impacting customer data via a third-party customer service provider. According to Adidas, the compromised data primarily consists of contact information of customers who had previously contacted their customer service help desk. The company assures that sensitive information like passwords, credit card, or any other payment-related information were not affected in the incident.

Adidas became aware that an unauthorized external party obtained certain consumer data through a third-party customer service provider. Adidas has immediately taken steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts. The company is currently notifying affected customers and is cooperating with data protection authorities and investigators as required by law.

This breach marks the third publicly acknowledged incident involving the sportswear giant’s customer service systems recently. The company is working to clarify the situation, reinforcing the importance of securing third-party providers to prevent them from becoming a gateway for attackers to access target systems. Adidas expressed that they remain fully committed to protecting the privacy and security of their consumers and sincerely regret any inconvenience or concern caused by this incident.

Recommended read:
References :
  • cyberinsider.com: Adidas Hit by Third Customer Data Breach Linked to Support Systems
  • The Register - Security: Adidas confirms criminals stole data from customer service provider
  • The420.in: Adidas Falls Victim to Cyberattack Amid Retail Industry Wave
  • BleepingComputer: Adidas warns of data breach after customer service provider hack
  • www.it-daily.net: Data leak at Adidas: contact data tapped via third-party providers
  • bsky.app: German sportswear giant Adidas disclosed a data breach after attackers hacked a customer service provider and stole some customers' data.
  • Graham Cluley: Adidas customers’ personal information at risk after data breach
  • hackread.com: Adidas Confirms Cyber Attack, Customer Data Stolen
  • hackread.com: Adidas Confirms Cyber Attack, Customer Data Stolen
  • www.bleepingcomputer.com: Adidas warns of data breach after customer service provider hack
  • Graham Cluley: Adidas customers' personal information at risk after third-party data breach.
  • bsky.app: Adidas customers' personal information at risk after third-party data breach.
  • techinformed.com: Adidas becomes latest consumer brand to be hit with a cyber breach
  • www.techradar.com: Adidas confirms customer data stolen in worrying cyberattack
  • www.techdigest.tv: Adidas customer data stolen in latest retail cyber attack
  • PCMag UK security: Adidas Confirms Data Breach, Customer Contact Details Exposed
  • Rescana: April 2025 Adidas Data Breach: Supply Chain Attack via Third-Party Customer Service Provider
  • ComputerWeekly.com: Adidas confirms customer data was accessed during cyber attack
MalBot@malware.news //

Fake DigiYatra Apps Target Indian Users - A fake website, digiyatra[.]in, is targeting Indian air travelers to steal financial data by impersonating the official DigiYatra Foundation.
A fraudulent website, digiyatra[.]in, is actively targeting Indian air travelers by impersonating the official DigiYatra Foundation. Threat actors are exploiting the trust placed in India's digital infrastructure by setting up this deceptive phishing site. The website, which remains live at the time of reporting, is designed to harvest personal user data under the guise of providing official services for air travelers, mirroring a legitimate flight booking portal with a flight search box and user forms requesting names, phone numbers, and email addresses.

Despite the appearance of a genuine booking platform, the website does not facilitate any actual ticket sales or transactions. Instead, its sole purpose is data harvesting, enticing users to input Personally Identifiable Information (PII) by imitating a legitimate service experience. The site uses a free SSL certificate from Let's Encrypt to enhance its perceived legitimacy, further deceiving unsuspecting users. The domain was registered under the name Ali Sajil from Kerala, India, and is accessible through both its domain name and IP address (167[.]172[.]151[.]164).

The discovery of this phishing site poses significant risks, including unauthorized data collection, public deception, and potential reputational damage to the DigiYatra initiative. The site's ability to deceive users stems from its strategic use of keywords and the appearance of security through HTTPS. In response to this threat, ThreatWatch360 has taken immediate action, escalating the matter to CERT-In and submitting a takedown request to the domain registrar. Furthermore, alerts have been shared with brand protection clients, and monitoring for similar fraudulent attempts is ongoing, with DNS-level blocks advised for the domain and its IP address to prevent further abuse.

Recommended read:
References :
  • gbhackers.com: Fake DigiYatra Apps Target Indian Users to Steal Financial Data
  • infosecwriteups.com: Fake DigiYatra Website Was Targeting Indian Flyers With Lookalike Portal
  • malware.news: Fake DigiYatra Apps Target Indian Users to Steal Financial Data
@cyble.com //

UK Retailers Hit by Cyberattacks and Disruptions - UK retailers were targeted by the DragonForce ransomware group, linked to UNC3944, using ransomware tactics and social engineering to compromise systems, resulting in disruptions and data breaches.
UK retailers have been targeted by a series of cyberattacks, prompting a national alert from the National Cyber Security Centre (NCSC). These attacks involved ransomware tactics and social engineering, leading to system disruptions and data breaches at several high-profile retail chains. The NCSC has issued a wake-up call to organizations, urging them to bolster their cybersecurity posture amid the growing threats. Attackers have also been impersonating IT helpdesks, tricking employees into handing over login credentials and security codes to gain access to company systems.

Marks & Spencer, Co-op, and Harrods have all been targeted recently, with DragonForce, an infamous ransomware group, claiming responsibility for the disruptions. The initial breach occurred at M&S, followed by an attempted hack at Harrods just days after the Co-op breach. Co-op revealed that its recent breach was more serious than initially reported, with a significant amount of data from current and former customers stolen. Attackers stole names and contact information in the Co-op breach but did not access passwords, payment data, or transaction histories. M&S has suspended online orders and is working to restore affected systems.

Mandiant has linked the DragonForce ransomware attacks on UK retailers to UNC3944 tactics, highlighting links to RansomHub. UNC3944, also known as Scattered Spider, is a financially motivated threat actor known for its persistent use of social engineering and bold interactions with victims. DragonForce operates under a ransomware-as-a-service (RaaS) model, where affiliates carry out the attacks, keeping most of the ransom, while the group provides the tools and hosts leak sites. The NCSC warns organizations to remain vigilant, with DragonForce hinting at more attacks in the near future.

Recommended read:
References :
  • www.sentinelone.com: DragonForce Ransomware Gang | From Hacktivists to High Street Extortionists
  • doublepulsar.com: DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
  • securityaffairs.com: DragonForce group claims the theft of data after Co-op cyberattack
  • www.bleepingcomputer.com: Co-op confirms data theft after DragonForce ransomware claims attack
  • Resources-2: Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
  • DataBreaches.Net: Co-op hackers boast of ‘stealing 20 million customers’ data’ – as retailer admits impacts of ‘significant’ attack
  • www.bbc.co.uk: BBC News reports on the Co-op cyberattack, confirming the theft of a 'significant' amount of data by the DragonForce hackers.
  • Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • arcticwolf.com: Uptick in Ransomware Threat Activity Targeting Retailers in the UK
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • arcticwolf.com: Uptick in Ransomware Threat Activity Targeting Retailers in the UK
  • CyberInsider: Co-op has officially confirmed that hackers accessed and exfiltrated member data in a recent cyberattack, marking a significant escalation in a wave of coordinated intrusions targeting UK retail giants.
  • cyberinsider.com: Cyber Insider reports on Co-op Confirms Member Data Breach Following Cyberattack Incident
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.
  • industrialcyber.co: Mandiant links DragonForce ransomware attacks on UK retailers to UNC3944 tactics, highlighting links to RansomHub
  • phishingtackle.com: Rise In Cyberattacks On UK Retailers Sparks National Alert
  • www.cysecurity.news: UK Retail Sector Hit by String of Cyberattacks, NCSC Warns of Wake-Up Call
@cyble.com //

NCSC Issues Alert After Retail Cyberattacks - The UK's NCSC issued urgent guidance to organizations following cyberattacks on UK retailers, advising enhanced cyber resilience, multi-factor authentication, and improved monitoring against unauthorized account use.
Following a series of cyberattacks targeting major UK retailers including Marks & Spencer, Co-op, and Harrods, the National Cyber Security Centre (NCSC) has issued an urgent alert, urging organizations to bolster their defenses. The attacks, which involved ransomware and data theft, have caused significant operational disruptions and data breaches, highlighting the increasing risk faced by the retail sector. The NCSC anticipates that similar attacks are likely to escalate and emphasizes that preparation is key to ensuring business continuity and minimizing financial losses.

The NCSC advises businesses to take immediate and proactive measures to mitigate risks. A key recommendation is to isolate and contain threats quickly by severing internet connectivity immediately to prevent malware from spreading further across networks. It's equally important to ensure that backup servers remain isolated and unaffected by the attack, so they can be used for disaster recovery. The security agency is also calling on firms to review their password reset policies, and in particular how IT help desks authenticate workers when they make a reset request, especially in the case of senior employees with escalated privileges.

To enhance cyber resilience, the NCSC stresses the importance of implementing multi-factor authentication (MFA) across the board. The agency also warns organizations to be constantly on the lookout for ‘risky logins’ within Microsoft Entra ID Protection, where sign-in attempts are flagged as potentially compromised due to suspicious activity or unusual behaviour. The Information Commissioner's Office (ICO) has similar advice warning organizations to make sure that accounts are protected by a strong password, and that passwords aren't being reused across multiple accounts. While attacks against UK retailers have rocked the industry in recent weeks, the NCSC's guidance aims to help businesses avoid falling victim to similar incidents.

Recommended read:
References :
  • DataBreaches.Net: Marks & Spencer breach linked to Scattered Spider ransomware attack
  • Davey Winder: Harrods is the latest major U.K. retailer to confirm a cyberattack as M&S continues to struggle with ransomware strike fallout.
  • securityaffairs.com: Luxury department store Harrods suffered a cyberattack
  • The Register - Security: British govt agents step in as Harrods becomes third mega retailer under cyberattack
  • www.itpro.com: Harrods hit by cyber attack as UK retailers battle threats
  • Graham Cluley: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a attack. No organisation is 100% safe.
  • techcrunch.com: UK retail giant Co-op warns of disruption as it battles cyberattack
  • www.bloomberg.com: DragonForce hacking gang takes credit for UK retail attacks
  • NCSC News Feed: NCSC statement: Incident impacting retailers
  • Resources-2: Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
  • Zack Whittaker: Bloomberg reporting that DragonForce ransomware gang "and its partners" were behind cyberattacks targeting U.K. retail giants Marks & Spencer, Co-op and Harrods. The gang also claimed to have stolen customer data.
  • doublepulsar.com: DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
  • Metacurity: Harrods becomes the third top UK retailer to fend off a cyberattack
  • hackread.com: UK Retailer Harrods Hit by Cyber Attack After M&S, Co-op
  • NPR Topics: Technology: Harrods, the iconic luxury department store, has become the latest British retailer to fall victim to a cyberattack.
  • bsky.app: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a #ransomware attack.
  • www.bbc.co.uk: The BBC reports on DragonForce's attacks on Co-op, details data theft.
  • www.thetimes.com: The Sunday Times article details the DragonForce attack on Marks & Spencer.
  • www.bleepingcomputer.com: Cybersecurity firm BleepingComputer reported the Co-op's confirmation of significant data theft, contrasting with previous downplayed assessments of the incident.
  • Help Net Security: The Co-op hack is detailed with an update of stolen data and the impact on the company's systems.
  • DataBreaches.Net: BleepingComputer reports on the escalation of the Co-op cyberattack, with hackers boasting about stealing data from millions of customers.
  • arcticwolf.com: Threat Event Timeline 22 April 2025 – Marks & Spencer released a cyber incident update on the London stock exchange website.
  • Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
  • Tech Monitor: The Co-op Group has acknowledged a substantial data breach in a cyberattack that was reportedly perpetrated by the DragonForce group.
  • arcticwolf.com: Threat Event Timeline 04/22/2025 – Marks & Spencer released a cyber incident update on the London stock exchange website. The incident resulted in the organization having to pause online clothing orders for six days.
  • www.techradar.com: Hackers claim to have stolen private information on 20 million Co-op shoppers
  • cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
  • cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities.
  • www.cybersecurity-insiders.com: NCSC issues alert against more ransomware attacks on retailers
  • www.itpro.com: In an official statement, addressed the situation, saying: “The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers, and the public.
  • cyberinsider.com: Cyber Insider reports on Co-op Confirms Member Data Breach Following Cyberattack Incident
  • Check Point Research: Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data.
  • www.bleepingcomputer.com: Marks and Spencer breach linked to Scattered Spider ransomware attack
  • cyberinsider.com: NCSC Issues Urgent Guidance After Major UK Retailers Breached by Hackers
  • www.cybersecurity-insiders.com: New Cyber threats emerge from Cyber Attacks on UK Companies.
  • TechInformed: Recent retail cyber attacks have highlighted growing vulnerabilities in the UK sector.
  • techinformed.com: A recent spate of retail cyber attacks has highlighted growing vulnerabilities in the UK sector, with high street names including M&S, the Co-op and Harrods…
  • Cybersecurity Blog: The Marks and Spencer Cyber Attack: Everything You Need to Know
  • www.exponential-e.com: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
  • : Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen.
  • bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.
  • www.cysecurity.news: The United Kingdom’s National Cyber Security Centre (NCSC) has issued a stark warning following a wave of cyberattacks targeting some of the country’s most prominent retail chains.

Posts

Blogs

Research Tools