FlagThis - #dragonforce

Marks & Spencer (M&S), the prominent retail giant, was recently hit by a significant ransomware attack over the Easter period. The cyberattack, orchestrated by the DragonForce hacker group, disrupted crucial business functions, including online ordering and staff clocking systems. The attackers employed "double extortion" tactics, indicating that they stole sensitive data before encrypting the company's servers. This aggressive move puts M&S at risk of both data loss and public exposure.

An exclusive report reveals that the CEO of M&S received an offensive extortion email detailing the timeline and nature of the attack. The email, reportedly filled with abusive language, claimed that DragonForce had "mercilessly raped" the company and encrypted its servers. In response to the attack, M&S took drastic measures by switching off the VPN used by staff for remote work, which successfully contained the spread of the ransomware, but further disrupted business operations. The financial impact of this cyber incident has been substantial, with reports indicating losses of approximately £40 million per week in sales.

DragonForce, the ransomware group behind the attack, has reportedly compromised over 120 victims in the past year, establishing itself as a major player in the cybercrime landscape. The group has evolved from a Ransomware-as-a-Service (RaaS) model to a fully-fledged ransomware cartel, targeting organizations across various sectors, including manufacturing, healthcare, and retail. While the origins of DragonForce are speculative, technical indicators suggest a Russian alignment, including the use of Russian-linked infrastructure and recruitment efforts through Russian-speaking cybercrime forums. M&S has pointed to "human error" as the cause of the breach, with scrutiny falling on an employee of Tata Consultancy Services (TCS), which provides IT services to the retailer, although M&S has officially disputed claims that it didn't have proper plans to handle a ransomware incident.


References :

• www.bitdefender.com: Marks & Spencer’s ransomware nightmare – more details emerge
• bsky.app: EXCLUSIVE: "We have mercilessly raped your company and encrypted all the servers" - the aggressive extortion email sent to the CEO of M&S has been revealed. The offensive blackmail note reveals lots of things about the nature of the attack, the timeline and the hackers
• cyberpress.org: Reports over 120 victims have been compromised in the last year.
• The Register - Security: M&S online ordering system operational 46 days after cyber shutdown
• www.techradar.com: M&S online orders are back following cyberattack - here's what you need to know
• www.cybersecuritydive.com: Marks & Spencer restores some online-order operations following cyberattack
• www.techdigest.tv: M&S resumes online orders weeks after cyber attack
• www.tripwire.com: Report on DragonForce's email to M&S CEO about taking responsibility for the attack.
• bsky.app: DragonForce has started posting new victims to its darknet site. Two new orgs now being publicly extorted. Nothing yet on Co-op/M&S/ Harrods.
• www.infosecworrier.dk: Details regarding the significant data breach and the ransomware attack targeting Marks & Spencer.

Classification:

• HashTags: #Ransomware #DragonForce #DataTheft
• Company: Marks & Spencer (M&S)
• Target: Marks & Spencer (M&S)
• Attacker: DragonForce
• Feature: double extortion
• Type: Ransomware
• Severity: Major

DragonForce ransomware group has been actively exploiting vulnerabilities in SimpleHelp, a remote monitoring and management (RMM) software, to target managed service providers (MSPs) and their customers. This attack serves as a stark reminder of the supply chain risks inherent in relying on third-party software, particularly RMM tools which, if compromised, can grant attackers widespread access to numerous client systems. Sophos researchers uncovered that the DragonForce operator chained three specific SimpleHelp flaws, identified as CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726, to breach an MSP. This breach resulted in data theft and the subsequent deployment of ransomware across the MSP's customer endpoints, causing significant disruption and potential financial losses.

The vulnerabilities exploited by DragonForce allowed the attackers to perform several malicious actions. CVE-2024-57727 enabled unauthorized remote attackers to download arbitrary files, including server configuration files containing sensitive secrets and hashed user passwords. CVE-2024-57728 permitted admin users to upload arbitrary files, leading to potential arbitrary code execution on the host. Furthermore, CVE-2024-57726 allowed low-privilege technicians to create API keys with excessive permissions, potentially enabling them to escalate privileges to the server administrator role. All of these vulnerabilities were present in SimpleHelp's remote support software version 5.5.7 and earlier, highlighting the critical importance of promptly applying security patches.

The DragonForce attack on the MSP via SimpleHelp illustrates a growing trend of cybercriminals targeting RMM and other remote tools to facilitate software supply chain attacks. By compromising a single MSP, attackers can gain access to a large number of downstream customers, amplifying the impact of their attacks. Security experts warn that MSPs must prioritize the security of their RMM software, including implementing robust patch management processes and closely monitoring for suspicious activity. This incident underscores the need for a proactive and vigilant approach to cybersecurity to mitigate the risk of ransomware and other threats exploiting channel vulnerabilities.


References :

• Sophos News: Ransomware actor exploited RMM to access multiple organizations; Sophos EDR blocked encryption on customer’s network
• bsky.app: The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
• securityaffairs.com: Sophos researchers reported that a DragonForce ransomware operator exploited three chained vulnerabilities in SimpleHelp software to attack a managed service provider. SimpleHelp is a remote support and access software designed for IT professionals and support teams. It provides a streamlined way for IT teams to manage and monitor remote systems, making it a valuable tool for MSPs. However, the vulnerabilities exploited by DragonForce highlight the importance of keeping RMM software patched and up to date, as these tools can become attack vectors for ransomware and other threats.
• www.bleepingcomputer.com: The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
• BleepingComputer: DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
• BleepingComputer: DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems.
• The Register - Security: Updated DragonForce ransomware infected a managed service provider, and its customers, after attackers exploited security flaws in remote monitoring and management tool SimpleHelp.…
• www.helpnetsecurity.com: Attackers hit MSP, use its RMM software to deliver ransomware to clients
• Help Net Security: Attackers hit MSP, use its RMM software to deliver ransomware to clients
• www.techradar.com: DragonForce ransomware hacks SimpleHelp RMM tool to attack MSPs
• ciso2ciso.com: DragonForce double-whammy: First hit an MSP, then use RMM software to push ransomware – Source: go.theregister.com
• Anonymous ???????? :af:: The ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data
• MicroScope: Sophos warns MSPs over DragonForce threat
• Daily CyberSecurity: Details of RMM tool abused to spread DragonForce.
• MSSP feed for Latest: The bad actors exploited flaws in SimpleHelp's software to compromise the MSP and attack clients.
• The Hacker News: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints
• Tech Monitor: DragonForce exploits SimpleHelp in MSP breach
• www.bleepingcomputer.com: DragonForce ransomware abuses SimpleHelp in MSP supply chain attack
• ciso2ciso.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints – Source:thehackernews.com
• Security Risk Advisors: Sophos Investigates DragonForce Ransomware Attack Exploiting SimpleHelp RMM Vulnerabilities Against MSP
• www.sentinelone.com: Robbinhood operator pleads guilty, PumaBot hits IoT via SSH brute-force attacks, and DragonForce expands RMM exploits via an affiliate model.
• ciso2ciso.com: DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints – Source:thehackernews.com
• news.sophos.com: Sophos Investigates DragonForce Ransomware Attack Exploiting SimpleHelp RMM Vulnerabilities Against MSP

Classification:

• HashTags: #DragonForce #Ransomware #SimpleHelp
• Company: SimpleHelp
• Target: MSPs and their clients
• Attacker: DragonForce
• Product: SimpleHelp
• Feature: RMM software
• Malware: DragonForce
• Type: Ransomware
• Severity: Major