There seems to be a new major player in the ransomware-as-a-service (RaaS) world, and it has an effective approach to social engineering IT help desks into resetting employee passwords for them.
A new warning and guidance issued by the National Cyber Security Centre (NCSC) advises large UK businesses to prepare for possible targeting by "DragonForce," a group that appears to have some links to the former Scattered Spider/Octo Tempest crew that caused widespread havoc in 2023. Whether or not an organization is a likely target, this is a good reminder to, at minimum, review the identity-verification steps its IT help desk performs before resetting a password and shore up the weak spots.
IT help desks struggling with common vulnerabilities
The DragonForce group appears to be a serious threat at this point, and has been in action since at least mid-2023. It began claiming it was doing “hacktivism” in support of Palestine but appears to have dropped the pretense and is now openly advertising itself on the dark web as a “ransomware-as-a-service” (RaaS) group.
The group claims that it has no connection to Scattered Spider, but similarities in its approach and in its custom ransomware have led some security researchers to suspect one. Scattered Spider was not broken up until mid-2024, when a wave of arrests swept up a number of its young members across the US and UK, but it is possible that some remaining members migrated to the pre-existing DragonForce at some point. That would explain the group's apparent shift in 2024 from claiming hacktivism to dealing openly in ransomware and using similar social engineering approaches against victims.
It is unclear exactly what the commonality is in the approach, but two of the three UK victims thus far report details that are very similar in how their IT help desks were convinced by a caller to reset an employee password. DragonForce has also claimed credit for the three attacks, all of which impacted major UK retailers: Marks & Spencer, Co-op, and Harrods.
It is also unclear if the group will continue with similar attacks, but the NCSC seems to think it will continue to target large UK businesses of all types. The list of recommendations it has published encompasses methods for reviewing the practices of IT help desks and bolstering general cybersecurity to thwart this group’s known approaches.
Social engineering tactics reminiscent of 2023 breaches
Marks & Spencer was attacked in late April, followed by Co-op and Harrods. Marks & Spencer looks to be the hardest hit overall thus far, still dealing with ransomware that locked up its online ordering and in-store contactless payment systems for an extended period. The retailer has had to suspend online ordering of clothing and furniture for at least two weeks now and estimates it has lost some $30 million thus far.
The damage from the Co-op breach is less clear; the company has yet to release details, but the threat actors claim that they stole records of some 20 million of the store’s rewards program members. Harrods has only said that it contained its breach attempt and has not indicated any damage as of yet.
The incidents are very reminiscent of the breaches of MGM and Caesars in mid-2023, which both involved social engineering of IT help desks as an entry point. Caesars negotiated a ransom payment and came out relatively unscathed, while MGM refused to pay and then saw chaos erupt throughout its Vegas properties for about a week as it had to recover from a ransomware assault.
The two attacks that are known to have involved finessing the IT help desk are those on Co-op and Marks & Spencer; details about the Harrods incident are still thin. In both, the attackers gained access to the account of an employee with presumably elevated privileges and used it to grab the Active Directory database (the NTDS.dit file), which holds the password hashes of every domain account and can be cracked or replayed offline long after the initial reset is noticed.
Regardless of the fine details of each incident, the DragonForce attacks raise serious questions about the ability of IT help desks to keep pace with sophisticated attackers. Automatic translation and AI-assisted voice and text tools will only widen the pool of attackers able to run a convincing call. The solution may lie in creative added layers of security: behavioral analytics that scrutinize what a freshly reset account does next, and pre-registered code words that employees must present before any change to their credentials goes ahead, especially for accounts with elevated privileges.
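One concrete shape the "behavioral analytics" layer can take is a correlation rule that treats a help-desk-initiated password reset as the start of a watch window and flags what the reset account does afterwards. The following is an added example, not code from the article, the NCSC guidance or any of the affected retailers. It assumes Windows Security events 4724 (password reset), 4624 (logon) and 4662 (directory-object access, which is how a DCSync-style pull of the AD database shows up, via the DS-Replication-Get-Changes control access rights) have already been collected as one JSON object per line; the field names, the `HELP_DESK` operator accounts and the sample events are all constructed for illustration.

```python
"""Flag suspicious activity in the 24 hours after a help-desk password reset.

Added example (not from the article or from any vendor/NCSC material).
Assumptions: events 4724/4624/4662 are collected as JSON lines with the
simplified fields used below; HELP_DESK and the sample log are hypothetical.
"""
import json
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
HELP_DESK = {"hd.operator1", "hd.operator2"}   # hypothetical help-desk accounts

# Control access right GUIDs that appear in event 4662 when a principal
# replicates directory changes (DCSync); these GUIDs are the documented ones.
DCSYNC_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",    # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",    # DS-Replication-Get-Changes-All
}

# Constructed sample telemetry, not real events from any incident.
SAMPLE_LOG = """\
{"ts": "2025-04-20T09:02:11", "id": 4624, "account": "jdoe", "src_ip": "10.0.5.20"}
{"ts": "2025-04-21T08:58:40", "id": 4624, "account": "jdoe", "src_ip": "10.0.5.20"}
{"ts": "2025-04-21T09:10:03", "id": 4624, "account": "asmith", "src_ip": "10.0.5.31"}
{"ts": "2025-04-22T09:00:12", "id": 4724, "subject": "hd.operator2", "target": "asmith"}
{"ts": "2025-04-22T09:14:55", "id": 4624, "account": "asmith", "src_ip": "10.0.5.31"}
{"ts": "2025-04-22T14:05:30", "id": 4724, "subject": "hd.operator1", "target": "jdoe"}
{"ts": "2025-04-22T14:31:07", "id": 4624, "account": "jdoe", "src_ip": "203.0.113.77"}
{"ts": "2025-04-22T15:10:44", "id": 4662, "account": "jdoe", "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def known_sources(events, account, before):
    """Source IPs the account logged on from before the reset (its baseline)."""
    return {
        e["src_ip"] for e in events
        if e["id"] == 4624 and e["account"] == account and e["ts"] < before
    }


def correlate(events):
    """Return findings for help-desk resets followed by risky activity."""
    findings = []
    resets = [e for e in events if e["id"] == 4724 and e["subject"] in HELP_DESK]
    for reset in resets:
        target, start = reset["target"], reset["ts"]
        baseline = known_sources(events, target, start)
        for ev in events:
            if not (start <= ev["ts"] <= start + WINDOW):
                continue
            if ev.get("account") != target:
                continue
            kind = detail = None
            if ev["id"] == 4624 and ev["src_ip"] not in baseline:
                # Logon from a source never seen for this account pre-reset.
                kind, detail = "logon_from_new_source", ev["src_ip"]
            elif ev["id"] == 4662 and DCSYNC_RIGHTS & set(ev.get("properties", [])):
                # Reset account is now replicating directory changes (DCSync).
                kind, detail = "dcsync_after_reset", ",".join(ev["properties"])
            if kind:
                findings.append({
                    "account": target, "reset_by": reset["subject"],
                    "kind": kind, "detail": detail, "ts": ev["ts"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_events(SAMPLE_LOG)):
        print(finding)
```

In the sample, the reset of `asmith` produces nothing because the follow-on logon comes from an address already in that account's baseline, while the reset of `jdoe` yields two findings: a logon from an address never seen before and a DCSync-style replication request, which is the telemetry signature of the AD database grab the article describes. In production the baseline would come from weeks of logon history rather than two sample lines, and the rule would also want to watch MFA re-enrollment and group-membership changes (4728/4732) in the same window.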