In recent months, a series of high-profile cyber attacks have hit the UK’s retail and automotive industries, targeting major companies such as M&S, the Co-op, Harrods, and Jaguar Land Rover (JLR). Whilst these organisations operate in different sectors, a look into the incidents reveals a consistent pattern. Those responsible appear to be linked to a group known as Scattered Spider (also tracked as Octo Tempest or Muddled Libra). They do not rely on complex malware or novel technical exploits to compromise victims. Instead, their success comes from highly effective social engineering aimed at the victim’s people and identity infrastructure.
The Threat Actor: An Adaptive Cybercrime Alliance
Scattered Spider is not an isolated actor. It operates within a wider, adaptive cybercrime ecosystem known as “The Com”, actively collaborating with, or borrowing tactics from, other groups believed to have UK-based members, such as LAPSUS$ and ShinyHunters. This alliance pools their expertise into a unified threat that prioritises compromising the user’s identity rather than the infrastructure, a strategy aptly summarised as “log in, not hack in.”
It appears to MDSec that all of these attacks were similar in execution, leveraging human manipulation to gain access to the intended victim’s environment and then achieve the attackers’ objectives from the inside.
Observed Tactics, Techniques and Procedures (TTPs):
Initial Access via Social Engineering and Identity Theft
From our research, it appears that the primary entry point was not a network exploit but an identity compromise, facilitated by social engineering that first gathered key information about the target:
- Scattered Spider used vishing (voice phishing) to impersonate legitimate employees, often targeting internal IT helpdesks or outsourced third-party service providers. During these calls the group supplied highly specific information gathered during the reconnaissance phase, which made the impersonation convincing, and persuaded support staff to perform compromising actions such as resetting passwords or registering new Multi-Factor Authentication (MFA) devices.
- The group is also known to use SIM swapping, a technique where they trick a mobile carrier into transferring a victim’s phone number to an attacker-controlled SIM card or device. This allows them to intercept SMS-based one-time passcodes and account recovery links.
- In the M&S attack, it has been reported that the initial compromise began via a third-party IT helpdesk provider; the strategy effectively exploited the supply chain to bypass the victim’s internal perimeter controls.
Privilege Escalation and Advanced MFA Bypass
Once credentials are acquired, the group moves on to bypassing MFA, establishing persistence, and moving laterally:
- A core LAPSUS$ and Scattered Spider technique is MFA push bombing (also called MFA fatigue). Holding a valid password, the attacker repeatedly triggers login attempts so that the target’s mobile device is flooded with MFA push notifications, exploiting human frustration until the victim hits ‘Approve’ to stop the alerts, which grants the threat actor access to the account.
- Another approach observed is the use of Adversary-in-the-Middle (AiTM) phishing pages or infostealer malware. These tools not only capture credentials but also extract SSO session cookies and OAuth tokens directly from the victim’s browser or memory. By replaying these artefacts from their own browser, the threat actors hijack a legitimate, already-authenticated session; the victim has completed MFA on their behalf, so the control is bypassed and the actors gain access to the victim’s accounts across the targeted platforms.
- Once the threat actor has access, they move laterally using the stolen credentials to find and compromise privileged accounts, often focusing on Identity Providers (IdPs) such as Okta or Azure Active Directory (now Microsoft Entra ID), or virtualisation environments such as VMware ESXi, to position themselves for maximum impact.
Impact, Data Exfiltration, and Ransomware Deployment
The final stage of the attack is the exfiltration of data followed by the deployment of ransomware, with the aim of maximising the pressure on the victim organisation to pay. This combination is known as double extortion:
- The group first exfiltrates sensitive data. This gives them a second lever for extortion, the threat of public release if the ransom is not paid, which works even when the victim can restore from backups.
- The final phase is the deployment of ransomware. Recently we have seen the group favour the DragonForce variant, particularly against virtualised environments. This encrypts critical systems and causes severe operational disruption: point-of-sale failures and payment outages at retailers, and production line shutdowns in the automotive sector (JLR).
These incidents highlight that even organisations with robust technical perimeter defences remain critically vulnerable to attacks that exploit human factors and external dependencies within the identity and access management layer.
Key Lessons Learned and Actionable Recommendations
Lesson 1: Phishable MFA is a False Sense of Security
Reliance on simple MFA push notifications or SMS codes is a serious risk for privileged accounts: these factors can be phished, intercepted via SIM swapping, or approved by a worn-down user, and the attacker’s goal is to manipulate the human rather than defeat the control. Privileged accounts should be moved to phishing-resistant MFA (FIDO2 security keys or passkeys); for everyone else, the weaker factors at least need hardening.
- Action: Strengthen Basic MFA. For standard users still on authenticator apps, enforce number matching. The login screen displays a number that the user must type into their app before the push is accepted, so a notification cannot be approved blindly; this prevents accidental or frustrated approvals during an MFA fatigue attack.
- Action: Monitor Push Spam. Configure the Identity Provider (IdP) to rate-limit MFA challenges and to alert on, or automatically lock, accounts that receive an excessive number of push requests in a short period. A burst of denied pushes followed by a single approval is the signature of a successful fatigue attack and should be treated as a compromise until proven otherwise.
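The monitoring action above is easy to state and easy to get wrong in practice, so here is a worked detector. This is an added example, not MDSec’s tooling or any IdP’s built-in feature: it runs a sliding-window count of push challenges per user over a few constructed log lines (the field names `ts`, `user`, `event`, `ip` and the event names `mfa.push.sent` / `mfa.push.denied` / `mfa.push.approved` are assumptions for the example, not a vendor schema) and separately records whether an approval arrived after the burst was flagged, which is the case that should lock the account and revoke its sessions rather than merely alert.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on an IdP system log.
# Field and event names are an assumption for this example, not a vendor schema.
# alice: six push challenges in three minutes, a denial, then an approval (fatigue attack).
# bob: a normal login.  carol: five challenges spread over an hour (no burst).
SAMPLE_LOG = """
{"ts": "2025-09-01T07:00:00Z", "user": "carol@example.com", "event": "mfa.push.sent", "ip": "198.51.100.7"}
{"ts": "2025-09-01T07:15:00Z", "user": "carol@example.com", "event": "mfa.push.sent", "ip": "198.51.100.7"}
{"ts": "2025-09-01T07:30:00Z", "user": "carol@example.com", "event": "mfa.push.sent", "ip": "198.51.100.7"}
{"ts": "2025-09-01T07:45:00Z", "user": "carol@example.com", "event": "mfa.push.sent", "ip": "198.51.100.7"}
{"ts": "2025-09-01T08:00:00Z", "user": "carol@example.com", "event": "mfa.push.sent", "ip": "198.51.100.7"}
{"ts": "2025-09-01T08:00:05Z", "user": "alice@example.com", "event": "mfa.push.sent", "ip": "203.0.113.10"}
{"ts": "2025-09-01T08:00:09Z", "user": "alice@example.com", "event": "mfa.push.denied", "ip": "203.0.113.10"}
{"ts": "2025-09-01T08:00:40Z", "user": "alice@example.com", "event": "mfa.push.sent", "ip": "203.0.113.10"}
{"ts": "2025-09-01T08:01:15Z", "user": "alice@example.com", "event": "mfa.push.sent", "ip": "203.0.113.10"}
{"ts": "2025-09-01T08:01:50Z", "user": "alice@example.com", "event": "mfa.push.sent", "ip": "203.0.113.10"}
{"ts": "2025-09-01T08:02:30Z", "user": "alice@example.com", "event": "mfa.push.sent", "ip": "203.0.113.10"}
{"ts": "2025-09-01T08:03:05Z", "user": "alice@example.com", "event": "mfa.push.sent", "ip": "203.0.113.10"}
{"ts": "2025-09-01T08:03:12Z", "user": "alice@example.com", "event": "mfa.push.approved", "ip": "203.0.113.10"}
{"ts": "2025-09-01T08:10:00Z", "user": "bob@example.com", "event": "mfa.push.sent", "ip": "192.0.2.44"}
{"ts": "2025-09-01T08:10:20Z", "user": "bob@example.com", "event": "mfa.push.approved", "ip": "192.0.2.44"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users that received >= threshold push challenges inside a sliding window.

    Returns one alert per user.  'approved_after_burst' is set when an approval
    arrives after the burst was flagged: the signature of a successful fatigue attack.
    """
    recent = defaultdict(deque)  # user -> timestamps of challenges still inside the window
    alerts = {}                  # user -> alert record
    for rec in events:
        user = rec["user"]
        if rec["event"] == "mfa.push.sent":
            q = recent[user]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:   # drop challenges older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user, "first": q[0], "approved_after_burst": False,
                })
                alert["last"] = rec["ts"]      # burst is still going: extend it
                alert["count"] = len(q)
        elif rec["event"] == "mfa.push.approved" and user in alerts:
            alerts[user]["approved_after_burst"] = True
    return list(alerts.values())


def rate_limit_decision(alert):
    """Response for the account: lock on a completed fatigue attack, otherwise just alert."""
    return "lock_and_revoke_sessions" if alert["approved_after_burst"] else "alert"


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_events(SAMPLE_LOG)):
        print(alert["user"], alert["count"], alert["first"].time(), alert["last"].time(),
              "approved" if alert["approved_after_burst"] else "not approved",
              "->", rate_limit_decision(alert))
```

Only alice is flagged: carol’s five challenges fall outside the ten-minute window, and bob’s single challenge is normal. The threshold and window are deliberately parameters; tune them against your own IdP’s baseline before turning the lock action on, or you will lock out users whose push app is genuinely misbehaving.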
Lesson 2: The Helpdesk is Your Most Critical Asset and Weakest Link
Social engineering (vishing) that targets IT helpdesks for password and MFA resets is the primary successful vector. The core vulnerability is that the helpdesk verifies callers by what they know (names, employee IDs, recent tickets), all of which the attacker has gathered during reconnaissance, so a caller who sounds legitimate is treated as legitimate.
- Action: Harden Account Recovery with Zero Trust. Implement a rigorous, multi-step verification process for all privileged account recovery requests. This must include out-of-band verification, such as calling the employee back on a pre-registered, HR-verified phone number (never a number supplied by the caller). Bear in mind that SIM swapping, described above, means even the registered number can be hijacked, so for the most sensitive accounts use a second channel as well, such as a video call with the line manager or an in-person check.
- Action: Conduct Specialised Training. Move beyond email phishing tests. Conduct bespoke vishing simulation drills specifically targeting helpdesk staff. Train them to recognise the tactics of urgency, name-dropping, and external pressure that Scattered Spider employs, and consider attacks where AI-generated voice cloning is used to impersonate a trusted user. Organisations must be able to verify the user by means other than voice and recalled details before performing privileged actions such as resetting passwords.
- Action: Restrict Reset Privileges. Ensure helpdesk staff have only the minimum privileges necessary to perform their job. Resetting the passwords of highly privileged accounts (such as Domain Administrators) or adding new MFA devices for senior executives and critical staff should require secondary approval or temporary elevation of access, so that a single socially engineered analyst cannot complete the attack alone.
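The recovery and reset-privilege actions above become much harder to bypass when they are enforced by the ticketing or PAM workflow rather than left to the analyst’s judgement. The following is an added example of such a gate, not MDSec’s code or any vendor’s product: it looks the target account up in an HR directory (constructed here), derives the callback number and privilege tier from that record alone, treats the number the caller offers purely as an indicator, refuses privileged-tier resets without an independent second approver, and returns a decision with reasons for the audit log. The directory contents, account names and the `callback_confirmed` flag are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed HR directory (an assumption for this example).  The callback number
# and the privilege tier come from here; nothing the caller says changes them.
HR_DIRECTORY = {
    "jsmith":    {"phone": "+447700900123", "tier": "standard"},
    "da-jsmith": {"phone": "+447700900123", "tier": "privileged"},  # Domain Admin account
    "ceo":       {"phone": "+447700900999", "tier": "privileged"},
}

RESET_ACTIONS = {"reset_password", "register_mfa_device"}


@dataclass
class ResetRequest:
    account: str
    action: str
    caller_number: str              # number the caller gave; untrusted, logged as an indicator only
    callback_confirmed: bool        # analyst called the HR number and the employee confirmed the request
    approver: Optional[str] = None  # second person who approved (privileged tier only)


@dataclass
class Decision:
    allowed: bool
    reason: str
    indicators: list = field(default_factory=list)


def mask(number):
    """Show only the last three digits in logs and analyst prompts."""
    return "*" * (len(number) - 3) + number[-3:]


def authorise_reset(req, directory=HR_DIRECTORY):
    """Decide whether the helpdesk may perform the reset; every refusal carries its reason."""
    record = directory.get(req.account)
    if record is None:
        return Decision(False, "unknown account")
    if req.action not in RESET_ACTIONS:
        return Decision(False, f"unsupported action {req.action!r}")

    indicators = []
    # A caller offering a different number is exactly what a vishing attacker does
    # when the registered number is not under their control.  It does not block on
    # its own, because the callback goes to the HR number regardless, but it is logged.
    if req.caller_number != record["phone"]:
        indicators.append("caller-supplied number differs from HR record")

    if not req.callback_confirmed:
        return Decision(False,
                        f"callback to HR-registered number {mask(record['phone'])} not confirmed",
                        indicators)

    if record["tier"] == "privileged":
        if not req.approver:
            return Decision(False, "privileged account: secondary approval required", indicators)
        if req.approver == req.account:
            return Decision(False, "privileged account: approver cannot be the target account",
                            indicators)

    return Decision(True, "verified", indicators)


if __name__ == "__main__":
    # A caller claiming to be the CEO, giving a number that is not the one HR holds.
    print(authorise_reset(ResetRequest("ceo", "reset_password", "+447700900000", False)))
```

The important property is that `req.caller_number` never feeds the callback or the decision; it only ever adds an indicator. An implementation that lets the analyst “update the number on file” as part of the same call has reintroduced the hole.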
Lesson 3: “Always-On” Admin Access Enables Lateral Movement
Stolen credentials are most damaging when they carry “standing access”: the threat actor then has unlimited time to move laterally, find the Identity Provider (IdP), and locate high-value targets such as VMware ESXi hosts for ransomware deployment.
- Action: Enforce Just-in-Time (JIT) Access. Use your IdP or Privileged Access Management (PAM) solution to grant privileged access (e.g., Domain Admin group membership) only on request, with a recorded justification and an automatic expiry. The membership is revoked when the approved window closes, and at the latest at the end of every day, so that a stolen credential never carries standing admin rights.
- Action: Isolate Critical Services. Ensure your most critical systems, such as Active Directory Domain Controllers, virtualisation hosts, and backup repositories, are segmented on a network that no standard user or third-party vendor can reach directly. Limit all access to these zones strictly to monitored JIT sessions.
- Action: Control Third-Party Risk. Mandate that third-party vendors meet your internal security standards. If a vendor needs access to your network, they must use accounts that you issue and control, protected by your phishing-resistant MFA and JIT access controls, rather than their own shared credentials.
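The JIT action is only as good as the sweep that removes whatever is not covered by a live grant. As an added example (not MDSec’s or any PAM vendor’s code), the block below models a grant ledger in which every entry must carry a ticket, an independent approver and an expiry no longer than a shift, and an audit that compares current privileged group membership against the ledger and lists every member to revoke, distinguishing an expired grant from a membership that never had one. Group names, user names, tickets and the eight-hour cap are assumptions for the example; in a real estate the membership lists would be pulled from the directory and the revoke list fed to it.

```python
from datetime import datetime, timedelta

MAX_GRANT_HOURS = 8  # assumption for this example: no privileged window longer than one shift


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def new_grant(user, group, start, hours, ticket, approver):
    """Record a JIT grant; refuse anything without a justification, an independent approver or an expiry."""
    if not ticket:
        raise ValueError("justification (ticket) required")
    if not approver or approver == user:
        raise ValueError("independent approver required")
    if not 0 < hours <= MAX_GRANT_HOURS:
        raise ValueError(f"window must be between 1 and {MAX_GRANT_HOURS} hours")
    begin = parse_ts(start)
    return {"user": user, "group": group, "start": begin,
            "end": begin + timedelta(hours=hours), "ticket": ticket, "approver": approver}


# Constructed data: who is in the privileged groups right now, and the grant ledger.
GROUP_MEMBERS = {
    "Domain Admins": ["da-jsmith", "da-legacy", "svc-backup"],
    "ESXi Admins":   ["da-jsmith", "da-ops"],
}
GRANTS = [
    new_grant("da-jsmith", "Domain Admins", "2025-09-01T09:00:00Z", 4, "CHG-1042", "it-lead"),
    new_grant("da-jsmith", "ESXi Admins",   "2025-09-01T09:00:00Z", 4, "CHG-1042", "it-lead"),
    new_grant("da-ops",    "ESXi Admins",   "2025-08-31T22:00:00Z", 2, "INC-7781", "ops-lead"),
]


def audit_standing_access(members, grants, now):
    """Return (user, group, reason) for every membership not backed by an active grant.

    Run this on a schedule (at least end of day); everything it returns is standing
    access and should be removed from the group.
    """
    revoke = []
    for group, users in members.items():
        for user in users:
            matching = [g for g in grants if g["user"] == user and g["group"] == group]
            if any(g["start"] <= now < g["end"] for g in matching):
                continue
            reason = "grant expired" if matching else "no JIT grant on record (standing access)"
            revoke.append((user, group, reason))
    return revoke


if __name__ == "__main__":
    for user, group, reason in audit_standing_access(GROUP_MEMBERS, GRANTS,
                                                     parse_ts("2025-09-01T10:00:00Z")):
        print(f"revoke {user} from {group}: {reason}")
```

At 10:00 the sweep leaves da-jsmith alone (grant still live), removes da-ops (grant ran out at midnight) and flags da-legacy and svc-backup, which have never had a grant at all: the service account in Domain Admins is exactly the standing access a stolen credential would inherit. Re-run at 14:00 and da-jsmith is removed as well.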
The recent attacks on M&S, the Co-op, Harrods, and JLR were not isolated incidents but part of a coordinated campaign by a highly adaptive threat group. They serve as a powerful reminder that in today’s interconnected world it is not a case of if but when. An effective incident response strategy is a must for every organisation, and MDSec recommends that IR plans are tested on a regular basis so that staff know their roles and responsibilities when a suspected incident is detected. Organisations need to be proactive. A determined threat actor will always find a way into the environment; our job as defenders is to make that as difficult as possible, so that we can detect and respond before damage is done.