M&S Hackers Allegedly Utilize Employee Logins from Third-Party Consulting Firm

Reporting has emerged that claims ransomware group Scattered Spider gained initial access to Marks & Spencer's (M&S) systems by compromising the login credentials of two employees from a third-party partner.
Ransomware in the Cloud

Context

Public reporting claims that the ransomware group Scattered Spider gained initial access to Marks & Spencer’s (M&S) systems by compromising the login credentials of two employees of its third-party partner, Tata Consultancy Services (TCS). Cyber News reports that a source told news agencies “that at least two Tata Consultancy Services employees’ M&S logins were used as part of the breach.”

This aligns with warnings from the UK National Cyber Security Centre (NCSC) about threat actors abusing legitimate employee access and cloud services, and is particularly concerning because TCS also provides technology services to other affected UK retailers, including the Co-Op. Although the NCSC said it is “not yet in a position to say if the attacks are linked,” it did warn retailers of the importance of “detecting threat actors” who are on your network, in your cloud services, or “using your employees’ legitimate access.”

The M&S incident has caused ongoing operational disruption, stolen customer data, and significant financial losses. The attacks on M&S, Co-Op, and Harrods point to broader targeting of the UK retail sector, with Scattered Spider explicitly claiming responsibility for the M&S and Co-Op incidents.

Recommendations

Microsoft recommends the following mitigations, drawn from its article, to reduce the impact of supply chain attacks on UK retail organizations.

  • Follow Microsoft’s best practices for securing AD FS.
  • Secure accounts with credential hygiene: apply the principle of least privilege and audit privileged account activity in your Active Directory and Entra ID (formerly Azure AD) environments to slow and stop attackers. Turn on Entra ID Protection to monitor identity-based risks and create policies for risky sign-ins.
  • Use Privileged Identity Management (PIM) to manage, control, and monitor access within your Entra ID organization. For all critical roles, at minimum:
    • Implement role assignments as eligible rather than permanent.
    • Review and understand the role definition Actions and NotActions; select only roles whose actions the user needs to do their job (least-privileged access).
    • Configure these roles to be time-bound, deactivating after a specific timeframe.
    • Require users to perform MFA to elevate to the role.
    • Optionally require users to provide justification or a ticket number upon elevation.
    • Enable notifications for privileged role elevation to a subset of administrators.
    • Utilize PIM Access Reviews to reduce standing access in the organization on a periodic basis.
    • Every organization is different and, therefore, roles will be classified differently in terms of their criticality. Consider the scope of impact those roles might have on downstream resources, services, or identities in the event of compromise. For help desk administrators specifically, scope their privileges to exclude administrative operations over Global Administrators. Consider segregation strategies such as Microsoft Entra ID Administrative Units to segment administrative access over the tenant. For identities that hold cross-service roles, such as those that service the Microsoft Security Stack, consider additional service-based granular access control to restrict the use of sensitive functionality, like Live Response and modification of indicator of compromise (IOC) allowlists.
  • Disable federation trust relationships for authentication to Microsoft 365 when possible. This will help protect your Microsoft 365 cloud environment from on-premises compromise. Additionally, use cloud-only accounts for Entra ID and Microsoft 365 privileged roles. No on-premises accounts should have administrative privileges in the cloud environment.
  • Turn on tenant-wide tamper protection features to prevent attackers from stopping security services or using antivirus exclusions. Without Tamper Protection, attackers can simply turn off Microsoft Defender Antivirus without the need to acquire higher privileges.
  • For further security-hardening recommendations against ransomware attacks, refer to Microsoft’s ransomware-as-a-service blog.
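The PIM bullets above (eligible rather than permanent assignments, time-bound activation, MFA and justification on elevation, admin notifications, expiring eligibility) and the cloud-only-admin bullet are one procedure when applied to a single critical role. The following script is an added example, not code from Microsoft's article or from the original post: it uses the Microsoft Graph PowerShell SDK to apply those rules to the tenant-scope PIM policy of one role and then audits the role's active and eligible holders for accounts synced from on-premises AD. The role name, activation and eligibility durations, and the notification mailbox are assumed values to be replaced with your own.

```powershell
# Added example (not Microsoft's or the original post's code). Requires the Microsoft.Graph
# PowerShell SDK (Microsoft.Graph.Authentication, .Identity.Governance, .Users).
# Assumed values: role name, durations, and notification recipient are hypothetical.
param(
    [string]$RoleName       = 'Global Administrator',          # role to harden (assumed)
    [string]$ActivationMax  = 'PT4H',                           # ISO 8601: at most 4 h per activation
    [string]$EligibleMax    = 'P90D',                           # eligibility itself expires after 90 days
    [string[]]$NotifyAdmins = @('secops-pim@contoso.example')   # hypothetical subset of admins
)

Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory',
                        'RoleManagementPolicy.ReadWrite.Directory',
                        'User.Read.All'

# 1. Resolve the role definition and the PIM policy bound to it at tenant scope ('/').
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) { throw "Role '$RoleName' not found in this tenant" }

$binding = Get-MgPolicyRoleManagementPolicyAssignment -Filter `
    "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($role.Id)'"
$policyId = $binding.PolicyId

# Helper: PATCH one rule of the policy. Rule IDs are fixed names in the Graph PIM API;
# the target describes who the rule applies to (EndUser activation vs Admin eligibility).
function Set-PimRule {
    param([string]$RuleId, [hashtable]$Body, [string]$Caller, [string]$Level)
    $Body['id']     = $RuleId
    $Body['target'] = @{ caller = $Caller; operations = @('All'); level = $Level
                         inheritableSettings = @(); enforcedSettings = @() }
    Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
        -UnifiedRoleManagementPolicyRuleId $RuleId -BodyParameter $Body
}

# 2. Time-bound activation: an eligible user's elevation expires after $ActivationMax.
Set-PimRule -RuleId 'Expiration_EndUser_Assignment' -Caller 'EndUser' -Level 'Assignment' -Body @{
    '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
    isExpirationRequired = $true
    maximumDuration      = $ActivationMax
}

# 3. Elevation requires MFA plus a justification and a ticket number.
Set-PimRule -RuleId 'Enablement_EndUser_Assignment' -Caller 'EndUser' -Level 'Assignment' -Body @{
    '@odata.type' = '#microsoft.graph.unifiedRoleManagementPolicyEnablementRule'
    enabledRules  = @('MultiFactorAuthentication', 'Justification', 'Ticketing')
}

# 4. Notify a chosen subset of administrators on every activation of the role.
Set-PimRule -RuleId 'Notification_Admin_EndUser_Assignment' -Caller 'EndUser' -Level 'Assignment' -Body @{
    '@odata.type'              = '#microsoft.graph.unifiedRoleManagementPolicyNotificationRule'
    notificationType           = 'Email'
    recipientType              = 'Admin'
    notificationLevel          = 'All'
    isDefaultRecipientsEnabled = $true
    notificationRecipients     = $NotifyAdmins
}

# 5. No standing eligibility either: eligible assignments must be renewed after $EligibleMax,
#    which forces a periodic review of who can still elevate into the role.
Set-PimRule -RuleId 'Expiration_Admin_Eligibility' -Caller 'Admin' -Level 'Eligibility' -Body @{
    '@odata.type'        = '#microsoft.graph.unifiedRoleManagementPolicyExpirationRule'
    isExpirationRequired = $true
    maximumDuration      = $EligibleMax
}

# 6. Audit: no account synced from on-premises AD should hold the role, actively or eligibly,
#    so that an on-premises compromise cannot be replayed into cloud administration.
$active   = Get-MgRoleManagementDirectoryRoleAssignment        -Filter "roleDefinitionId eq '$($role.Id)'"
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter "roleDefinitionId eq '$($role.Id)'"
$principals = @($active.PrincipalId) + @($eligible.PrincipalId) | Sort-Object -Unique

foreach ($principalId in $principals) {
    # Groups and service principals are skipped here; only user objects carry the sync flag.
    $u = Get-MgUser -UserId $principalId -Property Id, UserPrincipalName, OnPremisesSyncEnabled `
                    -ErrorAction SilentlyContinue
    if ($null -eq $u) { continue }
    if ($u.OnPremisesSyncEnabled) {
        Write-Warning "$($u.UserPrincipalName) is synced from on-premises AD but holds '$RoleName'; replace with a cloud-only account"
    } else {
        Write-Output "OK: $($u.UserPrincipalName) is cloud-only"
    }
}
```

Run it once per critical role under an account that already holds the privileged role administrator rights the scopes require; the policy PATCH calls are idempotent, so re-running after a change only reapplies the settings. Converting existing permanent active assignments to eligible ones is a separate step (an eligibility schedule request per principal) and is deliberately not automated here, since each such change should be reviewed by a person.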

Microsoft Defender customers can also turn on attack surface reduction (ASR) rules to block common techniques used in ransomware attacks.
