โ€œWe needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.โ€

IT Operations Manager
Simon Darley
Trusted by industry leaders

Let's Talk

Call us on one of the numbers below, we cover the whole of the UK, so call the nearest office.

BriSTOL HQ & The South West

London & Surrounding Areas

Manchester & the North

โ€œWe needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.โ€

IT Operations Manager
Simon Darley
Trusted by industry leaders

Request a Call-back.

First we need a few details.

ENQUIRY - Contact Popup DEPRECIATED (#3)

Keep up to date with the experts

Get insights directly to your email inbox

MAIL LIST - Newsletter, Exit Intent Popup (#13)

Follow us on social

โ€œWe needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.โ€

IT Operations Manager
Simon Darley
Trusted by industry leaders

Request a Call

First we need a few details.

ENQUIRY - Popup w/ Captcha for light backgrounds (#21)
Expert Intel

Santander, Ticketmaster & NHS attacks

Published: June 7, 2024
Updated: June 13, 2024
Expert: Sam Bracey
Role: SOC Team Lead
Specialises in: Security Operations
What you will learn:
This intel covers the recent cyber attacks the NHS, Santander, and Ticketmaster, providing a detailed look into the tactics and techniques used by cyber criminal groups like Qilin and Shiny Hunters. Youโ€™ll learn how these attacks were executed and uncover practical steps that could potentially enhance your organisations internal cyber security measures.
Consider the far-reaching impact of these attacks: hospitals canceling critical operations, millions of banking details exposed, and personal data sold on the dark web. These arenโ€™t just numbersโ€”they represent real people facing life-altering consequences. By understanding the methods behind these attacks and implementing robust cyber security practices, you can protect your organisation from similar threats.

As you may have heard, there have been a number of high-profile Cyber Attacks covered in the media recently  – Santander, Ticketmaster, and a selection of NHS trusts in London have all experienced large scale, targeted cyber attacks.  

Naturally, weโ€™ve had a fair amount of people asking for advice and as such, I wanted to collate some information for those that want to understand more, and potentially help a few of those that want to know what they should be doing to avoid falling victim.  

First, letโ€™s explore the attacks that have taken place on the NHS. 

Cyber Attacks on the NHS 

THE BACKGROUND

Two NHS trusts have had to cancel non-emergency operations after a ransomware gang targeted Synnovis, a third-party company that provides testing services for multiple hospitals.  

Synnovisโ€™ IT systems were completely locked out. It was theorised that Russian cyber-criminal gang โ€˜Qilin (Agenda)โ€™ were behind the attack, though initial access and a root cause has yet to be disclosed – see Synnovis Statement / The Standard – NCSC Statement

Qilin target a large variety of industries, โ€ฏManufacturing, Construction, News and Entertainment, Healthcare and more.  

THE TTPS

Their focus is generally on phishing emails that contain malicious links, after gaining initial access the threat group will move laterally through an environment searching for sensitive data locations to mark for encryption.  

During the encryption stage, the threat group places a ransomware note in each infected directory. This double extortion method causes mass disruption by locking data, providing more leverage when trying to extort victims for financial gain. See Source

This particular strain of ransomware targets VMware Esxi servers, which are used by many corporations for virtual machine hosting. A full analysis can be found here

high-level overview of the attack path: 

WHat could you do, to avoid falling victim?

  • Assess your VM infrastructure, even if you donโ€™t use VMware, targeting virtual machines is becoming more prolific amongst ransomware operators.  
  • Continuous phishing awareness training across your organisation. 
  • Offsite immutable backups โ€“ by securely backing up your data elsewhere, you remove the leverage of ransomware operators encrypting your data.  

cyber Attacks on Santander & Ticketmaster

Santander background

A group known as โ€˜Shiny Huntersโ€™ posted information on the dark web stating that they had collected data from 30 million individual bank accounts, which included account numbers, balances, credit card numbers and HR information for staff. See Source

Ticketmaster Background 

Again, โ€˜Shiny Huntersโ€™ have claimed to have stolen data including names, addresses, phone numbers and partial credit card details from end users. There is estimated to be around 1.3TB of data stolen, and the threat group is reportedly attempting to sell this information for $500,000 on breach forums. See Source

Both data breaches have been highlighted as having been from the same source, a cloud platform known as โ€˜Snowflakeโ€™ which is widely used for data storage, processing, and analytics.  

Snowflake, and their cyber security providers CrowdStrike and

Mandiant released the following statement regarding the breach:  

We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflakeโ€™s platform. 

We have not identified evidence suggesting this activity was caused by compromised credentials of current or former Snowflake personnel. 

This appears to be a targeted campaign directed at users with single factor authentication. 

As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through info stealing malware.”

“Credentials leveraged in the attack were previously purchased or obtained through info stealing malware, adding that Snowflake did find evidence that a threat actor obtained personal credentials to and accessed demo accounts belonging to a former employee.

See Source

Whilst we wonโ€™t know the exact attack vector until official reports are made available, based on public information itโ€™s likely that the data breach followed the following path:  

What could you do to avoid falling victim? 

  • Continued enforcement of MFA for ALL user accounts. It should be Mandatory. SMS MFA is okay and better than nothing, but number / geo matching should be the standard and enforced.  
  • Ongoing training regarding Phishing, Credential harvesting and Social Engineering, across your business.  
  • Robust third-party onboarding checks โ€“ DPIAs, TPRAs. Set a high standard of information governance and data protection to understand what data you are sharing and whether you are confident that the supplier can keep this data secure. Whilst this wonโ€™t stop a breach from occurring, itโ€™ll help reduce organisational risk and hold suppliers to account regarding their security posture and data processing standards.  

Looking for support?

So how exactly can th be done?

In light of the recent high-profile cyber attacks, it’s clear that robust cyber security measures are more critical than ever. At Stripe OLT, our Security Operations Center (SOC) operates 24/7 to ensure our clients are protected from these types of evolving threat.  

Using advanced threat intelligence and proactive threat hunting techniques, we block harmful content and intercept phishing attempts to safeguard our clients’ data. And crucially, our team continuously monitor identity assets to detect and respond to potential breaches as and when they happen.  

If this sounds like something youโ€™d benefit from, get in touch with our team today. 

Our latest expert Intel