General 16.06.2025

Whole Foods faces supply chain disruption after cyber incident at distributor UNFI | Cyber Intelligence Briefing: 13 June 2025

Powered by S-RM, the Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends, and indicators, curated by intelligence specialists.

Whole Foods faces supply chain disruption after cyber incident at distributor UNFI

United Natural Foods, Inc. (UNFI), a major US health food wholesaler and primary distributor for Whole Foods, took some systems offline after a cyberattack caused temporary disruptions. Whole Foods customers have reported empty shelves and smaller deliveries whilst UNFI’s share value declined after the disclosure of the attack.

Separately, UK retailer Marks and Spencer have restarted their online operations after being disrupted for over six weeks due to a major ransomware attack in April.

[Researcher: Lawrence Copson, S-RM]

Assured’s vCISO reacts:

So what? UNFI likely maintained privileged integrations into Whole Foods’ supply chain systems (e.g., EDI, inventory APIs, logistics dashboards). An attack on UNFI that affects these links mimics insider-like abuse from an external origin:

1. M1018 – User Account Management. Eliminate persistent or overprivileged third-party accounts integrated into supply systems.

  • Disable interactive logon for vendor accounts:
    • GPO Path:
      Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
      Setting: Deny log on locally
      Value: <org> integration service accounts
  • Automatically expire dormant third-party accounts:
    • net user <org>_sync /expires:06/30/2025

2. M1026 – Privileged Account Management. Harden and contain elevated permissions used by third-party integrations:

  • Constrain logon times for integration accounts:
      • net user <org>_sync /times:M-F,06:00-20:00
  • Restrict where integration accounts can be used from:
      • For on-premises hosts, via Windows Firewall with Advanced Security. GPO Path:
        Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules
        Rule: Allow inbound traffic only from <org> IP ranges to port 443 (HTTPS)
        Note: this limits which networks can reach the service, not which accounts can authenticate; for cloud identities, pair it with a Conditional Access named-location condition on the vendor group.

3. M1047 – Audit. Track all actions taken by supply chain-linked service accounts.

  • Enable auditing of service account logon attempts:
      • Intune Settings Catalog:
        Audit Logon Events → Configure "Success" and "Failure"
  • Include command-line in process creation auditing:
      • Intune Settings Catalog:
        Setting: "Include command line in process creation events"
        Value: Enabled

4. M1042 – Disable or Remove Feature or Program. Restrict the ability of compromised third-party accounts to execute arbitrary tools:

  • Set PowerShell execution policy to “AllSigned”:
      • Intune > Device Configuration Profile > PowerShell Execution Policy
        Value: AllSigned
        Caveat: execution policy is a safety guardrail, not a security boundary (an attacker with a shell simply passes -ExecutionPolicy Bypass); enforcement has to come from AppLocker or WDAC.
  • Block command-line tools for third-party accounts via AppLocker:
      • Rule: Deny > User: <org>_sync > Path: C:\Windows\System32\cmd.exe

5. M1038 – Execution Prevention. Prevent script execution from temp directories used by supply chain APIs or tooling:

  • Block scripts from the user temp directory for vendor accounts (the execution policy setting in step 4 does not do this; an AppLocker Script rule does):
        • AppLocker > Script Rules
          Rule: Deny > User: <org>_sync > Path: %OSDRIVE%\Users\*\AppData\Local\Temp\*
  • Disable Office macros for shared Excel-based integration:
        • Registry:
          [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
          "VBAWarnings"=dword:00000004
          Note: value 4 is “disable all without notification”. The per-user key above can be changed back by the user (or by malware running as the user); deploy it via GPO or Intune under HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security so the policy value takes precedence.

6. M1032 – Multi-factor Authentication. Protect integration dashboards and portals exposed to UNFI teams:

  • Enforce MFA for all vendor identities:
        • Conditional Access Policy:
          Assign to: Group “UNFI_Accounts”
          Control: Require MFA
  • Block legacy auth methods (POP, IMAP, etc):
        • Conditional Access → Client App Conditions → Block legacy authentication clients
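The account-side controls in steps 1 and 2 are usually applied once with `net user` and then drift. The script below is an added example, not code from the S-RM briefing or from Assured's vCISO: it sets the expiry and logon-window baseline on an integration account with the ActiveDirectory module and audits every account under a vendor prefix for the gaps the steps above are meant to close (no expiry, unrestricted logon hours, non-expiring or stale password, privileged group membership, dormancy). Assumptions, all hypothetical: vendor accounts live in on-premises Active Directory and are named with an `<org>_` prefix such as `unfi_sync`; the RSAT ActiveDirectory module is installed; the caller has rights to read and modify those accounts.

```powershell
# Added example (not from the briefing). Assumes RSAT ActiveDirectory module and
# a hypothetical "<org>_" naming prefix for vendor integration accounts.
Import-Module ActiveDirectory

# Build the 21-byte AD logonHours mask: 168 bits, one per hour of the week, in UTC,
# starting Sunday 00:00; bit 0 of byte 0 is the first hour. Days: 0=Sunday .. 6=Saturday.
function New-LogonHoursMask {
    param(
        [int[]]$Days = @(1, 2, 3, 4, 5),   # Monday..Friday
        [int]$StartHour = 6,                # inclusive, UTC
        [int]$EndHour = 20                  # exclusive, UTC
    )
    $mask = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            $bit = $day * 24 + $hour
            $idx = [int][math]::Floor($bit / 8)
            $mask[$idx] = $mask[$idx] -bor (1 -shl ($bit % 8))
        }
    }
    return $mask
}

# True when the mask restricts at least one hour; null or all-0xFF means "always allowed".
function Test-LogonHoursRestricted {
    param([byte[]]$LogonHours)
    if (-not $LogonHours -or $LogonHours.Count -ne 21) { return $false }
    foreach ($b in $LogonHours) { if ($b -ne 0xFF) { return $true } }
    return $false
}

# Apply the M1018/M1026 baseline to one integration account: hard expiry plus logon window.
function Set-VendorAccountBaseline {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][datetime]$ExpiresOn,
        [int]$StartHourUtc = 6,
        [int]$EndHourUtc = 20
    )
    $mask = New-LogonHoursMask -StartHour $StartHourUtc -EndHour $EndHourUtc
    Set-ADUser -Identity $SamAccountName -AccountExpirationDate $ExpiresOn -Replace @{ logonHours = $mask }
}

# Audit every account carrying the vendor prefix and return one finding row per account.
function Get-VendorAccountFindings {
    param(
        [Parameter(Mandatory)][string]$Prefix,
        [int]$MaxPasswordAgeDays = 90,
        [int]$DormantAfterDays = 30,
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Administrators', 'Enterprise Admins')
    )
    $props = 'AccountExpirationDate', 'logonHours', 'PasswordNeverExpires',
             'PasswordLastSet', 'LastLogonDate', 'Enabled', 'MemberOf'
    Get-ADUser -Filter "SamAccountName -like '$Prefix*'" -Properties $props | ForEach-Object {
        $user = $_
        $findings = New-Object System.Collections.Generic.List[string]
        if (-not $user.AccountExpirationDate) {
            $findings.Add('no account expiry (M1018)')
        } elseif ($user.Enabled -and $user.AccountExpirationDate -lt (Get-Date)) {
            $findings.Add('expiry date passed but account still enabled')
        }
        if (-not (Test-LogonHoursRestricted $user.logonHours)) {
            $findings.Add('logon hours unrestricted (M1026)')
        }
        if ($user.PasswordNeverExpires) {
            $findings.Add('password never expires')
        } elseif ($user.PasswordLastSet -and $user.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
            $findings.Add("password older than $MaxPasswordAgeDays days")
        }
        # MemberOf holds DNs; take the CN of each group and compare against the privileged list.
        $groupNames = @($user.MemberOf | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=', '' })
        $priv = @($groupNames | Where-Object { $PrivilegedGroups -contains $_ })
        if ($priv.Count -gt 0) { $findings.Add("member of privileged group(s): $($priv -join ', ') (M1026)") }
        if ($user.Enabled -and $user.LastLogonDate -and $user.LastLogonDate -lt (Get-Date).AddDays(-$DormantAfterDays)) {
            $findings.Add("dormant: no logon in $DormantAfterDays days (M1018)")
        }
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Enabled        = $user.Enabled
            ExpiresOn      = $user.AccountExpirationDate
            Findings       = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }
        }
    }
}

# Usage with the hypothetical 'unfi_' prefix:
# Set-VendorAccountBaseline -SamAccountName 'unfi_sync' -ExpiresOn '2025-06-30'
# Get-VendorAccountFindings -Prefix 'unfi_' | Format-Table -AutoSize
```

The logonHours attribute is stored in UTC, so a window of 06:00-20:00 local time has to be shifted before it is written; `net user /times` does that shift for you, `Set-ADUser -Replace` does not. Run the audit function on a schedule and treat any row other than `OK` as a ticket: the point of step 1 is that third-party accounts stay on a short leash after onboarding, not only on the day they are created.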


NHS blood supplies still disrupted one year after Synnovis ransomware attack

Following last year's ransomware attack that disrupted pathology services at several London healthcare organisations, the NHS has urgently called for blood donors in England to come forward. Hospitals are reporting depleted reserves and are seeking urgent donations of O-negative blood, which can be given to all patients, because difficulties in quickly matching patients' blood types have driven demand for it and led to the current shortage.

[Researcher: Aditya Ganjam Mahesh, S-RM]

Assured’s vCISO reacts:

So what? The blood shortage has partly been blamed on the 2024 cyber attack on Synnovis, reported to have cost £32.7M. The Qilin ransomware gang is reported to have been behind the attack. We've analysed their TTPs and picked a few controls to help protect against them.

1. Restrict Privileged Account Usage

  • Aligned TTPs:
    • Qilin has been observed leveraging legitimate service accounts and RDP for lateral movement and execution.

    • They exploit weak internal segmentation between privileged and standard access.

  • Justification:

    • Blocking local and RDP logon for service accounts reduces lateral movement via hijacked credentials—a hallmark of Qilin’s tactics.

2. Implement Application Control Policies

  • Aligned TTPs:
    • Qilin/Agenda often deploys customized payloads (e.g., Rust variants) that evade antivirus and execute from non-standard paths.

    • Affiliates can compile binaries with varied configurations to bypass detection.

  • Justification:

    • AppLocker and Controlled Folder Access stop unknown binaries and script execution, mitigating Qilin’s flexibility in payload delivery.

3. Enforce Multi-Factor Authentication

  • Aligned TTPs:
    • Qilin targets exposed admin portals and VPNs with weak or single-factor auth for initial access or privilege escalation.

  • Justification:

    • Enforcing MFA blocks a key entry path exploited by Qilin in hybrid IT environments.

4. Audit and Monitor Third-Party Access

  • Aligned TTPs:
    • Qilin often abuses trusted third-party tooling (e.g., remote monitoring, IT support software) to gain and maintain access.

    • Their use of legitimate credentials can evade immediate detection.
  • Justification:

    • Detailed auditing surfaces misuse of remote access tools and provides visibility into compromised legitimate activity.

5. Restrict Use of Remote Management Tools

  • Aligned TTPs:
    • They frequently use remote management tools (e.g., AnyDesk, ConnectWise) in their campaigns.

    • Initial payloads sometimes include remote access trojans or legitimate remote desktop tools repurposed for control.
  • Justification:

    • Blocking or monitoring known ports and disabling unused services curbs unauthorized remote access and C2 persistence.

6. Enforce Just-in-Time Access and Role-Based Access Control

  • Aligned TTPs:
    • Qilin performs privilege escalation and token impersonation once inside, especially on flat or overprivileged networks.

  • Justification:

    • Enforcing JIT and RBAC tightly limits escalation paths and minimizes blast radius post-compromise.
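Controls 4 and 5 above both come down to noticing two things in the Windows Security log: a service account logging on interactively or over RDP, and a remote management tool being launched (which is also what the command-line auditing in the first item's step 3 is for). The script below is an added example, not code from the S-RM briefing or from Assured's vCISO. It normalises 4624 (logon) and 4688 (process creation with command line) events into flat records, runs both detections over them, and includes a constructed sample so it can be tried offline. Assumptions, all hypothetical: service accounts carry an `svc_` prefix, the executable list is a starting point rather than a complete RMM inventory, and the sample events are made up for the demonstration.

```powershell
# Added example (not from the briefing). Hypothetical conventions: service accounts
# are prefixed 'svc_'; the RMM executable list is illustrative, extend it for your estate.
$ServiceAccountPrefix = 'svc_'
$RmmExecutables = @(
    'anydesk.exe',
    'connectwisecontrol.client.exe',
    'screenconnect.clientservice.exe',
    'teamviewer.exe'
)

# Flatten a live Security-log EventRecord (from Get-WinEvent) into a hashtable of
# EventData fields plus EventId and TimeCreated, the shape the detector consumes.
function ConvertFrom-SecurityEvent {
    param([Parameter(Mandatory)]$Event)   # System.Diagnostics.Eventing.Reader.EventRecord
    $x = [xml]$Event.ToXml()
    $data = @{ EventId = [int]$Event.Id; TimeCreated = $Event.TimeCreated }
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Two detections over normalised records:
#  - 4624 with LogonType 2 (interactive) or 10 (RemoteInteractive/RDP) for a service account
#  - 4688 whose new process file name is a known remote management tool
function Find-SuspiciousRemoteAccess {
    param([Parameter(Mandatory)][hashtable[]]$Events)
    foreach ($e in $Events) {
        switch ([int]$e.EventId) {
            4624 {
                $user = "$($e.TargetUserName)"
                if ($user.ToLower().StartsWith($ServiceAccountPrefix) -and ("$($e.LogonType)" -in @('2', '10'))) {
                    [pscustomobject]@{
                        Time    = $e.TimeCreated
                        Rule    = 'service-account-interactive-logon'
                        Account = $user
                        Detail  = "LogonType $($e.LogonType) from $($e.IpAddress)"
                    }
                }
            }
            4688 {
                $exe = [IO.Path]::GetFileName("$($e.NewProcessName)").ToLower()
                if ($RmmExecutables -contains $exe) {
                    [pscustomobject]@{
                        Time    = $e.TimeCreated
                        Rule    = 'rmm-tool-launch'
                        Account = "$($e.SubjectUserName)"
                        Detail  = "$($e.NewProcessName) :: $($e.CommandLine)"
                    }
                }
            }
        }
    }
}

# Constructed sample (not real telemetry) in the normalised shape. Expected hits:
# the svc_pathlab RDP logon and the AnyDesk launch from a temp directory; the
# service logon (type 5) and the ordinary user's RDP session are not flagged.
$SampleEvents = @(
    @{ EventId = 4624; TimeCreated = '2025-06-10T02:14:05Z'; TargetUserName = 'svc_pathlab'; LogonType = '10'; IpAddress = '10.40.2.17' },
    @{ EventId = 4624; TimeCreated = '2025-06-10T02:15:40Z'; TargetUserName = 'svc_pathlab'; LogonType = '5';  IpAddress = '-' },
    @{ EventId = 4624; TimeCreated = '2025-06-10T08:01:00Z'; TargetUserName = 'j.smith';     LogonType = '10'; IpAddress = '10.40.9.3' },
    @{ EventId = 4688; TimeCreated = '2025-06-10T02:16:12Z'; SubjectUserName = 'svc_pathlab';
       NewProcessName = 'C:\Users\svc_pathlab\AppData\Local\Temp\AnyDesk.exe'; CommandLine = 'AnyDesk.exe --silent --install' },
    @{ EventId = 4688; TimeCreated = '2025-06-10T09:30:00Z'; SubjectUserName = 'j.smith';
       NewProcessName = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe' }
)

# Offline run over the constructed sample:
Find-SuspiciousRemoteAccess -Events $SampleEvents | Format-Table -AutoSize

# Live run on a host (last 24 hours of the Security log), same detection logic:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4688; StartTime = (Get-Date).AddDays(-1) } |
#         ForEach-Object { ConvertFrom-SecurityEvent $_ }
# Find-SuspiciousRemoteAccess -Events $live | Format-Table -AutoSize
```

The 4688 rule only works if "Include command line in process creation events" is enabled, otherwise CommandLine is empty and you are left matching on file name alone, which an attacker renaming `AnyDesk.exe` defeats; pair it with an AppLocker or WDAC publisher rule on the RMM vendors you do not use. The logon rule deliberately ignores type 5 (service start) and type 3 (network) so that a service account doing its job is not noise, which keeps the alert meaningful for the RDP-based lateral movement described above.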
