Caesars Entertainment has joined MGM Resorts in being pwned by hackers in a ransomware attack. This came to light in an SEC filing where they admitted to the pwnage:
As Bloomberg reports, citing sources close to the matter, the late-August attack left Caesars Entertainment forking over tens of millions of dollars to the hackers. The incident was described in an SEC filing published today, in which the company states that the breach occurred as the result of a “social engineering attack on an outsourced IT support vendor.” Sources told The Wall Street Journal that this social engineering attack involved a hacker posing as an employee to get the IT contractor to change a password. The hackers reportedly made off with the company’s loyalty program database, which contains a list of driver’s license numbers and Social Security numbers for a “significant number of members” within the database.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” the company wrote in the SEC filing. “We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused. Nonetheless, out of an abundance of caution, we are offering credit monitoring and identity theft protection services to all members of our loyalty program.”
Another example of a social engineering attack leading to epic pwnage. Just like the MGM attack. Which isn’t a surprise given that the same threat actors are behind both attacks. And if you read the statement, it sounds to me like they paid up but don’t know if this is guaranteed to stop the data from leaking. That’s not a good situation.
Here’s some commentary from industry experts:
Drew Schmitt, Practice Lead, GuidePoint Research and Intelligence Team (GRIT) at GuidePoint Security:
Scattered Spider is well known for its affinity for large targets, and the victimization of MGM and Caesars proves that the group possesses the motivation and means to be successful in their operations targeting substantial organizations. Scattered Spider is well known for having very well-established social engineering capabilities that many groups do not, mainly because they are rumored to have a significant presence in the United States, a characteristic many other groups do not share. Scattered Spider is exceptionally persistent and technically competent at many techniques, including phishing, SMiShing, MFA bombing, and SIM swapping, which have all contributed to their successful social engineering campaigns. Recently, there has been increasing speculation that Scattered Spider has partnered with AlphV on several occasions to extort the organizations they have victimized successfully.
Regarding the MGM hack, there has been a lot of emphasis on the fact that a brief social engineering phone call resulted in widespread compromise within a huge organization. We currently do not have the complete picture, and although this method of intrusion highlights some potential gaps in cybersecurity processes, there is likely much more to this intrusion than meets the eye. Scattered Spider is highly determined and persistent in their operations; if it wasn’t for this social engineering attempt, it could have been another that relied on more technical means. Sometimes attackers get lucky, and this could be one of those times.
The reality of this situation is that Caesars and MGM were enormous organizations that became victims of ransomware. Still, so far in 2023, there have been over 2,800 public ransomware victims posted across leak sites belonging to more than 52 different threat actors. This number doesn’t include the victims that pay a ransom demand, a number which organizations like Caesars would belong to. The ransomware pandemic continues to be the most prolific threat that all industries and organizations, regardless of size, face. The Caesars and MGM hacks are a reminder that partnerships in intelligence sharing and investing in cybersecurity teams should be a significant topic of discussion for all organizations and that, as an industry, we need to continue moving fast to keep up with evolving threats.
Chris Denbigh-White, Chief Security Officer for Next DLP:
In the wake of these recent cyberattacks, which appear to have emanated from the exploitation of an external IT provider, it becomes evident that businesses must fortify not only their internal networks but also extend their cybersecurity vigilance to encompass third-party vendors and strategic partners. This underscores the imperative for a comprehensive approach to safeguarding digital assets. In short, many organizations need to “lift their vision in order to protect their businesses.”
I note that in the mainstream discussion about the cyberattacks that hit both Caesars and MGM, the use of social engineering tactics seems to be taking center stage. However, it is crucial to bear in mind that social engineering represents just one “link” in the chain of a successful attack. In order to effect the level of impact that we have seen from these attacks, many other information security controls must have failed.
Organizations seeking to implement learning from these disconcerting episodes should delve deeper, evaluating not only the robustness of their initial security layers but also the overall resilience of their security program. This holistic perspective is instrumental in averting scenarios wherein a single inadvertent user click could potentially jeopardize an entire corporate entity.
Mike Hamilton, Founder and CISO of Critical Insight:
- Caesar’s paid the extortion demand ($30M?) and are up and running
- That said, their loyalty program data was stolen and they’ve believed the promise to delete it
- MGM did not pay, and still have threat actor activity inside the network
- Apparently actors hit LinkedIn and gathered some employee names, then vished the help desk
- The ALPHV gang was seen bragging online that it took 12 minutes to go from initial access to full domain admin, and this suggests assistance from an insider
- MGM apparently having trouble making payroll, and employees are walking out:
I’ll add to this before closing. Besides apparently not being able to make payroll, this is also happening to MGM:
Clearly MGM has issues. Lots of issues.
UPDATE: Emily Phelps, Director, Cyware had this comment:
“If organizations take away anything from the Caesar’s ransomware attack, let it be a reminder that human behavior is one of the most common vulnerabilities threat actors exploit. Technologies change rapidly. Human behavior doesn’t. Improving security awareness must be an ongoing effort, and it is only the beginning.
“To minimize social engineering risks, it’s important to also ensure you require multifactor authentication, ideally using different types of authentication such as a passphrase and an authenticator app. Threat intelligence is critical to recognizing potential risks before they can cause harm.
“Organizations must not only have access to reliable intel; they must also be able to operationalize intelligence quickly. If you aren’t taking action, you aren’t reducing risk. This is why security collaboration and trusted intelligence sharing are critical to enabling enterprises to rapidly act on context-rich insights, moving from a reactive to a proactive security posture.”
Dave Ratner, CEO, HYAS followed with this:
“Social engineering is one of the most successful ways bad actors breach an environment, and one of the hardest gaps to close. Continued user training is needed, but this must be complemented with defense-in-depth strategies that assume breaches will occur and detect the initial telltale signs of a breach, the digital exhaust indicating anomalous activity, so that the attack can be stopped before it expands and impacts operational resiliency.”
The National Student Clearinghouse Is The Latest Company To Be Pwned By MOVEit
Posted in Commentary with tags Hacked on September 26, 2023 by itnerd
In a breach notification letter, National Student Clearinghouse disclosed a data breach affecting 890 US schools using its services as part of the MOVEit campaign, with stolen files containing a wide range of personal information.
Clearinghouse provides educational reporting, data exchange, verification, and research services to roughly 22,000 high schools and around 3,600 colleges and universities that enroll roughly 97% of students.
Despite the widespread MOVEit victim pool we’ve seen over the past 4 months, researchers suggest that a limited number are likely to pay the ransom demand, but the Clop gang is still expected to collect about $75-100 million.
Steve Hahn, Executive VP, BullWall had this to say:
“Ransomware has taken a dark turn this year. Double extortion techniques now mean the threat actors have two ways to monetize the event. Pay to decrypt your data. Pay to not have them release sensitive information on the web. With that, once unheard of targets, children, elderly and the sick have become the prime targets. Just this year threat actors have hit a breast cancer treatment facility and released pictures of women in vulnerable states that were being treated at the facility. They’ve also released student records, grades, disciplinary records and information on students’ sexual activity and identity as part of this data theft.
“There is no bar too low for this new breed of criminals as we’ve seen the highest number of Ransomware Victims on record for Ransomware. Prevention just staves off the inevitable. Schools will be hit. They need a rapid containment strategy that can isolate those events once the attack begins unfolding. The only hope is to limit the damage and recover quickly when a determined threat actor is targeting these educational institutes.”
Emily Phelps, Director, Cyware follows with this:
“Pervasive MOVEit transfer attacks continue to impact major organizations across a variety of industries. While a layered security approach – multifactor authentication, regular patches and updates, intrusion detection and prevention systems, etc. – play a pivotal role in defense, organizations must do more to move to a proactive cybersecurity posture. Organizations need access to reliable threat intelligence that can be automatically routed to the right people to rapidly take the right actions.”
Al Martinek, Customer Threat Analyst, Horizon3.ai concludes with this:
“Over the past four months, the widely reported critical security flaw in the Progress MOVEit Transfer application (CVE-2023-34362) constantly reminds us of how important it is to remain vigilant in securing our IT infrastructure from potential cyber threat actors. CVE-2023-34362 poses a significant risk to all industries and sectors relying on MOVEit for file transfer operations. The active exploitation of this vulnerability by threat actors emphasizes the need for swift action. CL0P, for example, continues to exploit CVE-2023-34362 across a large array of organizations big or small.
“Notoriously known as a “Big Game” ransom hunter, CL0P also hones and sharpens their skills by targeting smaller organizations. Their main goals are to disrupt daily organizational cyber activity, steal sensitive data (i.e. PII and PHI) and find other opportunistic ways to disrupt or deploy further attacks. An attack targeting MOVEit’s web application could prove detrimental to any organization, because the application is responsible for interfacing with MySQL, Microsoft SQL Server, and Azure SQL database engines.
“It is becoming seemingly important for organizations, including educational institutions of all sizes, to shift their mindset regarding how they secure their systems and networks against cyber threat actors. Specifically, organizations must ask themselves whether paying millions of dollars in ransomware is worth not proactively investing in cybersecurity tools that would have alerted to and prevented such attacks and demand for money.
“Horizon3.ai proactively warns customers about potential zero-day and N-day ransomware attacks and impacts so that they take immediate action to fix potential vulnerabilities and mitigate possible threats. Exploitation by any cyber threat actor poses a significant risk to organizations (especially the Education sector) relying on the MOVEit web application for file transfer operations. Key impacts on these organizations include:
Mitigation and Recommendations:
“To mitigate these risks, organizations should promptly apply security patches, implement regular pentest cadence, implement intrusion detection and prevention systems, conduct regular security audits, and provide user awareness and training. By taking these proactive measures, organizations can enhance their security posture and minimize the potential impacts of CVE-2023-34362 and thwart possible attacks by groups such as CL0P. It is crucial for organizations to prioritize cybersecurity and remain vigilant in addressing vulnerabilities to protect their sensitive data and maintain the trust of stakeholders.”