The IT Nerd

In a breach notification letter, National Student Clearinghouse disclosed a data breach affecting 890 US schools using its services as part of the MOVEit campaign with stolen files containing a wide range of personal information.

“The relevant files obtained by the unauthorized third party included personal information such as name, date of birth, contact information, Social Security number, student ID number, and certain school-related records (for example, enrollment records, degree records, and course-level data). The data that was affected by this issue varies by individual,” the notice explained.

Clearinghouse provides educational reporting, data exchange, verification, and research services to roughly 22,000 high schools and around 3,600 colleges and universities that enroll roughly 97% of students.

Despite the widespread MOVEit victim pool we’ve seen over the past 4 months, researchers suggest that a limited number are likely to pay the ransom demand, but Clop the gang is still expected to collect about $75-100 million.

Steve Hahn, Executive VP, BullWall had this to say:

   “Ransomware has taken a dark turn this year. Double extortion techniques now mean the threat actors have two ways to monetize the event. Pay to decrypt your data. Pay to not have them release sensitive information on the web. With that, once unheard of targets, children, elderly and the sick have become the prime targets. Just this year threat actors have hit a breast cancer treatment facility and released pictures of women in vulnerable states that were being treated at the facility. They’ve also released student records, grades, disciplinary records and information on students’ sexual activity and identity as part of this data theft.

   “There is no bar too low for this new breed of criminals as we’ve seen the highest number of Ransomware Victims on record for Ransomware. Prevention just staves off the inevitable. Schools will be hit. They need a rapid containment strategy that can isolate those events once the attack begins unfolding. The only hope is to limit the damage and recover quickly when a determined threat actor is targeting these educational institutes. “

Emily Phelps, Director, Cyware follows with this:

   “Pervasive MOVEit transfer attacks continue to impact major organizations across a variety of industries. While a layered security approach – multifactor authentication, regular patches and updates, intrusion detection and prevention systems, etc. – play a pivotal role in defense, organizations must do more to move to a proactive cybersecurity posture. Organizations need access to reliable threat intelligence that can be automatically routed to the right people to rapidly take the right actions.”

Al Martinek, Customer Threat Analyst, Horizon3.ai concludes with this:

   “Over the past four months, the widely reported critical security flaw in the Progress MOVEit Transfer application (CVE-2023-34362) constantly reminds us of how important it is to remain vigilant in securing our IT infrastructure from potential cyber threat actors. CVE-2023-34362 poses a significant risk to all industries and sectors relying on MOVEit for file transfer operations. The active exploitation of this vulnerability by threat actors emphasizes the need for swift action. CL0P, for example, continues to exploit CVE-2023-34362 across a large array of organizations big or small.  

   “Notoriously known as a “Big Game” ransom hunter, CL0P also hones and sharpens their skills by targeting smaller organizations. Their main goals are to disrupt daily organizational cyber activity, stealing sensitive data (i.e. PII and PHI) and finding other opportunistic ways to disrupt or deploy further attacks. An attack targeting MOVEit’s web application could prove detrimental to any organization, because the application is responsible for interfacing with MySQL, Microsoft SQL Server, and Azure SQL database engines.  

   “It is becoming seemingly important for organizations, including educational institutions of all sizes, to shift their mindset regarding how they secure their systems and networks against cyber threat actors. Specifically, organizations must ask themselves whether paying millions of dollars in ransomware is worth not proactively investing in cybersecurity tools that would have alerted to and prevented such attacks and demand for money.  

   “Horizon3.ai proactively warns customers about potential zero-day and N-day ransomware attacks and impacts so that they take immediate action to fix potential vulnerabilities and mitigate possible threats. Exploitation by any cyber threat actor poses a significant risk to organizations (especially the Education sector) relying on the MOVEit web application for file transfer operations. Key Impacts on these organizations includes:

• Data Breaches and Intellectual Property Theft (including current and former employee data)
• Operational Disruption and Downtime
• Manipulation of File Transfers
• Reputational Damage and Legal Consequences

Mitigation and Recommendations:

• Implement Regular Pentest Cadence (NodeZero)
• Apply Security Patches and Updates (Progress Security Advisory)
• Implement Intrusion Detection and Prevention Systems
• Conduct Regular Security Audits
• User Awareness and Training

   “To mitigate these risks, organizations should promptly apply security patches, implement regular pentest cadence, implement intrusion detection and prevention systems, conduct regular security audits, and provide user awareness and training. By taking these proactive measures, organizations can enhance their security posture and minimize the potential impacts of CVE-2023-34362 and thwart possible attacks by groups such as CL0P. It is crucial for organizations to prioritize cybersecurity and remain vigilant in addressing vulnerabilities to protect their sensitive data and maintain the trust of stakeholders.”

Over a month after the initial cyberattack, The Clorox Company said in its latest update to the SEC that it is still using a manual ordering process and doesn’t expect operations to return to normal until near the end of the month as it continues to untangle the disruption to operations.

“The cybersecurity attack damaged portions of the company’s IT infrastructure, which caused widescale disruption of Clorox’s operations. The company is repairing the infrastructure and is reintegrating the systems that were proactively taken offline,” the SEC filing adds.

Despite the ongoing interruption, Clorox does believe the intruders’ “activity is contained”, but the event will have considerable financial impact due to slower rate of order processing and product availability issues after manufacturing halts, the company warned.  

A return to normal automated order processing is scheduled for September 25th.

Willy Leichter, VP, Cyware had this to say:
 
   “The true costs of a breach and lingering business disruption can be much larger than many risk models assume. Maintaining business continuity requires a holistic approach: regular software patches and updates, multifactor authentication, ongoing security training, incident response planning, backups, and actionable threat intelligence. Cybersecurity is complex, and the importance of speed and accuracy cannot be overstated. IT and security teams must be empowered to collaborate so that the right intel gets to the right people to rapidly take the right actions.”

This has clearly been a nightmare for Clorox. This should illustrate why you need to take precautions to make sure that you don’t end up like Clorox.

Caesars Entertainment has joined MGM Resorts in being pwned by hackers in a ransomware attack. This came to light in an SEC filing where they admitted to the pwnage:

As Bloomberg reports, citing sources close to the matter, the late-August attack left Caesars Entertainment forking over tens of millions of dollars to the hackers. The incident was described in an SEC filing published today, in which the company states that the breach occurred as the result of a “social engineering attack on an outsourced IT support vendor.” Sources told The Wall Street Journal that this social engineering attack involved a hacker posing as an employee to get the IT contractor to change a password. The hackers reportedly made off with the company’s loyalty program database, which contains a list of driver’s license numbers and Social Security numbers for a “significant number of members” within the database. 

“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” the company wrote in the SEC filing. “We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused. Nonetheless, out of an abundance of caution, we are offering credit monitoring and identity theft protection services to all members of our loyalty program.”

Another example of a social engineering attack leading to epic pwnage. Just like the MGM attack. Which isn’t a surprise given that the same threat actors are behind both attacks. And if you read the statement, it sounds to me like they paid up but don’t know if this will guaranteed to stop the data from leaking. That’s not a good situation.

Here’s some commentary from some industry experts:

Drew Schmitt, Practice Lead, GuidePoint Research and Intelligence Team (GRIT) at GuidePoint Security:

Scattered Spider is well known for its affinity for large targets, and the victimization of MGM and Caesars proves that the group possesses the motivation and means to be successful in their operations targeting substantial organizations. Scattered Spider is well known for having very well-established social engineering capabilities that many groups do not, mainly because they are rumored to have a significant presence in the United States, a characteristic many other groups do not share. Scattered Spider is exceptionally persistent and technically competent at many techniques, including phishing, SMiShing, MFA bombing, and SIM swapping, which have all contributed to their successful social engineering campaigns. Recently, there have been increasing speculations that Scattered Spider has partnered with AlphV on several occasions to extort the organizations they have victimized successfully.

Regarding the MGM hack, there has been a lot of emphasis on the fact that a brief social engineering phone call resulted in widespread compromise within a huge organization. We currently do not have the complete picture, and although this method of intrusion highlights some potential gaps in cybersecurity processes, there is likely much more to this intrusion than meets the eye. Scattered Spider is highly determined and persistent in their operations; if it wasn’t for this social engineering attempt, it could have been another that relied on more technical means. Sometimes attackers get lucky, and this could be one of those times. 

The reality of this situation is that Caesars and MGM were enormous organizations that became victims of ransomware. Still, so far in 2023, there have been over 2,800 public ransomware victims posted across leak sites belonging to more than 52 different threat actors. This number doesn’t include the victims that pay a ransom demand, a number which organizations like Caesars would belong to. The ransomware pandemic continues to be the most prolific threat that all industries and organizations, regardless of size, face. The Caesars and MGM hacks are a reminder that partnerships in intelligence sharing and investing in cybersecurity teams should be a significant topic of discussion for all organizations and that, as an industry, we need to continue moving fast to keep up with evolving threats.

Chris Denbigh-White, Chief Security Officer for Next DLP:

In the wake of these recent cyberattacks, which appear to have emanated from the exploitation of an external IT provider, it becomes evident that businesses must fortify not only their internal networks but also extend their cybersecurity vigilance to encompass third-party vendors and strategic partners. This underscores the imperative for a comprehensive approach to safeguarding digital assets. In short many organizations need to “lift their vision in order to protect their businesses.”

I note that in the mainstream discussion about the cyberattacks that hit both Caesars and MGM, the use of social engineering tactics seems to be taking center stage. However, it is crucial to bear in mind that social engineering represents just one “link” in the chain of a successful attack. In order to effect the level of impact that we have seen by these attacks many other information security controls must have failed.  

Organizations seeking to implement learning from these disconcerting episodes should delve deeper, evaluating not only the robustness of their initial security layers but also the overall resilience of their security program. This holistic perspective is instrumental in averting scenarios wherein a single inadvertent user click could potentially jeopardize an entire corporate entity.

Mike Hamilton, Founder and CISO of Critical Insight:

• Caesar’s paid the extortion demand ($30M?) and are up and running
• That said, their loyalty program data was stolen and they’ve believed the promise to delete it
• MGM did not pay, and still have threat actor activity inside the network
• Apparently actors hit LinkedIn and gathered some employee names, then vished the help desk
• The ALPHV gang was seen bragging online that it took 12 minutes to go from initial access to full domain admin, and this suggests assistance from an insider
• MGM apparently having trouble making payroll, and employees are walking out:

Employee confirms there have been walk-outs as employees hear payday could be fluid. https://t.co/J6qXGPxxj0

— Vital Vegas (@VitalVegas) September 13, 2023

I’ll add to this before closing. Besides apparently not being able to make payroll, this is also happening to MGM:

It’s been another eventful
Day @MGMGrand … #CyberAttack #MGM #BreakingNews #Breaking #Vegas #Lasvegas
Hotel keys aren’t working, so you have to be verified (somehow) to be escorted to ur room by security. How is this not on national news?? Are they keeping something from… pic.twitter.com/WCujtzTWMA

— Shelly Fields (@ShellyFields) September 12, 2023

Clearly MGM has issues. Lots of issues.

UPDATE: Emily Phelps, Director, Cyware had this comment:

   “If organizations take away anything from the Caesar’s ransomware attack, let it be a reminder that human behavior is one of the most common vulnerabilities threat actors exploit. Technologies change rapidly. Human behavior doesn’t. Improving security awareness must be an ongoing effort, and it is only the beginning. 

    “To minimize social engineering risks, it’s important to also ensure you require multifactor authentication, ideally using different types of authentication such as a passphrase and an authenticator app. Threat intelligence is critical to recognizing potential risks before they can cause harm. 

    “Organizations must not only have access to reliable intel; they must also be able to operationalize intelligence quickly. If you aren’t taking action, you aren’t reducing risk. This is why security collaboration and trusted intelligence sharing are critical to enabling enterprises to rapidly act on context-rich insights, moving from a reactive to a proactive security posture.”

Dave Ratner, CEO, HYAS followed with this:

   “Social engineering is one of the most successful ways bad actors breach an environment, and one of the hardest gaps to close.  Continued user training is needed, but this must be complemented with defense-in-depth strategies that assume breaches will occur and  detect the initial telltale signs of a breach, the digital exhaust indicating anomalous activity, so that the attack can be stopped before it expands and impacts operational resiliency.”

This is one of those cases where it proves that the weakest part of your cybersecurity efforts are the humans. I say that because the MGM Resorts hack that I reported on was carried out via a simple 10 minute phone call:

The ALPHV/BlackCat ransomware group claimed responsibility for the MGM Resorts cyber outage on Tuesday, according to a post by malware archive vx-underground. The group claims to have used common social engineering tactics, or gaining trust from employees to get inside information, to try and get a ransom out of MGM Resorts, but the company reportedly refuses to pay. The conversation that granted initial access took just 10 minutes, according to the group.

“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk,” the organization wrote in a post on X. Those details came from ALPHV, but have not been independently confirmed by security researchers.

If that’s true, then that’s very bad. And it highlights the need to train help desks and the like to be vigilant of social engineering like this. Because now that this is out there, it’s a safe bet that other threat actors will try the same thing to carry out similar attacks.

UPDATE: John Gunn, CEO, Token provided me with this comment:

It is beyond ridiculous that we continue to rely on humans as the core of our cyber-defense strategy and expect every employee in the entire organization to be able to identify and fend off sophisticated attacks from hackers using the most advanced tools and techniques. Humans, meaning everyday users, are simply not capable and we have to take this vulnerability out of the process by changing the way they login.

People are the weakest link in cyber security and their abilities to defend have improved extremely little in the past twenty years while attack methods and tools have raced forward in effectiveness and frequency. When cyber criminals fully implement AI, it will be a bloodbath as breaches and the losses accelerate seemingly unimpeded. We must stop relying on humans to defend our organizations against today’s cyber attacks.

If you’re trying to book a vacation at a MGM Resort, forget about it. They’ve been pwned by a ransomware attack:

The initial shutdown impacted nearly every aspect of the casino operator’s business. Reservation systems, booking systems, hotel electronic key card systems, and the casino floors were all apparently impacted by the outage.

The company’s email systems were also apparently taken down in response to the cybersecurity issue, and have not yet come back online.

The company said that as of Monday evening, their casino floors were back online. But the reservation systems that power their thousands of hotel rooms and the booking system that controls reservations for their restaurants are apparently still down, more than a day after the first reports of the incident began to circulate.

Sucks to be MGM. Chris Denbigh-White, the Chief Security Officer (CSO) for Next DLP had comment on this pwnage:

The recent cyber assault on MGM Resorts has sparked significant intrigue, albeit amid a veil of limited information. Considering the available intelligence and the trajectory of cyber threats this year, it strongly suggests ransomware is the probable perpetrator. 

Casinos, both repositories of substantial wealth and vast volumes of personal and financial data that harbor a minuscule appetite for operational downtime, render them exceptionally enticing prey for cyber-criminal syndicates on the hunt for financial gain.

Although specific details are lacking, the initial repercussions of this incident are far from unclear. MGM Resorts has instituted a sweeping shutdown of a substantial segment of its infrastructure. This episode accentuates the paramount role of visibility in crafting effective containment strategies. It compels businesses, irrespective of industry, to contemplate the depth to which they should be prepared to suspend or curtail their operations when confronted by such threats. MGM’s response, somewhat akin to a “nuclear” option, is poised to affect its near-term revenue-generating capabilities indisputably.

As MGM Resorts looks toward the eventual restoration of its services, the imperative of a meticulously delineated and rigorously tested system restoration process takes center stage. This process must ensure that when operations recommence, unwavering confidence prevails regarding the fortitude of system defenses. Following such an ordeal, a certain degree of paranoia will undoubtedly pervade as the systems are reactivated.

The MGM incident underscores a universal truth—namely, that the calculus of cyber risk knows no industry bounds. The profound implications of this breach reverberate well beyond the casino walls, resonating as a stark reminder to senior leadership teams across sectors that the pursuit of resilience, protection of data, and the preservation of digital trust are mandates of our digital age.

I would not at all be shocked if we see more attacks on those in the vacation/resort/casino business as those are targets who might be more likely to pay up as attacks like this are move devastating from a revenue perspective.

UPDATE: Ken Westin, Field CISO, Panther Labs add this:

While the details of the attack have not been provided, the response of shutting down the network, particularly bringing down games which are the lifeblood of a casino, tells me that we are dealing with a potential ransomware incident. The shutdown of such critical systems was probably done to stop the spread of malware through their environment. Ransomware groups commonly target not just one company, but entire industries once they identify a common vulnerability or misconfiguration.  This should be cause for alarm in the gaming industry, as these networks are tightly controlled with multiple layers of security, if a vulnerability was identified it could mean additional casinos will be hit that may share a vulnerable application or similar misconfiguration.

Steve Hahn, Executive VP, BullWall follows with this:

   “MGM isn’t publicly stating the nature of the attack, but looking at the endless stream of negative social media posts from their customers being locked out of their room, or entering rooms with other guests in them, ATMs and slot machines down, this really can’t be anything other than a Ransomware Attack. Ransomware Attacks are designed not just to encrypt data, but to propagate itself to other endpoints, servers, fileshares and even VMs and Domain Controllers. Once this happens wide scale outages begin across the victims IT and services. 

   “Ransomware is also nearly impossible to prevent from a focused and dedicated threat actor. Casinos have some of the largest attack surfaces out there. Every IoT device presents the threat actors with another attack vector. I spoke to a casino that was hit recently that had the attack initiate on a temperature sensor in a large aquarium on their property.

   “These types of properties should view these as a “when” not “if” event and look to how to contain an outbreak within milliseconds vs solely focusing on prevention. With a prevention only focus the threat actor only needs to get it right one time. Containment tools and a disaster response plan have to be seen as “table stakes” for casinos in the modern threat world.”

Finally Emily Phelps, Director, Cyware had this to say:

   “Cybersecurity is increasingly complex, in part, due to the interconnected way in which business now operates. It is more difficult to isolate an issue, leading to widespread impact. Even well-resourced enterprises deal with disparate tools, siloed teams and data, and delayed response. Cybersecurity must become more collaborative to get ahead of threats that interrupt business continuity.”

The Information and Communication Technology Agency (ICTA) has confirmed that on August 26th, all Sri Lankan government emails have lost all their data from May 17 to August 26, 2023 after a massive ransomware attack.
 
One government staff said that their official email had been receiving suspicious links over the past few weeks and that someone may have clicked one, triggering the ransomware attack.

The system was restored within 12 hours of the attack and the backup was also brought back, but more than three months of storage for over 5000 email domains was missing.

ICTA has started daily offline backups and intends to upgrade the relevant application to the latest version. An upgrade to the email network had been planned since 2021 but was constrained by fund limitations and board decisions, ICTA CEO Mahesh Perera said.

Steve Hahn, Executive VP, BullWall had this comment:

   “Ransomware attacks typically seek to steal and encrypt your data. However, there’s no guarantee the attacker will leave your data behind, encrypted or otherwise. Whether you pay the threat actor or even restore from backups, on average companies will not retrieve all of their data.

   “A 2021 study by Veeam found that more than half of all data backups fail, losing Ideas, patents, customer orders and communications, legal information, plans and documents. In this case the failure was a failure to act. It’s critical to protect it all and modern RW targets those backups as well, with the potential to wipe out everything. Not a good thing when “restoring the system” does not include your data.”

The attitude of organizations who are trying to protect themselves against attacks like this have to be prevention first along with a recovery strategy. That way they are covered for any eventuality.

 

According to a notice on Johnson and Johnson owned Janssen Pharmaceutical’s website, CarePath customers’ personal and medical information has been compromised in a data breach involving its third-party technology service provider, IBM.

CarePath is an application designed to help patients gain access to Janssen medications, discounts on prescriptions, guidance on insurance and other helpful tools. IBM manages the CarePath application and database supporting these functions.

After the pharmaceutical firm became aware of a method that could give unauthorized users access to the CarePath database, Janssen informed IBM and the security gap was fixed. IBM then began an investigation which revealed that CarePath users who enrolled on Janssen’s online services before July 2nd had the following details accessed by unauthorized users:

• Name and contact information
• Date of birth
• Health insurance information
• Medication information
• Medical condition information

In an unrelated incident last month, the Colorado Department of Health Care Policy & Financing informed four million individuals that their personal and medical data had been exposed due to the breach on IBM.

Emily Phelps, Director, Cyware had this to say:

   “In today’s interconnected world, securing environments is increasingly complex. We have useful technologies that make it easy for individuals and organizations to engage with each relevant data but can also provide unauthorized access to sensitive information. This is why advanced security collaboration and orchestration are so important. Not all security-related technologies play well together, making it difficult for teams to quickly identify gaps and vulnerabilities. We need to not only get the right information to the right people; we need it to be context-rich, making it clear what steps are needed and what action must be taken.”

Ted Miracco, CEO, Approov Mobile Security follows up with this:

   “Healthcare organizations can no longer simply trust the security posture of every vendor in their supply chain, even if that vendor is as trusted as IBM. As medical devices, apps, clouds and partners increasingly integrate, attack surfaces multiply exponentially. Breaches via third parties will continue absent real-time attestation of app, device and user legitimacy on every request. API interconnections cannot automatically imply interoperability of security and healthcare organizations must re-architect environments where every access attempt, especially from mobile devices, is authenticated and authorized.”

Healthcare is a prime target for threat actors because that sector is seen as weak from a cybersecurity standpoint. That sector really needs to do more to stop these sorts of events from happening.

Zaun, a UK manufacturer of fencing systems for the Ministry of Defense, revealed late last week that it was hit by a cyber-attack carried out by LockBit between August 5th and 6th where gigabytes of data related to top secret British military and intelligence sites were exposed. Gigabytes of sensitive data that could help criminals access the HMNB Clyde nuclear submarine base, the Porton Down chemical weapon lab and a GCHQ listening post were posted to the dark web. Labour MP Kevan Jones, stated: “This is potentially very damaging to the security of some of our most sensitive sites.”

The breach occurred through a Windows 7 PC that was running software for one of Zaun’s manufacturing machines. At the time of the attack, Zaun believed its cybersecurity solutions prevented any transfer of data.

“However, we can now confirm that during the attack LockBit managed to download some data, possibly limited to the vulnerable PC but with a risk that some data on the server was accessed. It is believed that this is 10 GB of data, potentially including some historic emails, orders, drawings and project files,” said the statement.

Zaun said it does not believe that any classified documents were stored on the system, but the data released by LockBit included thousands of pages of data related to the perimeters of His Majesty’s Naval Base, Clyde nuclear submarine base, the Porton Down chemical weapon lab and numerous jails.

Stephen Gates, Principal Security SME, Horizon3.ai had this comment:

   “As the cyberthreat landscape continuously changes, manufacturers face a unique set of IT challenges, as well as the real, physical ramifications that impact their bottom lines. Today’s attackers fully understand the disadvantages manufacturers face, especially in terms of their reliance on various computing systems, antiquated operating systems, commercial and custom-built applications, and lots of devices – some new and some incredibly old.

   “In a recent autonomous penetration test performed by Horizon3.ai’s NodeZero, it found a computer in a manufacturing network running a pre-Windows 2000 operating system, exploited it, and eventually achieved domain admin. Many manufacturers likely have some older computers still in use that are running operating systems no longer supported. Although the older computers work just fine for the minimal tasks they perform, they can easily become an enabler of a successful breach.”

I for one don’t buy a word that Zaun says regarding how bad this is. And why in the world were they running a Windows 7 PC? There’s a lot here that needs to be unpacked as this hack could be catastrophic on so many levels.