Blog Post Archives

A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos

October 12, 2023/in Blog Post/by Ellen Loughlin

By: Max Bernal, Technical Content Writer, and Adlumin’s Threat Research Team

A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos is a part of Adlumin’s Threat Bulletin Series content series.

In early September 2023, Caesars Entertainment in Las Vegas experienced a major cyberattack. The threat actors used a combination of social engineering tactics and ransomware to breach the casino’s networks and steal sensitive data. On September 10, another gambling conglomerate, MGM Resorts International, experienced a cyberattack by threat actors in the ALPHV ransomware-as-a-service (RaaS) group. The two attacks cost the casinos millions of dollars in losses.

Caesars Entertainment Cyberattack

Caesars Entertainment’s SEC filing on September 7, 2023, stated that it had suffered a social engineering attack “on an outsourced IT support vendor used by the company.” The exact date of the cyberattack was not disclosed, nor who carried out the assault.

In the filing, Caesars also stated that the cyberattack did not impact customer-facing operations like slot machines, guest services, and other services but that among the data stolen, the threat actor(s) had acquired a copy of the loyalty program database, which included member driver’s license and Social Security numbers.

Caesars also disclosed that it had taken steps to “ensure that the stolen data [was] deleted,” alluding that it had paid a ransom. Numerous news outlets, including Bloomberg, reported that the company paid “tens of millions of dollars.”1 Other news outlets, including CNBC, reported that Caesars paid $15 million.2

The company did not provide specific details on how the social engineering attack was carried out or identify the cybercriminal(s) by name. However, numerous news reports published statements from sources “familiar with the matter” that pinned the attacks on a hacker group called Scattered Spider, also known as “Scattered Swine,” “Muddled Libra,” and UNC3944 (by Mandiant), which is likely affiliated with the ransomware group, ALPHV.

The threat actor group is known for its sophisticated social engineering techniques and the ability to target and bypass Okta login security services.

MGM Resorts International Cyberattack

On September 12, 2023, MGM Resorts International issued a statement via PR Newswire stating that it had “identified a cybersecurity issue affecting the company’s systems.”3 MGM also stated that it had notified law enforcement to help protect networks and data, including by “shutting down certain systems.”

According to the Associated Press, MGM began experiencing disruptions on Sunday, September 10,4 and its reservations website was down that day. Soon after, numerous other media outlets reported that slot machines were out-of-service or were displaying errors across MGM-owned casinos, including at the MGM Grand, Bellagio, Aria, Mandalay Bay, Delano, Cosmopolitan, New York-New York, Excalibur, and Luxor. In addition, it was reported that thousands of guests had to wait in long lines for hotel check-ins and that credit card point of sales systems were down, forcing guests to pay cash.5

However, some of the same news outlets published statements from unvetted sources citing that the attack on MGM was carried out by the “same threat actors” that attacked Caesars Entertainment, Scatted Spider. On September 14, the ransomware-as-a-service (RaaS) group ALPHV issued a rare statement claiming sole responsibility for the attack and condemned news media and cybersecurity firms for publishing “false” and “unsupported” details on the attack.

“The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets decided to falsely claim that we had claimed responsibility for the attack before we had,” part of the statement read. “Tech Crunch & others: neither you nor anybody else was contacted by the hacker who took control of MGM. Next time, verify your sources more thoroughly, or at the very least, give some hint that you do.”

In an earlier version of the statement, ALPHV had also distanced itself from the Twitter/X account, “vx-underground,” which had published a post on September 12 stating that the attack was carried out by looking up employee information on LinkedIn and that a 10-minute phone call to the company’s help desk was all it took to “defeat” the multi-million-dollar company.

Numerous news media erroneously believed the threat actors had published the post to explain how they gained access to the MGM networks and used it in their reporting.

1. Screen capture of the 9/12/2023 post published by vx-underground.

At some point, ALPHV removed the reference to “vx-underground” and issued another update:

“As of September 16, 2023, we have not spoken with journalists, news organizations, Twitter/X users, or anyone else. Any official updates are only available on this blog. You would think that after the tweet below, people would know better than to believe anything unreliable they would hear about this incident. If we talk to a reporter, we will share it here. We did not and most likely won’t,” ALPHV wrote.

The Adlumin Threat Research Team cannot confirm what tactics ALPHV used to break into MGM servers nor provide more details on the attack until MGM discloses what transpired.

According to ALPHV’s statement, the group was able to deploy ransomware once inside MGM’s network, encrypting about 100 ESXi hypervisors at the onset of the attack. The group also alluded to targeting the casino’s Okta services.

MGM operations resumed normal customer-facing operations on September 20. According to news reports, MGM lost about $8 million each day its servers were down, which adds up to $40 million.6

Adlumin contacted MGM for more details on the attack, but the company only referred us to their original September 12 statement.

Recommendations

How to Protect Yourself from Social Engineering

Verify

In Caesars Entertainment’s case, a simple vishing tactic, where a cybercriminal attempts to obtain information via phone call, was used to impersonate a legitimate employee and request a password reset. How? While the exact details are still unclear, we can surmise that personally identifiable information (PII) was obtained by the threat actors and used to reset an account.

An organization’s IT or cybersecurity department should verify an individual’s identity using information that cannot be found on social platforms, such as a unique company-issued ID, and not just a full name and date of birth, for example. If the individual calling can provide you with all the correct information, you may need to think outside the box; what are the circumstances surrounding this issue? Is the caller experiencing the issue they’re asking about? For example, if the caller asks for a password reset due to an ‘account lockout,’ you should verify that the account is locked out before proceeding with assistance. Most organizations have a form of internal communications platform used for employee-to-employee messaging and the like. Some organizations even have a call roster with the employee’s personal number. Therefore, give the employee a quick call to verify that the individual is contacting you.

Training

Training is the most crucial defense against social engineering tactics. With incidents happening daily, remaining vigilant is essential. However, mere vigilance is not enough; frequent proactive security awareness training is vital to mitigate this type of threat. By consistently providing training, users gain a deeper understanding of the risks and measures to counter social engineering attacks.

This continuous education keeps cybersecurity at the forefront of their minds, ensuring they are better equipped to identify and respond to potential threats. Employing various training techniques and approaches helps to reinforce key principles and enhance overall cybersecurity proficiency among users. By prioritizing proactive cybersecurity awareness programs, organizations can establish a culture of security awareness and significantly reduce the propensity for successful social engineering attacks.

How Adlumin Can Help Protect Your Organization

Proactive Security Awareness: Adlumin offers a managed Proactive Security Awareness Program, which, as stated previously, is the best defense to counter social engineering tactics. Adlumin will develop and run monthly customized phishing simulations to educate and equip your users on how to identify phishing attempts. Learn more here.

Illuminate Threats and Eliminate Risks

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts. Join our community and be part of the frontlines against cyber threats.

Cybersecurity Time Machine Series: The Evolution of Threat Actors

October 5, 2023/in Blog Post/by Brittany Demendi

By: Brittany Holmes, Corporate Communications Manager

In an interconnected world, the digital landscape has become the breeding ground for opportunities and dangers. Cybercriminals have taken advantage of this evolution every step of the way and have become more prevalent. As a result, all organizations are now targets. Staying one step ahead is imperative. For organizations to protect themselves and their assets effectively, they need to understand how threat actors adapt and refine their strategies.

The 2023 Cybersecurity Awareness Month’s theme celebrates 20 years of cybersecurity awareness. In relevance, we want to look back on the past 20 years to shed light on the significance of understanding a few prominent threat actors’ evolutions.

Threat Actors in The Early 2000s

During the early 2000s, the internet was crawling with cybercriminals and script kiddies as primary threat actors. A script kiddie is a cybercriminal who uses existing code or computer scripts to hack into a computer. They usually lack the knowledge to come up with it on their own.

Motivated by a thirst for knowledge and the desire to showcase their technical skills, these individuals exploited vulnerabilities across networks. Their targets varied, encompassing everything from corporate entities to personal computing systems. Using a wide range of techniques, script kiddies mimicked the actions of their more experienced counterparts on a less sophisticated level. As time went on, their motivations began shifting towards financial gain.

As a result, advanced phishing and malware attacks started gaining traction within the digital world. These malicious actors honed their skills in deceiving unsuspecting individuals, often using highly sophisticated techniques to harvest personal information and turn it into profits. This transition marked a turning point in the world of cyber threats, setting the stage for more organized and financially driven attacks in the years to come.

Rise of Nation-State Actors 2005-2010

The rise of nation-state actors has significantly impacted cybersecurity. One trend is the emergence of state-sponsored cybercriminals, who are employed by governments to sabotage operations and carry out cyber espionage. These cybercriminals are motivated by various factors, including gathering intelligence, financial gain, and gaining a competitive edge in certain industries. Their targets often include government agencies, defense contractors, and critical infrastructure.

Two Notable Cyberattacks:

In 2007, Estonia experienced a massive wave of distributed denial-of-service (DDoS) attacks, believed to be orchestrated by Russia in response to a diplomatic dispute.
In 2010, the Stuxnet worm created a new era of cyber warfare by targeting industrial control systems (ICS) used in Iran’s nuclear program. It was later revealed to be a joint effort by the United States and Israel.

These incidents demonstrate the extent to which countries are now leveraging cyberattacks as a strategic tool for achieving their geopolitical goals.

Rise of Hacktivist Groups (2010-2015)

Between 2010 and 2015, groups such as Anonymous and LulzSec came onto the scene. Their targets and motivations were wide-ranging, as they aimed to challenge authority, expose secrets, and promote freedom of information. Using tactics like data breaches and DDoS attacks, these groups looked to disrupt and damage the systems and credibility of their targets.

Two Notable Hacktivist Groups:

Anonymous, founded in 2003, is a group that often attacks with a justice philosophy in mind. They targeted corporations, governments, and organizations that they thought were corrupt, oppressive, or unethical. Their actions included taking down the websites of major financial institutions during the Occupy Wall Street movement.
LulzSec focused on causing chaos and amusement within the online community. Operating as a small team of cybercriminals, they deployed various cyberattacks targeting high-profile organizations like PBS, Fox, the X Factor, and individuals. Their motivations were often driven by the pursuit of “lulz,” or laughter, as they exposed vulnerabilities.

Ultimately, hacktivist groups demonstrate cyber activism to challenge authority and expose injustices. Their actions, whether through DDoS attacks or data breaches, highlighted the potential power of the internet in promoting transparency and holding institutions accountable. This period also raised questions about the lines between activism, vigilantism, and criminal activity, forcing governments and corporations to adapt their cybersecurity measures in response to this new digital landscape.

Shift Towards Advanced Persistent Threats (APTs) and Ransomware (2015-Present)

Over the past few years, we have seen a significant shift in threats with a rise in APT groups. These groups have a specific goal and aim to infiltrate and maintain long-term access to systems and networks. Another growing threat in the cyber landscape is ransomware attacks. Unlike APTs, ransomware attacks focus on quickly encrypting or disabling systems data until a ransom is paid. The reason behind these attacks is usually financial gain. Ransomware groups target small and large businesses. What is particularly concerning about ransomware attacks is the evolution and sophistication of the strains being used.

Notable ATP Examples:

Deep Panda: This group mainly targets US government institutions looking to steal intellectual property and state secrets. They focus on high tech, education, legal services, telecommunications, finance, energy, and pharmaceuticals. They have been known to be highly organized and remain undetected on networks for months at a time.
GhostNet: This has been a large-scale cyber spying operation that tricked users into downloading a malicious file. Once the user interacts with the file, a remote access trojan, known as ‘Ghost Rat,’ is then installed on their computer. They are known to have breached over 1,200 computers belonging to foreign ministries, government offices, and embassies in 103 countries.

These attacks often target governments, corporations, and other high-value organizations, stealing sensitive information or conducting espionage.

Notable Ransomware Attacks:

WannaCry: In 2017, malicious software spread globally, encrypting Windows operating systems. It encrypted files and demanded ransomware to restore access. These attacks went after hundreds of thousands of computers in over 150 countries.

LockBit: In 2019, LockBit deployed advanced encryption algorithms to make files inaccessible and display a ransomware note demanding payment. There are various delivery methods, including gaining access to unauthorized networks, phishing emails, and software vulnerabilities. They use double-extortion methods, setting LockBit apart from other ransomware.

The overall evolution of threat actors will continuously change and become more sophisticated. They are growing in scale, posing a significant risk to organizations of all sizes. Educating yourself and your organization on the latest threat actors can help prepare you.

Take Proactive Security Measures

The past two decades have shown a significant evolution in the cybersecurity landscape, particularly in the sophistication and complexity of threat actors. The market has shifted and now every organization, big or small, is a target. Organized groups have emerged, adding a new level of threat to mid-market organizations that previously believed they were too small to be targeted. The financial gains associated with cyber threats have become the main motivator, and it is crucial to recognize the evolving nature of these attacks in order to stay protected.

Stay tuned for our blog next week to explore the next steps to protect your organization from cyber threats.

Adlumin’s Spot the Lurker Challenge

Unleash the power of knowledge and stand a chance to win big in the ‘Defeat the Lurker’ contest. Download Adlumin’s 2023 Threat Report Round-Up, shine a light on hidden threats and equip yourself with the tools to protect your network while entering for a chance to win amazing prizes.

Enter the Contest

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.

Unraveling Cyber Defense Model Secrets: The Future of AI in Cybersecurity

September 28, 2023/in Blog Post/by Ellen Loughlin

By: Arijit Dutta, Director of Data Science

Welcome to the Unraveling Cyber Defense Model Secrets series, where we shine a light on Adlumin’s Data Science team, explore the team’s latest detections, and learn how to navigate the cyberattack landscape.

The increasing threat landscape for organizations has forced cybersecurity teams to adopt digital transformation. The COVID-19 pandemic has further complicated matters by accelerating the adoption of cloud services, leading to a proliferation of cloud providers and a surge in the number of IoT devices transmitting data to the cloud.

This complex web of interconnections has brought about greater scale, connectivity, and speed in our digital lives but has also created a larger attack surface for cybercriminals. Responding to these challenges, cybersecurity teams are turning to AI-powered automation, especially machine learning, to uncover, evaluate, and effectively counter system, network, and data threats. Understanding the role of AI in cybersecurity is critical for organizations to protect themselves against malicious cyber activities effectively.

In this blog, we explore the current technologies available, the exciting developments on the horizon, and the transformative impact of AI.

Current, Upcoming, and Future AI Technology

As in most industries, AI technology is indispensable in organizations today for distilling actionable intelligence from the massive amounts of data being ingested from customers and generated by employees. Organizations can choose from various available data mining and AI methods depending on desired outcomes and data availability. For example, if the goal is to evaluate each customer for digital marketing suitability for a new product, “supervised” methods such as logistic regression or decision-tree classifier could be trained on customer data.

These use cases require customer data on prior actions, such as historical responses to marketing emails. For a customer segmentation problem, “unsupervised” methods such as density-based clustering algorithm (DBSCAN clustering) or principal component analysis (PCA) dimensionality reduction are called for, where we don’t impose prior observations on specific customer actions but group customers according to machine-learned similarity measurements. More advanced methods, such as Artificial Neural Networks, are deployed when the use case depends on learning complex interactions among numerous factors, such as customer service call volume and outcome evaluation or even the customer classification and clustering problems mentioned earlier. The data volume, frequency, and compute capacity requirements are typically heavier for artificial neutral networks (ANNs) than for other Machine Learning techniques.

The most visible near-term evolution in the field is the spread of Large Language Models (LLM) or Generative AI, such as ChatGPT. The underlying methods behind these emergent AI technologies are also based on the ANNs mentioned above – only with hugely complicated neural network architectures and computationally expensive learning algorithms. Adaptation and adoption of these methods for customer classification, segmentation, and interaction-facilitation problems will be a trend to follow in the years ahead.

Cybersecurity Solutions That Use AI

At Adlumin, we develop AI applications for cyber defense, bringing all the techniques above to bear. The central challenge for AI in cyber applications is to find “needle in haystack” anomalies from billions of data points that mostly appear indistinguishable. The applications in this domain are usefully grouped under the term User and Entity Behavior Analytics, involving mathematical baselining of users and devices on a computer network followed by machine-identification of suspicious deviations from baseline.

To skim the surface, here are two solutions cybersecurity teams use that incorporate AI: 

Two Automation Cybersecurity Solutions for Organizations 

User and Entity Behavior Analytics (UEBA) 

UEBA is a machine learning cybersecurity process and analytical tool usually included with security operation platforms. It is the process of gathering insight into users’ daily activities. Activity is flagged if any abnormal behavior is detected or if there are deviations from an employee’s normal activity patterns. For example, if a user usually downloads four megabytes of assets weekly and then suddenly downloads 15 gigabytes of data in one day, your team would immediately be alerted because this is abnormal behavior.

The foundation of UEBA can be pretty straightforward. A cybercriminal could easily steal the credentials of one of your employees and gain access, but it is much more difficult for them to convey that employee’s daily behavior to go unseen. Without UEBA, an organization cannot tell if there was an attack since the cybercriminals have the employee’s credentials. Having a dedicated Managed Detection and Response team to alert you can give an organization visibility beyond its boundaries. 

Threat Intelligence 

Threat intelligence gathers multi-source, raw, curated data about existing threat actors and their tactics, techniques, and procedures (TTPs). This helps cybersecurity analysts understand how cybercriminals penetrate networks so they can identify signs early in the attack process. For example, a campaign using stolen lawsuit information to target law firms could be modified to target organizations using stolen litigation documents.

Threat intelligence professionals proactively threat hunt for suspicious activity indicating network compromise or malicious activity. This is often a manual process backed by automated searches and existing collected network data correlation. Whereas other detection methods can only detect known categorized threats.  

AI Risks and Pitfalls to Be Aware of

When building viable and valuable AI applications, data quality and availability are top of mind. Machines can only train on reliable data for the output to be actionable. Great attention is therefore required in building a robust infrastructure for sourcing, processing, storing, and querying the data. Not securing a chain of custody for input data means AI applications are at risk of generating misleading output.

Awareness of any machine-learned prediction’s limitations and “biases” is also critical. Organizational leadership needs to maintain visibility into AI model characteristics like “prediction accuracy tends to falter beyond a certain range of input values” or “some customer groups were underrepresented in the training data.”

Operationally, an excellent way to proceed is to build and deploy a series of increasingly complex AI applications rather than being wedded to a very ambitious design at the get-go. Iteratively adding functionality and gradually incorporating more data fields can make measuring performance easier and avoid costly mistakes.

Organizations Embracing AI 

Organizations need to build a cybersecurity infrastructure embracing the power of AI, deep learning, and machine learning to handle the scale of analysis and data. AI has emerged as a required technology for cybersecurity teams, on top of being one of the most used buzzwords in recent years. People can no longer scale to protect the complex attack surfaces of organizations by themselves. So, when evaluating security operations platforms, organizations need to know how AI can help identify, prioritize risk, and help instantly spot intrusions before they start. 

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts. Join our community and be part of the frontlines against cyber threats.

Shadows to the Light: The Key Role of Visibility in Strengthening Cybersecurity

September 20, 2023/in Blog Post Brittany Demendi/by Adlumin Staff

By: Mark Sangster, VP, Chief of Strategy

Visibility in Three Parts: Part 1

Fiat Lux: Lighting the Way to Cybersecurity

Detection is key in many aspects of life, from medical diagnosis to positive treatment to more existential threats posed by massive storms like hurricanes or destructive tornadoes. The quicker we can detect something threatening or dangerous, the sooner we can respond accordingly. While we take this for granted in everyday life, we don’t always appreciate the value of early detection in cybersecurity. Put another way, making cyber threats visible is key to mitigating the risk.

This three-part blog series focuses on how we bring light to the threats and make them visible. In this series, I will explore what we mean by visibility in terms of cybersecurity, methods to detect or make visible threats, and how to measure your ability to detect and respond to those threats, measured in terms of business outcomes.

Part I: There is More to This Than Meets the Eye

When it comes to understanding the meaning of this statement, astronomy is a good teacher. Throughout the ages, scientists and novices alike have stared into the night skies, seeking answers. They looked to understand the celestial motions to predict the season for agriculture, suitable times for trade and travel, or simply to understand the world around them. Until the invention of the telescope in the early 1600s¹ only six planets in our solar system were visible. Not nearly 200 years later, advances in telescope lenses aided William Hershel in discovering a seventh planet, Uranus.

Yet observers of this planet were perplexed that the Newtonian physics thought to govern the motion of the planets could not account for certain anomalies in Uranus’ orbit. Astronomers predicted the presence of another planet that would explain these perturbations. In 1846, advances in telescope acuity and predictive orbital calculations led to the discovery of Neptune. Yet it wasn’t until 1989 that Voyager 2’ flyby discovered additional moons and dark rings that orbit the blue gas giant.²

The Power of Visibility in Cybersecurity

Lesson 1: The Need for Tools

There are two critical lessons from this brief history of planetary discovery. The first is that there is more to this than meets the eye. We need to develop tools and instruments to detect invisible objects. As thriller author Chris Pavone mused, “The best hiding spots are not the most hidden; they’re merely the least searched.³

In terms of cybersecurity, we develop new instruments to detect threats year after year. Firewalls, antivirus, endpoint detection and response, and so on. Each technology provides a set of detection capabilities that overlap the least searched locations, as Pavone suggests.

Lesson 2: The Presence of Inferential Threats

The second lesson is that not everything is obvious to the naked eye, even with the help of a telescope or similar augmentation of acuity. Consider another comparison to visible light. The portion of the electromagnetic (EM) spectrum that our eyes can detect is visible light.⁴ Yet this visible portion of the EM spectrum accounts for about 0.0035 percent of its entirety. The vast majority remains invisible. Our eyes cannot detect radio or microwaves or see infrared or ultraviolet light or X-rays.

Yet we can hear radio waves when captured by a sensor and converted into sound waves. We use microwaves to heat food. We can feel the heat of infrared and ultraviolet light, leading to sunburn when skin is unprotected. And X-ray imaging is a staple of medical care. We can’t see these forms of EM energy, but we can infer their presence from secondary evidence.

That’s the second lesson: not all cybersecurity threats are obvious or come in the form of an alert thrown by a firewall, endpoint defense, or antivirus. Those obvious threats like spam emails or messages from streaming services about declined payments are the background radiation of the internet. While primarily harmless at this point, they have the negative consequence of lulling too many pre-victims into a false sense of security.

Harnessing Implicit and Inferential Detections

Many threats are inferential, they don’t elicit an alert. They are the signals hiding in Pavone’s “least searched spots.” For example, most attacks begin with compromised credentials accessing security controls to create the appearance of legitimate activity. Credentials that were stolen using subtle phishing lures like student requests for mentoring or notification of fake lawsuits.

Once in, criminals use compromised accounts and devices to map your network, connect to critical services to identify valuable assets, and even create new user accounts in Active Directory. Lateral movement, privilege escalation, reconnaissance, staging, and more are all precursors to attacks. In many cases, these events go undetected. And these activities traverse your remote access gateways. Using your tools against you is a broad category of tactics called “living off the land.”

Leveraging Threat Hunting and Artificial Intelligence

Creating a robust cybersecurity defense requires multiple, overlapping sources that cover your entire attack surface. Full spectrum coverage includes more than internet traffic, endpoints and in-network communications, and cloud-service access. It’s covering remote access points and correlating those data points to create a contextual fabric of visibility: who is accessing what and why. Beyond tactical visibility, your attack surface includes vulnerability management and patching, simulated attacks, asset discovery, and security awareness programs.

Detecting these threats requires line speed analysis of network traffic and the correlation of users, groups, devices, and systems. It means collecting enormous volumes of data, normalizing and aggregating the data, and then analyzing it as fast as criminals can move inside your environment.

Of course, like light, the more security information you collect, the harder it is to focus the data to create a big picture. As you open the security aperture, the resource load is almost exponential. Most security teams will attest that exhausted resources and diminished budgets are no match for increasing cyber threats and growing regulatory requirements.

Up Next: Parts 2 & 3

In the next part of the series, we will explore how we harness implicit and inferential detections, use threat hunting to take the fight to the adversary and employ artificial intelligence to manage alert overload and spot invisible threats.

For more information about why implementing proactive security measures is essential to visibility, download “The Executive’s Guide to Cybersecurity.”

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts. Join our community and be part of the frontlines against cyber threats.

Understanding the Fine Print: Cybersecurity Insurance vs. Warranties

September 14, 2023/in Blog Post Brittany Demendi/by Ellen Loughlin

By: Brittany Holmes, Corporate Communications Manager

The rise in cybercrimes and attacks has reached an alarming rate, putting organizations at risk of losing sensitive information and digital assets. The need to remain protected against these threats has led to the adoption of two key tools: cybersecurity insurance and cybersecurity warranties. While both aim to strengthen defense mechanisms, their approach to ensuring protection differs.

Adlumin’s latest Cyber Threat Insights report highlights a 20% surge in security threat detections, further emphasizing the importance of these tools in safeguarding businesses and organizations. But what exactly do these terms entail, and how do they differ in ensuring protection?

This blog covers cybersecurity insurance and warranties, unveiling the key distinctions and highlighting their role in safeguarding against cyber threats that lurk in the dark.

Understanding Cybersecurity Insurance

Cybersecurity insurance, also known as cyber insurance, cyber liability insurance, or cyber risk insurance, provides financial protection and assistance to organizations in the event of a ransomware attack, data breach, or any other form of cyberattack. It is designed to address the frequency and complexity of cyber threats and the potential financial losses that can result from them. Organizations purchase a contract where the organization’s liability for financial damages is minimized, alleviating the overall consequences if an incident occurs.

What does it protect against?

Cyber insurance covers any type of theft, compromise, or loss of electronic data that negatively impacts an organization. It can help reduce financial risk and keep an organization from paying out of pocket. Any organization that stores, manages, or creates electronic data can benefit from cyber insurance. Sensitive information like customer login information, social security numbers, contact numbers, or any personally identifiable information are all targets for cybercriminals.

Benefits of Cybersecurity Insurance:

Financial protection against losses
Assistance in incident response and recovery
Access to specialist resources and expertise

Exploring Cybersecurity Warranties

A cybersecurity warranty or cyber warranty can be described as when a provider guarantees they will pay a certain amount if their customer experiences a breach or incident. The purpose is to instill confidence in customers that their product or service has undergone rigorous testing and meets security standards. It helps mitigate the risks associated with cyberattacks and provides a form of assurance that the provider will take responsibility in the event of a security breach.

The conditions for a warranty vary based on the provider; some will expect the customer to abide by a set of security standards to be covered by their contract, or some expect the customer to prove that they were using the product or both. The losses a warranty can cover can vary, but they are typically a set amount.

What does it protect against?

Cybersecurity warranties cover various events, including:

Legal Liability: The warranty may cover the costs of letting the individuals affected by a data breach know and the legal expenses related to potential lawsuits.
Business Interruption: The warranty may cover the losses resulting from business interruption, including revenue loss, extra expenses incurred, and reputational damage.
Compliance Event: If a compliance event results in a breach of applicable regulations or standards, a cybersecurity warranty may cover the costs of fines and penalties imposed by regulatory authorities.
Ransomware/Business Email Compromise: ransomware, including payouts for ransoms or business email compromise, resulting in financial loss.

It is important to note that a cybersecurity warranty’s specific coverage and terms may vary depending on the policy and the provider.

Benefits of Cybersecurity Warranties:

Compliance support
Customer trust
Enhanced security
Liability transfer
Risk mitigation

Understanding the Fine Print: Cybersecurity Insurance vs. Warranties

While cybersecurity warranties can function well with cybersecurity insurance, they are not alternatives for each other. Instead, they are complementary. Warranties have more limitations than insurance, but they fill in the gaps in situations where insurers won’t pay out. For example, having a cybersecurity warranty in place may assist in reducing insurance premiums. They are both tools designed to mitigate the financial risk associated with cyberattacks and data breaches.

While cybersecurity insurance and warranties serve different functions, they go hand in hand with a comprehensive risk management strategy. Cybersecurity insurance helps organizations transfer the financial risks associated with cyber incidents to an insurance provider, while warranties provide an additional layer of assurance that the products or services being used have met certain security standards.

For example, if a breach occurs despite the organization implementing robust cybersecurity measures, cybersecurity insurance and warranties can cover the costs of incident response, legal expenses, and any financial losses. Together, they can help organizations mitigate potential financial losses and give them peace of mind knowing that they have protection against cyber threats.

The Ultimate Protection Complement

By combining cybersecurity insurance and warranties, organizations can ensure comprehensive coverage and minimize their financial exposure in the event of a cyber incident. It is important for organizations to carefully assess their cybersecurity risks, evaluate the warranties provided by vendors, and work with insurance providers to customize a cybersecurity insurance policy that suits their specific needs and risk profile.

Let’s Get Started

Learn more about how Adlumin Protect Warranty Certification can safeguard you against business continuity and insure against loss, protecting your revenue and recovery.

A Threat Actor's Playbook: Behind the Scenes of Akira Ransomware

September 7, 2023/in Blog Post/by Ellen Loughlin

By: Adlumin Threat Research and MDR Teams

Adlumin’s Threat Bulletin Series

A Threat Actor’s Playbook: Behind the Scenes of Akira Ransomware is a part of Adlumin’s Threat Bulletin Series content series.

In the world of cybercrime, a new player continues to rise: Akira Ransomware. With historical evidence pointing towards nation-state sponsorship, particularly from Chinese Advanced Persistent Threat (APT) groups, this insidious malware has been targeting businesses in the supply chain. However, what sets Akira apart is its focus on smaller tech companies and startups, which are often backed by wealthy investors and at the forefront of technological innovation.

Insights

Historical attack indicators point to nation-state-sponsored groups such as Chinese Advanced Persistent Threat (APT) groups using the new Akira ransomware to target businesses in the supply chain.
Adlumin has observed that Akira ransomware has been used against smaller tech companies/startups since it debuted in March. These firms tend to develop innovative solutions using the latest technology and often have the backing of wealthy investors – all valuable information in the dark web.
Some of the IP addresses involved in an attack that Adlumin recently investigated were registered to Alibaba Cloud, a subsidiary of Alibaba Group, making the connection to Chinese APTs stronger.
Akira ransomware gains access through various attack vectors, including phishing campaigns and exploiting vulnerabilities in remote monitoring and management software (RMM). Notably, the actors behind these attacks also target vulnerabilities in VPN products, again hinting at potential involvement from Chinese APTs who have historically leveraged exploitation through VPNs.
Akira ransomware utilizes various tools and techniques, including the use of distinct tools during operation and the encryption mechanisms used to generate and safeguard encryption keys.

Disrupting the Technology Sector

With the recent targeting of yet another American technology startup in a cyberattack last week, cybersecurity analysts at Adlumin are now considering a crucial question: Could nation-state-sponsored groups potentially be utilizing the Akira ransomware to disrupt the supply chain?

Newcomer malware, Akira ransomware, continues to impact mid-market entities in the utility, construction, manufacturing, education, and transportation sectors, not just in the U.S. but also in countries like Sweden, Australia, Argentina, Japan, and others.

The threat actors behind these attacks have been increasingly targeting smaller tech companies and software makers of IT solutions aimed at educators, office administrators, consultants, entrepreneurs, and even hobbyists.

Akira ransomware attack victims in the IT sector include Cequint, Wilcom, GC&E, WTI Western Telematic, Computer Information Concepts, and Optimum Technology.

The recent Akira ransomware incident examined by Adlumin’s Managed Detection and Response (MDR) analysts also targeted a firm within the IT industry. The malicious actors employed typical tactics, techniques, and procedures (TTPs) like brute force attacks, lateral movement, and credential theft. Nevertheless, indications suggest the potential involvement of a significantly larger entity in these breaches. This assumption stems from the historical behavior of advanced persistent threats (APTs), which often disrupt the supply chain by targeting small enterprises.

Vectors and Exploitation

Akira ransomware made its debut in the malware landscape in March 2023. Since then, threat actors have been using methods like phishing campaigns, exploiting vulnerabilities in remote monitoring and management software (RMM), remote desktop protocol (RDP), and tools like RustDesk for remote access. There have also been recent news reports about threat actors using vulnerabilities and compromised credentials in Cisco virtual private network (VPN) products as additional ways of carrying out attacks.

Adlumin MDR analysts theorize that threat actors behind last week’s attack infiltrated the victim’s network through their VPN due to the numerous VPN events detected by the Adlumin Security Operations Platform in the initial stages of the attack.

Analysts also found that numerous IP addresses used by the threat actors in the attack were registered to Alibaba Cloud, a subsidiary of the Chinese conglomerate Alibaba Group. Researchers at RSA have previously found that Chinese APTs frequently use VPNs and VPN tunneling as a tactic for exploitation and to hide their tracks and exfiltrate data. Furthermore, upon review of network data logs, numerous destination ports during the attack were to servers in China. However, other destinations included servers in Singapore, Paris, Russia, and even cities within the U.S., such as Los Angeles.

Lateral Movement

Once in the networks, the malicious actors initiated lateral movement — compromising hosts running Windows Servers 2012, 2016, and 2019.

Akira ransomware distinguishes itself by its ability to exploit vulnerabilities in Linux systems, marking a departure from conventional ransomware. Research indicates that attacks on Linux machines surged by 75 percent in 2022.

Notably, two endpoints running Ubuntu Bionic Beaver 18.04.6 LTS and Ubuntu 18.04.03 LTS were indeed targets of the attack.

Data Deletion and Exfiltration

Threat actors escalated tactics using PowerShell commands to delete shadow copies with “Get-WmiObject Win32_Shadowcopy | Remove-WmiObject.”

Threat actors then moved to file encryption. MDR analysts identified encrypted files marked with the “.akira” extension, such as “foo.doc.akira.” Additionally, an accompanying ransom note named “akira_readme.txt” was discovered.

Adlumin MDR analysts suggested that the data theft might have occurred using DNS, a method commonly employed by APTs to minimize detection. This technique involves breaking down the stolen data into smaller encrypted chunks, which are then sent to external servers using UDP instead of TCP. The exact amount of data taken in the attack is still unknown, and the investigation is ongoing.

Akira Ransomware Analysis

The following is an analysis of the Akira Ransomware from Adlumin’s Threat Research Team with supportive information from other sources (listed at the end of this section).

Attack Process: The incursion initiates when an instance of the Akira ransomware is activated. Upon execution, the ransomware eliminates Windows shadow volume copies on the targeted device. Subsequently, the ransomware encrypts specific file types with predetermined extensions. It modifies each encrypted file’s name by adding the ‘.akira’ extension during this encryption procedure.

During encryption, the ransomware halts active Windows services using the Windows Restart Manager API to ensure an uninterrupted encryption process. It focuses on encrypting files within various hard drive directories, excluding certain folders like program data, recycle bin, boot, system volume information, and Windows folders.

Notably, Windows system files with extensions such as .sys, .msi, .dll, .lnk, and .exe remain untouched to maintain system stability. In most infiltration cases, unauthorized parties exploit compromised credentials to gain initial entry to the victim’s environment.

It is noteworthy that a significant number of victim organizations did not enable multi-factor authentication (MFA) for their VPNs. The source of the compromised credentials is uncertain, but it is plausible that threat actors acquired access or credentials from illicit sources on the dark web.

Toolset: Upon obtaining initial access, the Akira ransomware employs a distinct variety of tools, including PCHunter, Advanced IP Scanner, AdFind, SharpHound, MASSCAN, Mimikatz, LaZagne, AnyDesk, Radmin, Cloudflare Tunnel, MobaXterm, Ngrok, WinRar, WinSCP, Rclone, FileZilla, and PsExec.

During operation, the ransomware generates a symmetric encryption key using the CryptGenRandom() function, a Windows CryptoAPI random number generator. The symmetric key undergoes further encryption using the RSA-4096 cipher and is appended to the end of the encrypted file. The specific public key used is hardcoded within the ransomware’s binary code and varies across different instances.

Malware Analysis Supportive Sources:

Conclusion

There could be many reasons why APTs may be going after smaller, lesser well-known IT companies. Among these is the prospect of acquiring intellectual property, particularly considering that these startups may be developing new technology that holds significant value in the dark web.

Perhaps threat actors are looking for information on how these companies are funded, including names of investors who could potentially become targets of future spear and whale phishing campaigns.

Whatever the case may be, adversaries are finding that these IT firms have weaker network security than tech giants and thus become easy targets for their aggressive attacks.

Akira Ransomware Indicators of Compromise (IOCs)

Hashes

431d61e95586c03461552d134ca54d16
af95fbcf9da33352655f3c2bab3397e2
c7ae7f5becb7cf94aa107ddc1caf4b03
d25890a2e967a17ff3dad8a70bfdd832
e44eb48c7f72ffac5af3c7a37bf80587
302f76897e4e5c8c98a52a38c4c98443
9180ea8ba0cdfe0a769089977ed8396a68761b40
1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296

Summer 2023: Uncovering Cyber Threats in Education

September 7, 2023/in Blog Post/by Ellen Loughlin

By: Brittany Demendi, Corporate Communications Manager

With classes now back in session, the education sector continues to face unique cybersecurity challenges due to its diverse user base, limited IT resources, and increasing adoption of Chromebook and other devices.

Adlumin’s Threat Research Team uncovers double extortion ransomware as one of the leading threats against educational institutions. This type of attack focuses on hackers encrypting data and threatening to leak it. Threats like this put educational institutions at risk of emotional distress, privacy loss, and legal consequences.

To better understand the cybersecurity challenges and emerging threats facing the education sector, download Cyber Threat Insights: Education Edition. This report provides valuable insights into the risks faced by educational institutions and emphasizes the importance of investing in proper cybersecurity measures to protect sensitive data and safeguard against cyberattacks.

Don’t wait until it’s too late – take the necessary steps to protect your enterprise network by learning more about the challenges and solutions in the education sector.

Learn More

Schedule an Adlumin Demo

September 6, 2023/by Ellen Loughlin

Summer 2023 Threat Insights: Unlock the Latest Cybersecurity Trends

August 31, 2023/in Blog Post Brittany Demendi/by Ellen Loughlin

By: Brittany Demendi, Corporate Communications Manager

Protecting your IT environment from cyberattacks is more crucial than ever. Adlumin’s Cyber Threat Insights: Summer 2023 provides a comprehensive overview of the latest threats and vulnerabilities. Revealing a concerning 20% surge in security threat detections, highlighting the increasing frequency of cyberattacks on organizations.

Not only are these threats becoming more frequent, but their severity is also escalating, with a higher percentage of critical ‘High’ severity detections compared to previous periods. It is essential for organizations to stay one step ahead of these evolving threats. Adlumin’s Cyber Threat Insights emphasizes the importance of leveraging Security Orchestration and Automated Response solutions, which have seen a 30% increase in use.

By downloading Adlumin’s Cyber Threat Insights: Summer 2023, you will gain valuable insights into the latest trends and developments and actionable recommendations to enhance your proactive defense strategies and mitigate cyberattack risks.

Don’t wait until it’s too late – take the necessary steps to protect your enterprise network.

Learn More

8 Essential Questions to Ask: Choosing the Right MDR Provider

August 24, 2023/in Blog Post Jen Thompson/by Adlumin Staff

By: Jen Thompson, Director of Product Marketing

The emphasis on technology solutions can overshadow the crucial role played by effective management. While advanced solutions are essential, their potential remains untapped if not properly implemented and maintained. All too often, promising technologies end up as shelfware, collecting dust instead of protecting our employees and customers. To truly safeguard our environments, we must shift the focus towards not just cutting-edge technology but also the diligent management and utilization of these cybersecurity solutions by seeking Managed Detection and Response (MDR) providers.

MDR is a technology that aims to speed detection and response through automation and provide a solution to empower lean teams by acting as an extension to their current security operations. Finding an MDR provider that will meet your organizational challenges takes research and careful consideration.

Adlumin’s industry expert and Senior Director of Product Marketing, Jen Thompson, discusses essential questions you need to ask when considering an MDR provider and provides answers that will help you make informed decisions when protecting your organization.

What security signal are you able to monitor and protect?

Think about it – cyber criminals attempt to be sneaky to avoid detection. Sometimes, they leave tiny breadcrumbs that are easy to overlook, but when you connect all your security data, those breadcrumbs turn into a trail that leads an analyst to uncover what happened. It’s like shining a light on every nook and cranny of your cybersecurity landscape. It’s not uncommon for cybercriminals to bypass a security signal before finally being caught. And the more monitoring an MDR provider can provide, the better. There are assorted flavors of MDR providers regarding what they will ingest and monitor. The three main profiles are ones that only manage Endpoint Detection and Response (EDR), those that manage network and SIEM, and providers that look at all your security signals. In addition to understanding what they ingest, it’s essential to know if you can connect your current technology or if you must use the provider’s technology (or, in some cases, are limited to their existing integrations).
What metrics and reporting do you offer to help organizations track and understand their security posture effectively?

MDR providers should give access to various reporting capabilities to help organizations track and understand their security posture. These include incident reports, threat intelligence reports, performance and efficacy metrics, compliance reports, trend analysis, executive dashboards, and ad-hoc reporting. These reports can give organizations valuable insights into their security landscape and help them understand their security state effectively.Organizations need to discuss their reporting requirements and expectations with potential providers to ensure alignment and obtain the most relevant and useful information for tracking and understanding their security posture.
What type of visibility will I have into my environment?

Like a doorbell camera monitoring your house, you should also have access to the same data and view as your MDR provider. Gone are the days of the black box approach to managed security. MDR providers act as an extension of your team, giving you 360-degree visibility. You should be able to see what alerts are being investigated, why alerts were closed, and the details of an active investigation. Initially, this may look like check-ins to start to trust the provider, but then it will evolve into the benefits of having an extended team. This allows you to dedicate your time to building a proactive approach to security, understanding your risks, and implementing changes.
If you are in a regulated industry, how will you help me comply with frameworks like PCI DDS, FFIEC, and HIPAA Assessments?

Proving compliance can become a time-consuming process. With all your data in one location, pulling the required data to show compliance should be easy. Your MDR team should be providing support for your day-to-day tasks so you can focus on improving your security posture. Being able to run compliance reporting throughout the year can provide insights into which areas of your security program require improvement to reduce risk. Like other reporting capabilities, you should have direct access to evaluate and understand your compliance needs.
How do you provide scalability and flexibility to accommodate growing business needs?

A scalable MDR solution should seamlessly adapt to increased data volume, diverse threat landscapes, and connecting to new or additional security technology. Simple pricing and licensing are critical in meeting the evolving demands of a growing business and provide scalability. It’s important that your provider can streamline your security program into a centralized location by offering key components such as threat hunting, vulnerability management, incident response, and more. Another thing to consider as your business grows and your security evolves is the flexibility to choose who manages the platform.
How do you use machine learning to detect anomalies in an environment?

Machine learning (ML) and Artificial Intelligence (AI) are becoming more commonplace words in cybersecurity. As cybercriminals evolve their tactics and techniques to evade security controls and the shift to the cloud, they can easily go undetected. MDR providers should have a team of data science and threat researchers who identify these new methods and build machine learning models based on this activity to develop detections. Additionally, the security platform your provider uses should include user entity and behavior analytics to create behavioral profiles for users so it can detect when behaviors deviate from the baseline. Here is an example of Adlumin’s Threat Research Team examining a recent emerging threat.
What is the onboarding process? How long will it take to be fully up and running?

The onboarding process should be simple and only take a few hours. Deployment and tool integration should be intuitive, necessitating minimal aid. Initial support with an onboarding call will help guide you through a smooth setup. A straightforward onboarding process not only accelerates security enhancement and return on investment but also showcases the provider’s commitment to efficiency and effectiveness. It also usually indicates a provider’s ability to deliver a Proof of Value, enabling you to experience their capabilities firsthand.
What does customer support look like?

A dedicated customer support representative within your MDR provider is a direct link to assistance and quick resolution when you have questions. With a dedicated customer success manager, you gain a partner who advocates for your interests. This focused support enhances collaboration, builds trust, and helps you maximize your security investment. Some MDR providers also offer a dedicated post-sales engineer as additional support.

Get Started

By considering these questions and your unique circumstances, you will be better equipped to find tools that meet your specific criteria and maximize their value to your business.

For additional help, contact us today, schedule a demo, or sign up for a free trial. Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority.