Read the latest cyber threat research covering digital risks, vulnerabilities, and attack techniques to develop proactive strategies and defenses against emerging cyber threats.

Unraveling Cyber Defense Model Secrets: Credential Harvesting and Insider Threats

By: Bronwen Cohn-Cort, Data Scientist, and Shaul Saitowitz, Data Scientist

Welcome to the Unraveling Cyber Defense Model Secrets series, where we shine a light on Adlumin’s Data Science team, explore the team’s latest detections, and learn how to navigate the cyberattack landscape.

The Essential Role of Threat Detection

Threat detection is a critical component of an organization’s cybersecurity strategy. Requiring the combination of human expertise and machine learning, risk can be significantly reduced by identifying threats before a potential attack.

Many threats can go unnoticed for months or even years. In IBM’s latest report, it takes an average of 277 days for security teams to identify and contain a data breach, and the cost of a breach skyrocketed, reaching an average of $4.45 million. Given the extended timeframe it often takes to detect and contain a data breach, organizations must proactively implement measures to quickly respond to potential threats and reduce the risk of costly damages.

To effectively combat malicious activity in your environment, it can be challenging to stay on top of all the potential threats, particularly as it demands skilled professionals who can develop models to apply artificial intelligence. Setting up alerts for when suspicious activity is detected can help organizations quickly respond to potential breaches and mitigate the risk of further damage to their systems and data.

Critical Detections for Your Network Security

While there are many types of security threats and detections to consider today, we highlight credential harvesting and insider threats as two crucial ones to add to your queue.

Adlumin Data Science is rolling out alerts for credential harvesting and insider threats, each capable of warning against prevalent attack tactics within their domains by utilizing user and entity behavior analytics. These detections are crucial as they are often difficult for organizations to identify.

Credential Harvesting Detection

A credential harvesting alert addresses a post-exploitation technique to broaden network access. After gaining a foothold, this alert will notify an organization about suspicious activities related to stealing login credentials from a computer system. This information can then be used to access other systems, steal data, or even compromise an entire network.

Sources of stored credentials include files, databases, registry entries, and memory structures where login credentials are stored, whether in plaintext or encrypted form. Some of these locations include LSASS (Local Security Authority Subsystem Service), GPP (Group Policy Preferences), and web browsers that store passwords. Cybercriminals can use one of many tools or techniques to capture the stored credentials.

These include utilities like Mimikatz, Hashcat, and SharpChromium. Once the credentials have been extracted, the attacker harvests them for future use. Encrypted passwords can be cracked offline and then used to access other systems within the network, furthering the attack.

The detection exposes several credential dumping techniques and delivers background on the tool discovered. This allows prompt stoppage of the unfolding attack and helps protect business assets. The detection model should be updated regularly to keep up with new tactics and methods.

Credential harvesting poses a significant threat to organizations, leading to unauthorized access, data breaches, and financial loss. Setting up alerts for credential dumping processes is crucial as it enables early detection and swift response to mitigate potential damage. Organizations can protect their sensitive information, maintain operational continuity, and uphold trust with customers and stakeholders by efficiently enriching, containing, and recovering from such incidents.

Insider Threat Detection: Aggregating and Analyzing Widespread File Deletion

Some ransomware variants, like REvil, involve mass file deletion; in some instances, an unauthorized insider may gain permissions sufficient to mass-delete files. The Insider Threat model detects and alerts on cases of a user or attacker deleting an abnormally high number of files across many different subdirectories. Further analysis is conducted to filter out file extensions and locations that likely correspond to benign deletion activity. For example, a user emptying the Recycle Bin would not trigger an alert.

Setting up an Insider Threat alert uses a machine learning model to determine anomalies in the number of Windows Event ID 4663 (“An attempt was made to access an object”) events with Delete access permissions. A high quantity of these 4663 events in a half-hour period significantly deviating from the customer baseline is considered anomalous.

The table below displays partially redacted information from 4663 events associated with an alert. For each, it shows the time of the log message, the computer name on which it occurred, and which Object Name and Process Name were associated with the event. This table can be used to further investigate the deletion activity by reviewing the details of what computers, locations, and types of files were involved.

Following an alert, activity from the username(s) in question should be examined if a threat actor compromised a user account. Suspicious behavior may warrant disabling the account and quarantining affected computers from the network. Review user actions and run an anti-malware scan and vulnerability assessment to check if the threat actor has performed any other actions, such as creating a logic bomb or backdoor.

Insider threats pose a significant risk to organizations as they can result in data breaches, financial loss, reputational damage, and operational disruptions. Malicious insiders or compromised accounts can intentionally or unintentionally cause harm by deleting critical files, installing malware, or stealing sensitive information.

Setting up Insider Threat alerts, like the one described here, is crucial for detecting suspicious activities, such as widespread file deletion, in a timely manner. By observing user behavior, organizations can proactively identify and respond to potential insider threats, mitigating the impact of security incidents and safeguarding their assets and operations.

Experience The Innovations 

Here at Adlumin, we know how important it is to see everything in cybersecurity. That’s why we offer a customized Security Operations Platform and Managed Detection and Response services to give organizations a complete view of their IT environment. But we go further than that. We believe in the value of firsthand experience, so we invite you to explore our platform yourself with a guided tour.

See how our platform helps your team find and address threats by arranging a demo or trying out our platform for free. Join the tour and boost your organization’s visibility to a whole new level.

The ABCs of Cyber: Assets, Budget, and Consolidation

Join cybersecurity experts Mark Sangster and Dave Grubber in this insightful webinar, tackling the challenges small to medium organizations encounter in countering cyber threats within budget and personnel constraints. Discover key insights on network protection, compliance navigation, AI/ML-driven security optimization, and strategic budgeting for heightened cybersecurity.

Black Hat 2024

Join Adlumin and industry leaders at Black Hat 2024. Discover cutting-edge research and enhance your skills through hands-on training, so your organization can stay ahead of the ever-evolving cybersecurity landscape.

FutureCon Boston

FutureCon Boston offers advanced security training, addressing cutting-edge security strategies and risk management in the dynamic landscape of cybersecurity. Cybersecurity is no longer just an IT problem, and FutureCon Boston helps you gain the knowledge you need to secure computing environments from advanced cyber threats.

The event features:

  • Discussions with C-level executives who have successfully mitigated the risks of cyber attacks.
  • Educating C-suite executives and CISOs about the global cybercrime epidemic and building Cyber Resilient organizations.

Attendees can demo the newest technology, interact with security leaders, and stay informed about pressing topics in the information security community.

Date: November 30, 2023
Location: Boston, MA

Contactmarketingevents@adlumin.com

A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos

By: Max Bernal, Technical Content Writer, and Adlumin’s Threat Research Team

A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos is a part of Adlumin’s Threat Bulletin Series content series.

In early September 2023, Caesars Entertainment in Las Vegas experienced a major cyberattack. The threat actors used a combination of social engineering tactics and ransomware to breach the casino’s networks and steal sensitive data. On September 10, another gambling conglomerate, MGM Resorts International, experienced a cyberattack by threat actors in the ALPHV ransomware-as-a-service (RaaS) group. The two attacks cost the casinos millions of dollars in losses.

Caesars Entertainment Cyberattack

Caesars Entertainment’s SEC filing on September 7, 2023, stated that it had suffered a social engineering attack “on an outsourced IT support vendor used by the company.” The exact date of the cyberattack was not disclosed, nor who carried out the assault.

In the filing, Caesars also stated that the cyberattack did not impact customer-facing operations like slot machines, guest services, and other services but that among the data stolen, the threat actor(s) had acquired a copy of the loyalty program database, which included member driver’s license and Social Security numbers.

Caesars also disclosed that it had taken steps to “ensure that the stolen data [was] deleted,” alluding that it had paid a ransom. Numerous news outlets, including Bloomberg, reported that the company paid “tens of millions of dollars.”1 Other news outlets, including CNBC, reported that Caesars paid $15 million.2

The company did not provide specific details on how the social engineering attack was carried out or identify the cybercriminal(s) by name. However, numerous news reports published statements from sources “familiar with the matter” that pinned the attacks on a hacker group called Scattered Spider, also known as “Scattered Swine,” “Muddled Libra,” and UNC3944 (by Mandiant), which is likely affiliated with the ransomware group, ALPHV.

The threat actor group is known for its sophisticated social engineering techniques and the ability to target and bypass Okta login security services.

MGM Resorts International Cyberattack

On September 12, 2023, MGM Resorts International issued a statement via PR Newswire stating that it had “identified a cybersecurity issue affecting the company’s systems.”3 MGM also stated that it had notified law enforcement to help protect networks and data, including by “shutting down certain systems.”

According to the Associated Press, MGM began experiencing disruptions on Sunday, September 10,4 and its reservations website was down that day. Soon after, numerous other media outlets reported that slot machines were out-of-service or were displaying errors across MGM-owned casinos, including at the MGM Grand, Bellagio, Aria, Mandalay Bay, Delano, Cosmopolitan, New York-New York, Excalibur, and Luxor. In addition, it was reported that thousands of guests had to wait in long lines for hotel check-ins and that credit card point of sales systems were down, forcing guests to pay cash.5

However, some of the same news outlets published statements from unvetted sources citing that the attack on MGM was carried out by the “same threat actors” that attacked Caesars Entertainment, Scatted Spider. On September 14, the ransomware-as-a-service (RaaS) group ALPHV issued a rare statement claiming sole responsibility for the attack and condemned news media and cybersecurity firms for publishing “false” and “unsupported” details on the attack.

“The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets decided to falsely claim that we had claimed responsibility for the attack before we had,” part of the statement read. “Tech Crunch & others: neither you nor anybody else was contacted by the hacker who took control of MGM. Next time, verify your sources more thoroughly, or at the very least, give some hint that you do.” 

In an earlier version of the statement, ALPHV had also distanced itself from the Twitter/X account, “vx-underground,” which had published a post on September 12 stating that the attack was carried out by looking up employee information on LinkedIn and that a 10-minute phone call to the company’s help desk was all it took to “defeat” the multi-million-dollar company.

Numerous news media erroneously believed the threat actors had published the post to explain how they gained access to the MGM networks and used it in their reporting.  


1. Screen capture of the 9/12/2023 post published by vx-underground.

At some point, ALPHV removed the reference to “vx-underground” and issued another update:

“As of September 16, 2023, we have not spoken with journalists, news organizations, Twitter/X users, or anyone else. Any official updates are only available on this blog. You would think that after the tweet below, people would know better than to believe anything unreliable they would hear about this incident. If we talk to a reporter, we will share it here. We did not and most likely won’t,” ALPHV wrote.

The Adlumin Threat Research Team cannot confirm what tactics ALPHV used to break into MGM servers nor provide more details on the attack until MGM discloses what transpired.

According to ALPHV’s statement, the group was able to deploy ransomware once inside MGM’s network, encrypting about 100 ESXi hypervisors at the onset of the attack. The group also alluded to targeting the casino’s Okta services.

MGM operations resumed normal customer-facing operations on September 20. According to news reports, MGM lost about $8 million each day its servers were down, which adds up to $40 million.6

Adlumin contacted MGM for more details on the attack, but the company only referred us to their original September 12 statement.

Recommendations

How to Protect Yourself from Social Engineering

Verify

In Caesars Entertainment’s case, a simple vishing tactic, where a cybercriminal attempts to obtain information via phone call, was used to impersonate a legitimate employee and request a password reset. How? While the exact details are still unclear, we can surmise that personally identifiable information (PII) was obtained by the threat actors and used to reset an account.

An organization’s IT or cybersecurity department should verify an individual’s identity using information that cannot be found on social platforms, such as a unique company-issued ID, and not just a full name and date of birth, for example. If the individual calling can provide you with all the correct information, you may need to think outside the box; what are the circumstances surrounding this issue? Is the caller experiencing the issue they’re asking about? For example, if the caller asks for a password reset due to an ‘account lockout,’ you should verify that the account is locked out before proceeding with assistance. Most organizations have a form of internal communications platform used for employee-to-employee messaging and the like. Some organizations even have a call roster with the employee’s personal number. Therefore, give the employee a quick call to verify that the individual is contacting you.

Training

Training is the most crucial defense against social engineering tactics. With incidents happening daily, remaining vigilant is essential. However, mere vigilance is not enough; frequent proactive security awareness training is vital to mitigate this type of threat. By consistently providing training, users gain a deeper understanding of the risks and measures to counter social engineering attacks.

This continuous education keeps cybersecurity at the forefront of their minds, ensuring they are better equipped to identify and respond to potential threats. Employing various training techniques and approaches helps to reinforce key principles and enhance overall cybersecurity proficiency among users. By prioritizing proactive cybersecurity awareness programs, organizations can establish a culture of security awareness and significantly reduce the propensity for successful social engineering attacks.

How Adlumin Can Help Protect Your Organization

Proactive Security Awareness: Adlumin offers a managed Proactive Security Awareness Program, which, as stated previously, is the best defense to counter social engineering tactics. Adlumin will develop and run monthly customized phishing simulations to educate and equip your users on how to identify phishing attempts. Learn more here.

Illuminate Threats and Eliminate Risks

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts. Join our community and be part of the frontlines against cyber threats.


Cybersecurity Time Machine Series: The Evolution of Threat Actors

By: Brittany Holmes, Corporate Communications Manager 

In an interconnected world, the digital landscape has become the breeding ground for opportunities and dangers. Cybercriminals have taken advantage of this evolution every step of the way and have become more prevalent. As a result, all organizations are now targets. Staying one step ahead is imperative. For organizations to protect themselves and their assets effectively, they need to understand how threat actors adapt and refine their strategies.

The 2023 Cybersecurity Awareness Month’s theme celebrates 20 years of cybersecurity awareness. In relevance, we want to look back on the past 20 years to shed light on the significance of understanding a few prominent threat actors’ evolutions.

Threat Actors in The Early 2000s 

During the early 2000s, the internet was crawling with cybercriminals and script kiddies as primary threat actors. A script kiddie is a cybercriminal who uses existing code or computer scripts to hack into a computer. They usually lack the knowledge to come up with it on their own.

Motivated by a thirst for knowledge and the desire to showcase their technical skills, these individuals exploited vulnerabilities across networks. Their targets varied, encompassing everything from corporate entities to personal computing systems. Using a wide range of techniques, script kiddies mimicked the actions of their more experienced counterparts on a less sophisticated level. As time went on, their motivations began shifting towards financial gain.

As a result, advanced phishing and malware attacks started gaining traction within the digital world. These malicious actors honed their skills in deceiving unsuspecting individuals, often using highly sophisticated techniques to harvest personal information and turn it into profits. This transition marked a turning point in the world of cyber threats, setting the stage for more organized and financially driven attacks in the years to come.

Rise of Nation-State Actors 2005-2010 

The rise of nation-state actors has significantly impacted cybersecurity. One trend is the emergence of state-sponsored cybercriminals, who are employed by governments to sabotage operations and carry out cyber espionage. These cybercriminals are motivated by various factors, including gathering intelligence, financial gain, and gaining a competitive edge in certain industries. Their targets often include government agencies, defense contractors, and critical infrastructure.  

Two Notable Cyberattacks: 

  • In 2007, Estonia experienced a massive wave of distributed denial-of-service (DDoS) attacks, believed to be orchestrated by Russia in response to a diplomatic dispute.  
  • In 2010, the Stuxnet worm created a new era of cyber warfare by targeting industrial control systems (ICS) used in Iran’s nuclear program. It was later revealed to be a joint effort by the United States and Israel. 

These incidents demonstrate the extent to which countries are now leveraging cyberattacks as a strategic tool for achieving their geopolitical goals.

Rise of Hacktivist Groups (2010-2015) 

Between 2010 and 2015, groups such as Anonymous and LulzSec came onto the scene. Their targets and motivations were wide-ranging, as they aimed to challenge authority, expose secrets, and promote freedom of information. Using tactics like data breaches and DDoS attacks, these groups looked to disrupt and damage the systems and credibility of their targets. 

Two Notable Hacktivist Groups:

  • Anonymous, founded in 2003, is a group that often attacks with a justice philosophy in mind. They targeted corporations, governments, and organizations that they thought were corrupt, oppressive, or unethical. Their actions included taking down the websites of major financial institutions during the Occupy Wall Street movement.  
  • LulzSec focused on causing chaos and amusement within the online community. Operating as a small team of cybercriminals, they deployed various cyberattacks targeting high-profile organizations like PBS, Fox, the X Factor, and individuals. Their motivations were often driven by the pursuit of “lulz,” or laughter, as they exposed vulnerabilities.

Ultimately, hacktivist groups demonstrate cyber activism to challenge authority and expose injustices. Their actions, whether through DDoS attacks or data breaches, highlighted the potential power of the internet in promoting transparency and holding institutions accountable. This period also raised questions about the lines between activism, vigilantism, and criminal activity, forcing governments and corporations to adapt their cybersecurity measures in response to this new digital landscape.

Shift Towards Advanced Persistent Threats (APTs) and Ransomware (2015-Present) 

Over the past few years, we have seen a significant shift in threats with a rise in APT groups. These groups have a specific goal and aim to infiltrate and maintain long-term access to systems and networks. Another growing threat in the cyber landscape is ransomware attacks. Unlike APTs, ransomware attacks focus on quickly encrypting or disabling systems data until a ransom is paid. The reason behind these attacks is usually financial gain. Ransomware groups target small and large businesses. What is particularly concerning about ransomware attacks is the evolution and sophistication of the strains being used. 

Notable ATP Examples:

  • Deep Panda: This group mainly targets US government institutions looking to steal intellectual property and state secrets. They focus on high tech, education, legal services, telecommunications, finance, energy, and pharmaceuticals. They have been known to be highly organized and remain undetected on networks for months at a time.  
  • GhostNet: This has been a large-scale cyber spying operation that tricked users into downloading a malicious file. Once the user interacts with the file, a remote access trojan, known as ‘Ghost Rat,’ is then installed on their computer. They are known to have breached over 1,200 computers belonging to foreign ministries, government offices, and embassies in 103 countries.  

These attacks often target governments, corporations, and other high-value organizations, stealing sensitive information or conducting espionage.

Notable Ransomware Attacks:

  • WannaCry: In 2017, malicious software spread globally, encrypting Windows operating systems. It encrypted files and demanded ransomware to restore access. These attacks went after hundreds of thousands of computers in over 150 countries.  
  • LockBit: In 2019, LockBit deployed advanced encryption algorithms to make files inaccessible and display a ransomware note demanding payment. There are various delivery methods, including gaining access to unauthorized networks, phishing emails, and software vulnerabilities. They use double-extortion methods, setting LockBit apart from other ransomware.  

The overall evolution of threat actors will continuously change and become more sophisticated. They are growing in scale, posing a significant risk to organizations of all sizes. Educating yourself and your organization on the latest threat actors can help prepare you.  

Take Proactive Security Measures 

The past two decades have shown a significant evolution in the cybersecurity landscape, particularly in the sophistication and complexity of threat actors. The market has shifted and now every organization, big or small, is a target. Organized groups have emerged, adding a new level of threat to mid-market organizations that previously believed they were too small to be targeted. The financial gains associated with cyber threats have become the main motivator, and it is crucial to recognize the evolving nature of these attacks in order to stay protected.  

Stay tuned for our blog next week to explore the next steps to protect your organization from cyber threats. 


Adlumin’s Spot the Lurker Challenge 

Unleash the power of knowledge and stand a chance to win big in the ‘Defeat the Lurker’ contest. Download Adlumin’s 2023 Threat Report Round-Up, shine a light on hidden threats and equip yourself with the tools to protect your network while entering for a chance to win amazing prizes. 


Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.