Read the latest cyber threat research covering digital risks, vulnerabilities, and attack techniques to develop proactive strategies and defenses against emerging cyber threats.
Gain insights into the unique challenges that government entities face in maintaining cybersecurity. Explore strategies to mitigate risks and safeguard sensitive information.
By: Bronwen Cohn-Cort, Data Scientist, and Shaul Saitowitz, Data Scientist
Welcome to the Unraveling Cyber Defense Model Secrets series, where we shine a light on Adlumin’s Data Science team, explore the team’s latest detections, and learn how to navigate the cyberattack landscape.
Threat detection is a critical component of an organization’s cybersecurity strategy. Requiring the combination of human expertise and machine learning, risk can be significantly reduced by identifying threats before a potential attack.
Many threats can go unnoticed for months or even years. In IBM’s latest report, it takes an average of 277 days for security teams to identify and contain a data breach, and the cost of a breach skyrocketed, reaching an average of $4.45 million. Given the extended timeframe it often takes to detect and contain a data breach, organizations must proactively implement measures to quickly respond to potential threats and reduce the risk of costly damages.
To effectively combat malicious activity in your environment, it can be challenging to stay on top of all the potential threats, particularly as it demands skilled professionals who can develop models to apply artificial intelligence. Setting up alerts for when suspicious activity is detected can help organizations quickly respond to potential breaches and mitigate the risk of further damage to their systems and data.
While there are many types of security threats and detections to consider today, we highlight credential harvesting and insider threats as two crucial ones to add to your queue.
Adlumin Data Science is rolling out alerts for credential harvesting and insider threats, each capable of warning against prevalent attack tactics within their domains by utilizing user and entity behavior analytics. These detections are crucial as they are often difficult for organizations to identify.
A credential harvesting alert addresses a post-exploitation technique to broaden network access. After gaining a foothold, this alert will notify an organization about suspicious activities related to stealing login credentials from a computer system. This information can then be used to access other systems, steal data, or even compromise an entire network.
Sources of stored credentials include files, databases, registry entries, and memory structures where login credentials are stored, whether in plaintext or encrypted form. Some of these locations include LSASS (Local Security Authority Subsystem Service), GPP (Group Policy Preferences), and web browsers that store passwords. Cybercriminals can use one of many tools or techniques to capture the stored credentials.
These include utilities like Mimikatz, Hashcat, and SharpChromium. Once the credentials have been extracted, the attacker harvests them for future use. Encrypted passwords can be cracked offline and then used to access other systems within the network, furthering the attack.
The detection exposes several credential dumping techniques and delivers background on the tool discovered. This allows prompt stoppage of the unfolding attack and helps protect business assets. The detection model should be updated regularly to keep up with new tactics and methods.
Credential harvesting poses a significant threat to organizations, leading to unauthorized access, data breaches, and financial loss. Setting up alerts for credential dumping processes is crucial as it enables early detection and swift response to mitigate potential damage. Organizations can protect their sensitive information, maintain operational continuity, and uphold trust with customers and stakeholders by efficiently enriching, containing, and recovering from such incidents.
Some ransomware variants, like REvil, involve mass file deletion; in some instances, an unauthorized insider may gain permissions sufficient to mass-delete files. The Insider Threat model detects and alerts on cases of a user or attacker deleting an abnormally high number of files across many different subdirectories. Further analysis is conducted to filter out file extensions and locations that likely correspond to benign deletion activity. For example, a user emptying the Recycle Bin would not trigger an alert.
Setting up an Insider Threat alert uses a machine learning model to determine anomalies in the number of Windows Event ID 4663 (“An attempt was made to access an object”) events with Delete access permissions. A high quantity of these 4663 events in a half-hour period significantly deviating from the customer baseline is considered anomalous.
The table below displays partially redacted information from 4663 events associated with an alert. For each, it shows the time of the log message, the computer name on which it occurred, and which Object Name and Process Name were associated with the event. This table can be used to further investigate the deletion activity by reviewing the details of what computers, locations, and types of files were involved.
Following an alert, activity from the username(s) in question should be examined if a threat actor compromised a user account. Suspicious behavior may warrant disabling the account and quarantining affected computers from the network. Review user actions and run an anti-malware scan and vulnerability assessment to check if the threat actor has performed any other actions, such as creating a logic bomb or backdoor.
Insider threats pose a significant risk to organizations as they can result in data breaches, financial loss, reputational damage, and operational disruptions. Malicious insiders or compromised accounts can intentionally or unintentionally cause harm by deleting critical files, installing malware, or stealing sensitive information.
Setting up Insider Threat alerts, like the one described here, is crucial for detecting suspicious activities, such as widespread file deletion, in a timely manner. By observing user behavior, organizations can proactively identify and respond to potential insider threats, mitigating the impact of security incidents and safeguarding their assets and operations.
Here at Adlumin, we know how important it is to see everything in cybersecurity. That’s why we offer a customized Security Operations Platform and Managed Detection and Response services to give organizations a complete view of their IT environment. But we go further than that. We believe in the value of firsthand experience, so we invite you to explore our platform yourself with a guided tour.
See how our platform helps your team find and address threats by arranging a demo or trying out our platform for free. Join the tour and boost your organization’s visibility to a whole new level.
Join cybersecurity experts Mark Sangster and Dave Grubber in this insightful webinar, tackling the challenges small to medium organizations encounter in countering cyber threats within budget and personnel constraints. Discover key insights on network protection, compliance navigation, AI/ML-driven security optimization, and strategic budgeting for heightened cybersecurity.
Join Adlumin and industry leaders at Black Hat 2024. Discover cutting-edge research and enhance your skills through hands-on training, so your organization can stay ahead of the ever-evolving cybersecurity landscape.
FutureCon Boston offers advanced security training, addressing cutting-edge security strategies and risk management in the dynamic landscape of cybersecurity. Cybersecurity is no longer just an IT problem, and FutureCon Boston helps you gain the knowledge you need to secure computing environments from advanced cyber threats.
The event features:
Attendees can demo the newest technology, interact with security leaders, and stay informed about pressing topics in the information security community.
Date: November 30, 2023
Location: Boston, MA
Contact: marketingevents@adlumin.com
Adlumin brings you a comprehensive visual overview of key statistics and
trends. Shedding light on the evolving landscape of cybersecurity threats and challenges small and medium-sized businesses (SMBs) face.
By: Max Bernal, Technical Content Writer, and Adlumin’s Threat Research Team
A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos is a part of Adlumin’s Threat Bulletin Series content series.
In early September 2023, Caesars Entertainment in Las Vegas experienced a major cyberattack. The threat actors used a combination of social engineering tactics and ransomware to breach the casino’s networks and steal sensitive data. On September 10, another gambling conglomerate, MGM Resorts International, experienced a cyberattack by threat actors in the ALPHV ransomware-as-a-service (RaaS) group. The two attacks cost the casinos millions of dollars in losses.
Caesars Entertainment’s SEC filing on September 7, 2023, stated that it had suffered a social engineering attack “on an outsourced IT support vendor used by the company.” The exact date of the cyberattack was not disclosed, nor who carried out the assault.
In the filing, Caesars also stated that the cyberattack did not impact customer-facing operations like slot machines, guest services, and other services but that among the data stolen, the threat actor(s) had acquired a copy of the loyalty program database, which included member driver’s license and Social Security numbers.
Caesars also disclosed that it had taken steps to “ensure that the stolen data [was] deleted,” alluding that it had paid a ransom. Numerous news outlets, including Bloomberg, reported that the company paid “tens of millions of dollars.”1 Other news outlets, including CNBC, reported that Caesars paid $15 million.2
The company did not provide specific details on how the social engineering attack was carried out or identify the cybercriminal(s) by name. However, numerous news reports published statements from sources “familiar with the matter” that pinned the attacks on a hacker group called Scattered Spider, also known as “Scattered Swine,” “Muddled Libra,” and UNC3944 (by Mandiant), which is likely affiliated with the ransomware group, ALPHV.
The threat actor group is known for its sophisticated social engineering techniques and the ability to target and bypass Okta login security services.
On September 12, 2023, MGM Resorts International issued a statement via PR Newswire stating that it had “identified a cybersecurity issue affecting the company’s systems.”3 MGM also stated that it had notified law enforcement to help protect networks and data, including by “shutting down certain systems.”
According to the Associated Press, MGM began experiencing disruptions on Sunday, September 10,4 and its reservations website was down that day. Soon after, numerous other media outlets reported that slot machines were out-of-service or were displaying errors across MGM-owned casinos, including at the MGM Grand, Bellagio, Aria, Mandalay Bay, Delano, Cosmopolitan, New York-New York, Excalibur, and Luxor. In addition, it was reported that thousands of guests had to wait in long lines for hotel check-ins and that credit card point of sales systems were down, forcing guests to pay cash.5
However, some of the same news outlets published statements from unvetted sources citing that the attack on MGM was carried out by the “same threat actors” that attacked Caesars Entertainment, Scatted Spider. On September 14, the ransomware-as-a-service (RaaS) group ALPHV issued a rare statement claiming sole responsibility for the attack and condemned news media and cybersecurity firms for publishing “false” and “unsupported” details on the attack.
“The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets decided to falsely claim that we had claimed responsibility for the attack before we had,” part of the statement read. “Tech Crunch & others: neither you nor anybody else was contacted by the hacker who took control of MGM. Next time, verify your sources more thoroughly, or at the very least, give some hint that you do.”
In an earlier version of the statement, ALPHV had also distanced itself from the Twitter/X account, “vx-underground,” which had published a post on September 12 stating that the attack was carried out by looking up employee information on LinkedIn and that a 10-minute phone call to the company’s help desk was all it took to “defeat” the multi-million-dollar company.
Numerous news media erroneously believed the threat actors had published the post to explain how they gained access to the MGM networks and used it in their reporting.
1. Screen capture of the 9/12/2023 post published by vx-underground.
At some point, ALPHV removed the reference to “vx-underground” and issued another update:
“As of September 16, 2023, we have not spoken with journalists, news organizations, Twitter/X users, or anyone else. Any official updates are only available on this blog. You would think that after the tweet below, people would know better than to believe anything unreliable they would hear about this incident. If we talk to a reporter, we will share it here. We did not and most likely won’t,” ALPHV wrote.
The Adlumin Threat Research Team cannot confirm what tactics ALPHV used to break into MGM servers nor provide more details on the attack until MGM discloses what transpired.
According to ALPHV’s statement, the group was able to deploy ransomware once inside MGM’s network, encrypting about 100 ESXi hypervisors at the onset of the attack. The group also alluded to targeting the casino’s Okta services.
MGM operations resumed normal customer-facing operations on September 20. According to news reports, MGM lost about $8 million each day its servers were down, which adds up to $40 million.6
Adlumin contacted MGM for more details on the attack, but the company only referred us to their original September 12 statement.
How to Protect Yourself from Social Engineering
Verify
In Caesars Entertainment’s case, a simple vishing tactic, where a cybercriminal attempts to obtain information via phone call, was used to impersonate a legitimate employee and request a password reset. How? While the exact details are still unclear, we can surmise that personally identifiable information (PII) was obtained by the threat actors and used to reset an account.
An organization’s IT or cybersecurity department should verify an individual’s identity using information that cannot be found on social platforms, such as a unique company-issued ID, and not just a full name and date of birth, for example. If the individual calling can provide you with all the correct information, you may need to think outside the box; what are the circumstances surrounding this issue? Is the caller experiencing the issue they’re asking about? For example, if the caller asks for a password reset due to an ‘account lockout,’ you should verify that the account is locked out before proceeding with assistance. Most organizations have a form of internal communications platform used for employee-to-employee messaging and the like. Some organizations even have a call roster with the employee’s personal number. Therefore, give the employee a quick call to verify that the individual is contacting you.
Training
Training is the most crucial defense against social engineering tactics. With incidents happening daily, remaining vigilant is essential. However, mere vigilance is not enough; frequent proactive security awareness training is vital to mitigate this type of threat. By consistently providing training, users gain a deeper understanding of the risks and measures to counter social engineering attacks.
This continuous education keeps cybersecurity at the forefront of their minds, ensuring they are better equipped to identify and respond to potential threats. Employing various training techniques and approaches helps to reinforce key principles and enhance overall cybersecurity proficiency among users. By prioritizing proactive cybersecurity awareness programs, organizations can establish a culture of security awareness and significantly reduce the propensity for successful social engineering attacks.
Proactive Security Awareness: Adlumin offers a managed Proactive Security Awareness Program, which, as stated previously, is the best defense to counter social engineering tactics. Adlumin will develop and run monthly customized phishing simulations to educate and equip your users on how to identify phishing attempts. Learn more here.
Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.
Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts. Join our community and be part of the frontlines against cyber threats.
By: Brittany Holmes, Corporate Communications Manager
In an interconnected world, the digital landscape has become the breeding ground for opportunities and dangers. Cybercriminals have taken advantage of this evolution every step of the way and have become more prevalent. As a result, all organizations are now targets. Staying one step ahead is imperative. For organizations to protect themselves and their assets effectively, they need to understand how threat actors adapt and refine their strategies.
The 2023 Cybersecurity Awareness Month’s theme celebrates 20 years of cybersecurity awareness. In relevance, we want to look back on the past 20 years to shed light on the significance of understanding a few prominent threat actors’ evolutions.
During the early 2000s, the internet was crawling with cybercriminals and script kiddies as primary threat actors. A script kiddie is a cybercriminal who uses existing code or computer scripts to hack into a computer. They usually lack the knowledge to come up with it on their own.
Motivated by a thirst for knowledge and the desire to showcase their technical skills, these individuals exploited vulnerabilities across networks. Their targets varied, encompassing everything from corporate entities to personal computing systems. Using a wide range of techniques, script kiddies mimicked the actions of their more experienced counterparts on a less sophisticated level. As time went on, their motivations began shifting towards financial gain.
As a result, advanced phishing and malware attacks started gaining traction within the digital world. These malicious actors honed their skills in deceiving unsuspecting individuals, often using highly sophisticated techniques to harvest personal information and turn it into profits. This transition marked a turning point in the world of cyber threats, setting the stage for more organized and financially driven attacks in the years to come.
The rise of nation-state actors has significantly impacted cybersecurity. One trend is the emergence of state-sponsored cybercriminals, who are employed by governments to sabotage operations and carry out cyber espionage. These cybercriminals are motivated by various factors, including gathering intelligence, financial gain, and gaining a competitive edge in certain industries. Their targets often include government agencies, defense contractors, and critical infrastructure.
Two Notable Cyberattacks:
These incidents demonstrate the extent to which countries are now leveraging cyberattacks as a strategic tool for achieving their geopolitical goals.
Between 2010 and 2015, groups such as Anonymous and LulzSec came onto the scene. Their targets and motivations were wide-ranging, as they aimed to challenge authority, expose secrets, and promote freedom of information. Using tactics like data breaches and DDoS attacks, these groups looked to disrupt and damage the systems and credibility of their targets.
Two Notable Hacktivist Groups:
Ultimately, hacktivist groups demonstrate cyber activism to challenge authority and expose injustices. Their actions, whether through DDoS attacks or data breaches, highlighted the potential power of the internet in promoting transparency and holding institutions accountable. This period also raised questions about the lines between activism, vigilantism, and criminal activity, forcing governments and corporations to adapt their cybersecurity measures in response to this new digital landscape.
Over the past few years, we have seen a significant shift in threats with a rise in APT groups. These groups have a specific goal and aim to infiltrate and maintain long-term access to systems and networks. Another growing threat in the cyber landscape is ransomware attacks. Unlike APTs, ransomware attacks focus on quickly encrypting or disabling systems data until a ransom is paid. The reason behind these attacks is usually financial gain. Ransomware groups target small and large businesses. What is particularly concerning about ransomware attacks is the evolution and sophistication of the strains being used.
Notable ATP Examples:
These attacks often target governments, corporations, and other high-value organizations, stealing sensitive information or conducting espionage.
Notable Ransomware Attacks:
The overall evolution of threat actors will continuously change and become more sophisticated. They are growing in scale, posing a significant risk to organizations of all sizes. Educating yourself and your organization on the latest threat actors can help prepare you.
The past two decades have shown a significant evolution in the cybersecurity landscape, particularly in the sophistication and complexity of threat actors. The market has shifted and now every organization, big or small, is a target. Organized groups have emerged, adding a new level of threat to mid-market organizations that previously believed they were too small to be targeted. The financial gains associated with cyber threats have become the main motivator, and it is crucial to recognize the evolving nature of these attacks in order to stay protected.
Stay tuned for our blog next week to explore the next steps to protect your organization from cyber threats.
Unleash the power of knowledge and stand a chance to win big in the ‘Defeat the Lurker’ contest. Download Adlumin’s 2023 Threat Report Round-Up, shine a light on hidden threats and equip yourself with the tools to protect your network while entering for a chance to win amazing prizes.
Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.
Microsoft has issued a warning about an active phishing campaign that lures users into opening Microsoft Word attachments sent via email. Microsoft first identified the campaign in June 2023.
The attackers, a Russian cybercriminal group known as Storm-0978, are exploiting a zero-day vulnerability of CVE-2023-36884 by sending victims phishing emails that contain infected Microsoft Word files that deploy a backdoor, similar to RomCom Remote Access Trojan (RAT) malware. The malicious software is triggered upon downloading the files, allowing threat actors access to victims’ systems.
According to Microsoft, Windows Defender for Office 365 users and those using Microsoft 365 Apps (Versions 2302 or later) are protected from this attack. However, Adlumin advises that organizations contact your MDR team to assist them with the mitigation steps Microsoft recommends.
This remote code execution attack is among several others that hackers are currently exploiting in the wild since yesterday, including:
According to reports, there are at least 132 new security vulnerabilities that Microsoft is working to address; many of them are in the “critical” and “severe” range of the CVSS.
Users should remain alert when receiving emails with messages related to the conflict in Ukraine, according to Microsoft Threat Intelligence.
The phishing campaign has often been directed to defense and government entities in Europe and North America with lures to the “Ukrainian World Congress.” But Storm-0978 has also targeted financial companies for ransomware.
Adlumin is monitoring to ensure that any necessary patches or workarounds are implemented as soon as they become available.
In the meantime, we recommend that organizations remain vigilant, follow best practices to enhance your security posture, and exercise caution with email attachments and links. We also recommend the following:
1140 3rd St. NE, Suite 340
Washington, DC 20002
(202) 570-7907
Copyright 2024 Adlumin, Inc. All Rights Reserved