Read the latest cyber threat research covering digital risks, vulnerabilities, and attack techniques to develop proactive strategies and defenses against emerging cyber threats.

The ABCs of Cyber: Assets, Budget, and Consolidation

REPORT

The ABCs of Cyber: Assets, Budget, and Consolidation



Cyber experts Mark Sangster, VP at Adlumin, and Dave Grubber, Principal Analyst at Enterprise Strategy Group (ESG), outline a rapid roadmap to successful cybersecurity using consolidation to drive efficiency and manage cost.



Download to learn:



  • Network protection must-haves
  • How to navigate compliance
  • Best practices for streamlining your security operations using artificial intelligence and machine learning
  • How to thoughtfully approach your cybersecurity budget and make the most of every dollar


Thought Leadership Webinar



Adlumin’s on-demand webinar, “The ABCs of Cyber: Assets, Budget, and Consolidation,” provides actionable advice on consolidating resources to improve efficiency and control expenses in response to ever-changing cyber threats.



Black Hat 2024

Join Adlumin at Black Hat 2024, the premier cybersecurity event featuring the latest research, developments, and trends. Connect with top minds in the industry, explore groundbreaking work from leading security researchers, and enhance your skills through hands-on training led by industry professionals across diverse topics.

Come see the Adlumin team at Booth 874! We invite you to hear from Adlumin’s industry expert Mark Sangster on Thursday August 8th at 11:30 AM in BHA. More information to come!

Dates: August 3-8, 2024
Location: Mandalay Bay Convention Center, Las Vegas
Booth: #874

Contact: marketingevents@adlumin.com

FutureCon Boston

FutureCon Boston offers advanced security training, addressing cutting-edge security strategies and risk management in the dynamic landscape of cybersecurity. Cybersecurity is no longer just an IT problem, and FutureCon Boston helps you gain the knowledge you need to secure computing environments from advanced cyber threats.

The event features:

  • Discussions with C-level executives who have successfully mitigated the risks of cyber attacks.
  • Educating C-suite executives and CISOs about the global cybercrime epidemic and building Cyber Resilient organizations.

Attendees can demo the newest technology, interact with security leaders, and stay informed about pressing topics in the information security community.

Date: November 30, 2023
Location: Boston, MA

Contactmarketingevents@adlumin.com

A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos

By: Max Bernal, Technical Content Writer, and Adlumin’s Threat Research Team

A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos is a part of Adlumin’s Threat Bulletin Series content series.

In early September 2023, Caesars Entertainment in Las Vegas experienced a major cyberattack. The threat actors used a combination of social engineering tactics and ransomware to breach the casino’s networks and steal sensitive data. On September 10, another gambling conglomerate, MGM Resorts International, experienced a cyberattack by threat actors in the ALPHV ransomware-as-a-service (RaaS) group. The two attacks cost the casinos millions of dollars in losses.

Caesars Entertainment Cyberattack

Caesars Entertainment’s SEC filing on September 7, 2023, stated that it had suffered a social engineering attack “on an outsourced IT support vendor used by the company.” The exact date of the cyberattack was not disclosed, nor who carried out the assault.

In the filing, Caesars also stated that the cyberattack did not impact customer-facing operations like slot machines, guest services, and other services but that among the data stolen, the threat actor(s) had acquired a copy of the loyalty program database, which included member driver’s license and Social Security numbers.

Caesars also disclosed that it had taken steps to “ensure that the stolen data [was] deleted,” alluding that it had paid a ransom. Numerous news outlets, including Bloomberg, reported that the company paid “tens of millions of dollars.”1 Other news outlets, including CNBC, reported that Caesars paid $15 million.2

The company did not provide specific details on how the social engineering attack was carried out or identify the cybercriminal(s) by name. However, numerous news reports published statements from sources “familiar with the matter” that pinned the attacks on a hacker group called Scattered Spider, also known as “Scattered Swine,” “Muddled Libra,” and UNC3944 (by Mandiant), which is likely affiliated with the ransomware group, ALPHV.

The threat actor group is known for its sophisticated social engineering techniques and the ability to target and bypass Okta login security services.

MGM Resorts International Cyberattack

On September 12, 2023, MGM Resorts International issued a statement via PR Newswire stating that it had “identified a cybersecurity issue affecting the company’s systems.”3 MGM also stated that it had notified law enforcement to help protect networks and data, including by “shutting down certain systems.”

According to the Associated Press, MGM began experiencing disruptions on Sunday, September 10,4 and its reservations website was down that day. Soon after, numerous other media outlets reported that slot machines were out-of-service or were displaying errors across MGM-owned casinos, including at the MGM Grand, Bellagio, Aria, Mandalay Bay, Delano, Cosmopolitan, New York-New York, Excalibur, and Luxor. In addition, it was reported that thousands of guests had to wait in long lines for hotel check-ins and that credit card point of sales systems were down, forcing guests to pay cash.5

However, some of the same news outlets published statements from unvetted sources citing that the attack on MGM was carried out by the “same threat actors” that attacked Caesars Entertainment, Scatted Spider. On September 14, the ransomware-as-a-service (RaaS) group ALPHV issued a rare statement claiming sole responsibility for the attack and condemned news media and cybersecurity firms for publishing “false” and “unsupported” details on the attack.

“The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets decided to falsely claim that we had claimed responsibility for the attack before we had,” part of the statement read. “Tech Crunch & others: neither you nor anybody else was contacted by the hacker who took control of MGM. Next time, verify your sources more thoroughly, or at the very least, give some hint that you do.” 

In an earlier version of the statement, ALPHV had also distanced itself from the Twitter/X account, “vx-underground,” which had published a post on September 12 stating that the attack was carried out by looking up employee information on LinkedIn and that a 10-minute phone call to the company’s help desk was all it took to “defeat” the multi-million-dollar company.

Numerous news media erroneously believed the threat actors had published the post to explain how they gained access to the MGM networks and used it in their reporting.  


1. Screen capture of the 9/12/2023 post published by vx-underground.

At some point, ALPHV removed the reference to “vx-underground” and issued another update:

“As of September 16, 2023, we have not spoken with journalists, news organizations, Twitter/X users, or anyone else. Any official updates are only available on this blog. You would think that after the tweet below, people would know better than to believe anything unreliable they would hear about this incident. If we talk to a reporter, we will share it here. We did not and most likely won’t,” ALPHV wrote.

The Adlumin Threat Research Team cannot confirm what tactics ALPHV used to break into MGM servers nor provide more details on the attack until MGM discloses what transpired.

According to ALPHV’s statement, the group was able to deploy ransomware once inside MGM’s network, encrypting about 100 ESXi hypervisors at the onset of the attack. The group also alluded to targeting the casino’s Okta services.

MGM operations resumed normal customer-facing operations on September 20. According to news reports, MGM lost about $8 million each day its servers were down, which adds up to $40 million.6

Adlumin contacted MGM for more details on the attack, but the company only referred us to their original September 12 statement.

Recommendations

How to Protect Yourself from Social Engineering

Verify

In Caesars Entertainment’s case, a simple vishing tactic, where a cybercriminal attempts to obtain information via phone call, was used to impersonate a legitimate employee and request a password reset. How? While the exact details are still unclear, we can surmise that personally identifiable information (PII) was obtained by the threat actors and used to reset an account.

An organization’s IT or cybersecurity department should verify an individual’s identity using information that cannot be found on social platforms, such as a unique company-issued ID, and not just a full name and date of birth, for example. If the individual calling can provide you with all the correct information, you may need to think outside the box; what are the circumstances surrounding this issue? Is the caller experiencing the issue they’re asking about? For example, if the caller asks for a password reset due to an ‘account lockout,’ you should verify that the account is locked out before proceeding with assistance. Most organizations have a form of internal communications platform used for employee-to-employee messaging and the like. Some organizations even have a call roster with the employee’s personal number. Therefore, give the employee a quick call to verify that the individual is contacting you.

Training

Training is the most crucial defense against social engineering tactics. With incidents happening daily, remaining vigilant is essential. However, mere vigilance is not enough; frequent proactive security awareness training is vital to mitigate this type of threat. By consistently providing training, users gain a deeper understanding of the risks and measures to counter social engineering attacks.

This continuous education keeps cybersecurity at the forefront of their minds, ensuring they are better equipped to identify and respond to potential threats. Employing various training techniques and approaches helps to reinforce key principles and enhance overall cybersecurity proficiency among users. By prioritizing proactive cybersecurity awareness programs, organizations can establish a culture of security awareness and significantly reduce the propensity for successful social engineering attacks.

How Adlumin Can Help Protect Your Organization

Proactive Security Awareness: Adlumin offers a managed Proactive Security Awareness Program, which, as stated previously, is the best defense to counter social engineering tactics. Adlumin will develop and run monthly customized phishing simulations to educate and equip your users on how to identify phishing attempts. Learn more here.

Illuminate Threats and Eliminate Risks

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts. Join our community and be part of the frontlines against cyber threats.


Cybersecurity Time Machine Series: The Evolution of Threat Actors

By: Brittany Holmes, Corporate Communications Manager 

In an interconnected world, the digital landscape has become the breeding ground for opportunities and dangers. Cybercriminals have taken advantage of this evolution every step of the way and have become more prevalent. As a result, all organizations are now targets. Staying one step ahead is imperative. For organizations to protect themselves and their assets effectively, they need to understand how threat actors adapt and refine their strategies.

The 2023 Cybersecurity Awareness Month’s theme celebrates 20 years of cybersecurity awareness. In relevance, we want to look back on the past 20 years to shed light on the significance of understanding a few prominent threat actors’ evolutions.

Threat Actors in The Early 2000s 

During the early 2000s, the internet was crawling with cybercriminals and script kiddies as primary threat actors. A script kiddie is a cybercriminal who uses existing code or computer scripts to hack into a computer. They usually lack the knowledge to come up with it on their own.

Motivated by a thirst for knowledge and the desire to showcase their technical skills, these individuals exploited vulnerabilities across networks. Their targets varied, encompassing everything from corporate entities to personal computing systems. Using a wide range of techniques, script kiddies mimicked the actions of their more experienced counterparts on a less sophisticated level. As time went on, their motivations began shifting towards financial gain.

As a result, advanced phishing and malware attacks started gaining traction within the digital world. These malicious actors honed their skills in deceiving unsuspecting individuals, often using highly sophisticated techniques to harvest personal information and turn it into profits. This transition marked a turning point in the world of cyber threats, setting the stage for more organized and financially driven attacks in the years to come.

Rise of Nation-State Actors 2005-2010 

The rise of nation-state actors has significantly impacted cybersecurity. One trend is the emergence of state-sponsored cybercriminals, who are employed by governments to sabotage operations and carry out cyber espionage. These cybercriminals are motivated by various factors, including gathering intelligence, financial gain, and gaining a competitive edge in certain industries. Their targets often include government agencies, defense contractors, and critical infrastructure.  

Two Notable Cyberattacks: 

  • In 2007, Estonia experienced a massive wave of distributed denial-of-service (DDoS) attacks, believed to be orchestrated by Russia in response to a diplomatic dispute.  
  • In 2010, the Stuxnet worm created a new era of cyber warfare by targeting industrial control systems (ICS) used in Iran’s nuclear program. It was later revealed to be a joint effort by the United States and Israel. 

These incidents demonstrate the extent to which countries are now leveraging cyberattacks as a strategic tool for achieving their geopolitical goals.

Rise of Hacktivist Groups (2010-2015) 

Between 2010 and 2015, groups such as Anonymous and LulzSec came onto the scene. Their targets and motivations were wide-ranging, as they aimed to challenge authority, expose secrets, and promote freedom of information. Using tactics like data breaches and DDoS attacks, these groups looked to disrupt and damage the systems and credibility of their targets. 

Two Notable Hacktivist Groups:

  • Anonymous, founded in 2003, is a group that often attacks with a justice philosophy in mind. They targeted corporations, governments, and organizations that they thought were corrupt, oppressive, or unethical. Their actions included taking down the websites of major financial institutions during the Occupy Wall Street movement.  
  • LulzSec focused on causing chaos and amusement within the online community. Operating as a small team of cybercriminals, they deployed various cyberattacks targeting high-profile organizations like PBS, Fox, the X Factor, and individuals. Their motivations were often driven by the pursuit of “lulz,” or laughter, as they exposed vulnerabilities.

Ultimately, hacktivist groups demonstrate cyber activism to challenge authority and expose injustices. Their actions, whether through DDoS attacks or data breaches, highlighted the potential power of the internet in promoting transparency and holding institutions accountable. This period also raised questions about the lines between activism, vigilantism, and criminal activity, forcing governments and corporations to adapt their cybersecurity measures in response to this new digital landscape.

Shift Towards Advanced Persistent Threats (APTs) and Ransomware (2015-Present) 

Over the past few years, we have seen a significant shift in threats with a rise in APT groups. These groups have a specific goal and aim to infiltrate and maintain long-term access to systems and networks. Another growing threat in the cyber landscape is ransomware attacks. Unlike APTs, ransomware attacks focus on quickly encrypting or disabling systems data until a ransom is paid. The reason behind these attacks is usually financial gain. Ransomware groups target small and large businesses. What is particularly concerning about ransomware attacks is the evolution and sophistication of the strains being used. 

Notable ATP Examples:

  • Deep Panda: This group mainly targets US government institutions looking to steal intellectual property and state secrets. They focus on high tech, education, legal services, telecommunications, finance, energy, and pharmaceuticals. They have been known to be highly organized and remain undetected on networks for months at a time.  
  • GhostNet: This has been a large-scale cyber spying operation that tricked users into downloading a malicious file. Once the user interacts with the file, a remote access trojan, known as ‘Ghost Rat,’ is then installed on their computer. They are known to have breached over 1,200 computers belonging to foreign ministries, government offices, and embassies in 103 countries.  

These attacks often target governments, corporations, and other high-value organizations, stealing sensitive information or conducting espionage.

Notable Ransomware Attacks:

  • WannaCry: In 2017, malicious software spread globally, encrypting Windows operating systems. It encrypted files and demanded ransomware to restore access. These attacks went after hundreds of thousands of computers in over 150 countries.  
  • LockBit: In 2019, LockBit deployed advanced encryption algorithms to make files inaccessible and display a ransomware note demanding payment. There are various delivery methods, including gaining access to unauthorized networks, phishing emails, and software vulnerabilities. They use double-extortion methods, setting LockBit apart from other ransomware.  

The overall evolution of threat actors will continuously change and become more sophisticated. They are growing in scale, posing a significant risk to organizations of all sizes. Educating yourself and your organization on the latest threat actors can help prepare you.  

Take Proactive Security Measures 

The past two decades have shown a significant evolution in the cybersecurity landscape, particularly in the sophistication and complexity of threat actors. The market has shifted and now every organization, big or small, is a target. Organized groups have emerged, adding a new level of threat to mid-market organizations that previously believed they were too small to be targeted. The financial gains associated with cyber threats have become the main motivator, and it is crucial to recognize the evolving nature of these attacks in order to stay protected.  

Stay tuned for our blog next week to explore the next steps to protect your organization from cyber threats. 


Adlumin’s Spot the Lurker Challenge 

Unleash the power of knowledge and stand a chance to win big in the ‘Defeat the Lurker’ contest. Download Adlumin’s 2023 Threat Report Round-Up, shine a light on hidden threats and equip yourself with the tools to protect your network while entering for a chance to win amazing prizes. 


Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



New Microsoft Vulnerability Storm-078: What you Need to Know

Microsoft has issued a warning about an active phishing campaign that lures users into opening Microsoft Word attachments sent via email. Microsoft first identified the campaign in June 2023.

The attackers, a Russian cybercriminal group known as Storm-0978, are exploiting a zero-day vulnerability of CVE-2023-36884 by sending victims phishing emails that contain infected Microsoft Word files that deploy a backdoor, similar to RomCom Remote Access Trojan (RAT) malware. The malicious software is triggered upon downloading the files, allowing threat actors access to victims’ systems. 

According to Microsoft, Windows Defender for Office 365 users and those using Microsoft 365 Apps (Versions 2302 or later) are protected from this attack. However, Adlumin advises that organizations contact your MDR team to assist them with the mitigation steps Microsoft recommends.  

This remote code execution attack is among several others that hackers are currently exploiting in the wild since yesterday, including: 

  • Windows SmartScreen Security Feature Bypass (CVE-2023-32049)  
  • Windows MSHTML Platform Elevation of Privilege (CVE-2023-32046)  
  • Windows Error Reporting Service Elevation of Privilege (CVE-2023-36874)  
  • Microsoft Outlook Security Feature Bypass (CVE-2023-35311)  

According to reports, there are at least 132 new security vulnerabilities that Microsoft is working to address; many of them are in the “critical” and “severe” range of the CVSS.    

The Phishing Campaign  

Users should remain alert when receiving emails with messages related to the conflict in Ukraine, according to Microsoft Threat Intelligence.   

The phishing campaign has often been directed to defense and government entities in Europe and North America with lures to the “Ukrainian World Congress.” But Storm-0978 has also targeted financial companies for ransomware.   

The Adlumin Response   

Adlumin is monitoring to ensure that any necessary patches or workarounds are implemented as soon as they become available.  

In the meantime, we recommend that organizations remain vigilant, follow best practices to enhance your security posture, and exercise caution with email attachments and links. We also recommend the following: 

  • Educate and raise awareness among employees about the potential risks of opening unknown or suspicious files and encourage them to report suspicious activity.  
  •  Remain cautious when opening email attachments or clicking on links, especially if they are from unknown or suspicious sources.  
  • Invest in a security operation platform to continually search and alert for suspicious executions which may be a result of the exploitation of the vulnerability. 
  • Invest in a continuous vulnerability management product to regularly scan your environment to identify vulnerabilities and misconfigurations.  

Five Unique Tactics of Social Engineering Attacks

By: Krystal Rennie, Director of Corporate Communications, and Brittany Demendi, Corporate Communications Manager

Five Unique Tactics of Social Engineering Attacks is a part of Adlumin’s Cyber Blog content series. For more information about how your organization can protect itself from cybercriminals, browse more from our knowledge-rich series here.

Social Engineering Adlumin Stats

As cybercriminal organizations and state-sponsored actors grow in sophistication and capability, they remain loyal to the simple tactics and techniques that deliver results. “Social Engineering” might not carry the glamor of a technical zero-day malware attack, but it works. Social engineering works so well that 90% of cyberattacks on organizations involve some form of the tactic, according to KnowBe4. Employees are then vulnerable to influence and often become unwitting accomplices in a cybercrime.

Social Engineering is when “an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity.”

Cybersecurity & Infrastructure Security Agency (CISA).

Social engineering tactics can take multiple forms, from collecting publicly available information on social media to conducting search engine analysis. Fundamentally, these tactics identify valuable tools and information that potential victims might seek and be more likely to interact with. Social Engineering is about gaining a user’s trust.

Social engineering strategies can involve fake emails and websites that look authentic and can fool the entire spectrum of employees. Everyone can be a target, from engineers to sales and marketers, finance admins, and senior executives. Social engineering aims to manipulate a target user into revealing sensitive data about their business or personal information. This stolen information can create a phishing campaign that looks authentic. These attacks seek to gain information and can take many different forms, making it harder to pinpoint the cybercriminal’s entry point.

Five Common Tactics of Social Engineering

  1. Scareware: An attack that bombards victims with false alarms and fictitious threats about their devices. Victims are misled to think that their systems are infected with malware, prompting them to install malicious software or malware itself. In one of the most extreme cases, following a massive credit theft from a major retailer, cardholders were contacted through phone calls and asked to update their security measures. Of course, the calls came from cybercriminals collecting victims’ PINs and passwords.
  2. Baiting: A form of social engineering that incentivizes users to take action the attacker wants. These attacks often include offers of gifts, exclusive offers, courier packages, and other well-known “lures.” Engaged users give up their personal information or sign up for fictitious accounts, exposing their passwords. Since passwords are often recycled across multiple accounts, this can create a severe breach and risk to the organization. Rarely can baiting even use physical media like flash drives. Dropped in the employee parking lot, an unassuming individual may accidentally release malware once installed on a company computer.
  3. Pretexting: In this form of social engineering, attackers approach victims requesting sensitive information necessary to complete a critical task or service. Appearing as friendly actors, these criminals solicit data about the victim using various motivators like tax refunds, payments, deliveries, or business-related projects.
  4. Spear Phishing: These attacks target individuals with roles within the company, seniority, rank, authority, and access to critical systems. They often target professionals such as lawyers, doctors, or engineers presented with fake license complaints and lawsuits. In other cases, executives were targeted with emails and branded file shares containing lawsuit filings, the basis of which was stolen from publicly available court filings and stolen litigation material. Spear Phishing is perhaps one of the most challenging forms of engineering because it is extremely difficult to distinguish from legitimate traffic and communications.
  5. Quid Pro Quo: This type of attack centers around an exchange of service or information convincing the victim to act. Typically, the cybercriminal will promise rewards or leverage implicit work motivations to the victim for information that can be used to steal money or take control of a company account or data. One of the most common examples is when the cybercriminal poses as an IT employee asking for or offering technical support.

Many social engineering schemes happen daily. Like all strategies, some techniques are more well-known than others. However, unlike other cyberattacks, human interaction is a critical component of social engineering, which should make you think more carefully about your daily interactions on the internet. These attacks underline the importance of understanding that attacks are much harder to identify and often dupe employees in the early stages of a much larger cyber campaign.

Training is Key to Proactive Defense Against Social Engineering

Employees are your organization’s first line of defense regarding protection from social engineering methods. If employees are not appropriately trained against these tactics, your security software can only defend you until someone clicks on a malicious link.

Yes, there are ways to hunt these threats before they take over your IT network, but it’s best to think proactively and put the fire out at the source.  Finding and implementing the right Proactive Defense Program will empower employees with skills to find and report suspicious activity. These are not just one-off sessions that overwhelm employees with the information they soon will forget. It’s consistent training that creates a positive cybersecurity culture within the organization.

Training needs to be persistent and delivered in small doses throughout the year for information retention. Proactive Defense Programs use real-life de-weaponized attack campaigns to test employees. In addition, implementing training ensures your organization complies with set industry regulations and set policies and tracks and trains high-risk users.

What’s Next?

Now that you have this new information, you might wonder, what’s next? The best advice when attempting to combat social engineering threats is to know the signs and prioritize implementing a Proactive Defense Program throughout your company. Social engineers manipulate feelings and human logic to lure victims into their traps. As a result, we must be wary of what we open, click, and interact with while navigating our online experiences. Always remain alert and trust your gut instinct; if something doesn’t feel right, nine times out of ten, it isn’t right.