Blog posts, webinars, and guides exploring ransomware prevention tips and platform capabilities against these attacks.

A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos

By: Max Bernal, Technical Content Writer, and Adlumin’s Threat Research Team

A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos is part of Adlumin’s Threat Bulletin Series.

In early September 2023, Caesars Entertainment in Las Vegas experienced a major cyberattack. The threat actors used a combination of social engineering tactics and ransomware to breach the casino’s networks and steal sensitive data. On September 10, another gambling conglomerate, MGM Resorts International, experienced a cyberattack by threat actors in the ALPHV ransomware-as-a-service (RaaS) group. The two attacks cost the casinos millions of dollars in losses.

Caesars Entertainment Cyberattack

Caesars Entertainment’s SEC filing on September 7, 2023, stated that it had suffered a social engineering attack “on an outsourced IT support vendor used by the company.” The exact date of the cyberattack was not disclosed, nor who carried out the assault.

In the filing, Caesars also stated that the cyberattack did not impact customer-facing operations like slot machines, guest services, and other services but that among the data stolen, the threat actor(s) had acquired a copy of the loyalty program database, which included member driver’s license and Social Security numbers.

Caesars also disclosed that it had taken steps to “ensure that the stolen data [was] deleted,” implying that it had paid a ransom. Numerous news outlets, including Bloomberg, reported that the company paid “tens of millions of dollars.”[1] Other news outlets, including CNBC, reported that Caesars paid $15 million.[2]

The company did not provide specific details on how the social engineering attack was carried out or identify the cybercriminal(s) by name. However, numerous news reports published statements from sources “familiar with the matter” that pinned the attacks on a hacker group called Scattered Spider, also known as “Scattered Swine,” “Muddled Libra,” and UNC3944 (by Mandiant), which is likely affiliated with the ALPHV ransomware group.

The threat actor group is known for its sophisticated social engineering techniques and the ability to target and bypass Okta login security services.

MGM Resorts International Cyberattack

On September 12, 2023, MGM Resorts International issued a statement via PR Newswire stating that it had “identified a cybersecurity issue affecting the company’s systems.”[3] MGM also stated that it had notified law enforcement and was working to protect its networks and data, including by “shutting down certain systems.”

According to the Associated Press, MGM began experiencing disruptions on Sunday, September 10,[4] and its reservations website was down that day. Soon after, numerous other media outlets reported that slot machines were out of service or displaying errors across MGM-owned casinos, including the MGM Grand, Bellagio, Aria, Mandalay Bay, Delano, Cosmopolitan, New York-New York, Excalibur, and Luxor. It was also reported that thousands of guests had to wait in long lines for hotel check-in and that credit card point-of-sale systems were down, forcing guests to pay in cash.[5]

However, some of the same news outlets published statements from unvetted sources claiming that the attack on MGM was carried out by the “same threat actors” that attacked Caesars Entertainment, Scattered Spider. On September 14, the ransomware-as-a-service (RaaS) group ALPHV issued a rare statement claiming sole responsibility for the attack and condemned news media and cybersecurity firms for publishing “false” and “unsupported” details on the attack.

“The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets decided to falsely claim that we had claimed responsibility for the attack before we had,” part of the statement read. “Tech Crunch & others: neither you nor anybody else was contacted by the hacker who took control of MGM. Next time, verify your sources more thoroughly, or at the very least, give some hint that you do.” 

In an earlier version of the statement, ALPHV had also distanced itself from the Twitter/X account, “vx-underground,” which had published a post on September 12 stating that the attack was carried out by looking up employee information on LinkedIn and that a 10-minute phone call to the company’s help desk was all it took to “defeat” the multi-million-dollar company.

Numerous news outlets erroneously believed the threat actors themselves had published the post to explain how they gained access to MGM’s networks, and used it in their reporting.


1. Screen capture of the 9/12/2023 post published by vx-underground.

At some point, ALPHV removed the reference to “vx-underground” and issued another update:

“As of September 16, 2023, we have not spoken with journalists, news organizations, Twitter/X users, or anyone else. Any official updates are only available on this blog. You would think that after the tweet below, people would know better than to believe anything unreliable they would hear about this incident. If we talk to a reporter, we will share it here. We did not and most likely won’t,” ALPHV wrote.

The Adlumin Threat Research Team cannot confirm what tactics ALPHV used to break into MGM servers nor provide more details on the attack until MGM discloses what transpired.

According to ALPHV’s statement, the group was able to deploy ransomware once inside MGM’s network, encrypting about 100 ESXi hypervisors at the onset of the attack. The group also alluded to targeting the casino’s Okta services.

MGM resumed normal customer-facing operations on September 20. According to news reports, MGM lost about $8 million each day its systems were down, which adds up to $40 million.[6]

Adlumin contacted MGM for more details on the attack, but the company only referred us to their original September 12 statement.

Recommendations

How to Protect Yourself from Social Engineering

Verify

In Caesars Entertainment’s case, a simple vishing tactic, where a cybercriminal attempts to obtain information via phone call, was used to impersonate a legitimate employee and request a password reset. How? While the exact details are still unclear, we can surmise that personally identifiable information (PII) was obtained by the threat actors and used to reset an account.

An organization’s IT or cybersecurity department should verify an individual’s identity using information that cannot be found on social platforms, such as a unique company-issued ID, and not just a full name and date of birth. If the caller can provide all the correct information, you may need to think outside the box: what are the circumstances surrounding this request? Is the caller actually experiencing the issue they describe? For example, if the caller asks for a password reset due to an ‘account lockout,’ verify that the account really is locked out before proceeding with assistance. Most organizations have an internal communications platform for employee-to-employee messaging, and some keep a call roster with employees’ personal numbers. Use it: reach the employee through that known channel and confirm that they are the one contacting you.
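The same check, that the account really was locked out before a reset was granted, can also be applied after the fact as a detection. The following is an added example, not code from the Adlumin post, that correlates Windows Security events 4724 (an attempt was made to reset an account’s password) with 4740 (a user account was locked out, logged on the domain controller): a help-desk reset with no lockout of that account within the preceding hour is flagged for out-of-band verification. The log line format, the sample events, the account names and the one-hour window are constructed assumptions for the example.

```python
"""Flag help-desk password resets that were not preceded by a real lockout.

Added example (not from the Adlumin post). It encodes the advice "verify that
the account is locked out before proceeding" as a detection over Windows
Security events: 4740 (account locked out) and 4724 (attempt to reset an
account's password). The line format is a simplified, constructed one:
"<ISO timestamp> <event id> target=<account> actor=<account>".
"""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
SAMPLE_LOG = """\
2023-09-05T09:02:11 4740 target=jdoe actor=-
2023-09-05T09:10:45 4724 target=jdoe actor=helpdesk01
2023-09-05T13:41:02 4724 target=asmith actor=helpdesk02
2023-09-05T14:00:00 4740 target=bwong actor=-
2023-09-05T16:30:00 4724 target=bwong actor=helpdesk01
"""

LOCKOUT = "4740"  # A user account was locked out
RESET = "4724"    # An attempt was made to reset an account's password


def parse_events(text):
    """Parse constructed log lines into dicts; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        events.append({"ts": datetime.fromisoformat(parts[0]), "id": parts[1], **fields})
    return events


def unverified_resets(events, window=timedelta(minutes=60)):
    """Return (timestamp, target, actor) for each 4724 reset with no 4740
    lockout of the same target account within `window` before it."""
    lockouts = {}  # target account -> lockout timestamps seen so far
    flagged = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == LOCKOUT:
            lockouts.setdefault(e["target"], []).append(e["ts"])
        elif e["id"] == RESET:
            recent = [t for t in lockouts.get(e["target"], [])
                      if timedelta(0) <= e["ts"] - t <= window]
            if not recent:
                flagged.append((e["ts"].isoformat(), e["target"], e["actor"]))
    return flagged


if __name__ == "__main__":
    for ts, target, actor in unverified_resets(parse_events(SAMPLE_LOG)):
        print(f"{ts} reset of {target} by {actor}: no lockout in the prior hour, verify out of band")
```

In the sample, jdoe’s reset follows a lockout eight minutes earlier and is not flagged; asmith had no lockout at all and bwong’s lockout was two and a half hours before the reset, so both are reported. In a SIEM the same join is expressed as a correlation rule; the flagged resets are the ones a help desk should confirm by calling the employee back.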

Training

Training is the most crucial defense against social engineering tactics. With incidents happening daily, remaining vigilant is essential. However, mere vigilance is not enough; frequent proactive security awareness training is vital to mitigate this type of threat. By consistently providing training, users gain a deeper understanding of the risks and measures to counter social engineering attacks.

This continuous education keeps cybersecurity at the forefront of their minds, ensuring they are better equipped to identify and respond to potential threats. Employing various training techniques and approaches helps to reinforce key principles and enhance overall cybersecurity proficiency among users. By prioritizing proactive cybersecurity awareness programs, organizations can establish a culture of security awareness and significantly reduce the propensity for successful social engineering attacks.

How Adlumin Can Help Protect Your Organization

Proactive Security Awareness: Adlumin offers a managed Proactive Security Awareness Program, which, as stated previously, is the best defense to counter social engineering tactics. Adlumin will develop and run monthly customized phishing simulations to educate and equip your users on how to identify phishing attempts. Learn more here.

Illuminate Threats and Eliminate Risks

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign up for a free trial.

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts. Join our community and be part of the frontlines against cyber threats.


Cybersecurity Time Machine Series: The Evolution of Threat Actors

By: Brittany Holmes, Corporate Communications Manager 

In an interconnected world, the digital landscape has become the breeding ground for opportunities and dangers. Cybercriminals have taken advantage of this evolution every step of the way and have become more prevalent. As a result, all organizations are now targets. Staying one step ahead is imperative. For organizations to protect themselves and their assets effectively, they need to understand how threat actors adapt and refine their strategies.

The 2023 Cybersecurity Awareness Month theme celebrates 20 years of cybersecurity awareness. In keeping with that theme, we want to look back on the past 20 years and shed light on the evolution of a few prominent threat actors.

Threat Actors in The Early 2000s 

During the early 2000s, the internet was crawling with cybercriminals and script kiddies as primary threat actors. A script kiddie is a cybercriminal who uses existing code or computer scripts to hack into a computer. They usually lack the knowledge to come up with it on their own.

Motivated by a thirst for knowledge and the desire to showcase their technical skills, these individuals exploited vulnerabilities across networks. Their targets varied, encompassing everything from corporate entities to personal computing systems. Using a wide range of techniques, script kiddies mimicked the actions of their more experienced counterparts on a less sophisticated level. As time went on, their motivations began shifting towards financial gain.

As a result, advanced phishing and malware attacks started gaining traction within the digital world. These malicious actors honed their skills in deceiving unsuspecting individuals, often using highly sophisticated techniques to harvest personal information and turn it into profits. This transition marked a turning point in the world of cyber threats, setting the stage for more organized and financially driven attacks in the years to come.

Rise of Nation-State Actors 2005-2010 

The rise of nation-state actors has significantly impacted cybersecurity. One trend is the emergence of state-sponsored cybercriminals, who are employed by governments to sabotage operations and carry out cyber espionage. These cybercriminals are motivated by various factors, including gathering intelligence, financial gain, and gaining a competitive edge in certain industries. Their targets often include government agencies, defense contractors, and critical infrastructure.  

Two Notable Cyberattacks: 

  • In 2007, Estonia experienced a massive wave of distributed denial-of-service (DDoS) attacks, believed to be orchestrated by Russia in response to a diplomatic dispute.  
  • In 2010, the Stuxnet worm created a new era of cyber warfare by targeting industrial control systems (ICS) used in Iran’s nuclear program. It was later revealed to be a joint effort by the United States and Israel. 

These incidents demonstrate the extent to which countries are now leveraging cyberattacks as a strategic tool for achieving their geopolitical goals.

Rise of Hacktivist Groups (2010-2015) 

Between 2010 and 2015, groups such as Anonymous and LulzSec came onto the scene. Their targets and motivations were wide-ranging, as they aimed to challenge authority, expose secrets, and promote freedom of information. Using tactics like data breaches and DDoS attacks, these groups looked to disrupt and damage the systems and credibility of their targets. 

Two Notable Hacktivist Groups:

  • Anonymous, founded in 2003, is a group that often attacks with a justice philosophy in mind. They targeted corporations, governments, and organizations that they thought were corrupt, oppressive, or unethical. Their actions included taking down the websites of major financial institutions during the Occupy Wall Street movement.  
  • LulzSec focused on causing chaos and amusement within the online community. Operating as a small team of cybercriminals, they deployed various cyberattacks targeting high-profile organizations like PBS, Fox, the X Factor, and individuals. Their motivations were often driven by the pursuit of “lulz,” or laughter, as they exposed vulnerabilities.

Ultimately, hacktivist groups demonstrate cyber activism to challenge authority and expose injustices. Their actions, whether through DDoS attacks or data breaches, highlighted the potential power of the internet in promoting transparency and holding institutions accountable. This period also raised questions about the lines between activism, vigilantism, and criminal activity, forcing governments and corporations to adapt their cybersecurity measures in response to this new digital landscape.

Shift Towards Advanced Persistent Threats (APTs) and Ransomware (2015-Present) 

Over the past few years, we have seen a significant shift in threats with a rise in APT groups. These groups have a specific goal and aim to infiltrate and maintain long-term access to systems and networks. Another growing threat in the cyber landscape is ransomware attacks. Unlike APTs, ransomware attacks focus on quickly encrypting or disabling systems and data until a ransom is paid. The motive behind these attacks is usually financial gain. Ransomware groups target small and large businesses alike. What is particularly concerning about ransomware attacks is the evolution and sophistication of the strains being used.

Notable APT Examples:

  • Deep Panda: This group mainly targets US government institutions looking to steal intellectual property and state secrets. They focus on high tech, education, legal services, telecommunications, finance, energy, and pharmaceuticals. They have been known to be highly organized and remain undetected on networks for months at a time.  
  • GhostNet: GhostNet was a large-scale cyber spying operation that tricked users into downloading a malicious file. Once the user interacted with the file, a remote access trojan known as ‘Gh0st RAT’ was installed on their computer. The operation is known to have breached over 1,200 computers belonging to foreign ministries, government offices, and embassies in 103 countries.

These attacks often target governments, corporations, and other high-value organizations, stealing sensitive information or conducting espionage.

Notable Ransomware Attacks:

  • WannaCry: In 2017, this malicious software spread globally across Windows systems, encrypting files and demanding a ransom to restore access. The attack hit hundreds of thousands of computers in over 150 countries.
  • LockBit: In 2019, LockBit deployed advanced encryption algorithms to make files inaccessible and displayed a ransom note demanding payment. Delivery methods vary, including unauthorized network access, phishing emails, and software vulnerabilities. Its use of double-extortion methods sets LockBit apart from other ransomware.

The overall evolution of threat actors will continuously change and become more sophisticated. They are growing in scale, posing a significant risk to organizations of all sizes. Educating yourself and your organization on the latest threat actors can help prepare you.  

Take Proactive Security Measures 

The past two decades have shown a significant evolution in the cybersecurity landscape, particularly in the sophistication and complexity of threat actors. The market has shifted and now every organization, big or small, is a target. Organized groups have emerged, adding a new level of threat to mid-market organizations that previously believed they were too small to be targeted. The financial gains associated with cyber threats have become the main motivator, and it is crucial to recognize the evolving nature of these attacks in order to stay protected.  

Stay tuned for our blog next week to explore the next steps to protect your organization from cyber threats. 


Adlumin’s Spot the Lurker Challenge 

Unleash the power of knowledge and stand a chance to win big in the ‘Defeat the Lurker’ contest. Download Adlumin’s 2023 Threat Report Round-Up, shine a light on hidden threats and equip yourself with the tools to protect your network while entering for a chance to win amazing prizes. 





Trending Ransomware Attacks and How to Stop Infection Before Payment

By: Brittany Demendi, Corporate Communications Manager

With the rise of ransomware attacks, it is more important than ever to be proactive when it comes to protecting your organization’s devices and networks. Knowing about the various types of ransomware, such as LockBit, BlackCat, and Medusa, is important. Additionally, it is essential to understand how ransomware affects a system and device, and the steps you should take to detect and stop ransomware before it is too late.

In this blog, we will discuss some of the most dangerous and widespread ransomware attacks, how they affect a system, and the steps you should take to prevent them from wreaking havoc on your organization.

Trending Ransomware Attacks

The following section references trending ransomware attacks/gangs from Adlumin’s Threat Research Team.

LockBit:

LockBit is malicious software that blocks users’ access to their computer systems in exchange for a ransom payment. LockBit will automatically spread the infection, vet for other valuable targets, and encrypt systems on the network. Attackers have targeted organizations globally and have made their mark by threatening data theft, extortion, and operational disruption.

It is a self-spreading type of malicious software that does not require manual direction from the attacker. In addition, it uses tools like Server Message Block (SMB) and Windows PowerShell to target an organization’s users rather than spreading indiscriminately like spam malware.

LockBit attacks in three stages:

  1. Exploit
  2. Infiltrate
  3. Attack

BlackCat:

BlackCat, also known as ALPHV, has been deemed one of the most threatening and sophisticated types of malware in recent years. BlackCat operates as ransomware-as-a-service (RaaS). Although its activity has declined, BlackCat remains dangerous, targeting organizations globally with triple-extortion tactics. Cybercriminals use a malware-infected email or website link to lure in victims, after which the malware quickly spreads across an entire system.

After BlackCat attackers gain initial access to a network, they begin a lateral movement phase, identifying sensitive data to encrypt later. The malware is difficult to remove and will attempt to disable anti-virus software and other security measures. The attackers will also modify system files and settings to make recovery more complex.

One of the main differences between BlackCat and other types of ransomware is that it is written in the Rust programming language. Use of this language has increased because it is stable and fast, offers better memory management, and helps the malware evade existing detection capabilities. BlackCat can also run on non-Windows operating systems like Linux.

Medusa:

Medusa has been picking up media coverage this past year with increased activity and the launch of its ‘Medusa Blog,’ where it leaks data from victims who do not pay a ransom. The group targets organizations globally and demands millions in ransom.

Medusa is known to shut down over 280 Windows processes and services, including database servers, backup servers, and security software, that would otherwise prevent files from being encrypted. The group claims to exfiltrate data from organizations and performs a double-extortion attack, in which the threat actor encrypts compromised systems and then releases or sells the data publicly on its blog. Since the group is relatively new, additional capabilities are still being discovered.

How Ransomware Affects a System or Device

Ransomware is delivered through several different methods to infect an organization’s devices or network. Some of the most common ransomware infection vectors include:

  • Social Engineering Attacks and Phishing Emails: Phishing emails entice employees and other victims to download and run malicious attachments, which contain ransomware disguised as a link, PDF, or Word document. An attacker can access the system once that link or attachment is opened or downloaded. IBM recently reported that 45% of all ransomware attacks successfully infiltrate through a phishing email or a social engineering tactic.
  • Account Compromise: Cybercriminals buy authorized users’ credentials on the dark web, steal them, or obtain them via brute force. They then use the credentials to log into a computer or network and deploy ransomware directly. A widespread technique is using stolen credentials over Remote Desktop Protocol (RDP) to access a victim’s computer remotely.
  • Software Vulnerabilities: It is common for cybercriminals to exploit software vulnerabilities by injecting malicious code into the network or device. Attackers know how common it is for organizations not to have everything patched, making known vulnerabilities the easiest point of entry and the technique around which they plan their attack.

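The brute-force-then-RDP pattern described under Account Compromise above is visible in ordinary Windows Security events. The following is an added example, not code from the Adlumin post: it reads logon events and flags any account that saw repeated 4625 failed logons with logon type 10 (RemoteInteractive, i.e. RDP) from one source address and then a 4624 success from that same source. The JSON-lines format, the sample records, the addresses (taken from documentation ranges) and the threshold of five failures within ten minutes are constructed assumptions for the example.

```python
"""Detect credential brute force over RDP followed by a successful logon.

Added example (not from the Adlumin post). Windows logs a failed logon as
event 4625 and a successful one as 4624; logon type 10 (RemoteInteractive)
is the type used by RDP sessions. Input is constructed JSON lines of the
kind a SIEM export might produce; field names are an assumption.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624

# Constructed sample records (not real telemetry); 203.0.113.0/24 is a documentation range.
SAMPLE_JSONL = """\
{"ts": "2023-09-10T02:00:01", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"}
{"ts": "2023-09-10T02:00:02", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"}
{"ts": "2023-09-10T02:00:03", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"}
{"ts": "2023-09-10T02:00:04", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"}
{"ts": "2023-09-10T02:00:05", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"}
{"ts": "2023-09-10T02:00:06", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"}
{"ts": "2023-09-10T02:00:09", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"}
{"ts": "2023-09-10T08:15:00", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.0.5"}
{"ts": "2023-09-10T08:15:20", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.0.5"}
{"ts": "2023-09-10T09:00:00", "event_id": 4624, "logon_type": 2, "user": "asmith", "src_ip": "-"}
"""


def parse_jsonl(text):
    """Parse JSON lines into event dicts with a real datetime, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def brute_force_successes(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per RDP success that was preceded, from the same
    source and for the same account, by at least `threshold` failures
    within `window`. Non-RDP logon types are ignored."""
    failures = defaultdict(list)  # (src_ip, user) -> failure timestamps
    findings = []
    for e in events:
        if e.get("logon_type") != RDP_LOGON_TYPE:
            continue
        key = (e["src_ip"], e["user"])
        if e["event_id"] == FAILED_LOGON:
            failures[key].append(e["ts"])
        elif e["event_id"] == SUCCESSFUL_LOGON:
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"src_ip": key[0], "user": key[1],
                                 "failures": len(recent),
                                 "success_ts": e["ts"].isoformat()})
            failures[key].clear()  # a success ends the current burst
    return findings


if __name__ == "__main__":
    for f in brute_force_successes(parse_jsonl(SAMPLE_JSONL)):
        print(f"{f['success_ts']} {f['user']} from {f['src_ip']}: "
              f"{f['failures']} failed RDP logons then success; disable account and isolate host")
```

Only svc_backup is reported: six failures from one source in eight seconds, then a success. jdoe’s single typo before logging in stays below the threshold, and the interactive (type 2) logon is never considered. Tuning the threshold and window to the environment is what separates this from noise; a success after a long burst of failures is the moment to disable the account and review what the session did.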
Detection Before Ransomware Execution

One of the most important steps for all organizations to protect themselves from ransomware is taking a proactive approach to cybersecurity by investing in the right solutions and technologies. In conjunction with a Security Operations Platform and Managed Detection and Response Services, implementing a solution specific to ransomware adds multiple layers of protection to an organization to proactively block ransomware from executing. If signs of a ransomware attack are detected, the attack can be stopped before the files are encrypted.

Typically, when a ransomware attack occurs, removing the ransomware alone does not give you access to your files again; without the decryption key, you still need a way to restore them that does not involve paying the ransom. A multilayer ransomware defense solution stops the ransomware before that stage is ever reached. These solutions are not a replacement for threat management solutions but a necessary addition that enhances your cybersecurity protection.

Adlumin’s threat experts work as an extension of your security team and can detect ransomware before havoc is wreaked, reducing an event’s impact. They can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign up for a free trial.

Cyber Tide Season 1, Episode 6: Knowing Your Cyber Adversary: The Latest on Ransomware

On this week’s episode of Cyber Tide, VP and Chief of Strategy Mark Sangster and Co-founder and EVP Tim Evans are joined by Kevin O’Connor, formerly of the U.S. National Security Agency (NSA) and now Director of Threat Research at Adlumin. Listen in as O’Connor dives deep into the latest 2023 Threat Report, examining the rise of advanced persistent threats, emerging trends, and the changing tactics of adversaries.

Learn more about the increase in ransomware attacks and the strategies you can use to protect yourself from them. Don’t miss this essential episode as these experts uncover the world of threats lurking in dark corners.

You can subscribe to CyberTide via Apple and Spotify.

About the Cyber Tide Series

Dive beneath the surface of infamous cybersecurity attacks to learn the means and motives of cyber adversaries. In each episode, we invite an expert to reveal the contributing factors and costs of cyber incidents and how your firm can protect itself from business-disrupting cyberattacks.

The Need to Know: Black Basta Ransomware Gang

By: Mark Sangster, Chief of Strategy, and Kevin O’Connor, Director of Threat Research

Virulent Ransomware Gang Has Ties to FIN7 State-Sponsored Group

Discovery of Ransomware Gang FIN7

I discovered a rather clever adversary targeting investment firms in New York almost ten years ago. At the time, the group used Microsoft macros to launch a fake Windows log-in pane to harvest credentials. Once an account was compromised, the adversaries would use it to send the phishing to the next victim. From that account, they moved to the next, and so on, until they captured key accounts at 70 funds. The number might sound small, but these firms managed billions in funds, so much so that the Securities and Exchange Commission (SEC) was concerned about a campaign to destabilize the economy, which was slowly crawling back from the 2008 subprime lending market collapse. The Russian-affiliated group was eventually labeled FIN7.

Black Basta Ransomware Gang Emerges

Fast forward to the present, and FIN7 crosses my desk. Yahoo! Finance asked me to comment on several ransomware attacks on food services and a grocery chain. It turns out the culprit, another Russian gang, Black Basta, had left its ransomware mark on over 50 victims since April of this year. According to SentinelOne research, there are trademark FIN7 (also called Carbanak) tactics and tools, including evasion tools and backdoor malware.

While FIN7’s original focus was financial data and institutions, a shift to a broader market of associations and the food industry is no surprise. Destabilizing the food supply or heating utilities in the winter tends to create social angst and lead to eroded faith in the government’s ability to protect its citizens. While groups like Black Basta are primarily driven by financial gain, ideological impact as a byproduct is a free benefit.

A Political Big Brother: Russia

Given the hostilities in Ukraine, Russian retaliation against western countries providing support to Ukraine was deemed fair game for cybercriminals (like they were ever offside). Many of these groups (like Black Basta) either operate with impunity in Russia or some level of collusion or coordination with Russian agents.

FIN7 and Black Basta share more than ideology: a political big brother to protect them, and the organizations they target. FIN7 technology brought nation-state capabilities to smaller ransomware gangs before ransomware-as-a-service (RaaS) was a thing. They set the benchmark for researching their targets and using tactics that emulate insiders or actors who appear to be “in the know” of confidential information.

Ransomware Tactics Used

Ransomware gangs like Black Basta leverage multi-extortion techniques (not unique to them), with enviable defense evasion and late-manifesting symptoms that hide their presence until the ransomware detonates. They also rely on commodity malware and living-off-the-land techniques, including the ever more popular Qakbot, PowerShell, WMI, netcat (used for lateral tunneling), Mimikatz, Cobalt Strike, and Coroxy. They’re also known for using the PrintNightmare vulnerability (CVE-2021-34527) for lateral movement, and for a Linux variant that runs against VMware hypervisors to encrypt multiple hypervisor-hosted systems at once.

While sophisticated, they still rely on unpatched vulnerabilities, broad administrative access, and unguarded entry points. Think of Black Basta as master chefs who make excellent meals from reliable ingredients. Similarly, their file encryption, ChaCha20 with its key protected by a robust RSA-4096 key, still requires administrative privilege to execute.

Now What? CIS Controls to Implement

It’s a good news / bad news story. The bad news is that one of the most sophisticated ransomware gangs is back on the prowl. The good news is that they are mortal and can be stopped. They still use conventional tactics to infiltrate their targets: open vulnerabilities, unencrypted remote access points, exposed credentials, and over-provisioning administrative privilege. All of these tactics are detectable. Unfortunately, your insurance firm’s paneled incident response firm usually finds them as part of your claim.

The Center for Internet Security (CIS) is an excellent place for organizations to build a strong cybersecurity posture. CIS provides 18 controls for organizations of all sizes to safeguard data and mitigate cyber-attacks or ransomware attacks against their networks and systems. Here are just a few to get started with:

CIS Security Controls

  • CIS Control 7: Continuous Vulnerability Management (CVM)
    • CVM is one of the 18 controls; it closes the gap between periodic security assessments and actual risk reduction. Understanding and managing vulnerabilities is a continuous activity requiring resources, time, and attention. CVM assesses and tracks vulnerabilities on all enterprise assets within the infrastructure and drives remediation, minimizing the window of opportunity for cybercriminals.
  • CIS Control 8: Audit Log Management
    • Audit log management is the process of recording activity across an organization’s software systems. Audit logs document each occurrence of an event, the impacted entity, when it occurred, and who is responsible. In addition, compliance regulations require logs to be kept for a certain amount of time. Ensuring that organizations collect, review, retain, and alert on audit logs helps them recover from an attack more quickly.
  • CIS Control 14: Proactive Security Awareness
    • Employees are every organization’s first line of defense. It is critical to arm them with the knowledge and skills to properly identify and report any suspicious activity. A Proactive Security Awareness Program gives employees the needed expertise. Security software can only defend for so long until someone clicks a malicious link; take the proactive approach.
  • CIS Control 18: Penetration Testing
    • A penetration test, or ‘ethical hacking,’ evaluates the security of a system by attempting to breach its availability, integrity, or confidentiality. A test provides real-world penetration scenarios covering industry-specific threat assessments, offering actionable recommendations and rapid results.

The Adlumin Advantage

As co-founder and CEO of Adlumin, Robert Johnston is fond of saying even the biggest hacks had common factors and tactics. While companies were spending millions in the wake of massive data breaches, for a fraction of that cost, they could stop these common criminal chokepoints.

The Adlumin Security Operations Platform is designed to detect sophisticated tactics used by state-sponsored actors and provide simple response capabilities to disable compromised accounts, deactivate remote access services when suspicious activity is present, and identify event manipulation like creating unreconciled users or promoting account privileges. With Adlumin, you can stop these attacks early in the life cycle and prevent them from disrupting your business.

Are Your Security Defenses Ready?

For more information, contact one of our cybersecurity experts for a demo to get started.

Human Error Continues to Drive Numbers on Cybersecurity Attacks

Checking the box on your organization’s cybersecurity training once a year doesn’t cut it anymore. Cyberattacks are rising every year, and one of the top reasons is human error. Taft dives into the best approach to managing privacy and cybersecurity and how to create a smarter, more attentive security culture.

You might think your run-of-the-mill privacy and cybersecurity training is sufficient. You might think that by “checking the box” on generic training you have fulfilled your duty and obligation to mitigate data privacy and cybersecurity attacks. You might think that general malware protection adequately secures your company’s data and you can move on with your everyday business efforts without concern. Think again. Human error continues to be the number one driver of data breaches. Over 85% of all data breaches are caused by an employee mistake. (Source: Psychology of Human Error by Stanford University Professor Jeff Hancock and Tessian, a cybersecurity firm.)

“Human error” can take many forms, from the use of stolen credentials and misuse of company information to clicking phishing or malware links. Cybercriminals and hackers have developed advanced and creative tactics in their efforts to access and steal confidential information. Malware attacks, for example, are attacks in which hackers attempt to infiltrate networks, individual computers, and mobile devices with malicious software. An unassuming click to open a link or download software is all it takes to enable a malware attack. Social engineering tactics are often used to get employees to send bank account information, provide usernames and passwords, or disclose other confidential information. Psychological manipulation is the bread and butter of social engineering. Such efforts intentionally target human interactions by tricking people into thinking they are receiving an email from a trusted source, perhaps a friend or a business partner. Email content may consist of an urgent request, portray legitimate branding to make the email appear trustworthy, request your “verification” of information, or pose as a boss or coworker. Employees need to be trained and continuously reminded to be mindful when conducting business.

Technology can only take us so far in protecting businesses and securing information from cybersecurity attacks, especially with respect to social engineering. In the hustle and bustle of everyday business, it is easy to flit from email to email, shooting off quick responses without even glancing at the subject line or the name and email address of the sender. Some of the simplest requests from a seemingly innocuous email can lead to the leak of very valuable information. Do you recognize the sender’s email address? Are there spelling mistakes in the content of the email? Is the company or individual name familiar to you? Cybersecurity attacks can be incredibly costly, causing financial, mental, and emotional heartache from the click of a button. Aside from the financial ramifications, data breaches and cybersecurity attacks may reflect negatively on your business’s reputation, cause you to lose clients or customers, and may even lead to significant litigation and hefty government fines for regulatory violations. The best approach to managing privacy and cybersecurity training is a proactive one. A primary goal should be to create a smarter, more attentive security culture within your business.

Read the full article here.

Adlumin Inc. is a patented, managed security services platform built for corporate organizations that demand innovative cybersecurity solutions and easy-to-use, comprehensive reporting tools.