Articles written by Adlumin’s Threat Research Team on emerging threats, industry stats, and defense tactics against cyberattacks.

Highlights from the New Threat Insights 2024 Volume I Report

Event details:

Thursday, April 18, 2024
1:00 PM ET

Presenters:

Mark Sangster, VP, Chief of Strategy, Adlumin
Kevin O’Connor, Director of Threat Research, Adlumin

About this Talk:

Explore the latest ransomware cyber-threat trends in this new research from the Adlumin Threat Research Team.

The Adlumin Threat Research Team has been dedicated to tracking and analyzing the most important cybersecurity trends, including ransomware. Keeping up to date with these threats can make the difference between a minor event and an operational shutdown.

Join Kevin O’Connor, Director of Threat Research, and our host, Mark Sangster, VP, Chief of Strategy at Adlumin as the pair reviews significant takeaways, trends, and vulnerabilities in the new Threat Insights 2024 Volume I report.

What you will learn:

  • Exclusive insights from Adlumin’s Threat Insights 2024 Volume I Report
  • Detailed analysis of emerging threat trends in cybersecurity, including the latest in ransomware attacks
  • Strategies to implement vulnerability management in your cybersecurity strategy
As a thank you for joining our webinar, we’ll send you our new Threat Insights 2024 Volume I report. Additionally, one lucky participant will receive a $200 Amazon gift card.


Additional Resources





Adlumin’s Threat Insights 2024: Volume I

Adlumin’s Threat Insights 2024 Volume I reveals significant trends and developments in threats, vulnerabilities, and cyberattacks faced by U.S. industries from December to February 2024. Discover three key threats, each presenting unique challenges to cybersecurity professionals.

Stay informed and proactive to defend your organization’s assets against evolving cyber threats in a dynamic landscape.

Watch a Live EvilGinx Demonstration to See How Cybercriminals Bypass MFA

Event details:

Thursday, March 21, 2024
1:00 PM EST

Presenters:

Mark Sangster, Chief of Strategy at Adlumin
Kevin O’Connor, Director of Threat Research

About this talk:

Cybersecurity professionals preach the power of multi-factor authentication (MFA), but what happens when a cybercriminal goes around it?

Join Adlumin’s Mark Sangster and Kevin O’Connor as they demonstrate MFA bypass techniques using EvilGinx 3. In this webinar, you’ll also see how attackers can leverage hijacked session cookies and EvilGinx phishlets to compromise user accounts and access. The pair will also dive into how to combat these attacks, along with the benefits of a fully visible network for cybersecurity.




Top 4 Cybersecurity Predictions to Be Aware of for 2024

The Adlumin Threat Research Team has peered into the future and unveiled their top predictions for the upcoming year.

With each passing year, hackers become more sophisticated and the consequences of a breach become more severe. To help organizations prepare for the challenges that lie ahead, we have compiled this list of the top four cybersecurity threats to be aware of.  

From the growing threat of Ransomware-as-a-Service (RaaS) to the increasing impact of AI tools, these predictions will arm IT Directors with the knowledge they need to protect their organization from potential risks. So, buckle up and prepare for the top four cybersecurity challenges in the new year. 

1. Increase in Ransomware-as-a-Service (RaaS) Attacks 

Ransomware attacks have become more sophisticated, causing financial, operational, and reputational damage to businesses and organizations. RaaS refers to the model where cybercriminals offer ransomware tools and infrastructure to other hackers, who then deploy the ransomware on their behalf. This has enabled malicious actors with less sophisticated technical skills to carry out ransomware attacks, and share the profits with the original creators.

The rise in RaaS actors is alarming because it lowers the barrier to entry, making ransomware attacks accessible to a broader range of cybercriminals. This means we can anticipate a surge in ransomware attacks as more individuals and groups access these tools. This trend threatens organizations of all sizes and sectors, as no one is immune to being targeted by ransomware attacks. 

2. Shift from Data Encryption to Data Extortion Ransomware 

Ransomware has been a long-standing top cybersecurity threat, but in the new year, a shift in its tactics is predicted. Traditionally, ransomware attacks involved encrypting victims’ data and demanding a ransom for release. However, cybercriminals are expected to focus on data extortion increasingly.

This shift means threat actors will also exfiltrate sensitive information from victims’ systems and encrypt data. They will then threaten to release or sell this data if the ransom is not paid. This new approach adds an extra layer of pressure on organizations to comply with the attackers’ demands, as the exposure of sensitive data can lead to severe consequences, including reputational damage, regulatory penalties, and legal liabilities. 

3. Increased Focus on Cyberattacks Against Hospitality   

This cybersecurity threat prediction for the new year highlights the potential increased focus on attacks targeting the hospitality industry and the expected rise in the sophistication of fraud schemes. As the hospitality sector relies heavily on technology and handles a vast amount of customer data, it has become an attractive target for cybercriminals. This prediction suggests that attackers will continue to exploit vulnerabilities in hotel networks, reservation systems, point of sale (POS) terminals, and other digital platforms to steal confidential information. 

For example, the Marriot Hotel has faced multiple cybersecurity breaches over the past couple of years. Their most recent breach resulted in losing 20 gigabytes of sensitive customer and employee data including credit card information in an extortion attempt.   

4. Increased Impact from Malicious AI Tools

The increased impact of malicious AI tools on both attackers and defenders is predicted to be a major cybersecurity threat. AI technology has evolved significantly, creating a new era in cyberattacks and defense strategies. Cybercriminals leverage AI tools to amplify the scale and sophistication of their attacks, making them harder to detect and mitigate. AI-powered malware can self-propagate, adapt, and evolve, posing immense challenges to traditional cybersecurity measures.

Organizations also protect themselves by using AI tools to enhance their security capabilities. AI can help identify and analyze threats in real-time, assist in incident response, and automate cybersecurity processes. However, these AI tools can generate false positives or negatives, leading to missed or misinterpreted threats and potentially unlocking vulnerabilities.

The use of AI on both sides creates a dynamic and rapidly evolving cybersecurity landscape. Attackers can leverage AI algorithms for advanced evasion techniques. On the other hand, defenders have the daunting task of keeping up with AI-powered attacks while navigating through potential inaccuracies or blind spots in their AI-enabled defense systems. 

Illuminate Threats and Eliminate Risks in 2024

The threat of data breaches and ransomware attacks loom over organizations of all sizes and sectors. It’s no longer a matter of if your organization will get breached or attacked with ransomware but rather when. The harsh reality is that no system is invincible, and cybercriminals are continually finding new ways to exploit vulnerabilities.

While it can be challenging for IT teams to keep pace with evolving threats, innovative technology solutions and security measures are available to alleviate the strain. Organizations can automate threat detection and prevention processes by leveraging advanced security solutions like a Security Operations Platform and pairing them with Managed Detection and Response (MDR) Services, effectively mitigating the risks associated with cyber attacks.

Through the use of AI and machine learning, these solutions analyze vast amounts of data, identify anomalies, and respond to potential threats in real-time, empowering organizations to defend against cyber threats proactively.  

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts.



Unmasking the Top Ransomware Groups of 2023

Over the past year, the digital landscape has been a battleground for attacks cybersecurity threats, creating a sense of vulnerability and urgency for organizations. Adlumin’s dedicated threat research and Managed Detection and Response (MDR) teams have been at the forefront of detecting and combating these threats, witnessing firsthand the havoc they have wreaked across countless sectors.  

With ransomware groups and adversaries still on the rise and continually refining their techniques, organizations must remain vigilant and prepared for the malicious activities that lie ahead.  

As we enter the new year, we are shedding light on the top ransomware groups and emerging threats that demand our attention and resilience. 

Ransomware Group Spotlights 

BianLian   

BianLian is a versatile cybercriminal group that has expanded its tactics beyond ransomware attacks. They employ advanced techniques such as customized malware, targeted phishing, and zero-day exploit usage. The group’s expertise is in evading antivirus systems and exploiting unknown software vulnerabilities. 

The BianLian group is a serious threat and is an example of a ransomware group targeting organizations hoping to receive big payouts. 

Read Adlumin’s latest Threat Insights 2023: Volume IV to learn more about two emerging threat actors and three critical vulnerabilities.  

CL0p 

Cl0p, also known as Clop, TA505, and FIN11, is a notorious ransomware group that is known for its advanced tactics and operations. They employ a ransomware-as-a-service (RaaS) model and utilize the double-extortion data disclosure tactic. Their motivation is financial gain through extorting organizations by encrypting their data and demanding ransom payments in exchange for its release. 

Cl0p first emerged in 2019 as a variant of CryptoMix malware distributed through a large-scale phishing campaign. Over time, they have evolved into one of the most sophisticated and effective ransomware groups, frequently exploiting zero-day vulnerabilities to target and compromise numerous systems across the globe. 

Read more about the CL0P ransomware group, trends, and developments in Adlumin’s Threat Insights 2023: Volume II

LockBit 

LockBit is a ransomware group that operates as a Ransomware-as-a-Service (RaaS) model. They provide other cybercriminals, known as “affiliates,” with their ransomware tools to spread and infect victims’ systems. LockBit’s main motivation is financial gain through extortion. They target organizations, particularly in professional services like manufacturing, construction, and technology, by accessing their networks and encrypting their data.  

A ransom payment is demanded in exchange for the decryption key, threatening to leak the stolen data if the ransom is not paid. LockBit’s focus is mainly on small to medium-sized companies. However, they have also targeted larger organizations with victims in North and South America, with no clear regional pattern in targeting.  

Adlumin’s Threat Insights: Volume I give an in-depth analysis of the latest trends and an overview of the effects and recovery from recent ransomware attacks.  

Akira Ransomware 

Akira ransomware is a relatively new malware that emerged in March 2023. The threat actors behind Akira ransomware employ various tactics, such as phishing campaigns and exploiting vulnerabilities in remote monitoring and management software, remote desktop protocol, and other remote access tools. They have also been reported to exploit vulnerabilities and compromised credentials in Cisco virtual private network (VPN) products. 

The motivation of Akira ransomware threat actors is believed to be financial gain. Like most ransomware groups, they encrypt the victim’s files and demand ransom. These ransom payments are typically made in cryptocurrencies, making tracing and identifying the perpetrators harder. 

Read more about Akira Ransomware and the examination from Adlumin’s threat research team in A Threat Actor’s Playbook: Behind the Scenes of Akira Ransomware

PlayCrypt 

Play ransomware has been a significant threat since its emergence in 2022, targeting numerous companies and government entities worldwide. This development of PlayCrypt being sold as a service means that PlayCrypt is now accessible to affiliates, essentially allowing a wider range of actors to launch highly effective attacks using this Russia-linked ransomware.  

Affiliates could include skilled cybercriminals, less experienced “script kiddies,” and individuals with varying levels of expertise. This expansion may lead to a substantial increase in the frequency of attacks using Play ransomware. 

Learn more about how Adlumin uncovered evidence that Play ransomware (PlayCrypt) is also being sold “as a service” in PlayCrypt Ransomware-as-a-Service Expands Threat from Script Kiddies and Sophisticated Attackers

Top Industry-Specific Threat Spotlights   

Legal Industry: Phishing 

Phishing attacks have emerged as one of the legal industry’s top cybersecurity threats. These attacks target lawyers and law firms by deceiving individuals into revealing sensitive information such as usernames, passwords, and financial details. Given the substantial amount of valuable and confidential data law firms handle, they have become prime targets for cybercriminals. 

Phishing attacks in the legal industry often take the form of scam emails, mimicking trusted sources like IT service providers, law enforcement agencies, or other professionals with whom lawyers regularly interact. These emails typically employ social engineering tactics to create urgency or manipulate emotions, tricking recipients into clicking on malicious links or downloading malware-infected attachments. 

Adlumin’s latest Threat Insights Legal Edition report details top threats and access methods the legal industry faces.  

Financial Industry: Credential Harvesting 

Financial institutions are particularly vulnerable to credential harvesting attacks because they deal with large volumes of sensitive customer information and transactions. If cybercriminals successfully harvest credentials from bank customers, they can gain direct access to their accounts, potentially leading to financial losses for the customers and the institution.  

These attacks typically start with creating fake websites that closely resemble legitimate banking or investment websites. These fake websites often utilize convincing branding, formatting, and domain names almost identical to the targeted companies. This mimicry is intended to deceive users into thinking they are logging into their actual financial accounts. 

Read more about top threats and access methods the financial industry faces in Adlumin’s latest Threat Insights Financial Edition report.  

 Education Industry: Double Extortion 

Double extortion ransomware has emerged as one of the biggest cybersecurity threats to the education sector. Cybercriminals employ this dangerous tactic to maximize their chances of profiting from malicious activities. Double extortion takes the already damaging effects of ransomware attacks to a whole new level. 

In a traditional ransomware attack, cybercriminals encrypt the victim’s data, rendering it inaccessible until a ransom is paid. However, double extortion ransomware goes a step further. Instead of relying solely on encryption to extort money, cybercriminals also threaten to publicly expose or release the stolen data unless the ransom is paid. 

Read more about how double extortion affects the education industry and mitigation strategies in Adlumin’s latest Threat Insights Education Edition report.  

How Can You Stay Protected? 

Organizations must prioritize their cybersecurity and take proactive measures to protect their sensitive data and networks. Adlumin’s Managed Detection and Response (MDR) service provides a solution to address the growing threat of ransomware and other cyber attacks.  

Here are a few recommendations from Adlumin’s Threat Research Team 

  • Third-party risk management programs should be implemented to assess and monitor the security of vendors and suppliers, and to ensure they are adhering to the same security standards as the financial institution. 
  • Implement application controls to manage and control the execution of software, including allowlisting access programs. 
  • Adopting Zero Trust Architecture, developing and implementing a Zero Trust security architecture and model for your organization can dramatically reduce the risk of unauthorized access and lateral movement within networks. This involves verifying every user and device, regardless of location.  
  • Multi-factor authentication should be implemented where possible to prevent unauthorized access if credentials are stolen. 
  • All employees should be regularly trained in essential cybersecurity best practices, including social engineering identification, phishing, password security, re-use threats, and good browsing hygiene.   

Adlumin’s Managed Detection and Response (MDR) Services combines advanced threat detection capabilities with a team of dedicated experts who monitor and respond to suspicious activities around-the-clock. By incorporating machine learning and AI, Adlumin can quickly detect and respond to potential threats before they cause significant damage. In addition to consistently monitoring ransomware groups’ latest trends and tactics, enabling organizations to stay ahead of their attackers. 

Take the Tour

Discover how Adlumin’s Security Operations Platform paired with MDR Services empowers your team to effectively detect and respond to threats and lightens your team’s workload. Take the platform tour and elevate your organization’s visibility to new heights. 

A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos

By: Max Bernal, Technical Content Writer, and Adlumin’s Threat Research Team

A Threat Actor’s Playbook: 2023 Cyberattacks on Caesars Entertainment and MGM Casinos is a part of Adlumin’s Threat Bulletin Series content series.

In early September 2023, Caesars Entertainment in Las Vegas experienced a major cyberattack. The threat actors used a combination of social engineering tactics and ransomware to breach the casino’s networks and steal sensitive data. On September 10, another gambling conglomerate, MGM Resorts International, experienced a cyberattack by threat actors in the ALPHV ransomware-as-a-service (RaaS) group. The two attacks cost the casinos millions of dollars in losses.

Caesars Entertainment Cyberattack

Caesars Entertainment’s SEC filing on September 7, 2023, stated that it had suffered a social engineering attack “on an outsourced IT support vendor used by the company.” The exact date of the cyberattack was not disclosed, nor who carried out the assault.

In the filing, Caesars also stated that the cyberattack did not impact customer-facing operations like slot machines, guest services, and other services but that among the data stolen, the threat actor(s) had acquired a copy of the loyalty program database, which included member driver’s license and Social Security numbers.

Caesars also disclosed that it had taken steps to “ensure that the stolen data [was] deleted,” alluding that it had paid a ransom. Numerous news outlets, including Bloomberg, reported that the company paid “tens of millions of dollars.”1 Other news outlets, including CNBC, reported that Caesars paid $15 million.2

The company did not provide specific details on how the social engineering attack was carried out or identify the cybercriminal(s) by name. However, numerous news reports published statements from sources “familiar with the matter” that pinned the attacks on a hacker group called Scattered Spider, also known as “Scattered Swine,” “Muddled Libra,” and UNC3944 (by Mandiant), which is likely affiliated with the ransomware group, ALPHV.

The threat actor group is known for its sophisticated social engineering techniques and the ability to target and bypass Okta login security services.

MGM Resorts International Cyberattack

On September 12, 2023, MGM Resorts International issued a statement via PR Newswire stating that it had “identified a cybersecurity issue affecting the company’s systems.”3 MGM also stated that it had notified law enforcement to help protect networks and data, including by “shutting down certain systems.”

According to the Associated Press, MGM began experiencing disruptions on Sunday, September 10,4 and its reservations website was down that day. Soon after, numerous other media outlets reported that slot machines were out-of-service or were displaying errors across MGM-owned casinos, including at the MGM Grand, Bellagio, Aria, Mandalay Bay, Delano, Cosmopolitan, New York-New York, Excalibur, and Luxor. In addition, it was reported that thousands of guests had to wait in long lines for hotel check-ins and that credit card point of sales systems were down, forcing guests to pay cash.5

However, some of the same news outlets published statements from unvetted sources citing that the attack on MGM was carried out by the “same threat actors” that attacked Caesars Entertainment, Scatted Spider. On September 14, the ransomware-as-a-service (RaaS) group ALPHV issued a rare statement claiming sole responsibility for the attack and condemned news media and cybersecurity firms for publishing “false” and “unsupported” details on the attack.

“The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets decided to falsely claim that we had claimed responsibility for the attack before we had,” part of the statement read. “Tech Crunch & others: neither you nor anybody else was contacted by the hacker who took control of MGM. Next time, verify your sources more thoroughly, or at the very least, give some hint that you do.” 

In an earlier version of the statement, ALPHV had also distanced itself from the Twitter/X account, “vx-underground,” which had published a post on September 12 stating that the attack was carried out by looking up employee information on LinkedIn and that a 10-minute phone call to the company’s help desk was all it took to “defeat” the multi-million-dollar company.

Numerous news media erroneously believed the threat actors had published the post to explain how they gained access to the MGM networks and used it in their reporting.  


1. Screen capture of the 9/12/2023 post published by vx-underground.

At some point, ALPHV removed the reference to “vx-underground” and issued another update:

“As of September 16, 2023, we have not spoken with journalists, news organizations, Twitter/X users, or anyone else. Any official updates are only available on this blog. You would think that after the tweet below, people would know better than to believe anything unreliable they would hear about this incident. If we talk to a reporter, we will share it here. We did not and most likely won’t,” ALPHV wrote.

The Adlumin Threat Research Team cannot confirm what tactics ALPHV used to break into MGM servers nor provide more details on the attack until MGM discloses what transpired.

According to ALPHV’s statement, the group was able to deploy ransomware once inside MGM’s network, encrypting about 100 ESXi hypervisors at the onset of the attack. The group also alluded to targeting the casino’s Okta services.

MGM operations resumed normal customer-facing operations on September 20. According to news reports, MGM lost about $8 million each day its servers were down, which adds up to $40 million.6

Adlumin contacted MGM for more details on the attack, but the company only referred us to their original September 12 statement.

Recommendations

How to Protect Yourself from Social Engineering

Verify

In Caesars Entertainment’s case, a simple vishing tactic, where a cybercriminal attempts to obtain information via phone call, was used to impersonate a legitimate employee and request a password reset. How? While the exact details are still unclear, we can surmise that personally identifiable information (PII) was obtained by the threat actors and used to reset an account.

An organization’s IT or cybersecurity department should verify an individual’s identity using information that cannot be found on social platforms, such as a unique company-issued ID, and not just a full name and date of birth, for example. If the individual calling can provide you with all the correct information, you may need to think outside the box; what are the circumstances surrounding this issue? Is the caller experiencing the issue they’re asking about? For example, if the caller asks for a password reset due to an ‘account lockout,’ you should verify that the account is locked out before proceeding with assistance. Most organizations have a form of internal communications platform used for employee-to-employee messaging and the like. Some organizations even have a call roster with the employee’s personal number. Therefore, give the employee a quick call to verify that the individual is contacting you.

Training

Training is the most crucial defense against social engineering tactics. With incidents happening daily, remaining vigilant is essential. However, mere vigilance is not enough; frequent proactive security awareness training is vital to mitigate this type of threat. By consistently providing training, users gain a deeper understanding of the risks and measures to counter social engineering attacks.

This continuous education keeps cybersecurity at the forefront of their minds, ensuring they are better equipped to identify and respond to potential threats. Employing various training techniques and approaches helps to reinforce key principles and enhance overall cybersecurity proficiency among users. By prioritizing proactive cybersecurity awareness programs, organizations can establish a culture of security awareness and significantly reduce the propensity for successful social engineering attacks.

How Adlumin Can Help Protect Your Organization

Proactive Security Awareness: Adlumin offers a managed Proactive Security Awareness Program, which, as stated previously, is the best defense to counter social engineering tactics. Adlumin will develop and run monthly customized phishing simulations to educate and equip your users on how to identify phishing attempts. Learn more here.

Illuminate Threats and Eliminate Risks

Learn more about how Adlumin’s Managed Detection and Response Services and Security Operations Platform can empower your team to illuminate threats, eliminate cyber risk, and command authority. Contact us today, schedule a demo, or sign-up for a free trial.

Stay Informed

Subscribe to Adlumin’s blog series and gain access to actionable advice and step-by-step guides from cybersecurity experts. Join our community and be part of the frontlines against cyber threats.