Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, September 22nd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here to discuss some of the week’s news. That includes the ransomware attacks on MGM Resorts and Caesar’s Palace in Las Vegas, and distributed denial of service attacks against Canadian public and private sector websites.
Before I get to that, here’s a review of some of the other headlines from the past seven days:
The International Criminal Court in the Hague said there was a breach of its security controls last week. The court prosecutes allegations of war crimes. No details of the hack were released.
Lakeland Community College of Ohio is notifying over 285,000 people of a data breach it suffered in March. No details were released but one news source said the Vice Society ransomware gang recently posted data it says came from the college. The college was also hit by ransomware in 2020.
Another corporate victim of the MOVEit file transfer vulnerability has stepped forward. The American division of the Bank of Montreal is notifying more than 56,000 people their data was stolen from a third party processor the bank used that had their data on its MOVEit server.
A Linux version of the Windows backdoor malware called Trochilus has been discovered. Trend Micro, which calls this malware SprySocks, says it was created by a China-linked group. This is a group known for going after public-facing servers with known vulnerabilities, so patching servers is a vital defence. So is minimizing the number of publicly-exposed servers.
Threat actors are increasingly taking advantage of poorly protected implementations of the open-source Redis data storage application to create a botnet. Researchers at Cado Security say the number of Redis applications compromised with the P2Pinfect malware dramatically increased this month. Make sure your Redis implementation is patched and protected.
A threat actor has found a new tactic for distributing malware on GitHub: Posting a fake proof-of-concept exploit for a recently discovered vulnerability in the WinRAR utility and hoping security researchers will download it. Palo Alto Networks says the exploit is malware that leads to the installation of a remote access trojan.
Finally, Trend Micro patched a critical vulnerability in its Apex One and Worry-Free products, while Fortinet released patches for products running its FortiProxy and FortiOS operating systems.
(The following is an edited version of the first of several topics discussed. To hear the full conversation play the podcast.)
Howard: There are two themes to this edition: Ransomware and denial of service attacks. Let’s start with the ransomware attacks on the MGM Resorts last week, and on Caesar’s Palace in Las Vegas a few weeks ago.
The attacks have at least one thing in common: Both companies appear to have been victimized by ransomware created by the AlphV or BlackCat group. Caesars was hit by one of their affiliated groups that calls itself Scattered Spider.
There are unconfirmed reports that someone infiltrated MGM’s system after identifying an MGM tech employee on LinkedIn and then calling the company’s support desk to convince them to give them network access. Scattered Spider gained entry to Caesars’ system by deceiving an employee at a third-party vendor.
The attack on MGM caused a lot of mayhem, with guests having to wait for hours to check in, electronic payment systems disrupted, and the company’s website and mobile app knocked offline for days. At a financial conference this week where I moderated a panel on ransomware — and I’ll get to that in a few minutes — one panelist told me he couldn’t turn the lights off in his room. At Caesars, operations weren’t disrupted, but the attackers got a copy of the hotel’s loyalty rewards members’ data, including their driver’s licence numbers or Social Security numbers. Caesar’s reportedly paid a ransom; MGM Resorts has not.
What did you think when you heard of this?
Terry Cutler: I was watching some uploaded footage from guests that were at these hotels and they were showing how none of the slot machines were working. If you’d won you had to manually cash out with a hotel security agent. A lot of folks couldn’t even close their blinds at the hotel because it’s all connected. They couldn’t even use the ATMs. If you want to see a cyber security incident gone wrong, this is it. So let me just break down your question a little bit. The attacks obviously were pretty sophisticated because it wasn’t as simple as, ‘I’m going to hack the MGM Resorts firewall and get in.’ They had to go through social engineering, which is obviously the weakest link in all this. The first part of any attack is going to be the reconnaissance phase. The attackers want to build a battle plan. They want to know everything they can about your company before they launch an attack. So one of the things they want to find out is who manages the websites, who the vendors are, who’s part of the board. Maybe where the CEO lives. They might drive to his house with a device like a WiFi Pineapple and start attacking his WiFi — you never know what kind of passwords you’re going to uncover. They might look at things like job board postings. They’re looking for IT guys who they [the target company] want to hire that have to have certain skill sets, but when they start revealing the skill sets you’re actually telling hackers what technology is running inside the organization. They may do a lot of open-source intelligence recon, like they just did here when they found the IT guys [at MGM Resorts] on LinkedIn. This is where [employee] security awareness kicks in.
Because imagine these guys [the attackers] are calling technicians on the help desk saying, ‘I need access to this network because I’m having a hard time logging in.’ Because you already have knowledge of the environment somehow, the support agent — who might be only just a level 1 guy — is going to go out of his way to be helpful, especially if the person calling is in distress.
Going back to the loyalty program [theft], imagine a scammer calling up these victims saying, ‘Mr. Smith, we apologize for the inconvenience at our hotel. We know you stayed at these dates. We know you have this much loyalty points …’ Because the scammer is giving information to the victim, he’s going to feel less threatened and less on guard. Now the hacker can ask for additional [personal] information, and he’ll most likely get it …
Howard: I don’t want to deceive our listeners by saying the hackers caused a lot of the problems that customers faced [at MGM Resorts]. I’ll get to that in a second. But first I want to mention one expert told Forbes.com that despite all the money that these two Las Vegas casino and hotel companies were spending on cybersecurity, hackers were still able to get around defenses by apparently getting employees to fall for the old click-on-this-link-and-enter-your-credentials trick. Certainly Caesar’s admitted a social engineering attack on an outsourced IT vendor was the initial cause of that hack.
Terry: It makes sense. Why would hackers spend so much time trying to hack your firewall and get detected when all they have to do is send a specially crafted email to one of the employees and have them click on the link? So awareness training is key in [stopping] a lot of hacks. But if you’re having a bad day and you’re not paying attention, that awareness training goes right down the drain. Organizations have to check what third-party vendors have access [to their systems] … It’s very important they start looking at defense in depth, make sure they have two-step verification turned on everywhere, segment the IT network, make sure they implement a good cyber security culture. That has to come from the top down to where everyone takes security very seriously. Eventually everyone’s going towards a zero-trust model where everything [on the network] has to be vetted.
Howard: News stories involving the MGM Resorts hack focused a lot on the impact on customers — they had trouble when they were checking in at the hotel, they had trouble getting into their rooms, one person couldn’t turn off their lights. That was getting a lot of bad publicity, so much that the AlphV ransomware gang had the nerve to blog complaining that all those troubles weren’t the gang’s fault. They were the hotel’s fault because the hotel — not the gang — decided to shut down certain systems. Well, of course, they had to do that, because of the attacker. And the attacker got into the MGM Resorts domain controllers. The gang admitted it was in the MGM Resorts’ Okta employee access authentication system and they got super administrator privileges. According to some reports the gang encrypted more than 100 of the resort’s virtual servers and they claim to have copied 6 TB of data. So no wonder MGM Resorts shut down some of the IT systems.
Terry: That’s just incredible. How dare they blame the hackers for this! It makes a lot of sense for the hotel to shut these systems down because they don’t know what back doors the hacker installed. Especially when they get access to a domain controller. For those of you that don’t know, the domain controller controls and manages all the user authentication and access within your network. If somebody has access to this it’s like having the keys to the kingdom …
Howard: As for Caesar’s, I got a question: Why does a loyalty program ask for driver’s licenses and Social Security card numbers? Or if they didn’t ask, why do they even give [patrons] the option to enter their driver’s license and Social Security card number? I guess because people at Caesars are high rollers and maybe the hotel wants to make sure there are no fraudsters in the loyalty program. But isn’t this a perfect example of collecting personal data that you really don’t have to? Isn’t that just begging for trouble in case there’s a hack?
Terry: It’s a double-edged sword: Collecting that type of information is very delicate, but at the same time there are the benefits of having data to prove that it’s really you who’s actually enrolled. But you’re opening up yourself to potential data privacy issues and regulatory compliance. There should be a way you can activate alternative verification methods, especially around like two-step verification.
Howard: Finally, Caesar’s paid a ransom; MGM Resorts has not. What do you make of that?
Terry: Caesar’s probably assessed the impact and maybe they found that it’s a lot cheaper to pay the ransom and get their data back than it is to rebuild the whole IT network. But what’s interesting is that even though they get their data back they still need to start rebuilding the network because they don’t know what other backdoors have been installed. It could also be a time-sensitive issue where the data needs to be restored quickly, and wouldn’t be very valuable had they restored from a backup. And of course they need to do a proper risk assessment because once ransomware occurs in your organization you’re going to see all the vulnerabilities and ways that hackers could get in.
If we talk about MGM, which did not pay the ransom, there’s a lot of risks with paying. You’re never guaranteed if you’re going to receive the decryptor keys [from the attacker] because you are dealing with cybercriminals. I think what happened is MGM had enough robustness in their backup-recovery measures that they didn’t have to pay …
Howard: Listeners who are senior executives need to think now whether you’re going to pay a ransom if you get hit with ransomware and under what conditions. How much data would they have to steal before you have to pay, how much data would have to be encrypted, what kind of data is it that the attackers have? You’ve got to think about this now before you get hit, because otherwise starting to debate this in the middle of a crisis is not very good.