Ransomware and materiality. MetaStealer hits businesses. Two looks at cloud risks. His Highness, the Large Language Model.
Dave Bittner: The MGM Resorts incident is now believed to be ransomware, and how does that inform our view of the materiality of a cyber incident? MetaStealer targets businesses. Cloud access with stolen credentials. The cloud as an expansive attack surface. Johannes Ullrich from SANS describes malware in dot-inf files. In our Industry Voices segment I speak with Oliver Tavakoli, CTO at Vectra, on the complexity and challenges of cloud service security. And welcome back, or not, Your Highness the Large Language Model, Prince of Nigeria.
Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, September 14th, 2023.
MGM Resorts incident now identified as ransomware.
Dave Bittner: The attack on MGM Resorts International is now generally held to be a ransomware operation, but there's some lack of clarity over which gang is responsible. vx-underground tweeted that the ALPHV ransomware gang had claimed responsibility, and that the attackers gained access through social engineering, specifically vishing. They put it this way: “All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk.” Hackread offers a more extensive account of this attribution that's open to the possibility that the attackers may represent an ALPHV subgroup.
Dave Bittner: But it seems increasingly unlikely that it was ALPHV. Other sources, Bloomberg and Reuters among them, charge the attack to Scattered Spider, also known as UNC3944, a younger criminal organization. (Younger both in terms of its recent appearance and the ages of its members, some of whom are believed to be teenagers operating from the US and the UK.) Some of the confusion may arise from Scattered Spider's use of ransomware encryptors and dump-site infrastructure made available by ALPHV. ALPHV has traded these in the C2C markets, the FBI says, since April of 2022 at least. In this case there may have been some direct collaboration between Scattered Spider and ALPHV. Scattered Spider has shown considerable aptitude for social engineering, attributable in part to their vishing operators being native speakers of English.
Dave Bittner: The hospitality sector, and especially its casino subsector, has long been more security-aware than most, but the Wall Street Journal concludes that connectivity in the industry seems to have outrun the casinos' ability to secure their systems. Recovery has involved reversion to many long-sidelined manual systems, giving the affected casinos a curiously retro, "oddly analog vibe."
Materiality of a cyber incident, as seen in the MGM and Caesars ransomware attacks.
Dave Bittner: Bloomberg says that Scattered Spider is believed to have been responsible for a ransomware attack against MGM Resorts competitor Caesars Entertainment a few weeks earlier. Caesars is expected to disclose the attack, which began on August 27th, in regulatory filings "imminently." The company had not yet done so as of this morning. Bank Info Security reports indications that Caesars paid the ransom demanded--some $15 million, or half of the extortionists' demand.
Dave Bittner: Moody's Investors Service evaluated the incident and said, in an assessment they provided the CyberWire, that the incident is "credit negative" for MGM Resorts International. The downtime in particular was a problem for a business that relies heavily on technology, especially when that downtime entails potential revenue losses. MGM Resorts will also be dealing with "reputational risk and any direct costs related to investigation and remediation." There's a risk of litigation as well. In general, Moody's regards "the gaming and gambling industry as carrying moderate cybersecurity risk" because of its high degree of digitization and the large quantities of potentially valuable personal information companies in the sector tend to hold.
Dave Bittner: MGM Resorts International, in a Form 8-K filed yesterday with the Securities and Exchange Commission (SEC), warned that the incident represents a material risk to the company. New SEC regulations require companies to disclose cyber incidents that have a material effect on a public company. There's been much discussion of what counts as "materiality," with companies having considerable (unwelcome) latitude in reaching their own definition. The ransomware attacks on MGM Resorts and Caesars Entertainment offer two examples of companies' judgments of materiality.
MetaStealer targets businesses.
Dave Bittner: SentinelOne has published an analysis of MetaStealer, a malware family designed to target macOS. The malware is distributed via social engineering with business-themed lures: “This specific targeting of business users is somewhat unusual for macOS malware, which is more commonly found being distributed via torrent sites or suspicious third-party software distributors as cracked versions of business, productivity or other popular software.” Once installed, the malware attempts to exfiltrate data, particularly passwords saved in the keychain.
Cloud access with stolen credentials.
Dave Bittner: IBM X-Force has released its 2023 Cloud Threat Landscape Report, finding that 36% of cloud security incidents in 2023 resulted from the theft of valid credentials, compared to just 9% in 2022: “X-Force engagements reveal that, often, credentials with overprivileged access are left exposed on user endpoints in plaintext, creating an opportunity for attackers to establish a pivot point to move deeper into the environment or access highly sensitive information. Specifically, plaintext credentials were located on user endpoints in 33% of X-Force Red’s adversary simulation engagements that involved cloud environments during the reporting period.”
The researchers add, “Microsoft Outlook Cloud credentials accounted for over 5 million mentions on illicit marketplaces — by far the most popular access for sale.”
The cloud as an expansive attack surface.
Dave Bittner: Palo Alto Networks has released its Unit 42 Attack Surface Threat Report for 2023, finding that 80% of security exposures are located in cloud environments. These exposures are often introduced through changes in cloud services, which occur frequently: “Over 45% of most organizations’ high-risk, cloud-hosted exposures in a given month were observed on new services that hadn’t been present on their organization's attack surface in the month prior. Thus, the creation of new, publicly accessible cloud services (both intended and unauthorized) is a risk factor related to nearly half of all high-criticality exposures at a given time.”
His Highness the Large Language Model, Prince of Freakin’ Nigeria (and his widows and business managers, too).
Dave Bittner: Finally, there’s a new kid on the royal block, and we’re not talking about the Duchess of Sussex, either.
Dave Bittner: Abnormal Security warns that cybercriminals are using generative AI tools like ChatGPT to improve upon classic Nigerian prince scams: “Spelling mistakes and grammatical errors have long been characteristics of an attack, making them easy to spot even if they did land in the inbox. But with the rise of generative AI, this is no longer the case.”
Dave Bittner: Some threat actors are sending a combination of human- and AI-generated emails, which the researchers think “is an indication that cybercriminals are still testing out the technology to determine how useful it may be for their work.” The scammers have also shifted the themes of these emails, with many of them referring to business transactions rather than personal ones.
Dave Bittner: You too, friend, could make a pile with a small upfront investment. Or so we hear. We pass that on without endorsement.
Dave Bittner: But seriously, it wounds us that machines do better with English than many graduates of American high schools. Stay in school, kids, and by the Great Hornspoon and the shade of Mr. Noah Webster, fellow youths, pay attention in your English class. Welcome back to school, by the way, and go, Friars, and Dons, and Cardinals, and Eagles, and well, all of you. [Keep the Dons in if you can, at least–they’re listeners.]
Dave Bittner: And really and truly, there is... no... Nigerian... prince. Not for you and me, friend.
Dave Bittner: Coming up after the break, Johannes Ullrich from SANS describes malware in dot-inf files. In our Industry Voices segment I speak with Oliver Tavakoli, Chief Technology Officer at Vectra, on the complexity and challenges of cloud service security. Stay with us. [ Music ]
Dave Bittner: The migration that many organizations have made toward cloud data storage and security has brought with it an added dimension of complexity. Managing cloud architecture, change controls, and the basic differences between the various cloud providers all present specific challenges and the potential for security issues. Oliver Tavakoli is Chief Technology Officer at security firm Vectra. And in this sponsored Industry Voices segment, we discuss his insights on securing cloud environments.
Oliver Tavakoli: I think oftentimes what you see in organizations is that the business's need to be agile gets out ahead of the security side of things. The security team doesn't typically want to be in the business of saying no. And so different business units go ahead and adopt some cloud systems. And then eventually, the central security function is given the baton and asked to make sure that it's all secure and that their business can meet its compliance mandates, and that risk is mitigated reasonably. And so oftentimes, the security team, I think, finds themselves chasing where the business is, rather than laying the groundwork in advance of the business going to cloud.
Dave Bittner: Are there any common misperceptions with folks when it comes to how they consider cloud security?
Oliver Tavakoli: Yeah. I think oftentimes, cloud in general, there's a euphemism. It's, you know, your application running on someone else's compute or your data stored on somebody else's storage. But I think there are significant differences beyond that abstraction. And so two key differences are, number one, from the point of view of an attacker, each cloud system is relatively homogeneous and self-describing. And so what that means is, if I break into somebody on-prem, every environment is like its own unique snowflake, and I have to spend a lot of time figuring out the ins and outs of how that environment is set up, what systems I can reach, and how I deal with identity and stuff like that. In the cloud, if you're attacking some AWS environment belonging to a particular customer, a particular tenant, or organization, it's all very homogeneous, and it's all self-described. And once you get API access to the environment, you can actually just ask it about the entirety of the environment without having to spend a lot of time doing reconnaissance and other things like that. So that's one difference. The second key difference is that cloud systems are definitely leaky. And so storage is an interesting example of that. I think most people tend to think of storage as just part of the, you know, infrastructure-as-a-service migration. It's like, oh, yeah, I used to have my disks, and now I have my storage. You might even think of it as the equivalent of a file server that you have on-prem. The problem is that this is a file server that can be got at without going through your network. As we saw, certainly, in the early days of cloud adoption, when people's S3 buckets were just left open to the Internet and were not secured and people just downloaded, you know, gigabytes and gigabytes of data. None of that data actually went through the network boundary of that cloud tenant, the organization's cloud kind of network.
And so that's the other thing that's hard for people to kind of get their head around, which is that all of these services, storage included, the fact that we have a backplane that bypasses their network controls. Where on-prem you could never basically exfiltrate 10 gigabytes of data without it going through the edge firewall, in this instance, you can. And that is a new muscle to learn.
Dave Bittner: And so the folks have to adjust to this and kind of jettison that whole notion of there being a perimeter, you know, being a moat around the castle?
Oliver Tavakoli: Yeah. I think you still would like to think of it as a moat, but it becomes somewhat of a logical moat. It's like you have all the controls in place. It's not easy to look at, in one place, and say, I am convinced that I have a DMZ, which is what you would have in the old days. I know what controls I have, I know what's inbound and outbound. Now you have a much more leaky perimeter. You may have a concept of what you want your perimeter to be. But there's this whole cottage industry now of checking whether the concept of what you think your perimeter is and your actual perimeter actually match up. So you may make unequivocally the statement that we have no means of reaching our cloud tenant other than from our on-prem systems, and it may turn out to be an untrue statement. So there's this whole cottage industry of external attack surface management, which is attempting to find all the ways in which you might be leaky to the outside that you may not be aware of.
Dave Bittner: You know, you and your colleagues there at Vectra, when it comes to the folks that you're working with, are there any common elements that you find? For the folks who are finding success here, are there commonalities?
Oliver Tavakoli: I think for the folks that succeed at this, we find that the security team has reasonable controls in place. Like, if the security team is chasing the rest of the business, it's really hard, right? You can implement some detection capability, but ultimately it's very difficult if the rest of the business is not really committed to security, is committed primarily, first and foremost, to agility and getting products out and getting services out. I think when there's a balance, when there is a reasonable balance between the security team and the infrastructure and application teams in terms of what they deploy, that's one. I think the second one for us is that we find, again, the security teams that have a reasonable balance in terms of prevention. So they do some amount of, you know, cloud security posture management. But recognize that there is a law of diminishing returns on that, and have detection capabilities. The other one that we find is more and more coming to the fore is the ability to kind of stitch these worlds together. Attackers know that you have this series of interconnected systems. Your cloud systems are some of those. Your cloud identity, which is not really public cloud per se, things like Azure AD or Okta, is another element of that. Your SaaS applications, it used to be you wouldn't run Exchange servers on-prem, now you're sending all your data to Microsoft 365 in the cloud. How are you securing those things? Well, how is access to those things controlled? I mean, we see all the business email compromise these days, a lot of that is against cloud-hosted systems. These are more SaaS applications.
And so the problem then tends to be, if you have this distributed attack surface across on-prem network, endpoint, and public cloud and cloud identity and SaaS applications, how do you begin to stitch all of these things together, because attackers may only leave a certain amount of signal in any one of these places, which will make it rather difficult to detect them there. But if you zoom out and look at the pattern across the entirety of your attack surface, attacks become kind of more tractable and easier to find. So stitching these worlds together is key. That is really kind of part of our SDR strategy is, you know, how do we provide native signal for a lot of these surfaces [music] and for the ones that we don't provide it for, how do we import that signal and then stitch those worlds together so you don't have to?
Dave Bittner: That's Oliver Tavakoli from Vectra. [ Music ]
Dave Bittner: And joining me once again is Johannes Ullrich. He is the Dean of Research at the SANS Technology Institute and also the host of the ISC Stormcast podcast. Johannes, it's great to welcome you back to our show. I know one of your colleagues, I believe, has been looking at some malicious code embedded in dot-inf files? What's going on here?
Johannes Ullrich: That was Xavier, and he came across this particular malware that I thought was kind of interesting, because it's always amazing how attackers find new ways to deliver malware in ways that you don't expect, and that you don't actually expect when you're looking at attachments and such. In this particular case, it was a dot-inf file. If you're a Windows user, you may have seen dot-inf files. They're usually part of the setup of a tool that you're using to install software. And typically they just describe, you know, where the software is being copied to. But everything is better with some kind of arbitrary code execution. So they also have here something called a RunPreSetupCommands section. That's the section the inf file allows you to run arbitrary commands in. The idea is you may want to prepare the system, maybe create some directories or do something along those lines, or change some settings. So you can basically add an arbitrary PowerShell script to these inf files. And now the user installs the software, or at least that's what they think they do. And, of course, this works even better if you can find some benign and trusted piece of software to do this with; all the attacker has to do is change that one section in the inf file. And now they can download additional files.
Dave Bittner: So it's masquerading as a legit file, and indeed may function as a legit file, but lurking within is this malicious code?
Johannes Ullrich: Yeah. Then, of course, there's always also the social engineering aspect here. In this particular case, the additional software download installed, well, they called it a corporate VPN client, which I'm not sure is what sort of fits within the context of that particular application. But if you are seeing on your system, all of a sudden, some corporate VPN client, well, you may discard it and say, it's probably nothing, it's probably just something, you know, corporate IT installed. Right.
Dave Bittner: Right. Right. So what are your recommendations then for folks to protect themselves here?
Johannes Ullrich: Block dot-inf files. I don't think there's a good reason why you should ever download one from the Internet or receive one in an email. And instead of that good old block list game of Whack-a-Mole, yet another extension to block, it would be nice if someone would come up with a nice allow list to only list extensions that you actually need. But of course --
Dave Bittner: Might be a shorter list.
Johannes Ullrich: That's really difficult too. Right, right. All right.
Dave Bittner: Well, good insights as always. Johannes Ullrich, thanks for joining us. [ Music ]
Dave Bittner: And that's the CyberWire. For links to all of today's stories check out our daily briefing at the cyberwire.com. We'd love to know what you think of this podcast. You can email us at firstname.lastname@example.org. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin and Senior Producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]
Caesars Paid Ransom After Suffering Cyberattack (Wall Street Journal)
The Cyberattack That Sent Las Vegas Back in Time (Wall Street Journal)
Pro Take: MGM Casino Hack Shows Challenge in Defending Connected Tech (Wall Street Journal)
“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments (Security Intelligence)
Unit 42 Attack Surface Threat Report (Palo Alto Networks)