Happy Halloween: Black Cats Lead to Boo....Hoo.

Jane-Michele Clark
Director of Business Strategy
Cybersecurity
Estimated reading time: 5 min

October 31, 2023

July 14, 2025


The ghostly night that ghouls relish is now upon us. Goblins will gobble up tasty treats. Little kids will scamper in the streets. Teens will jump out of the bushes yelling, “Boo!”, while black cats cross your path. It has been a spooky month, indeed.

On Friday the 13th we issued a warning about increasing threat activity that, unfortunately, proved necessary. Then along came Scattered Spider, followed by a black cat that can leap onto your unpatched FTP server and do massive damage.

First, the Spider

Although it was not their first rodeo, Scattered Spider gained fame (though ‘infamy’ may be more accurate) by digitally infiltrating MGM Resorts and Caesars Entertainment last month. Total losses: more than $100 million.

What makes this notable is that, according to CyberArk Offensive Tech Researcher Andy Thompson, the attackers did not get into the systems through malware. Instead, they used legitimate users’ credentials to gain remote access. How?

The process I’m about to describe applies to attacks that have been made on telecommunications firms, municipalities, manufacturers, educational institutions and others. First, the group teaches young video gamers in the UK and North America how to scour social media platforms for the information needed to impersonate an actual employee.

Then they show them how to use this information to convince a company’s IT Help Desk that they are a legitimate employee, often persuading the help desk staffer to reset or bypass Multi-Factor Authentication. One moment of compassion for a young, innocent-sounding voice with a compelling story and the damage is done.

These bad actors, some of whom are as young as 15 or 16, then hand off the credentials to access brokers or larger groups that specialize in ransomware and other malware.

This is scary enough, but these organized hackers aren’t just looking for identities and proprietary data. According to Jenkins, they are also searching for your AWS root account credentials. The goal: to gain access to your Jenkins stacks so they can use your cloud platform for crypto mining. Imagine what that would do to your operations!

If you listened to our September video interview, you heard how cybercrime has become a well-organised, well-oiled industry, and how access brokers (and ChatGPT) are changing the cybercrime landscape. For now, one of the deterrents is still a robust Multi-Factor Authentication (MFA) setup as an important line of defence. Many people recognize the importance of having MFA on their endpoints, but it is also needed in the cloud, and at each access stage as users move deeper into your network.
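A help-desk MFA reset followed minutes later by a sign-in from a device the account has never used is the footprint the social-engineering playbook above leaves in identity-provider logs. The following is an added example, not code from the original article or from any vendor mentioned in it; the log field names (`event`, `user`, `device`, `actor`) and the one-hour window are assumptions, and the log lines are constructed for the demonstration.

```python
"""Added example: flag help-desk MFA resets that are followed by a login
from a device the user has never signed in from before.  Log format and
field names are hypothetical; adapt them to your IdP's export."""
import json
from datetime import datetime, timedelta

# Constructed sample events (not real log data), one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2023-10-20T08:01:00Z","event":"login_success","user":"alice","device":"dev-a1","ip":"203.0.113.5"}
{"ts":"2023-10-20T08:30:00Z","event":"login_success","user":"bob","device":"dev-b1","ip":"203.0.113.6"}
{"ts":"2023-10-20T09:00:00Z","event":"mfa_factor_reset","user":"dave","actor":"helpdesk:carol","device":null,"ip":"198.51.100.9"}
{"ts":"2023-10-20T11:00:00Z","event":"login_success","user":"dave","device":"dev-d7","ip":"203.0.113.40"}
{"ts":"2023-10-20T13:02:00Z","event":"mfa_factor_reset","user":"alice","actor":"helpdesk:carol","device":null,"ip":"198.51.100.9"}
{"ts":"2023-10-20T13:15:00Z","event":"mfa_enroll","user":"alice","device":"dev-z9","ip":"198.51.100.77"}
{"ts":"2023-10-20T13:16:00Z","event":"login_success","user":"alice","device":"dev-z9","ip":"198.51.100.77"}
{"ts":"2023-10-20T14:00:00Z","event":"mfa_factor_reset","user":"bob","actor":"helpdesk:carol","device":null,"ip":"198.51.100.9"}
{"ts":"2023-10-20T14:20:00Z","event":"login_success","user":"bob","device":"dev-b1","ip":"203.0.113.6"}
"""

# How long after a reset a new-device login is treated as suspicious (assumption).
WINDOW = timedelta(hours=1)


def parse_events(raw):
    """Parse JSON lines into dicts with a datetime 'ts', sorted oldest first."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_resets(events, window=WINDOW):
    """Return one alert per MFA reset that is followed, within `window`,
    by a successful login from a device not seen for that user before."""
    known_devices = {}   # user -> set of devices seen in earlier successful logins
    pending_reset = {}   # user -> the most recent reset event still inside the window
    alerts = []
    for event in events:
        user = event["user"]
        if event["event"] == "mfa_factor_reset":
            pending_reset[user] = event
            continue
        if event["event"] != "login_success":
            # Enrolment and other events do not establish a device baseline:
            # the attacker enrols the new factor before the first login.
            continue
        reset = pending_reset.get(user)
        if reset is not None:
            elapsed = event["ts"] - reset["ts"]
            if elapsed > window:
                pending_reset.pop(user)          # window expired, no alert
            elif event["device"] not in known_devices.get(user, set()):
                alerts.append({
                    "user": user,
                    "actor": reset["actor"],
                    "reset_ts": reset["ts"].isoformat(),
                    "login_ts": event["ts"].isoformat(),
                    "device": event["device"],
                    "ip": event["ip"],
                    "minutes_after_reset": elapsed.total_seconds() / 60,
                })
                pending_reset.pop(user)
            # A known-device login inside the window keeps the reset pending:
            # a new device may still show up before the window closes.
        known_devices.setdefault(user, set()).add(event["device"])
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run against the sample, only alice trips the rule: her factor was reset by the help desk and the next login came from a device she had never used. Bob’s reset is followed by a login from his usual laptop, and dave’s new-device login falls outside the window. Tune the window and the baseline period to your own environment, and feed the `actor` field back to the help desk so the reset that let the attacker in can be audited.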

What does this mean for you, and what should you do?

  • Organisations need to recognize that students and young low-income earners are vulnerable and susceptible to being lured to the dark side (i.e. the dark web). As a result, employee onboarding and ongoing training must include a serious discussion on the topic – and a warning that hacking is a crime for which jail time can be severe.
  • Review and, as necessary, revamp your hiring and onboarding practices, as well as your IT protocols and training.
  • Orphaned assets present great risk, and there are cyber criminals who specialize in turning employees into bad actors. So make sure your patches are always up to date and that you have inventoried every device and application on the network.
  • Ensure you are using a good MFA solution. Our partners have created special bundles for various cybersecurity products. There are packages for large enterprises as well as SMBs. Please call us to learn if there is a bundle that’s right for your needs.

And now the Black Cats

Unfortunately, some black cats are not the sweet furry ones, but are the kind packing pernicious payloads.

The BlackCat ransomware, also known as ALPHV, is virulent and, unfortunately, an excellent example of the type of trouble being unleashed by criminals profiting from the growing Ransomware as a Service (RaaS) industry.

We’ve been talking about this relatively new entrant to the gig economy for some time – and the access brokers spearheading RaaS operations have been talking about BlackCat since it arrived on the scene in November 2021.

BlackCat, one of the first major ransomware families written in Rust, rapidly became the darling of the dark web delinquents because of its high performance and memory safety. The other problem is that it can compromise both Windows and Linux systems.

As a result, it was the vehicle used for many of the headline-grabbing breaches for about a year after it was released. Then, towards the end of 2022, it seemed to be slinking away, with BlackCat attacks dropping by approximately 20% from November 2022 to the end of August 2023.

Unfortunately, as was so often heard in the movie Dinosaur Story, “They’re Baaack!”

So, please remind your teams to double-check the provenance of emails – and warn them not to click on any cool Halloween photos today, because experts expect a five-fold increase in socially-engineered attacks. You don’t want the headache, and we certainly don’t want you crying “Boo Hoo”.

So, here’s to furry black cats, decorative spiders only, and a very Happy and treat-filled Halloween for us all!
