Issue #14 | October, 2023
How many wake-up calls do we still need?
In the last month, two large casinos — MGM Resorts and Caesars Entertainment — faced cyberattacks attributed to a group known for hitting third parties to reach their targets, and Microsoft came up with an explanation that sounds like a movie plot for how attackers obtained the account key that allowed access to emails belonging to the United States government. These are our main headlines this time, but there is a lot more to cover.
Our usual section on breaches will point you to stories about how criminals may already be using passwords cracked from the LastPass vaults that leaked last year, as well as attacks against government institutions – including one that hit a third-party vendor that was still using Windows 7.
Following along, you’ll see that Australia came forward with a “six shields” strategy for cybersecurity while also raising the possibility that directors may be personally liable for negligence. In the United States, CISA has published a framework for supply chain risk management.
There is a lot happening right now when it comes to third-party and supply-chain risk management. Be it a big incident, a government strategy, or guidance that needs to be taken seriously due to economic sanctions affecting vendors – each one of these is a wake-up call for those still asleep at the wheel when it comes to their third parties. The best time to face this challenge inside our organizations is long past, but the second best time is now.
With that said, there’s no time to waste, and we shouldn’t keep you here in the editorial. We hope you enjoy the read!
MGM and Caesars hacks: social engineering on vendors and IT staff to defeat authentication
The media took notice of the cyberattacks against MGM and Caesars, two casino operators from Las Vegas. Due to the scope of the coverage, there’s a lot to say about what happened. The attackers claimed to have stolen six terabytes of data:
The Scattered Spider hacking group said on Thursday it took six terabytes of data from the systems of multi-billion-dollar casino operators MGM Resorts International and Caesars Entertainment as both companies probed the breaches. […]
Scattered Spider, also known as UNC3944, is one of the most disruptive hacking outfits in the United States, according to Google’s Mandiant Intelligence.
Several security analysts have drawn attention to the group over the past year for its effective social engineering tactics. It is known to reach out to a target organization’s information security teams by phone, pretending to be an employee needing their password reset.
Because everything unfolded early in September, both casinos have since restored their operations. There appear to have been setbacks along the way, however, as the disruption lasted 10 days for MGM and the press reported that Caesars paid US$ 15 million to the attackers.
In a regulatory filing, Caesars said it has “taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result” — which could be one way of saying they did pay the ransom. While they have no estimates for the cost of the incident, they believe it will be offset by their cybersecurity insurance. The same document also confirms the incident’s link to third-party cyber-risk management when it claims the hack resulted from “a social engineering attack on an outsourced IT support vendor.”
Meanwhile, MGM’s filing estimates a US$ 100 million loss from the incident plus US$ 10 million in one-time expenses.
Reuters published a profile on Scattered Spider, the group responsible for the attack. Although researchers agree that ALPHV, UNC3944, Scattered Spider, Scatter Swine, and Muddled Libra are related, there are different interpretations regarding the nature of this relationship. In the Reuters article, ALPHV is described as the supplier behind the tools used by Scattered Spider to carry out the hacks.
In case you are not very familiar with research on threat actors like this one, it’s common for analysts to come up with different names for the same group. As each security company tends to handle more incidents of a certain type, it’s very normal for one name to be more closely related to a subset of victims or behaviors, and finding common threads for attribution is almost an art at times. While some overlapping characteristics can be found, it’s difficult to be sure that the threat actors are indeed the same.
Okta, for example, usually publishes alerts on activity that is related to its service, but the company didn’t use the “Oktapus” moniker that Group-IB did; instead, it appears Okta adopted “Scatter Swine.” Scatter Swine, we should remember, was behind the attack that hit Twilio last year. That being said, no threat actors are named in Okta’s recent advisory on cross-tenant impersonation, an activity that has also been linked to Scattered Spider.
Scattered Spider itself is known for employing social engineering. As Reuters puts it, “they also appear to make the effort to study how large organizations work, including their vendors and contractors, to find individuals with privileged access they can target.” In MGM’s case, the threat actor claimed to have used vishing (“phishing by voice”) to trick help desk staff into giving them valid credentials – not unlike the social engineering attack that hit the outsourced IT staff at Caesars.
The Caesars incident isn’t an outlier, however. As Muddled Libra, the group has been linked to hacks at outsourcing firms that provide services to cryptocurrency companies. In other words, the same group – or a very similar threat actor – is already known for looking at vendors as a gateway to their actual targets.
More recently, just a few days before the casino hacks made headlines, it was reported that an Australian healthcare provider, TissuPath, suffered a third-party attack in which patient data was stolen. This incident was also linked to the ALPHV ransomware group.
The incidents at MGM Resorts and Caesars Entertainment have put this threat actor and its tactics in the spotlight, but not much is new. There’s a range of both technical and social engineering attacks being leveraged against third parties, so companies should work with their partners and vendors to improve their security posture – this may include activities such as monitoring and incident response to fix vulnerabilities and weaknesses, sharing processes for credential recovery of privileged users, and making sure that contractors and vendors do not lag behind internal employees when it comes to cybersecurity awareness.
Before we end this section, there’s one more story to mention: developer platform Retool had to deal with a very similar hack in which the attackers defeated MFA by employing social engineering and phishing attacks through calls and SMS. The company, which uses Okta and Google Workspace, published a blog post criticizing Google for pushing the synchronization feature in Google Authenticator, as this effectively granted the attacker access to all OTP codes after breaching an employee’s Google account.
The cascading effects from this breach are said to have hit 27 other companies according to The Hacker News, which also noted the similarities to the Scattered Spider incidents.
Microsoft investigation discovers how Chinese hackers obtained key to access government email
We’ve been covering the story about how the United States government warned Microsoft that hackers had managed to access cloud-hosted mailboxes. Microsoft initially explained that the attackers – believed to be Chinese – had obtained a consumer key and then exploited a vulnerability in key validation to forge authentication tokens to Outlook Web Access (OWA) and Outlook.com.
It was still unclear how this Microsoft account key (MSA) had fallen into the attacker’s hands. Microsoft published a follow-up containing what it called “the most probable mechanism by which the actor acquired the key”:
Our investigation found that a consumer signing system crash in April of 2021 resulted in a snapshot of the crashed process (“crash dump”). The crash dumps, which redact sensitive information, should not include the signing key. In this case, a race condition allowed the key to be present in the crash dump (this issue has been corrected). The key material’s presence in the crash dump was not detected by our systems (this issue has been corrected).
We found that this crash dump, believed at the time not to contain key material, was subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network. This is consistent with our standard debugging processes. Our credential scanning methods did not detect its presence (this issue has been corrected).
After April 2021, when the key was leaked to the corporate environment in the crash dump, the Storm-0558 actor was able to successfully compromise a Microsoft engineer’s corporate account. This account had access to the debugging environment containing the crash dump which incorrectly contained the key. Due to log retention policies, we don’t have logs with specific evidence of this exfiltration by this actor, but this was the most probable mechanism by which the actor acquired the key.
This explanation describes a series of failures – from the systems that neither redacted nor removed the key from the dump, to the credential scanning that missed it, to the engineer whose account the attacker had already compromised. As Marcus Hutchins put it, “This is absolutely crazy stuff.”
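The chain Microsoft describes has a control point that is easy to reason about in code: a dump should be scanned for key material before it is allowed to leave the isolated production network, and anything key-like should be redacted rather than trusted to be absent. The following is an added example from us, not Microsoft’s tooling and not code from any project mentioned in this story; it assumes a signing key would surface in a PEM-style private-key block or as a long high-entropy base64 run, builds a constructed stand-in for a crash dump with a placeholder key inside it, and shows the scan, the redaction, and the export gate.

```python
import base64
import hashlib
import math
import re
from typing import Dict, List

# Two kinds of key-like material: PEM-framed private keys, and long base64-looking
# runs whose byte entropy is too high for ordinary text. Real credential scanners
# cover many more formats; these two are enough to show the control.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----.*?-----END (?:[A-Z ]+ )?PRIVATE KEY-----",
    re.DOTALL,
)
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/=]{40,}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given data (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts: Dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_for_key_material(blob: bytes, entropy_threshold: float = 4.5) -> List[dict]:
    """Return findings describing where key-like material sits in the blob."""
    findings = []
    for m in PEM_PRIVATE_KEY.finditer(blob):
        findings.append({"kind": "pem_private_key", "offset": m.start(), "length": len(m.group())})
    for m in BASE64_RUN.finditer(blob):
        entropy = shannon_entropy(m.group())
        if entropy >= entropy_threshold:
            findings.append({
                "kind": "high_entropy_run",
                "offset": m.start(),
                "length": len(m.group()),
                "entropy": round(entropy, 2),
            })
    return findings


def redact_key_material(blob: bytes) -> bytes:
    """Replace every PEM private-key block with a fixed marker, body included."""
    return PEM_PRIVATE_KEY.sub(b"[REDACTED PRIVATE KEY]", blob)


def export_allowed(blob: bytes) -> bool:
    """Gate for moving a dump off the isolated network: nothing key-like may remain."""
    return not scan_for_key_material(blob)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a crash dump: stack text plus a placeholder PEM key.

    The key body is derived from a hash so it looks like key material; it is not a real key.
    """
    fake_key_body = base64.b64encode(hashlib.sha256(b"placeholder, not a real key").digest() * 3)
    return (
        b"Unhandled exception in signing-service.exe\n"
        b"  at TokenSigner.Sign (signer.cs:42)\n"
        b"  at Program.Main (program.cs:17)\n"
        b"heap region 0x7f00: -----BEGIN RSA PRIVATE KEY-----\n"
        + fake_key_body
        + b"\n-----END RSA PRIVATE KEY-----\n"
        b"heap region 0x7f80: user = alice@example.invalid\n"
    )


if __name__ == "__main__":
    dump = build_sample_dump()
    print("findings before redaction:", scan_for_key_material(dump))
    print("export allowed:", export_allowed(dump))
    cleaned = redact_key_material(dump)
    print("findings after redaction:", scan_for_key_material(cleaned))
    print("export allowed:", export_allowed(cleaned))
```

The order matters: the redaction step is what makes the dump safe, and the export gate re-scans the redacted output instead of trusting that the redaction worked. That is the check Microsoft’s account says was missing between the crash and the move into the internet-connected debugging environment.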
If you need a refresher, you can read the first story from our August issue, or Microsoft’s first statement on the attack. It’s worth remembering that the Cyber Safety Review Board (CSRB) opened an investigation into “cloud security” in response to the fallout from this incident, so we may still see more – even though, as Microsoft admitted, their log retention policies simply don’t go far enough to uncover what truly happened.
Journalist Dan Goodin, who criticized Microsoft’s response for omitting important information, wrote a story at Ars Technica that explores some unanswered questions. It also adds a statement from a Microsoft spokesperson explaining the engineer had been hacked with a “token-stealing malware” – which could refer to some custom-made malware or one of many common malware families described as “stealers” that evolved from keyloggers to exfiltrate authentication data such as cookies, tokens, password vaults, and crypto wallets.
Goodin’s report also includes an analysis that speculates the initial crash itself may have resulted from a vulnerability. It further notes that Microsoft has been repeatedly using the word “issue” instead of “vulnerability” to describe these flaws. When asked to define what a vulnerability is – and to shed some light on why they didn’t use the term – Microsoft’s answer was that “vulnerability is a specific term, and we would use the term vulnerability if it was appropriate.”
One could suggest Microsoft should check these logs (which they don’t have) to figure out if the term is appropriate. Some modesty in these situations can go a long way, and it’s hard to argue that a series of “issues” leading to a hack cannot be called “vulnerabilities” — more so when this hack and the related issues apparently went undetected for two years.
One takeaway here is that organizations should be aware of their vendors’ choice of terminology. As this incident shows, it directly impacts how Microsoft communicates with their customers – anyone who was too focused on Azure “vulnerabilities” may want to start paying attention to “issues” now.
There’s more news coverage at Reuters, though it doesn’t add much aside from the fact that China has described the allegations that it stole emails as “groundless narratives.” If Microsoft's version of events is correct, this indicates a genuinely advanced and persistent attacker with a fair amount of knowledge of Microsoft's environment. The fact that this access was used to read defense-related e-mails from the US State Department seems compatible with usual intelligence targeting. So the attribution seems pretty plausible.
Criminals may be cracking keys from the LastPass breach to steal cryptocurrency
We start our round-up of breaches with a story by Brian Krebs reporting on a possible link between crypto heists and the LastPass breach from last year:
In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults. […]
Bax, Monahan and others interviewed for this story say they’ve identified a unique signature that links the theft of more than $35 million in crypto from more than 150 confirmed victims, with roughly two to five high-dollar heists happening each month since December 2022.
It’s difficult to be sure that the attacks are linked, but this seems plausible. We still strongly believe in the value of using password managers, and don't think this changes that calculation. It's important to remember, though, that even when “zero knowledge” models are used, an attacker with enough time, resources and an offline copy of your vault can eventually crack it. LastPass' fumbled communication about that breach, including initially claiming no credentials had been stolen, might have led some of its users to think they didn't need to rotate their credentials.
Vendors working for cryptocurrency companies have been a prime target for attackers for a while now (some will even remember the MailChimp hack from last year). More recently, blockchain insights platform Nansen also advised customers to change passwords as both password hashes and addresses were stolen after an attacker compromised a third-party vendor. NFT marketplace OpenSea is also rotating API keys after a vendor was breached, but it’s unclear if the incidents are related.
Moving on, we have some breaches at government institutions:
There have been some incidents attributed to the use of default passwords for LogicMonitor. The software maker was assigning default and weak passwords without enforcing a password change.
West Virginia University Health System is notifying patients after a breach at a vendor, Nuance Communications. Meanwhile, Australian bookseller Dymocks has pinned the leak of 1.24 million customer records on a third party.
Airbus is investigating a data leak in which data from 3,200 suppliers was posted to the dark web after an attacker managed to access an IT account associated with a customer. In Russia, Ukrainian hackers are said to have accessed data from 664 million flights over the last 16 years after compromising the Sirena-Travel booking system – yet another reminder of the need to take a closer look at travel companies to protect the security and privacy of executives.
British charities are warning supporters their data has been breached after attackers hit Kokoro, a company that provides web services to About Loyalty, which itself worked with charities to carry out surveys of their supporters.
Finally, one more from the UK: a logistics company in the United Kingdom is under administration (in other words, is insolvent) after being hit by a cyberattack in June. Although not directly related to a third-party incident, there’s a lesson for TPCRM here: it’s worth keeping in mind that a cyberattack may very well prevent a vendor from maintaining operations.
‘The latest trends in supply chain cyber risk management at overseas financial institutions’ and more guidance
PwC published a report on “The latest trends in supply chain cyber risk management at overseas financial institutions” – though, since this title is from a Japanese viewpoint, many of us can disregard the word “overseas” and look at it as a summary of global trends. They looked at institutions from the United States, Europe, and Singapore, outlining practices that ranged from how risk assessments are carried out to software and hardware management. There are many recommendations in each section:
In this study, we examined initiatives aimed at countering cybersecurity risks at primary entry points (third parties) as well as at fourth and subsequent parties, based on the anticipated supply chain patterns […]. The targets of this study were experts engaged in cybersecurity initiatives at financial institutions.
Thomson Reuters has an article highlighting the impact of recent government sanctions on third-party vendor verification, while Tom Cole from Abacus Group argues that third-party security risks can be turned into a competitive advantage.
Dan Llewellyn at ERP Today also has some advice in his article “Is it time to get your digital supply chain security in order?” CBIZ also published a few tailored recommendations for not-for-profits but, as is usually the case, most can benefit from taking a look.
Law firm Fieldfisher prepared a rather lengthy overview of the EU’s Digital Operational Resilience Act (DORA) and its impacts on third-party risk management. Any businesses operating in the EU may want to read it carefully and understand what is at stake as well as what processes will need to be adjusted for compliance. DORA will be in effect starting January 2025.
Australia looking to build six ‘cyber shields’
There seems to be quite a bit of movement in Australia recently when it comes to new directives and regulations for cybersecurity. Since supply chain management is very strategic even at a national security level, it has already been in the spotlight a few times.
Speaking at the Australian Financial Review Cyber Summit, Home Affairs Minister Clare O’Neill described the country’s strategy through six “cyber shields”: education ("citizens and business who understand the cyber threat"), safe technology, threat-sharing and threat-blocking, critical infrastructure protection, sovereign infosec capability, and coordinated global action. Her full speech is available here.
At the same Summit, Joe Longo, chair of the Australian Securities and Investments Commission (ASIC), told companies they need to address third-party risk:
He gave examples of the Latitude Financial and Perpetual breaches which were brought on by third party suppliers.
“This should be a concern for any organisation. Look to your third party suppliers and evaluate your cyber risk. Starting with good governance and risk assessment can successfully set the right tone.”
Longo said ASIC expects directors to ensure their organisation’s risk management framework adequately addresses cyber security risk and resilience, and that controls are implemented to protect key assets. Failure to do so could mean failing to meet regulatory obligations.
Longo’s full speech is also available. It highlights that “failure to ensure adequate measures are in place exposes directors to potential enforcement action by ASIC based on the directors not acting with reasonable care and diligence,” echoing the same strategy that is beginning to take form elsewhere and that can drastically change how executives see cybersecurity, since it will greatly amplify how much risk the individual executives will be sharing with the business.
Looking at the big picture, it appears regulators are seeking ways to make sure companies and executives act in accordance with their relevance to the whole supply chain. The Australian Institute of Company Directors (AICD) is also covering this topic. Australia is not alone, of course. In the United States, NIST has been moving forward with changes and updates to its Cybersecurity Framework. Melanie Teplinsky at Lawfare has published a critical review of the updated framework, which is still being finalized (only a draft has been released so far, so there is still time for things to improve).
Forbes has an article covering the recent movements in the United States that attempt to protect IoT devices – mostly through regulation. CISA published an advisory on attacks against router firmware, so this is in fact a relevant concern at the moment.
There is a lot of guidance and recommendations coming from the government, too. CISA has released a framework for supply chain risk management while the FDA has published guidance for medical devices (also check Adam Shostack’s comments on what this means for the industry).
The Department of Justice struck a deal with Verizon, which agreed to pay US$ 4 million to settle claims that the company “failed to completely satisfy certain cybersecurity controls in connection with an information technology service provided to federal agencies.” The United States government is probably betting on federal contracts as one way to improve cybersecurity – especially from major providers of communication services and software.
The story that ends this section on government news comes from South Africa, where the Information Regulator issued an “Enforcement Notice” against Dis-Chem, a pharmaceutical company, after a database managed by a third-party provider, Grapevine, suffered a brute force attack. The company will have to comply with several requirements outlined in the enforcement notice to avoid a fine or even imprisonment “if convicted” – the Information Regulator didn’t name who would be imprisoned, but the definition of “responsible party” in the South African Protection of Personal Information Act is quite broad.
Poll: 44.9% of executives expect supply chain security challenges in year ahead
A new Deloitte poll with over 1,000 executives found that 44.9% of them expect an increase in the number and size of cyber events targeting their organizations’ supply chains in the year ahead:
The expected increase seems to indicate higher go-forward concerns, as just 33.8% of respondents say their organizations experienced one or more supply chain cybersecurity events during the past year. […]
Part of improved supply chain visibility can include third-party risk assessments. While nearly half of respondents’ organizations conduct third-party risk assessments prior to new vendor engagement (46.5%), just 29.1% of that group also repeat those assessments at least annually as well. Unfortunately, 20.9% of respondents say their organizations do not conduct third-party risk assessments to support broader supply chain security.
In other words, executives are expecting more challenges in the supply chain either because they are already having issues today or because they are seeing other organizations facing problems in their supply chain.
Kaspersky did a similar survey focused on the automotive industry. According to their findings in the Automotive Threat Intelligence report, almost two-thirds (64%) of automotive industry leaders believe their supply chain is vulnerable to cyberattacks. The integration of infotainment systems and connectivity technology provided by third-party software vendors is seen as a major challenge, with 34% of respondents listing it as their main cybersecurity concern.
The “Security, Funded” newsletter also carried out an interesting poll with the following question: “If a cybersecurity vendor your company uses has a breach event, do you start looking for a replacement and kick them to the curb?” The answer is that it’s complicated, with 68% of respondents saying “it depends” (for example, on how critical the issue is) or outright “no.” Although the poll only had 37 votes, it’s a reminder that there is a cost associated with trying to prevent a company from hiring a vendor or switching to a new one.
In some organizations, information security simply doesn't have the mandate or political capital to force that kind of move. Plus, trying to force this on business executives only reinforces information security's long-standing reputation as the "department of no". We strongly believe that working with third parties from the very beginning to help them improve their security posture, rather than simply auditing them, is a tool missing from most organizations' repertoires, which is a shame.
We have three bonus links for you this time. One of them is a Kroll online event with “Lessons Learned from 50+ MOVEit IR Investigations” – the MOVEit Transfer hack was one of the major incidents related to third-party vendors this year, with over 1,000 victims, so hopefully this event will offer an inside look at how organizations dealt with it in practice. It’s scheduled for October 25.
The other two links are below. We hope to see you again next month!
Tenchi’s Alexandre Sieira also commented on this story.
Sky News has learnt that discussions between the accountancy firm and the Financial Reporting Council (FRC) are close to being finalised, with an announcement possible in the coming weeks.
City sources said the two sides had been negotiating penalties of between £25m and £30m, before the application of a discount on the basis of KPMG’s co-operation with the probe.
While recent security incidents prompted Microsoft to expand cloud logging data for its customers, Google announced a new paywall for its cloud governance feature.
After January 15, 2024, some Policy Intelligence features will only be available for customers with organization-level activations of Security Command Center. For more information, see Billing questions.