Was Vegas Hit by Adversary-in-the-Middle Attacks?
Bulletproof, a GLI Company
Author: Gage Taylor | Read Time: 5 Minutes
There has been a lot of recent news about casinos in Las Vegas being hit by ransomware groups. People were locked out of their rooms, were unable to make reservations, and could not play games at a few of the city’s major casinos.
Many news articles claim that the ransomware groups' initial attack vector was the compromise of user identities and accounts via phishing.
The Security Operations Centre (SOC) at Bulletproof has seen a steep increase in incidents triggered by a specific type of phishing called Adversary-in-the-Middle (AitM). These types of incidents are also known as Man-in-the-Middle (MitM) attacks.
When an AitM attack occurs, a threat actor positions themselves between two parties who are communicating over a network, such as a user and a website or two devices on a Wi-Fi network. The attacker intercepts and potentially modifies the data being exchanged between these parties, making it appear as if the communication is going directly between them when, in fact, it's passing through the attacker's system. AitM attacks can be used for various malicious purposes, such as eavesdropping on sensitive information or altering the data being transmitted.
Take this example of an AitM from hypr.com: "In July 2022, Microsoft reported a new type of phishing attack that bypassed multi-factor authentication (MFA) controls using an adversary-in-the-middle attack to steal session cookies and gain access to victims' email accounts. Once they had gained access to mailboxes, the attackers followed up with Business Email Compromise (BEC) attacks."
The illustration of the AitM attack flow from Microsoft is shown below:
Phishing Kits are Easy to Buy and Deploy in AitM Scams
So, how do attackers get ‘in the middle’? There is an entire cybercrime economy that makes it possible for amateur threat actors to purchase ‘phishing kits’ so they can carry out cyberattacks. These kits contain software tools and code that cybercriminals can use to execute their scams.
These phishing kits have lowered the bar in terms of the technical knowledge needed to deploy advanced phishing campaigns. They are so easily available that there are well-known brands of these kits for purchase online (for as little as $6, according to Microsoft’s 2021 Digital Defense Report). NakedPages, EvilProxy, and Evilginx are examples of the phishing kits that Bulletproof has seen.
Phishing typically targets an end-user and occurs through deceptive emails, websites, or messages that appear legitimate. The goal of a phishing attack can vary, but it often includes stealing login credentials, credit card numbers, or personal information, or spreading malware. The twist with a MitM attack is that the attacker usually intercepts sensitive information such as login credentials, financial data, or other confidential data while it is being exchanged between the victim and the legitimate party.
AitM attacks can be conducted using various techniques, including ARP spoofing, DNS spoofing, SSL stripping, or by compromising network devices or routers.
How to Identify Signs of an AitM
Indicators of Compromise (IoC) and Tactics, Techniques, and Procedures (TTP) are used to detect and respond to security incidents, assess the scope of an attack, and develop strategies to prevent future attacks.
IoCs are specific pieces of information that suggest the presence of malicious activity or security breaches within a network or system. They are essentially clues or evidence that something is wrong. IoCs can take various forms, including:
IoCs are valuable for incident response because they provide specific, actionable information that can be used to identify threats. They help security teams detect and contain security incidents quickly.
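One way to turn the session-cookie theft described earlier into a concrete check over sign-in logs, as an added example (not Bulletproof's or Microsoft's code): flag any session that is later used from a different IP address and user agent than the client that completed MFA. The log format, field names, event names and sample records are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sign-in/activity records (JSON lines). Field and event names are
# assumptions for this example, not the schema of any specific identity provider.
SAMPLE_LOG = """
{"ts":"2023-09-12T14:01:07Z","user":"alice@example.com","session":"s-1001","ip":"203.0.113.10","ua":"Edge/116 Windows","event":"mfa_success"}
{"ts":"2023-09-12T14:03:40Z","user":"alice@example.com","session":"s-1001","ip":"203.0.113.10","ua":"Edge/116 Windows","event":"mail_read"}
{"ts":"2023-09-12T14:09:12Z","user":"alice@example.com","session":"s-1001","ip":"198.51.100.77","ua":"Firefox/102 Linux","event":"mail_read"}
{"ts":"2023-09-12T14:10:02Z","user":"alice@example.com","session":"s-1001","ip":"198.51.100.77","ua":"Firefox/102 Linux","event":"mail_send"}
{"ts":"2023-09-12T15:20:00Z","user":"bob@example.com","session":"s-2002","ip":"192.0.2.44","ua":"Chrome/117 macOS","event":"mfa_success"}
{"ts":"2023-09-12T15:45:00Z","user":"bob@example.com","session":"s-2002","ip":"192.0.2.45","ua":"Chrome/117 macOS","event":"mail_read"}
"""


def parse_ts(value):
    # Timestamps in the sample are ISO 8601 UTC, e.g. 2023-09-12T14:01:07Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_reuse(log_text):
    """Return one finding per session that is used, after MFA, from a different
    IP and user agent: a pattern consistent with a replayed session cookie."""
    baseline = {}  # session id -> record of the client that completed MFA
    findings = {}  # session id -> finding, created on the first mismatch
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for rec in sorted(records, key=lambda r: parse_ts(r["ts"])):
        sid = rec["session"]
        if rec["event"] == "mfa_success":
            baseline.setdefault(sid, rec)
            continue
        base = baseline.get(sid)
        if base is None:
            continue  # no MFA event for this session in the window; not judged here
        # Requiring both fields to differ avoids flagging ordinary IP churn
        # (DHCP, mobile networks) where the browser stays the same.
        if rec["ip"] != base["ip"] and rec["ua"] != base["ua"]:
            delta = parse_ts(rec["ts"]) - parse_ts(base["ts"])
            finding = findings.setdefault(sid, {
                "user": rec["user"], "session": sid, "mfa_ip": base["ip"],
                "reuse_ip": rec["ip"], "events": [],
                "seconds_after_mfa": int(delta.total_seconds())})
            finding["events"].append(rec["event"])
    return list(findings.values())


if __name__ == "__main__":
    for item in find_session_reuse(SAMPLE_LOG):
        print(json.dumps(item))
```

In a reverse-proxy AitM sign-in the identity provider may already see the proxy's address at MFA time, so this check catches the later replay from a different client and should be paired with sign-in risk signals rather than used alone.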
Tactics, Techniques, and Procedures (TTP) refer to the methods, strategies, and behaviors used by cyber adversaries, such as:
Analyzing TTPs can also help improve overall cybersecurity posture.
The security experts in the SOC at Bulletproof have identified some common IoCs and TTPs while handling AitM incidents over the past year.
TTPs to remediate AitM incidents include:
Are You Prepared for an AitM Incident?
The AitM attacks that happened in Las Vegas casinos caused a lot of visitors to question their confidence in those organizations. They trusted them to keep their data secure, including their banking information. If these attacks can happen to the biggest casinos in the country, they can happen to businesses of any size.
Is your business doing everything it can to monitor and remediate cyberthreats? Cybercriminals don’t work 9-5, and they act fast. You may know the IoCs and the TTPs to help you detect when something is off, but the timeline between detection and containment is critical.
To effectively run a 24/7 threat monitoring program that can detect threats, contain them, and take preventative action immediately, a security operations centre (SOC) is required. Using a third-party security team with a fully equipped SOC means your business will be protected 24/7, no matter how time or resource-constrained your in-house IT team may be.
As the 2021 Microsoft Global Security Partner of the Year, Bulletproof is happy to discuss how our cybersecurity expertise can be used to mitigate the risk of an AitM cyberattack on your network.