Cyber Security Headlines:  Caesars, MGM attacks, Weather Network down, LockBit dual deployment

Caesars and MGM both caught up in Scattered Spider’s web

Bloomberg is reporting that a few weeks back, another Las Vegas giant, Caesars Entertainment, paid “tens of millions of dollars” to the group Scattered Spider, which allegedly paralyzed the operations of MGM Resorts. According to CrowdStrike, Scattered Spider is an affiliate of ALPHV, and is also known as OktaPus because it “targets users of tech company Okta’s identity and access management services.” With Caesars, the group claims to have “obtained access to an outside vendor before entering the company’s network.” A report from Trellix says the Scattered Spider group is “known to impersonate IT personnel especially through LinkedIn, and uses social engineering to persuade company officials to run remote monitoring and other tools. From there, they exploit vulnerabilities and use tools like ‘Stonestop’ to evade security software.” According to The Record, “members of the group spoke to the Financial Times and TechCrunch this week, claiming their original goal was to attack MGM’s slot machines only and use paid mules to slowly milk the devices. But when that failed, they turned to their tried-and-true methods of attack, eventually encrypting the company’s systems.”

(Engadget, Bloomberg, CrowdStrike, The Record, and Trellix)

Cybersecurity incident impacts Canada’s Weather Network

Pelmorex, the parent company of Canada’s The Weather Network and its French-language equivalent MétéoMédia, says the cybersecurity incident that paralyzed some of its data systems this week was connected to third-party software. Investigations are continuing. Its AlertReady app, which delivers Amber alerts, forest fire warnings and weather-related warnings, was not impacted by the event.

(CityNews and Twitter/X)

Blocked LockBit affiliate deploys 3AM instead

The Symantec Threat Hunter Team at Broadcom has described an attack on an unnamed victim in which a LockBit affiliate deployed several Cobalt Strike components on an individual’s computer and then, after conducting some reconnaissance for lateral movement opportunities, sought to deploy LockBit ransomware, which was successfully blocked. They then successfully deployed 3AM, an executable written in Rust. Symantec states this is not the first time they have seen ransomware affiliates deploying two ransomware families in an attack, and they suggest this “may indicate that affiliates are becoming more independent from ransomware operators.”

(Security Week)

Thanks to this week’s episode sponsor,

The team at Lucid Software reduced the time spent answering customer security questionnaires by a whopping 91% with Conveyor’s security questionnaire automation software – powered by OpenAI. Compared to the tools on the market, Conveyor’s AI auto-generates the most accurate answers to entire questionnaires so you can spend almost zero time on them. That’s it. That’s the ad. We’ll let you get back to the headlines, but if you want to take away the pain of questionnaires, try a free proof of concept at

Professional sports has a cybersecurity problem

According to the UK-based National Cyber Security Centre, “70% of sports organizations experience at least one cyberattack per year,” which they point out is more than double the rate of regular businesses. This is due largely to the digitalization of sports, which accumulates large amounts of consumer data that is accessed from a wide variety of devices and networks. In addition, the article points out the often overlooked vulnerabilities in physical sports facilities, such as digital signboards with exposed ports, Wi-Fi hotspots, mobile apps, QR codes, and POS technology, and the need for improved network segmentation between IT and OT systems such as stadium access technology.

(Dark Reading)

Azure HDInsight flaws enabled data access and session hijacking

Orca Security has revealed eight cross-site scripting (XSS) vulnerabilities affecting Azure HDInsight, which could be used to “access data, hijack sessions, or deliver malicious payloads.” These exist in Apache services, including Hadoop and Spark, that run under Azure HDInsight. There are five CVE codes for these eight flaws, listed in the show notes to this episode. Orca has stated that “all eight XSS vulnerabilities discovered in various platforms and components in Azure HDInsight primarily resulted from the lack of proper input sanitization.”

CVE-2023-36881, CVE-2023-35394, CVE-2023-38188, CVE-2023-35393, CVE-2023-36877

(Security Week)

UK plans to consolidate NHS data

The UK’s National Health Service is looking to create a centralized platform called the NHS England Database. A five-year contract worth £480m is currently in a bid review process, with an announcement of the winner expected very soon. The front runner is the US firm Palantir, owned by tech billionaire Peter Thiel. In response to questions from The Guardian, Palantir emphasized that it is “not in the business of mining data, nor do we sell or monetize it in any way.” In addition, NHS England said that it, not the platform, will control the patient data inside it.

(The Guardian)

Kubernetes security flaws in Windows endpoints

Three high-severity vulnerabilities in Kubernetes have been discovered by researchers at Akamai that “can be exploited to gain remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster.” This can be triggered by applying a malicious YAML file to the cluster, and impacts both on-premises Kubernetes installations and the Azure Kubernetes Service. These carry CVSS ratings of 8.8. The three CVE numbers for these vulnerabilities are CVE-2023-3676, CVE-2023-3893 and CVE-2023-3955.

(Security Affairs)

Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.