Caesars and MGM both caught up in Scattered Spider’s web
Bloomberg is reporting that a few weeks back, another Las Vegas giant, Caesars Entertainment, paid “tens of millions of dollars” to the group Scattered Spider, which allegedly paralyzed the operations of MGM Resorts. According to CrowdStrike, Scattered Spider is an affiliate of ALPHV, and is also known as OktaPus because it “targets users of tech company Okta’s identity and access management services.” With Caesars, the group claims to have “obtained access to an outside vendor before entering the company’s network.” A report from Trellix says the Scattered Spider group is “known to impersonate IT personnel especially through LinkedIn, and uses social engineering to persuade company officials to run remote monitoring and other tools. From there, they exploit vulnerabilities and use tools like ‘Stonestop’ to evade security software.” According to The Record, “members of the group spoke to the Financial Times and TechCrunch this week, claiming their original goal was to attack MGM’s slot machines only and use paid mules to slowly milk the devices. But when that failed, they turned to their tried-and-true methods of attack, eventually encrypting the company’s systems.”
Cybersecurity incident impacts Canada’s Weather Network
Pelmorex, the parent company of Canada’s The Weather Network and its French language equivalent MétéoMédia says the cybersecurity incident that paralyzed some of its data systems this week was connected to third-party software. Investigations are continuing. Its AlertReady app, which delivers Amber alerts, forest fire warnings and weather-related warnings, was not impacted by the event.
Blocked LockBit affiliate deploys 3AM instead
The Symantec Threat Hunter Team at Broadcom has described an attack on an unnamed victim in which a LockBit affiliate deployed several Cobalt Strike components on an individual’s computer and then, after conducting some reconnaissance for lateral movement opportunities, attempted to deploy LockBit ransomware, which was successfully blocked. The attackers then successfully deployed 3AM, a ransomware executable written in Rust. Symantec states this is not the first time it has seen ransomware affiliates deploying two ransomware families in a single attack, and suggests this “may indicate that affiliates are becoming more independent from ransomware operators.”
Professional sports has a cybersecurity problem
According to the UK-based National Cyber Security Centre, “70% of sports organizations experience at least one cyberattack per year,” which it points out is more than double the rate for regular businesses. This is due largely to the digitalization of sports, which accumulates large amounts of consumer data that is accessed from a wide variety of devices and networks. In addition, the article points out the often overlooked vulnerabilities in physical sports facilities, such as digital signboards with exposed ports, Wi-Fi hotspots, mobile apps, QR codes, and POS technology, and the need for improved network segmentation between IT and OT systems such as stadium access technology.
Azure HDInsight flaws enabled data access and session hijacking
Orca Security has disclosed eight cross-site scripting (XSS) vulnerabilities in Azure HDInsight that could be used to “access data, hijack sessions, or deliver malicious payloads.” The flaws exist in Apache services, including Hadoop and Spark, that run under Azure HDInsight. Five CVE identifiers cover the eight flaws; they are listed in the show notes for this episode. Orca has stated that “all eight XSS vulnerabilities discovered in various platforms and components in Azure HDInsight primarily resulted from the lack of proper input sanitization.”
CVE-2023-36881, CVE-2023-35394, CVE-2023-38188, CVE-2023-35393, CVE-2023-36877
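Orca attributes all eight flaws to missing input sanitization. The following is an added illustration of that bug class and its fix, written for this page; it is not code from Orca, HDInsight, Hadoop or Spark. It assumes a hypothetical status page that reflects a `name` query parameter into its HTML: the “vulnerable” renderer concatenates the raw value, the hardened renderer HTML-entity-encodes it for the element-body context, and a small regression check parses the rendered output and fails if any tag outside the template’s own allow-list appears.

```python
import html
from html.parser import HTMLParser
from typing import Callable, Iterable, List
from urllib.parse import parse_qs, quote


def _name_from(query_string: str) -> str:
    """Pull the untrusted ?name= value out of a query string (constructed helper)."""
    return parse_qs(query_string).get("name", ["guest"])[0]


def render_vulnerable(query_string: str) -> str:
    """'Before' pattern: the requester-controlled value is dropped straight into
    the page body, so any markup it contains becomes part of the DOM."""
    name = _name_from(query_string)
    return f"<h1>Job status for {name}</h1>"


def render_hardened(query_string: str) -> str:
    """'After' pattern: the value is entity-encoded for the HTML element-body
    context (quote=True also encodes quotes, so the same helper is safe inside
    double-quoted attribute values). Angle brackets, quotes and ampersands are
    rendered as text instead of being parsed as markup."""
    name = _name_from(query_string)
    return f"<h1>Job status for {html.escape(name, quote=True)}</h1>"


class _TagCollector(HTMLParser):
    """Records every start tag the stdlib parser sees in a rendered page."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(rendered: str) -> List[str]:
    """Return the start tags present in the rendered HTML, in document order."""
    collector = _TagCollector()
    collector.feed(rendered)
    return collector.tags


def is_xss_safe(render: Callable[[str], str], allowed_tags: Iterable[str]) -> bool:
    """Regression check for a renderer: feed it a couple of constructed probe
    values (the textbook XSS shapes) through the real query-string path and
    confirm no tag beyond the template's own allow-list shows up in the output."""
    probes = [
        "<script>alert(1)</script>",
        '<img src=x onerror="alert(1)">',
    ]
    allowed = set(allowed_tags)
    for probe in probes:
        # quote() percent-encodes the probe the way a browser would send it;
        # parse_qs inside the renderer decodes it again.
        rendered = render("name=" + quote(probe))
        if set(tags_in(rendered)) - allowed:
            return False
    return True


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"{label:10s} safe={is_xss_safe(renderer, ['h1'])}")
        print("  ", renderer("name=%3Cb%3Ehi"))
```

The allow-list check is deliberately structural rather than string-based: it asks the HTML parser what elements the page now contains, so it catches bypasses that a simple `"<script" in output` test would miss, and it can be pointed at any view function that builds HTML from request data.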
UK plans to consolidate NHS data
The UK’s National Health Service is looking to create a centralized platform called the NHS England Database. A five-year contract worth £480m is currently in a bid review process, with the winner expected to be announced very soon. The front runner is the US firm Palantir, owned by tech billionaire Peter Thiel. In response to questions from The Guardian, Palantir emphasized that it is “not in the business of mining data, nor do we sell or monetize it in any way.” In addition, NHS England said that it, not the platform, will control the patient data inside it.
Kubernetes security flaws in Windows endpoints
Three high-severity vulnerabilities in Kubernetes have been discovered by researchers at Akamai that “can be exploited to gain remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster.” The flaws can be triggered by applying a malicious YAML file to the cluster, and they affect Kubernetes installations both on-premises and in Azure Kubernetes Service. They carry CVSS ratings of 8.8. The three vulnerabilities are tracked as CVE-2023-3676, CVE-2023-3893 and CVE-2023-3955.