A couple of LinkedIn profiles, the right phone number for an IT helpdesk, and financial motive. Is that all it takes to shutter operations at more than two dozen hotel and casino locations for over a week?
If you ask the cybercriminals allegedly responsible for the recent MGM hack — Scattered Spider and ALPHv’s ransomware-as-a-service operation — they’d say those items are at least a good place to start. Caesars Entertainment and Okta, an identity and access management company, also recently experienced an uptick in attacks that began at the same place: a phone call to the IT help desk.
As the spread of mandatory phishing training and general awareness helps organizations prevent less sophisticated “spray and pray” forms of social engineering, threat actors are increasingly focused on creative ways to get at the weakest link in the security chain — us. With more than 90% of incidents still enabled by social engineering efforts, what are the critical areas of focus for organizations protecting themselves both today and into the future?
According to the ALPHv ransomware group’s account of the incident, all that was needed to compromise MGM Resorts was an employee’s public LinkedIn account. With a name, job title, and history at their fingertips — and so much more only a Google search away — it takes threat actors only ten minutes of work to obtain a password reset or modify the MFA method on an account by adding their own device.
By choosing their target employees wisely, such as someone in a highly privileged role, threat actors can access sensitive data without the legwork associated with traditional email phishing attempts or sophisticated malware. Why do all the work of traditional entry methods like exploiting misconfigurations when you can get someone on the inside to open the door for you?
It took MGM ten days to return to business as usual. They faced headaches like handwritten casino receipts, physical room keys, and non-functional slot machines while trying to mitigate the damage to their systems and data. Meanwhile, threat actors were able to steal personal information, ranging from names to social security numbers.
In August, months before these attacks hit MGM or Caesars, Okta reported on a consistent pattern of “social engineering attacks against IT service desk personnel.” That leads us to believe this is only the beginning of a trend, especially as cybercriminals note the success of prior attacks.
To safeguard against ambitious social engineering attempts, organizations should require more “proof” that the user is actually who they say they are — beyond what can be plucked from their public-facing social media accounts. Visual verification via video calls is the best way for help desk personnel to confidently determine a user’s identity.
Keeping a log of all help desk calls can assist in auditing for control effectiveness, incident response, and help desk operator training. It also answers the question “how many users are requesting password resets, and do they have privileged access?”
With the data in front of us, organizations can keep a closer pulse on signs of a larger problem. For example, if there is a mass influx of password reset requests, organizations can revisit their processes and ultimately better train help desk operators. By having a monitoring and audit mechanism in place, you can ensure that you are constantly reevaluating and future-proofing your password reset process against vishing (voice phishing) and social engineering attempts.
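Here is what that audit looks like in practice. This is an added example, not code from the original post: it runs over a few constructed help desk log lines (the CSV layout, the field names, the verification labels and the privileged-account list are all assumptions made for the example) and pulls out the three signals discussed above: how many sensitive requests there were, which of them touched privileged accounts without video verification, and whether a burst of reset requests landed in a short window.

```javascript
// Added example (not from the original post). Audits a help-desk call log
// for password-reset / MFA-change requests. Log format is an assumption:
//   timestamp,operator,username,request,verification
// Constructed sample data; every username and operator here is made up.
const LOG = `
# timestamp,operator,username,request,verification
2024-09-10T08:05:00Z,op1,asmith,password_reset,callback
2024-09-10T08:20:00Z,op2,dadmin,mfa_change,knowledge_questions
2024-09-10T08:31:00Z,op1,bjones,unlock,callback
2024-09-10T08:40:00Z,op3,jfinance,password_reset,video
2024-09-10T08:52:00Z,op2,clee,password_reset,knowledge_questions
2024-09-10T14:10:00Z,op1,mkhan,password_reset,video
`;

// Accounts with elevated rights (assumed list, e.g. pulled from your IdP).
const PRIVILEGED = new Set(['dadmin', 'jfinance']);

// Request types that let a caller take over an account if verification is weak.
const SENSITIVE_REQUESTS = new Set(['password_reset', 'mfa_change']);

// Parse the CSV-style log into objects; skip blank lines and comments.
function parseLog(text) {
  return text
    .trim()
    .split('\n')
    .filter((line) => line && !line.startsWith('#'))
    .map((line) => {
      const [ts, operator, user, request, verification] = line.split(',').map((s) => s.trim());
      return { ts: new Date(ts), operator, user, request, verification };
    });
}

// Produce a summary plus a list of findings worth a second look.
function auditHelpDesk(entries, { windowMs = 60 * 60 * 1000, burstThreshold = 3 } = {}) {
  const sensitive = entries
    .filter((e) => SENSITIVE_REQUESTS.has(e.request))
    .sort((a, b) => a.ts - b.ts);
  const findings = [];

  // 1. Sensitive requests on privileged accounts that were not verified by video.
  for (const e of sensitive) {
    if (PRIVILEGED.has(e.user) && e.verification !== 'video') {
      findings.push({
        kind: 'privileged_weak_verification',
        user: e.user,
        operator: e.operator,
        verification: e.verification,
        ts: e.ts.toISOString(),
      });
    }
  }

  // 2. Burst detection: a sliding window over the sorted sensitive requests.
  //    Reports the first window that reaches the threshold.
  for (let i = 0; i < sensitive.length; i++) {
    let j = i;
    while (j < sensitive.length && sensitive[j].ts - sensitive[i].ts <= windowMs) j++;
    const count = j - i;
    if (count >= burstThreshold) {
      findings.push({ kind: 'burst', count, start: sensitive[i].ts.toISOString() });
      break;
    }
  }

  // 3. The headline numbers the article asks for.
  const summary = {
    sensitiveRequests: sensitive.length,
    privilegedSensitive: sensitive.filter((e) => PRIVILEGED.has(e.user)).length,
  };
  return { summary, findings };
}

// Stand-alone run: print the audit for the constructed log.
console.log(JSON.stringify(auditHelpDesk(parseLog(LOG)), null, 2));
```

On the sample data the audit reports five sensitive requests, two of them for privileged accounts, flags the MFA change on the admin account that was verified only by knowledge questions, and reports a burst of four resets inside one hour. The thresholds are deliberately low so the example trips; tune the window and burst count to your own baseline before using this logic for real alerting.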
According to a July report from the Department of Homeland Security’s Cyber Safety Review Board (CSRB), the ransomware group Lapsus$ — infamous for being largely made up of teenagers — used SIM-swapping attacks to breach dozens of organizations throughout 2021 and 2022. This included high-profile organizations with considerable resources for their cybersecurity posture, like T-Mobile, Samsung, and Microsoft.
SIM swapping is when an attacker convinces a mobile carrier to transfer a victim's phone number to a SIM card they control. This allows them to intercept calls and messages, including those used for MFA.
The CSRB report states:
“In several instances, attackers gained initial access to targeted organizations through Subscriber Identity Module (SIM) swapping attacks, which allowed them to intercept one-time passcodes and push notifications sent via SMS, effectively defeating this widely used MFA control. A lucrative SIM swap criminal market further enabled this pay-for-access to a target’s mobile phone services.”
An attacker gathers personal information about a victim, contacts their mobile carrier pretending to have lost their phone, and requests to transfer the victim's number to a new SIM card.
If there’s a major takeaway here — and we don’t mean to hurt anyone’s feelings — it’s that we, the humans, are the weakest link. Sometimes, threat actors play on our desire to help and do our jobs well (sorry, help desk team). Other times, they take advantage of how bad most of us are at coming up with passwords. Looking at you, Password1234.
That’s why MFA has been such an important part of any organization’s cybersecurity strategy. But as we noted in the previous section, not all MFA is created equal. Threat actors are only getting better at circumventing the hurdles we put in front of them (like forcing a password reset). Plus, there’s the timeless objection to implementation: MFA is an annoying extra step for the user.
The solution to all of the above? Passkeys — the new and improved way to securely authenticate user accounts.
A passkey is a FIDO2 (Fast Identity Online) digital credential that is unlocked with the device’s own authentication. It’s a passwordless way to log in, typically using a fingerprint, face scan, or screen lock PIN.
Passkeys use two cryptographic keys for your account. One is the public key stored on the site you’re on, and the other is a private key stored on the authenticator (your device). The website and the authenticator communicate without sharing exploitable information: the private key never leaves the device, and the site only ever holds the public key. That is the opposite of the traditional password approach, which requires the user’s secret (the password) to be sent to and stored by the server.
We have some time before we live in a passwordless world, but Google, Microsoft, and Apple are leading the charge in the adoption of passkeys.
Threat actors are, as usual, finding new ways to dupe us. The latest trend is “vishing” attempts that leverage the information we all have publicly available, like our LinkedIn accounts, to gain access to privileged accounts. Before that, we were inundated with headlines of successful SIM-swapping attacks.
Phishing training and stronger verification processes are a step in the right direction — but a passwordless future, empowered by passkeys, is the best defense against even the most creative cybercriminals.