As many are aware, the systems of the $14 billion gaming and hospitality giant MGM have been brought to a halt for nearly 5 days by a multi-vector attack that has come to affect Caesars Entertainment as well.
While the culprits of the attack are not confirmed, the hacking group Scattered Spider, which is also associated with the UNC3944-related groups Scatter Swine, Oktapus, and Muddled Libra, is suspected to be the attacker.
This attack is notable not only because of its scope but also because of its use of ransomware made by ALPHV, also known as BlackCat (a Ransomware-as-a-Service operation), suggesting that the UNC3944 threat cluster is likely here to stay and expand.
Since 2022, the UNC3944 threat cluster has consistently deployed social engineering and SMS phishing (smishing) campaigns to obtain credentials, gain access, and expand within a victim’s network. In 2023, however, UNC3944 evolved to mount advanced ransomware attacks against an array of private sector companies, MGM being only the most infamous of late.
The evolution of the UNC3944 threat cluster and its use of ALPHV/BlackCat Ransomware-as-a-Service send a clear message: ransomware attacks are growing more lucrative and, therefore, more common, and attacker tactics, techniques, and procedures (TTPs) will continue to expand in scope and complexity.
Even the most advanced and well-funded attack cluster, as in the case of UNC3944, still relies heavily on old-fashioned, persistent phone-based social engineering to begin its attack. This highlights the importance of cybersecurity training and of rigorous zero-trust network access (ZTNA) policies that limit lateral movement after attackers gain entry into a victim’s infrastructure.
In the case of the recent MGM and Caesars Entertainment attack, UNC3944 TTPs suggest an evolution in the organization’s capabilities: building on its social engineering tactics, it has shifted into high-tempo targeting that combines smishing for credentials, the use of phishing kits, and publicly available credential theft tooling.
While specific details of the attack may not be publicly disclosed due to ongoing investigations, it is crucial to understand the broader security lessons such an incident offers. Below are a few plausible attack methods that may have affected MGM and that every security stakeholder should be aware of and continuously test their security stack against.
More important than pontificating about ‘what happened’ to MGM is discussing what we can learn from this incident. To avoid falling victim to similar weaknesses in the wake of more high-profile and expensive attacks, companies need to scale out their cybersecurity program and search for efficiency gains that outpace malicious actors like UNC3944 / Scattered Spider.
Security and IT organizations must work in unison to bolster their security posture with a rigorous assessment of the following areas:
Check this guide to learn more about building a risk-based vulnerability management program.
For more on the topic of vulnerability detection and remediation using custom logic, read our **blog post** on the release of first-party software risk management.
The recent Scattered Spider attack on MGM reinforces the ongoing and evolving nature of cyber threats in the digital age. Cybersecurity remains a top priority for organizations across all sectors, and lessons from incidents like these underscore the need for continuous improvement in vulnerability management. Threat mitigation is a matter of business risk, not just cyber risk.
By taking proactive measures, staying informed about emerging threats, threat actor TTPs, and investing in advanced security solutions, businesses can better protect their sensitive data and the trust of their customers in an era where cybersecurity threats continue to grow in complexity and sophistication.
A risk-based vulnerability management (RBVM) strategy is more than just applying risk scores to vulnerability management. It is about applying risk-based threat prioritization to response and remediation paths across the entire organization.
To respond effectively to threats across an organization, however, that prioritization must be seamless and holistic. By unifying patching, anti-ransomware, and endpoint security, organizations can not only identify threats but also remediate them wherever they may be.
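To make the difference between "applying risk scores" and "risk-based prioritization of remediation paths" concrete, here is an added Python example (not code from the original post or from any vendor product it mentions). It ranks constructed vulnerability findings by a risk score that combines CVSS with asset criticality, internet exposure, known in-the-wild exploitation, and whether the asset is part of the identity or remote-access path that phone-based social engineering campaigns target, then maps each finding to a remediation path. The weights, thresholds, CVE identifiers, and asset names are all assumptions for illustration, not values from any standard or from the incident.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (constructed data)."""
    cve: str                          # placeholder identifier, not a real CVE
    asset: str
    cvss_base: float                  # 0.0 .. 10.0
    exploited_in_wild: bool           # e.g. listed in a known-exploited catalogue
    internet_facing: bool
    asset_criticality: int            # 1 (low) .. 5 (business critical), set by asset owner
    identity_or_remote_access: bool   # SSO, VPN, MFA, help-desk tooling


# Assumed weights: tune per organization; they are not taken from any standard.
EXPLOITED_MULTIPLIER = 2.0
INTERNET_FACING_MULTIPLIER = 1.5
IDENTITY_MULTIPLIER = 1.5

# Assumed thresholds that map a score to a remediation path (SLA).
EMERGENCY_THRESHOLD = 60.0   # patch or isolate within 72 hours
SCHEDULED_THRESHOLD = 20.0   # next maintenance window, within 30 days


def risk_score(f: Finding) -> float:
    """Score = CVSS x asset criticality, amplified by context the scanner alone lacks."""
    score = f.cvss_base * f.asset_criticality
    if f.exploited_in_wild:
        score *= EXPLOITED_MULTIPLIER
    if f.internet_facing:
        score *= INTERNET_FACING_MULTIPLIER
    if f.identity_or_remote_access:
        score *= IDENTITY_MULTIPLIER
    return round(score, 2)


def remediation_path(f: Finding) -> str:
    """Translate the score into an owner-facing action and deadline."""
    s = risk_score(f)
    if s >= EMERGENCY_THRESHOLD:
        return "emergency: patch or isolate within 72 hours"
    if s >= SCHEDULED_THRESHOLD:
        return "scheduled: next maintenance window, within 30 days"
    return "backlog: routine cycle, within 90 days"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Return findings ordered highest risk first (CVSS alone would order them differently)."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("CVE-PLACEHOLDER-0002", "internal-file-server", 9.8, False, False, 2, False),
    Finding("CVE-PLACEHOLDER-0001", "sso-portal", 7.5, True, True, 5, True),
    Finding("CVE-PLACEHOLDER-0003", "marketing-web", 6.5, False, True, 3, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.cve:22} {f.asset:22} cvss={f.cvss_base:<4} "
              f"risk={risk_score(f):<7} -> {remediation_path(f)}")
```

Note that the CVSS 9.8 finding on a low-criticality internal server lands in the backlog, while the CVSS 7.5 finding on the internet-facing SSO portal, which is both exploited in the wild and on the credential path, is the emergency. That reordering is the practical meaning of risk-based prioritization: the remediation path follows business exposure rather than the scanner's severity label.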
To learn more about how to build an effective RBVM program that stands up to **emerging threats and innovative threat actors**, don’t miss our webinar on September 28th, 7 Signs Your Vulnerability Management Is Failing.