The ransomware attacks this week on MGM International and Caesars Entertainment are all over the news, and it’s been widely reported that Caesar’s allegedly paid several millions in ransom and that MGM was in negotiations with the attackers.
While these incidents have caused great disruption at Las Vegas casinos, what’s been most frustrating to security industry pros is that the social engineering and execution tactics of Scattered Spider — the threat group behind the attacks — have been well-known for several months.
Callie Guenther, cyber threat research senior manager at Critical Start, said Scattered Spider operates as a financially driven threat actor that has been active since at least May 2022.
In one of their recent attacks, Guenther said Scattered Spider used what's known as a Bring Your Own Vulnerable Driver (BYOVD) technique that involves the deployment of a vulnerable kernel-mode driver, such as the Intel Ethernet diagnostics drivers, as a way to gain elevated privileges within Windows systems, thereby evading endpoint detection and response (EDR) solutions.
“Since device drivers have direct kernel access, exploiting a flaw in them allows threat actors like Scattered Spider to execute code with the highest privileges in Windows,” explained Guenther.
Scattered Spider, also known as UNC3944 by Mandiant Google Cloud, is composed of hackers based in the United States and UK, some as young as 19 years old.
In a LinkedIn post yesterday, Charles Carmakal, a Mandiant Consulting CTO at Google Cloud, said while members of the group may be less experienced and younger than many of the established multifaceted extortion/ransomware groups and nation-state espionage actors, they are a serious threat to large organizations in the United States. Carmakal added that many members are native English speakers and are incredibly effective social engineers.
Researchers such as Crowdstrike and Trellix have repeatedly observed these tactics and published them in blogs earlier this year. The Crowdstrike blog was posted in January and the Trellix blog was more recently in August.
Guenther said Scattered Spider has specifically attempted to bypass security products like Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR, and SentinelOne. An interesting aspect of their operation is the exploitation of an older vulnerability, CVE-2015-2291, within the Intel Ethernet diagnostics driver. While this vulnerability was fixed in 2015, Scattered Spider plants an older, still vulnerable version on breached devices, enabling them to exploit this flaw regardless of the system's updates.
Researchers shed light on the attackers
While the insights on BYOVD are of interest and shed some light on what could have happened, it’s still not confirmed that Scattered Spider used those tactics on MGM or Caesars.
It’s also not fully clear as has been reported that ALPHV worked with Scattered Spider to employ the social engineering tactics that allegedly led to Scattered Spider gaining access to the MGM network.
According to a post on the X platform, formerly Twitter, vx-underground said APLHV used social engineering tactics to compromise MGM: "All ALPHV ransomware group did to compromise MGM resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation."
Guenther said while the initial compromise via the Help Desk might have given the attackers a foothold in the network, it's the subsequent actions they took inside the network that would cause the most concern. If the attackers discovered and exploited an unknown vulnerability (a BYOVD scenario), it would amplify the severity of the breach because it indicates a level of sophistication and ability to move within the network undetected, explained Guenther.
"If a casino or any organization believes that attackers have deeply penetrated their systems using advanced tactics like BYOVD, and if they have exfiltrated sensitive data or deployed ransomware, it might increase the likelihood that they would consider paying a ransom," said Guenther. "The organization would weigh the potential damage, both financial and reputational, against the cost of the ransom and the likelihood that paying would actually resolve the issue."
As for the connection between ALPHV and Scattered Spider, Mandiant Google Cloud's Carmakal described ALPHV as a ransomware-as-a-service (RaaS) operation that works with multiple affiliates. Carmakal said Mandiant has recently observed a small portion of UNC3944 (Scattered Spider) intrusions that have either leveraged ALPHV’s Black Cat ransomware encryptor or victim-shaming infrastructure. However, Carmakal said the majority of the victims on the ALPHV victim-shaming site are not associated with UNC3944 intrusions.
Michael Sikorski, vice president of engineering and CTO at Palo Alto Networks Unit 42, added that ALPHV/BlackCat has made the group Unit 42 calls "Muddled Libra" (aka Scattered Spider/UNC3944) an affiliate. BlackCat gives affiliates access to their “kit” which includes the ransomware, support, negotiations, and access to their leak site. Sikorski said this also lets Muddled Libra put additional pressures on their targets, and continue to find new revenue streams.
Sikorski said initially Muddled Libra’s end goals were very focused on gaining access to cryptocurrency wallets and banking. Now, with the ransomware, Muddled Libra can put additional pressures on organizations. He said when Unit 42 initially published research on Muddled Libra in June, they hadn't seen any ties between them and ransomware actors. Now, over the last few months, we have seen cases with the two groups overlapping.
“Muddled Libra is a subset of the actors using the 0ktapus phishing kit based on specific trade craft and objectives, which now includes BlackCat ransomware,” said Sikorski. “Recent attacks have focused on social engineering the Help Desk to reset credentials and MFA, not requiring use of the 0ktapus phishing kit. Muddled Libra now prefers to social engineer Help Desk personnel to reset passwords and MFA methods for targets. Once this is done, they will enroll their own device for future MFA requests. If this is unsuccessful, they will fall back to smishing users with a fake login portal, or if they can obtain a username and password, they will MFA bomb users with requests until they accept a prompt.”
So where does that leave us? Recognizing that once again, it’s human error that can do companies in – and that once attackers are in, these incidents can spread to IoT systems.
“From what has been shared publicly, it appears that this massive incident all started from a traditional social engineering attack,” said Sonu Shankar, chief strategy officer of Phosphorus. “However, while this attack may have originated in the IT system, the impact quickly spread to MGM's xIoT networks, including slot machines, digital room access, ATMs, point-of-sale terminals, and possibly even the parking system. What companies need to learn from this is that any cyberattack can quickly spread to your xIoT systems, having a real physical impact on your business operations and security.”
The industry needs to build systems and environments where compromising one employee through social engineering can't bring a multibillion-dollar organization to its knees,” said Alex Hamerstone, advisory solutions director at TrustedSec.
“Another thing to consider is that technology is being embedded in more devices, and we aren’t going back,” said Hamerstone. “When you have a brass key to get into your hotel room, the worst that can happen is you lose the key. But with all these electronic locks/encoding, you can now lose the ability to provide lodging as a hotel. Look in your wallet — most of your credit cards don't even have embossed numbers. If the payment card systems are down, they can’t even use the old knuckle busters/carbon copies to take payment — they just have to close.”