MGM Resorts hit by suspected Ransomware attack
UK military networks were hit by 6 million cyber attacks in 2022
Iranian backed hacker group targets 34 global companies
Sri Lanka hit by massive ransomware attack that impacted all government departments
Ransomware gang claims theft of 1.3TB from travel booking company Sabre
MGM Resorts was grappling with a significant IT disruption earlier this week after a cyberattack led to several systems across its facilities being temporarily shut down. Consequently, staff at the front desk and concierge services resorted to manual pen-and-paper methods. Slot machines in many gaming areas were also rendered unusable, and there were rumours of guests being unable to access their rooms.
The disruption commenced on Sunday, 10 September and affected multiple MGM establishments across the US. Notably impacted were many iconic casinos located on the famed Las Vegas Strip such as Bellagio, Excalibur, Luxor, Mandalay Bay, MGM Grand, and New York New York.
MGM Resorts stated that upon discovering the cyber security threat, they swiftly initiated an in-depth investigation. The company also informed the authorities, adopted measures to safeguard their systems and data, and temporarily shut down particular systems. Their probe is currently ongoing.
While the specifics of this cyber breach are yet to be revealed, Nevada's stringent breach notification laws will likely necessitate further disclosure. The extensive shutdown of multiple MGM systems points towards the possibility of a ransomware attack, which the IT and security teams are likely addressing.
During the Defence and Security Equipment International (DSEI) conference in London, General Sir Jim Hockenhull, head of the UK's Strategic Command, revealed that the UK's military communication systems faced over six million cyberattacks in 2022, marking an escalation in cyber warfare amidst conflict in Europe and tensions in the Far East.
The persistent attacks, orchestrated daily by adversarial nations and their criminal allies, coincide with intelligence reports of increased covert actions by countries such as Russia, Iran, China and North Korea.
General Sir Jim Hockenhull, leader of the UK's Strategic Command, spoke on the issue, emphasizing the unique challenges of space and cyber realms. He stated, "These domains are being exploited to escalate information campaigns aimed at unsettling our societies or to directly compromise our fundamental capabilities."
A state-backed cyber threat group, dubbed 'Charming Kitten' (also known as Phosphorus, TA453, APT35/42), has reportedly used a previously unidentified backdoor malware, termed 'Sponsor', to target 34 global companies.
One characteristic of the Sponsor backdoor is that it keeps its configuration in innocuous-looking files written to disk on the affected computer; these are dropped by batch scripts and deliberately made to appear harmless, which is how the backdoor evades scanning engines. Security researchers traced this campaign from March 2021 to June 2022. Key sectors targeted included government, healthcare, financial services, engineering, manufacturing, tech, law and telecommunications. The countries most under threat were Israel, Brazil and the UAE.
The researchers highlighted that Charming Kitten chiefly exploited CVE-2021-26855, a vulnerability in Microsoft Exchange, to initially infiltrate its victims' systems. Subsequently, the culprits utilised a range of open-source tools that not only enabled data theft and system monitoring but also ensured they retained access to the breached systems.
Sri Lanka's Information and Communication Technology Agency (ICTA), responsible for overseeing the country's ICT initiatives, has confirmed a significant data loss incident impacting all government offices using the “gov.lk” email domain, including the Cabinet Office.
Established to boost Sri Lanka's economy through ICT, ICTA reported a severe ransomware attack that wiped email data dated between May 17th and August 26th. The breach compromised roughly 5,000 email addresses. Worryingly, no backup, either offline or online, existed for a crucial two-month period, so many of the emails lost in the attack are irretrievable.
Responding swiftly, ICTA announced new measures to fortify their systems. A daily offline backup process will be instituted to avert future catastrophic data losses, and the relevant software will be updated to the most recent versions to strengthen cyber defences.
Presently, ICTA and the Sri Lanka Computer Emergency Readiness Team (SLCERT) are making concerted efforts to recover the lost data. Additionally, SLCERT has alerted the public to a phishing scam targeting Sri Lankan citizens.
The ransomware group, Dunghill Leak, has announced its role in a cyber attack on the travel booking firm, Sabre. On its dark web leak site, Dunghill alleges the theft of 1.3 terabytes of Sabre data, encompassing corporate financial details, passenger statistics, ticket sales data, and employee personal information. As evidence, the group released some stolen data, showing information like employee emails, names, nationalities, passport and visa details, and US I-9 forms for specific staff. Notably, one compromised passport belonged to a Sabre vice president.
Sabre has acknowledged the allegations and initiated an investigation into the validity of Dunghill's claims. Sabre spokesperson Heidi Castle stated, “Sabre is investigating the data exfiltration claims made by the threat group.”
Although the exact timing and method of the breach remain uncertain, Dunghill's shared screenshots suggest it transpired around July 2022. In 2022, globally, there were approximately 493.33 million ransomware attempts, with the average cost of an attack standing at US$4.54m.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Join us in Dublin or London for the Security First 2022 conference. We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.