Robin’s Newsletter #274

18 September 2023. Volume 6, Issue 38
Ransomware groups target Save the Children, Las Vegas casinos, and the Sri Lankan government.

This week

Lots of ransomware this week, coinciding with the UK NCSC and NCA publishing a white paper on the ransomware, extortion and cybercrime ecosystem. Worth a read. 

Save the Children was attacked by the BianLian ransomware group

  • Save the Children International has confirmed a ransomware attack against “part of [their] network”. The charity, which has supported over 1 billion children since being founded in 1919, says there has “been no operational disruption”.
  • The BianLian ransomware group has claimed responsibility for the attack and claims to have made off with 6.8TB of data, including HR, financial and medical data.
  • The charity is working with external specialists and says it’s “confident in the ongoing integrity of our IT infrastructure”.
  • I agree that BianLian needs to be punched in the face.

MGM Resorts and Caesars International 

  • MGM Resorts appear to have been pretty comprehensively pwned by the ransomware group: websites and online reservations at properties were unavailable, ATMs and slot machines in casinos weren’t working, and there were reports that room keys no longer worked. How much of that was precautionary, and how much was the direct result of the attackers’ actions, is unclear.
  • The attack is being attributed to the Scattered Spider group, who Mandiant believe are fluent English speakers operating from the US, UK or Europe and “are very good at research”. The threat group is known for social engineering the IT support desks of its victims. In an unverified interview, people claiming to be part of the group said that the original intent of the attack was to manipulate slot machines, in an attack that wouldn’t be out of place in an Ocean’s Eleven style heist movie.
  • Later reports suggested that the cybercriminals had managed to gain access to and encrypt more than 100 ESXi hypervisors that run the company’s IT systems.
  • In a separate incident, Caesars Entertainment says its customer loyalty database was stolen. In an ‘8-K’ filing (required when a US public company suffers an event likely to have a material effect on their business), Caesars said personal data of a “significant number of members” was stolen, including driving license and Social Security numbers. 
  • The hotel and casino firm is rumoured to have paid half of the $30 million demanded by the attackers in exchange for not releasing the information as part of “steps to ensure that the stolen data is deleted by the unauthorized actor”. 
  • ALPHV, of which Scattered Spider is believed to be an affiliate, has claimed responsibility for the breach at Caesars.
  • Threat intelligence firm Dynarisk claims to have seen around 100 account details for staff at both MGM and Caesars being traded on a Telegram channel on 1st September.

Sri Lanka investigating ransomware incident

Interesting stats

12% of Fortune 100 companies specifically disclose cyber security or privacy as a consideration in determining executive pay in 2023, up from 0% in 2018, according to analysis by EY.

Other newsy bits / in brief

And finally

  • WiKI-Eve: A paper from Chinese and Singaporean researchers claims to be able to infer numbers typed into smartphones by analysing the beamforming feedback information (BFI) data used to improve signal strength between devices and wireless access points. Moving your fingers and tapping the on-screen keyboard disrupts the beamforming signals. Machine learning models can achieve an accuracy rate of 88% for numeric-only and 40% for alphanumeric input.
