The Cyber Guys: Swatting customers, cyber hackers’ new extortion method

What you are about to read is fiction, but the scenario is feasible and, in a few months, may be likely.

Bob was sitting on the couch watching the Chiefs play the Bills. The Bills had just made a touchdown, bringing the score to Bills 17, Chiefs 10. Suddenly the front door burst open and a heavily armed group of people flowed into his home. In moments Bob was on the floor face down, arms behind him zip tied. Bob was under arrest.

Bob wasn’t guilty of a crime. He was the victim of a horrible extreme prank called “swatting.” Someone had accused Bob of posting extreme anti-government threats on social media. Bob’s social media account had been compromised, then filled with anti-government rants. Enough evidence to justify the temporary chaos you just witnessed.

Why was Bob targeted? Unfortunately, he was the client of a medical center that recently had fallen victim to a cyber-extortion group. The patient information was stolen (including Bob’s) and the threat group promised that if the ransom wasn’t paid, the threat group would make life a literal hell for the patients.

Because Bob had the bad habit of reusing his passwords it was trivial for the threat group to take over Bob’s social media account using his stolen credentials and make those false posts. Bob became the first of many to endure such humiliation.

The story is fictitious. But the threat is real. Swatting as a service is the latest tactic threat actors are using to coerce businesses into paying cyber ransom. You are truly just a pawn. Because cyberattack reports are so common today, we’ve become overwhelmed and desensitized to the implications of the threat. But now the implications are physical. Visits from actual police to your home. So far, the police visits have resulted in only momentary inconvenience for the victim and a waste of police resources. But it is conceivable this will escalate.

You are probably thinking, “There’s no way this could happen. Who would ever go to such an extent just to get money?”

The reason you think this is because you are not evil. But there are truly evil people who absolutely don’t care about the pain this causes innocent people. The effort it would take to conduct such a campaign as described above is very little on the part of the threat actor, especially in the age of artificial intelligence.

An AI bot can easily craft the content for social media posts at scale. The level of effort on the part of the human is then as little as copying and pasting the content into a compromised social media account.

But you can do something to make sure it isn’t you who suffers. First, if you don’t absolutely need social media, you can cancel your accounts. One principle of cybersecurity is “if you don’t need it, remove it.” If you do use your social media accounts, make sure you use a password manager like Bitwarden to create and securely store your passwords.

Lastly, you do have a right to ensure your data is secure. The tactic described above has been used against medical centers. Your protected health information is governed by the Health Information Portability Accountability Act. You have the right to ensure your medical provider is protecting you. Ask it to provide you with evidence it is doing more than the bare minimum. If it refuses to show you, then you may consider changing doctors.

I know this sounds extreme, but so is “swatting.”

Original article was featured in the Sierra Vista Herald and can be found here.

The $100 Million Phone Call – Tale of the MGM Hack

In 2008, an Australian man received a $147,000 phone bill while traveling in Europe. It appeared his 12-year-old son was playing a game of “Tap, Tap, Revenge” on his iPhone the whole time. That was quite a bill, but it is peanuts compared to the 10-minute phone call to technical support that cost MGM Resorts close to $100 Million.

In September of 2023, a group of cyber hackers from the US and UK, ranging in age from 19 to 22 and called Scattered Spider, used social engineering to take down many of the operations of the almost $34 Billion gambling giant. Cyber criminals went to the LinkedIn social media page to find an employee who works in IT for MGM Resorts. A member of the State sponsored group named Scattered Spider called the MGM tech support team impersonating a hard-working IT employee who needed a password reset. After 10 minutes on the phone, the hackers owned that account. This was the cornerstone of the operation. If tech support had verified who they were talking to prior to resetting the password, this attack may have been less damaging. The helpful tech support worker had an amygdala hijacking. The urgency to help took over the logical part of the brain that would have verified the caller.

Once in the network, they escalated their privileges (gained admin rights) and found their way into the most valuable computers. These computers were responsible for the hospitality applications used to run the hotels and casinos. The hacking group loaded ransomware on over 100 servers. One by one the ransomware encrypted the systems and the applications crashed. Hotel keys no longer worked. Slot machines were unavailable. Point-of-sale systems (credit cards) were unable to take payments. Guests were not able to reserve rooms or check in or out. MGM saw operations in eight states affected by the intrusion.

Because MGM did not immediately pay the ransom, their systems were in a state of upheaval for 10 days. The losses from the disabled slot machines alone cost MGM an estimated $5 Million a day. Some estimate a total loss of $8.4 Million per day. MGM Resorts International claimed the disruption in service caused a $100 Million loss in the third quarter results. Additionally, they spent another $10 Million on legal fees and technical consulting. As a result of the attack, their stock dropped $850 Million in market value. They have since recovered that loss. However, their biggest loss might be the damage to their reputation.

Just a week before, another casino giant, Caesars Entertainment, suffered a ransomware attack. In contrast, they immediately negotiated the ransom down from $30 Million to $15 Million and saw only minimal disruption. The bright side (if there was one) for both corporations was that they both carried excellent cybersecurity insurance policies which covered the cost.

There may be legitimate business reasons to pay the ransom, but it comes with an additional ethical price. The ransom you pay funds other illicit criminal activities like drug smuggling and human trafficking. We will save that discussion for another day.

Don’t think this only happens to huge corporations; it happens to small and medium sized companies every day in America. Employees need cybersecurity training so they don’t fall for the kind of trick played on MGM. You need to have company policies in place to protect against impersonation. You need business plans such as Incident Response Plans and Contingency of Operation plans developed and ready in case of an attack or disaster.

Keep all that in mind for your business the next time you receive an unexpected call. What will this phone call really cost?

Original article in the Sierra Vista Herald found here.

In the year 1209 the Cathars were besieged at Carcassonne in southern France. The Cathars were a religious group branded heretical by the Pope. Within the heavily fortified city the Cathars were protected but vulnerable to a supply chain attack.

The Castle Comtal, within the fortified city in France’s Aude department, stands as a monumental testament to medieval military architecture and strategy. One of the most distinctive features of this castle is its portcullis with two independently controlled gates. This engineering marvel serves as an apt metaphor for the need to separate your Information Technology (IT) and Cybersecurity teams.

The Portcullis at Carcassonne

The fortified city of Carcassonne has a complex defensive system that has stood the test of time. One of its remarkable features is the portcullis, a heavy grilled door that could be dropped or raised to secure the castle’s entrance. But what sets Carcassonne’s portcullis apart is its two independently controlled gates. This means that even if one gate were compromised, the other could remain secure, providing an additional layer of defense.

Separating IT and Cybersecurity Teams: A Modern-Day Portcullis

In modern organizations, the IT and Cybersecurity teams often have different mandates but overlapping responsibilities. The IT team is generally responsible for managing the hardware, software, and networks that keep the company running. In security terms this is called “Availability”. The Cybersecurity team, on the other hand, focuses mainly on protecting the “Confidentiality” (controlling who can see what), and the “Integrity” (who can change what).

Much like the dual gates of Carcassonne’s portcullis, these teams should operate independently but in tandem. A Change Board approves software installations and updates; the Cybersecurity team updates the allow policies, and the IT team implements the changes.

Advantages of Separation

1. **Focused Expertise**: Specializing allows each team to become experts in their area, leading to better performance and problem-solving.

2. **Risk Mitigation**: Separating the approval and installation of software makes it almost impossible for a disgruntled employee to wreak havoc.

3. **Checks and Balances**: Independent operations allow for internal checks, reducing the likelihood of systemic failures and oversights.

The Harmony of Independence and Interdependence

While it’s crucial for these teams to operate independently, they should not work in silos. Much like the independent but harmoniously functioning gates of Carcassonne, IT and Cybersecurity teams should have protocols for secure communication and collaboration. For instance, while the IT team may be responsible for implementing a new software platform, the Cybersecurity team should be involved in assessing its security features and updating the allow policies.

Conclusion

The dual-gate portcullis at the Castle at Carcassonne serves as a timeless symbol of defense in depth. In a world where cyber threats are increasingly sophisticated, the need for separate but coordinated IT and Cybersecurity teams has never been greater. By learning from the past and applying its lessons to the present, your company can fortify your castle against the ever-evolving challenges facing you.

Put On Your Cyber Armor Before Your First Cup

Knights Prepare: In the early Middle Ages, knights spent hours getting ready for battle, putting on their armor with the help of a squire. There were hooded coats, trousers, gloves and shoes made of chain mail. Add the helmet, shield, and sword, and they were ready for war.

Cyber Protection: In order to be safe in the cyber world, computer users need to be prepared for the cyber battle that we did not request. We need protection. Here are two examples of attacks and how to defend your home or business.

Ransomware Attacks: To avoid having to pay the ransom for your data held hostage, your organization should be backing up data nightly, or more often if operations require. In that case, you will only lose one day’s worth of data plus the time and resources it takes to restore your infected system.

Suncrypt: This happened to Haywood County School District in North Carolina. Their computers were attacked by Suncrypt ransomware. They did not pay the ransom because they had backups; however, they had to delay school for a week to restore everything. Suncrypt uses PowerShell, a Windows administration utility, to push a file to other computers and execute it, renaming and encrypting every folder on each infected computer. The hackers now have your data hostage.

Could It Have Been Avoided?: What could the school district have done to avoid the infection altogether?

Admin Privileges: First, the person who clicked on the phishing email had “administrative” privileges. Cybersecurity has a concept called “least privilege,” where a user has the least amount of privilege needed to do her work. All internet browsing and email reading should be done as a non-admin user. It is critical to only use admin privileges when performing admin functions (configuration and installation).

Outbound PowerShell: Second, the computer security policy allowed the use of outbound PowerShell. The system policy should have disabled outbound PowerShell capability. PowerShell is the new favorite of hackers. According to https://news.softpedia.com/news/malware-created-with-microsoft-powershell-is-on-the-rise-503103.shtml, eighty-seven percent (87%) of common malware uses PowerShell. This one change to your system can block much of the current malware.

Controlled Folder Access: Finally, for this particular attack, and those like it, the entire attack would have been thwarted if the systems had a simple setting enabled called “Controlled Folder Access.” This feature allows only authorized applications to modify the protected folders. This would have completely blocked Suncrypt.
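The following PowerShell script is an added example, not code from the column or from any vendor; it audits the three controls just described on a local Windows machine with Microsoft Defender. Since “outbound PowerShell” is not a single switch, the script stands in for that advice by checking PowerShell language mode and script block logging, which are the concrete hardening and visibility settings an administrator would verify.

```powershell
# Added defender-side audit script (not part of the original column).
# Checks three controls on the local Windows machine: whether the current
# session is elevated, whether Controlled Folder Access is enforcing, and
# whether PowerShell is constrained and logged. Uses built-in Defender
# (Get-MpPreference) and .NET identity APIs; no third-party modules.

# 1. Least privilege: is this interactive session running as an administrator?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    Write-Warning "This session is elevated. Browse and read email from a standard user account instead."
} else {
    Write-Host "OK: session is not elevated." -ForegroundColor Green
}

# 2. Controlled Folder Access: 0 = Disabled, 1 = Enabled, 2 = Audit mode (logs, does not block)
$pref = Get-MpPreference
switch ([int]$pref.EnableControlledFolderAccess) {
    1 { Write-Host "OK: Controlled Folder Access is enabled." -ForegroundColor Green }
    2 { Write-Warning "Controlled Folder Access is in audit mode only; nothing is blocked." }
    default {
        Write-Warning "Controlled Folder Access is disabled."
        # To enable (from an elevated session, after a trial period in AuditMode):
        #   Set-MpPreference -EnableControlledFolderAccess Enabled
        # To allow a trusted line-of-business app that must write to protected folders:
        #   Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Path\To\TrustedApp.exe'
    }
}
Write-Host ("Extra protected folders: " + ($pref.ControlledFolderAccessProtectedFolders -join ', '))

# 3. PowerShell hardening: language mode and script block logging
$mode = $ExecutionContext.SessionState.LanguageMode
if ($mode -eq 'ConstrainedLanguage') {
    Write-Host "OK: PowerShell is running in ConstrainedLanguage mode." -ForegroundColor Green
} else {
    Write-Warning "PowerShell language mode is $mode; an AppLocker or WDAC policy can enforce ConstrainedLanguage."
}
# Script block logging writes Event ID 4104 to Microsoft-Windows-PowerShell/Operational
$logKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$logging = (Get-ItemProperty -Path $logKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging
if ($logging -eq 1) {
    Write-Host "OK: script block logging is on." -ForegroundColor Green
} else {
    Write-Warning "Script block logging is off; enable it via Group Policy so malicious PowerShell leaves a trace."
}
```

Run it as the everyday (non-admin) user to get a true picture of the account that reads email; the Set-MpPreference and Add-MpPreference lines in the comments require an elevated session.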

Phishing Attacks: Phishing is getting very complex. There are new targeted phishing campaigns where emails are sent to company users claiming to be from the IT Department. The emails explain that certain sent emails were quarantined and provide a link for the user to log in and review the files. The link takes you to a screen that looks exactly like the company login. The hackers grab the user’s credentials when they attempt to log in to fix the problem.

Don’t Click It: The lesson here is to always hover over any link. Do NOT click the link without checking it. When you hover over the link, the details of the link show in the bottom left-hand corner of your browser or pop out in your email application. Verify the entire link carefully. Hackers can be creative with their domain names, making them similar to the real domain names, so look closely. When it comes to links, hover, hover, and hover again.

Put Your Cyber Armor On: So, along with that first cup of coffee or tea in the morning, remember to put on your cyber armor before you check your emails.

Riddled by Ransomware

Ransomware. The word sends chills up your spine; or it should. Ransomware is essentially a cyber-criminal holding hostage your digital life in a binary bag. Cyber-criminals do this by zipping all your important, irreplaceable files and setting a password on them. The crooks “generously” offer to sell you the password for a “minor” fee. Truth is, the fee is not so minor, nor convenient.

How It’s Delivered: Most ransomware comes as either an email attachment, or it comes by infecting you when you visit a compromised website. For example, a few weeks ago, the actual website for the World Health Organization was compromised and serving up malware to every visitor to the site!

Protection: You used to protect yourself from this type of attack by creating a daily backup of your critical files. Files like Quickbooks, family photos, and the digital scan of your high school diploma. I said keeping backups used to work. The crooks have changed their tactics. As more and more of us got better at backing up our files, fewer and fewer of us paid the ransom; therefore, we cut into their profits. That’s bad for business.

Lockout or Stealing: Before, they just stole your access to the files by encrypting them. Now they actually steal copies of the files. If you don’t pay up, they will dump your files on the dark web–not to the highest bidder–but for free. Maybe you’re not concerned if your pictures of Fluffy end up in the darkest corners of the Internet, but how about your Quickbooks, or the scans of your birth certificate, social security card and driver’s license? It is not uncommon (nor is it recommended), for people to keep spreadsheets of all their bank and investment account numbers and the associated usernames and passwords. These are certainly not the files you want to become public!

Anti-Virus Enough? I know what you’re thinking. “I have anti-virus so I don’t have to worry, right?” Wrong. Your antivirus won’t stop it. If it could, you’d rarely hear about these attacks in the news. Don’t delete it though; it will stop some malware.

Two Keys: It is imperative for every user to do two things. First, ensure you don’t surf the web with an account that has administrator privileges. Second, become suspicious of EVERY email you receive; if your gut tells you an email looks “fishy”, then it is probably “phishy”. Additionally, if you receive an email, and the tone is one intended to terrify you with dire consequences for inaction, be on your guard. That is a favorite tactic of cyber-crooks.

Helpful Hint: One last suggestion: if you do store critical files like those I mentioned, then you should zip them and password-protect them yourself with an annoyingly long password. Finally, write the password in a book and lock it in your desk drawer. If you follow this recommendation, it won’t matter if those files get dumped onto the dark web, because you have protected them. You turned the tables on the crooks. They will be unaware that the bag they hold is filled with digital dust.