Social Engineering Reemerges
With sophisticated endpoint detection and response (EDR) software becoming more prevalent and internet service providers implementing basic filtering, bad actors are returning to simple social engineering tactics to circumvent technical controls. This summer, two groups demonstrated this with coordinated cyber-attacks against Caesars and MGM, the effects of which were most visible in Las Vegas.
MGM and Caesars are rival enterprises on the Las Vegas Strip, competing for customers in gaming and resort occupancy. On September 11, 2023, MGM learned it had been hit by a cyber-attack that took down its networks and many customer-facing business operations: resort guests were locked out of their rooms, and on-property systems went offline. Three days later, Caesars also disclosed a cyber-attack in a filing with the Securities and Exchange Commission.
While two different groups are credited with the events, they worked in tandem. A group named "Scattered Spider" targeted MGM, while the widely known Russia-based ransomware group ALPHV/BlackCat claimed the attack on Caesars.
Relatively new but an affiliate of BlackCat, Scattered Spider is rumored to have operatives based in the UK and US. Before targeting MGM directly, Scattered Spider ran a successful social engineering attack against a third-party IT provider shared by Caesars and MGM. Scattered Spider also reportedly used its English-speaking, accent-free personnel to identify an MGM employee on LinkedIn, and then impersonated him in a phone call to MGM's IT helpdesk to gain access to the employee's credentials.
According to Security Boulevard, Scattered Spider previously used text messages with links to phishing sites that mimic the authentication pages of the targeted organizations "in order to bypass the MFA mechanism and get direct access to the victim's environment. Once they gained access to these servers, they were able to escalate their credentials and acquire admin accounts." An attacker who obtains an administrator's credentials through such phishing can then turn off multi-factor authentication requirements for other users, removing the very control that stood in the way.
In January, CrowdStrike similarly reported that "Scattered Spider (aka Roasted 0ktapus, UNC3944) leverages a combination of credential phishing and social engineering to capture one-time-password (OTP) codes, or it overwhelms targets using multifactor authentication (MFA) notification fatigue tactics," and in doing so avoids deploying malware altogether. By relying on legitimate, trusted tools and real credentials, Scattered Spider evades detection mechanisms tuned to spot malicious code.
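As an added example (not code from the original article or from any of the vendors it cites), the following Python sketches detection logic for the two identity-layer patterns just described: MFA push "notification fatigue" that ends in an approval, and an MFA factor reset or policy change followed by a login from an address the user has never used. The log format, field names, event names, thresholds and sample lines are all constructed for this example and do not follow any real product's schema.

```python
"""Detection heuristics for the two MFA-abuse patterns described above.

Constructed example, not code from the original article or from any vendor.
The log format is a simplified, hypothetical IdP audit log:
    <ISO-8601 ts> user=<name> event=<type> outcome=<result> ip=<addr> [actor=<admin>]
Field and event names are assumptions, not any real product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables: how many unanswered/denied pushes in the window before an eventual
# APPROVE looks like the user was worn down rather than logging in normally.
PUSH_FATIGUE_THRESHOLD = 5
PUSH_FATIGUE_WINDOW = timedelta(minutes=10)

# Constructed sample log: jdoe is push-bombed and finally approves; asmith has a
# factor reset by a helpdesk account and then logs in from a never-seen IP;
# bnguyen approves a single push, which is normal and must not alert.
SAMPLE_LOG = """\
2023-09-01T09:00:00Z user=jdoe event=login outcome=SUCCESS ip=198.51.100.7
2023-09-08T09:05:00Z user=jdoe event=login outcome=SUCCESS ip=198.51.100.7
2023-09-10T03:10:00Z user=jdoe event=mfa.push outcome=DENY ip=203.0.113.9
2023-09-10T03:10:40Z user=jdoe event=mfa.push outcome=TIMEOUT ip=203.0.113.9
2023-09-10T03:11:20Z user=jdoe event=mfa.push outcome=DENY ip=203.0.113.9
2023-09-10T03:12:00Z user=jdoe event=mfa.push outcome=TIMEOUT ip=203.0.113.9
2023-09-10T03:12:40Z user=jdoe event=mfa.push outcome=DENY ip=203.0.113.9
2023-09-10T03:13:30Z user=jdoe event=mfa.push outcome=APPROVE ip=203.0.113.9
2023-09-10T03:13:35Z user=jdoe event=login outcome=SUCCESS ip=203.0.113.9
2023-09-11T10:00:00Z user=asmith event=login outcome=SUCCESS ip=198.51.100.22
2023-09-11T14:20:00Z user=asmith event=mfa.factor.reset outcome=SUCCESS ip=10.0.0.5 actor=helpdesk01
2023-09-11T14:31:00Z user=asmith event=login outcome=SUCCESS ip=203.0.113.44
2023-09-11T15:00:00Z user=bnguyen event=mfa.push outcome=APPROVE ip=198.51.100.30
"""


def parse_event(line):
    """Parse one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, *pairs = line.split()
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def detect_push_fatigue(events):
    """MFA notification fatigue: at least THRESHOLD non-approved pushes for one
    user inside WINDOW, followed by an APPROVE. Returns (user, approve_ts, n_prior)."""
    alerts = []
    pushes = defaultdict(list)
    for ev in events:
        if ev.get("event") == "mfa.push":
            pushes[ev["user"]].append(ev)
    for user, evs in pushes.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["outcome"] != "APPROVE":
                continue
            cutoff = ev["ts"] - PUSH_FATIGUE_WINDOW
            prior = [e for e in evs[:i]
                     if e["ts"] >= cutoff and e["outcome"] != "APPROVE"]
            if len(prior) >= PUSH_FATIGUE_THRESHOLD:
                alerts.append((user, ev["ts"], len(prior)))
    return alerts


def detect_reset_then_new_ip(events):
    """Helpdesk/admin-driven factor reset or MFA policy change, followed by the
    first successful login from an IP that user has never used before.
    Returns (user, actor_who_reset, new_ip)."""
    alerts = []
    known_ips = defaultdict(set)
    pending_reset = {}  # user -> actor that reset/disabled their MFA
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        kind = ev.get("event")
        if kind in ("mfa.factor.reset", "mfa.policy.disable"):
            pending_reset[user] = ev.get("actor", "unknown")
        elif kind == "login" and ev.get("outcome") == "SUCCESS":
            if user in pending_reset:
                if ev["ip"] not in known_ips[user]:
                    alerts.append((user, pending_reset[user], ev["ip"]))
                del pending_reset[user]  # judge only the first login after the reset
            known_ips[user].add(ev["ip"])
    return alerts


def run(log_text=SAMPLE_LOG):
    """Run both rules over a log and return their alerts keyed by rule name."""
    events = parse_log(log_text)
    return {"push_fatigue": detect_push_fatigue(events),
            "reset_then_new_ip": detect_reset_then_new_ip(events)}


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, hits)
```

Both rules deliberately key on identity-provider telemetry rather than on endpoint artifacts, because, as the passage notes, there is no malware to find when the attacker is using real credentials; the second rule also records which account performed the reset, which is the first thing an incident responder will want when a helpdesk impersonation is suspected.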
Similar tactics were on display at the 2016 DEF CON Social Engineering Capture the Flag contest, in which the second-place finisher, Rachel Tobac, researched employees of a financial services company online to learn names and positions, then called that company posing as a new employee arriving for training. She claimed to need details of the company's security procedures to reassure her fictional parents that she would be safe in the "big city." Using the names of real employees to sound credible, she extracted vital information about the physical security measures during the call, including the regular security guard's name.
The reemergence of social engineering tactics is a reminder that cybersecurity has technical, administrative, and physical dimensions, and that all three can be defeated by a single nice, helpful, or momentarily absent-minded employee.