Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Two giants in the gaming and hospitality industry, Caesars Entertainment and MGM Resorts, recently announced that they were targeted by cybercriminals. But here’s the catch, both ransomware attacks appear to have started with the use of social engineering tactics against IT helpdesk personnel to gain access to systems.

While ransomware continues to be a top concern for organizations, Business Email Compromise (BEC) incidents have been rising and targeting all industries. Based on the FBI’s most recent Internet Crime Report, BEC complaints outpace those of ransomware 10:1, and the losses incurred by BEC are 80 times greater than those incurred by ransomware.

Cybersecurity compliance is complicated. As the cybersecurity industry changes, so do compliance requirements and, depending on your organization’s operations, compliance could mean adhering to multiple frameworks and reporting to multiple governing bodies. In fact, 67% of organizations surveyed by Arctic Wolf follow between one to three sets of guidelines.

On September 7, 2023, Apple released emergency security updates to fix a buffer overflow vulnerability (CVE-2023-41064) and a validation issue vulnerability (CVE-2023-41061) among macOS, iOS, iPadOS, and watchOS products. These vulnerabilities can be exploited with a maliciously crafted attachment or image which leads to arbitrary code execution.

On August 31, 2023, Arctic Wolf sent out a bulletin alerting customers to an ongoing brute force campaign targeting Cisco Adaptive Security Appliance (ASA). Subsequently, on September 6, 2023, Cisco published a security advisory warning of a zero-day vulnerability (CVE-2023-20269) in the remote access VPN feature of Cisco ASA and Cisco Firepower Threat Defense (FTD) Software.

There was some good news on the cybersecurity front in August, starting with a joint effort by U.S. and European authorities that broke up a far-reaching network of compromised computers used in attacks on healthcare organizations around the world. The takedown also netted more than $8 million in illicit cryptocurrency from Russian-affiliated hacking groups.

The value of cybersecurity solutions is uniquely difficult to quantify. As with any risk-reduction investment, the ideal outcome is we simply avoid the outcome we’re defending against. But then how can we understand the value of our security strategy? Even if we can identify attempted compromises that are thwarted, it’s still challenging to scope out the potential impacts we were able to avert.

On Tuesday, August 29, 2023, VMware disclosed a critical authentication bypass vulnerability (CVE-2023-34039) in VMware Aria Operations for Networks–formerly known as vRealize Network Insight–that could result in a threat actor gaining access to the Aria Operations for Networks CLI by bypassing SSH authentication. The vulnerability was responsibly disclosed to VMware and has not been actively exploited in campaigns.

Arctic Wolf has been tracking multiple intrusions where Cisco VPN account credentials were harnessed by Akira ransomware for initial access. In a recent Cisco PSIRT advisory, Cisco stated they were aware of reports that Akira ransomware threat actors have been targeting Cisco VPNs that are not configured for multi-factor authentication to infiltrate organizations. Our case data supports the observation that affected accounts did not have MFA enabled.

Threat actor groups maintain dark web shame sites to negotiate ransoms with their victims, name them, and leak their data as punishment for not paying. These sites serve as a major tool for threatening victims and securing ransom payments but are not a precise record of global cyber attacks. However, there’s a lot to learn from the dark web behavior observed in the first half of this year to help contextualize the current threat landscape.