Anyone who has visited a casino knows these organizations go to a great deal of expense and physical effort to ensure their patrons do not cheat. Still, there is a large group of actors who are uninterested in card counting or using loaded dice at the craps table. In fact, these adversaries don't bother going into the building or even visiting the country where the casino is located.
Cyber threat groups.
To help shed light on what is happening in the casino and entertainment industry, Trustwave SpiderLabs has created a comprehensive list of the threat groups and their Tactics, Techniques, and Procedures (TTPs) that have attacked casinos.
The reasons behind these attacks are not dissimilar to those hitting the healthcare, retail, or manufacturing sectors. All are repositories for substantial wealth and extensive troves of personal and financial data. None of these industries can have even a minimal tolerance for operational disruptions, making them an enticing target for ransomware attacks.
Phishing through social engineering or spear-phishing links remains the prevailing method for gaining initial access, as humans are often the weakest link in the cybersecurity chain. However, the groups, as we will see, use a variety of tools for initial access.
These ransomware gangs have proven successful over the last few years, successfully attacking MGM Resorts and Rivers Casino, among others. In a non-ransomware incident, Ceasars Entertainment suffered a data breach of its rewards program when an attacker gained access through a third-party vendor.
Let's examine some of the ransomware threat groups that have recently targeted the entertainment sector, particularly casinos, and review Trustwave SpiderLabs’ analysis of their initial access methods.
BlackCat/AlphV
The BlackCat (aka AlphV) ransomware group has, of late, endured some issues. as an international law enforcement operation in late 2023, disrupted its operations. This action forced the group to go dark for a period, but recently, it has started making claims of successful attacks. This could mean the group is back in action or is still offline but attempting to present itself as functioning.
Since BlackCat's emergence in November 2021, the group has earned a reputation as a remarkably formidable and inventive ransomware operation and had consistently ranked among the most active ransomware groups.
BlackCat employs a double extortion scheme, combining data encryption with data theft tools as part of its attack strategy. This approach intensifies the pressure on victims to comply with its demands by promising to keep the victim's system locked and release the data to the public if the ransom is not paid.
In a recent attack, the BlackCat gang breached the entertainment and hospitality giant MGM Resorts through social engineering. As stated on the threat actor's data leak portal, multiple network vulnerabilities allowed for access to, and exfiltration of, various types of confidential data from the Eastern Cape Gambling Board.
Initial access vectors include:
- Phishing: When adversaries send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems.
- Drive by compromise: Occurs when adversaries compromise a legitimate website by injecting malicious code, such as JavaScript, iFrames, and cross-site scripting.
- Stolen credentials: Using stolen credentials belonging to valid accounts or access via external remote services.
- Exploiting Vulnerabilities: Such as Microsoft Exchange Server Vulnerabilities, including CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523.
Akira
The Akira ransomware was first seen in March 2023. It should not be confused with another ransomware bearing the same name that appeared in 2017, but the two are not considered to be associated.
Akira operates as a Ransomware-as-a-Service (RaaS) collective, enlisting partners to execute cyberattacks in return for a share of the earnings they generate. The group's primary targets are generally small to medium-sized enterprises, but Akira is known to demand significant ransom amounts.
Akira's methodology is a bit specialized and specifically abuses Cisco VPN accounts that lack multi-factor authentication for initial access.
Like BlackCat, Akira uses phishing, drive-by compromise, and compromised credentials for valid accounts as its initial threat vectors. It's also known to exploit public-facing applications such as Cisco's Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software remote access VPN feature vulnerability (CVE-2023-20269.)
Medusa
Medusa Ransomware, also known as MedusaLocker, emerged in June 2021. Medusa also employs the RaaS model, collaborating with affiliates worldwide, which significantly expands its scope and influence. Typically, Medusa ransomware actors exploit vulnerable Remote Desktop Protocol (RDP) configurations to infiltrate their victims' systems.
Medusa's initial access vectors include basic phishing and spear phishing with malicious attachments, as well as accessing external remote services using valid account credentials.
Royal
Royal ransomware initially appeared in early 2022 and is thought to be led by highly skilled individuals previously affiliated with other cybercriminal organizations, such as the Conti. Royal's primary focus has been targeting victims in the US and Brazil. Like Akira, Royal is not shy when it comes to ransom demands, often demanding millions of dollars to release a compromised system.
Once Royal breaches a network, the group executes actions commonly observed in other cyber operations, such as deploying Cobalt Strike for persistence, gathering login credentials, and moving laterally through systems until they ultimately encrypt all the files.
Royal's primary differentiating factor when it comes to initial access vectors is its use of drive-by attacks using malvertising resulting in BATLOADER disguised as TeamViewer, Zoom, and AnyDesk installers.
Otherwise, Akira's bag of tricks mirrors that of BlackCat.
BianLian
BianLian ransomware surfaced in June 2022. The group attacks a wide variety of vertical sectors, including financial institutions, healthcare, manufacturing, education, entertainment, and energy.
BianLian directs its attacks against targets in the US, UK, and Australia. BianLian also employs the double extortion approach, combining data encryption with data theft tools as a key part of their offensive tactics. In 2023, the FBI noted that BianLian shifted primarily to extortion via data exfiltration, leaving victims' systems intact, and the ACSC reported that BianLian exclusively adopted exfiltration-based extortion.
Initial access vectors used remain consistent with the other groups.
