Unveiling the Latest Ransomware Threats Targeting the Casino and Entertainment Industry

Anyone who has visited a casino knows these organizations go to a great deal of expense and physical effort to ensure their patrons do not cheat. Still, there is a large group of actors who are uninterested in card counting or using loaded dice at the craps table. In fact, these adversaries don't bother going into the building or even visiting the country where the casino is located.

Cyber threat groups.

To help shed light on what is happening in the casino and entertainment industry, Trustwave SpiderLabs has created a comprehensive list of the threat groups and their Tactics, Techniques, and Procedures (TTPs) that have attacked casinos.

The reasons behind these attacks are not dissimilar to those hitting the healthcare, retail, or manufacturing sectors. All are repositories for substantial wealth and extensive troves of personal and financial data. None of these industries can have even a minimal tolerance for operational disruptions, making them an enticing target for ransomware attacks.

Phishing through social engineering or spear-phishing links remains the prevailing method for gaining initial access, as humans are often the weakest link in the cybersecurity chain. However, the groups, as we will see, use a variety of tools for initial access.

These ransomware gangs have proven effective over the last few years, successfully attacking MGM Resorts and Rivers Casino, among others. In a non-ransomware incident, Caesars Entertainment suffered a data breach of its rewards program when an attacker gained access through a third-party vendor.

Let's examine some of the ransomware threat groups that have recently targeted the entertainment sector, particularly casinos, and review Trustwave SpiderLabs’ analysis of their initial access methods.

BlackCat/AlphV

The BlackCat (aka AlphV) ransomware group has, of late, endured some issues, as an international law enforcement operation in late 2023 disrupted its operations. This action forced the group to go dark for a period, but recently it has started making claims of successful attacks. This could mean the group is back in action, or that it is still offline but attempting to present itself as functioning.

Since BlackCat's emergence in November 2021, the group has earned a reputation as a remarkably formidable and inventive ransomware operation and has consistently ranked among the most active ransomware groups.

BlackCat employs a double extortion scheme, combining data encryption with data theft tools as part of its attack strategy. This approach intensifies the pressure on victims to comply with its demands by promising to keep the victim's system locked and release the data to the public if the ransom is not paid.

In a recent attack, the BlackCat gang breached the entertainment and hospitality giant MGM Resorts through social engineering. As stated on the threat actor's data leak portal, multiple network vulnerabilities allowed for access to, and exfiltration of, various types of confidential data from the Eastern Cape Gambling Board.

Initial access vectors include:

  • Phishing: When adversaries send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems.
  • Drive-by compromise: Occurs when adversaries compromise a legitimate website by injecting malicious code, such as JavaScript, iFrames, and cross-site scripting.
  • Stolen credentials: Using stolen credentials belonging to valid accounts, or access via external remote services.
  • Exploiting vulnerabilities: Such as Microsoft Exchange Server vulnerabilities, including CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523.


Akira

The Akira ransomware was first seen in March 2023. It should not be confused with another ransomware bearing the same name that appeared in 2017; the two are not considered to be associated.

Akira operates as a Ransomware-as-a-Service (RaaS) collective, enlisting partners to execute cyberattacks in return for a share of the earnings they generate. The group's primary targets are generally small to medium-sized enterprises, but Akira is known to demand significant ransom amounts.

Akira's methodology is somewhat specialized: for initial access, it specifically abuses Cisco VPN accounts that lack multi-factor authentication.

Like BlackCat, Akira uses phishing, drive-by compromise, and compromised credentials for valid accounts as its initial threat vectors. It is also known to exploit public-facing applications, such as the remote access VPN feature vulnerability in Cisco's Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software (CVE-2023-20269).


Medusa

Medusa Ransomware, also known as MedusaLocker, emerged in June 2021. Medusa also employs the RaaS model, collaborating with affiliates worldwide, which significantly expands its scope and influence. Typically, Medusa ransomware actors exploit vulnerable Remote Desktop Protocol (RDP) configurations to infiltrate their victims' systems.
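Two of the initial access methods described on this page, Akira's abuse of Cisco VPN accounts that lack multi-factor authentication and Medusa's exploitation of exposed Remote Desktop Protocol, both leave traces in ordinary authentication telemetry. The script below is an added example, not code from Trustwave SpiderLabs or from the original post. It parses a constructed, normalised authentication feed and flags successful VPN logins that completed no MFA step and successful interactive RDP logons arriving from outside the internal address ranges. The `source user=… src=… mfa=… result=…` line format, the sample events, and the internal address ranges are all illustrative assumptions; a real deployment would map its own SIEM fields onto them.

```python
import ipaddress
import re

# Constructed sample events (not real logs). Each line is a timestamp, a
# source label (vpn or rdp), then key=value pairs, roughly what a SIEM
# normalisation layer might emit for a VPN concentrator and for Windows
# logon events. Logon type 10 is an interactive RDP session.
SAMPLE_EVENTS = """\
2024-04-16T02:58:10Z vpn user=asmith src=198.51.100.12 mfa=yes result=success
2024-04-16T03:12:44Z vpn user=jdoe src=203.0.113.7 mfa=no result=success
2024-04-16T03:13:01Z vpn user=jdoe src=203.0.113.7 mfa=no result=success
2024-04-16T03:20:15Z vpn user=svc_vpn src=203.0.113.9 mfa=no result=failure
2024-04-16T03:25:30Z rdp user=helpdesk src=10.20.30.40 logon_type=10 result=success
2024-04-16T03:41:07Z rdp user=svc_backup src=198.51.100.23 logon_type=10 result=success
2024-04-16T03:42:55Z rdp user=svc_backup src=198.51.100.23 logon_type=3 result=failure
"""

# Assumed internal address space (RFC 1918 ranges); adjust to the real estate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<kv>.*)$")


def parse_events(text):
    """Turn the key=value lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        ev = {"ts": m.group("ts"), "source": m.group("source")}
        for pair in m.group("kv").split():
            key, sep, value = pair.partition("=")
            if sep:
                ev[key] = value
        events.append(ev)
    return events


def is_internal(ip_text):
    """True when the address falls inside one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def vpn_logins_without_mfa(events):
    """Successful VPN logins where no MFA step was completed."""
    return [e for e in events
            if e["source"] == "vpn"
            and e.get("result") == "success"
            and e.get("mfa") == "no"]


def external_rdp_logons(events):
    """Successful interactive RDP logons (logon type 10) from outside INTERNAL_NETS."""
    return [e for e in events
            if e["source"] == "rdp"
            and e.get("result") == "success"
            and e.get("logon_type") == "10"
            and not is_internal(e.get("src", ""))]


def report(text):
    """Summarise both findings as sorted account names, ready for triage."""
    events = parse_events(text)
    return {
        "vpn_accounts_without_mfa": sorted({e["user"] for e in vpn_logins_without_mfa(events)}),
        "external_rdp_accounts": sorted({e["user"] for e in external_rdp_logons(events)}),
    }


if __name__ == "__main__":
    for finding, accounts in report(SAMPLE_EVENTS).items():
        print(f"{finding}: {', '.join(accounts) or 'none'}")
```

On the sample feed the report names `jdoe` as a VPN account authenticating without MFA and `svc_backup` as an account with an interactive RDP session from a non-internal address; failed attempts and the internal helpdesk session are deliberately left out so that the output is a short list an analyst can act on (enforce MFA on the first, confirm whether RDP should be reachable from outside at all for the second).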

Medusa's initial access vectors include basic phishing and spear phishing with malicious attachments, as well as accessing external remote services using valid account credentials.


Royal

Royal ransomware initially appeared in early 2022 and is thought to be led by highly skilled individuals previously affiliated with other cybercriminal organizations, such as Conti. Royal's primary focus has been targeting victims in the US and Brazil. Like Akira, Royal is not shy when it comes to ransom demands, often demanding millions of dollars to release a compromised system.

Once Royal breaches a network, the group executes actions commonly observed in other cyber operations, such as deploying Cobalt Strike for persistence, gathering login credentials, and moving laterally through systems until they ultimately encrypt all the files.

Royal's primary differentiating factor when it comes to initial access vectors is its use of drive-by attacks that rely on malvertising to deliver BATLOADER disguised as TeamViewer, Zoom, and AnyDesk installers.

Otherwise, Akira's bag of tricks mirrors that of BlackCat.


BianLian

BianLian ransomware surfaced in June 2022. The group attacks a wide variety of vertical sectors, including financial institutions, healthcare, manufacturing, education, entertainment, and energy.

BianLian directs its attacks against targets in the US, UK, and Australia. BianLian also employs the double extortion approach, combining data encryption with data theft tools as a key part of their offensive tactics. In 2023, the FBI noted that BianLian shifted primarily to extortion via data exfiltration, leaving victims' systems intact, and the ACSC reported that BianLian exclusively adopted exfiltration-based extortion.

The initial access vectors BianLian uses remain consistent with those of the other groups.

