Did Teens Ally with Ransomware Gangs for MGM Breach? (msn.com)

Recent breaches of MGM's casino systems "were probably carried out by teens and young adults who have allied themselves with one of the world's most notorious ransomware gangs," writes the Washington Post's technology reporter.

Their alliance with the "Scattered Spider" group is described as "part of a trend that has alarmed security experts and defenders of corporate computer networks." The group is said to be "very active in the past two years, targeting large companies via stolen employee credentials and tricks such as convincing tech support employees that they have been accidentally locked out of their computers and need a new password." They moved from cryptocurrency thefts to targeting businesses that provide third-party business functions such as help desks and call center staffing, allowing them to infiltrate networks of many customers. And they extorted Western Digital and other technology firms after stealing internal data before heading for the jackpots in Las Vegas. But their willingness to deploy crippling ransomware while demanding money is a major escalation, as is their choice of a business partner: ALPHV, a hacking group whose affiliates include members of the former Russian powerhouses BlackMatter and DarkSide, the groups responsible for the Colonial Pipeline hack that awoke Washington to the national security risk of ransomware. ALPHV provided the BlackCat ransomware that the young hackers installed in the casinos' systems...

[According to new research presented Friday at the LABScon security conference] they came together through crimes enabled by SIM-swapping, which usually involves convincing phone company employees to hand over control of someone else's phone number. Because of poor security controls around those numbers, such gambits have allowed criminals to amass millions of dollars by beating SMS text-based two-factor authentication on cryptocurrency accounts. The extra money has made alliances possible with criminals who have different skills to bring to the table, including some who had hacked police servers and could send emails from purported officers demanding emergency disclosures of information on phone and internet customers. Worse, the researchers said, they have now attracted recruiters for the Russian gangs who want to combine their business savvy with the techniques and local knowledge of the native English speakers.

  • by hdyoung ( 5182939 ) on Saturday September 23, 2023 @11:48AM (#63871423)
    Using a bunch of useful idiots to get the legwork done. This is an ancient story.

    Somehow, it never works out well for the useful idiots, as this particular group of teens is about to learn the hard way. For some life lessons, every new generation has to start from scratch.
    • by oblom ( 105 )

      Maybe this particular group of teens will pay the price, maybe they won't. The problem is that there's always another batch of fools ready to step in. Yes, it's an ancient story, but the scale of the internet and the ease of access makes it a new and very difficult problem to solve.

    • by e3m4n ( 947977 )
      Both the teens and the ransomware gang will learn the hard way what happens when you fuck with a casino. This isn't a bunch of white collar hedge funds they ripped off. This is mafia-like organized crime. They will likely make cement shoes and throw them in a river somewhere and let them drown stuck at the bottom. They probably even have enough political ties to call in favors to have these people cut up in their foreign countries like the incident in Turkey with Saudis cutting up that journalist.
    • The advantage, of course, of using teenagers is that in most countries the most they can expect is a few weeks in juvie. Judges (for solid reasons: prison turns petty juvenile criminals into serious adult criminals) are *very* reluctant to book kids for serious prison.

      The downside for the criminals however is, kids squeal.

  • by oblom ( 105 ) on Saturday September 23, 2023 @11:50AM (#63871427) Homepage

    As someone who always believed in the possibility of building free and anonymous internet, it hurts me to accept the possibility that the cost of these security breaches will drive the world towards mass surveillance. Perhaps new machine learning tools can mitigate the problem, but the multi-year trend is not encouraging.

    • by Anonymous Coward

      Every time something like this happens, there are always pushes for tougher DMCA laws, tougher DRM, less anonymity, tougher penalties in the country, more anti-jailbreak stuff on devices, gutting of right-to-repair laws... none of which will address the actual problem, and because it doesn't, it will just mean the attacks happen again.

      Every time those useless, knee-jerk laws are passed, these are propaganda coups for Russia, China, and other states because they can show that the perps never get caught, and

    • it hurts me to accept the possibility that the cost of these security breaches will drive the world towards mass surveillance.

      Don't worry, it won't. The internet is already under mass surveillance (NEVER FORGET QWEST) and the casinos are all already under mass surveillance, so you really can't have more surveillance here. Any surveillance added "due" to this event was in the works anyway, and this is just being used as an excuse.

  • by geekmux ( 1040042 ) on Saturday September 23, 2023 @11:55AM (#63871441)

    "...tricks such as convincing tech support employees that they have been accidentally locked out of their computers and need a new password."

    Sure, we understand those selling clickbait wish to add a nice twist of 8-legged fearmongering with notorious namedropping, but that tactic isn't exactly some highly advanced method of covert data exfiltration exclusively reserved for only the most skilled of hacking groups.

    Even the script kiddies were rolling their eyes at that "example". Train your monkeys in 'support' better, and you'd severely cripple the world's most evilist worstest hacking group, stopping them dead in their tracks. Wouldn't that be a hell of a headline instead, even if it is bullshit.

    • by PPH ( 736903 )

      Train your monkeys in 'support' better,

      Won't work. Because your support people aren't going to refuse a password reset request that comes from the CEO.

      Strange. He sounded like a 13 year old kid. But I guess being a corporate officer is now a pretty low T job. So, it's plausible.

      • Train your monkeys in 'support' better,

        Won't work. Because your support people aren't going to refuse a password reset request that comes from the CEO.

        That's why you implement additional security measures based on the position. Call-back to the CEO cell. Or home line even. Something so wrong with assigning your CxOs a PIN as a secondary method of verification? We all know what a PIN is. Both parties holding physical authenticator cards with unique encoded messages or even a 'duress' word assigned can all be used to validate a password reset.

        If you can't train the monkeys, then stop fucking hiring them. That might have to start with firing the one in

        • by PPH ( 736903 )

          That's why you implement additional security measures based on the position. Call-back to the CEO cell.

          I lost my cell phone.

          Or home line even.

          I'm not at home.

          Something so wrong with assigning your CxOs a PIN as a secondary method of verification?

          You expect me to remember a PIN that I'm going to use once every three years?

          We all know what a PIN is. Both parties holding physical authenticator cards with unique encoded messages or even a 'duress' word assigned can all be used to validate a password reset.

          The card went through the wash in my pants pocket last month. The plastic lamination melted in the dryer.

          Look, punk. I run this company. There's a multi-billion dollar deal waiting on me to log in. If you don't reset my password, you'll never work another day in this industry again. Anyway, I'll take full responsibility for any fallout. Trust me.

          This is one good argument for replacing support desks with AI bots. They have no fear, always follow the script and, if implemented properly, prevent an outsider from ever contacting a human employee.
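The reset-verification script the two comments above argue over, as an added example that is not from the article or any commenter: role-tiered checks (callback to the number already on file, a PIN, a one-time code from a physical authenticator card, a duress word), with each excuse PPH lists treated as a failed check rather than an exception. Every role, field name and sample value is constructed for the illustration.

```python
"""Help-desk password-reset verification (added illustration, not code from
the article or any commenter). Required checks depend on the role; the
callback number, PIN, card codes and duress word are constructed records."""
import hmac
from dataclasses import dataclass, field

# Checks each role tier must pass; privileged roles get the full set.
REQUIRED = {
    "staff": ("callback",),
    "admin": ("callback", "pin"),
    "executive": ("callback", "pin", "card"),
}

@dataclass
class Account:                 # constructed directory record
    user: str
    role: str
    phone_on_file: str
    pin: str
    card_codes: set = field(default_factory=set)  # unused one-time card codes
    duress_word: str = ""

@dataclass
class ResetRequest:            # what the caller can actually produce
    user: str
    callback_number: str = ""  # number the desk will call; must match file
    pin: str = ""
    card_code: str = ""
    spoken_word: str = ""

def verify_reset(acct: Account, req: ResetRequest) -> tuple[bool, list[str]]:
    """Return (approved, log lines). The script has no override branch: a
    lost phone, a melted card or a forgotten PIN is a failed check, and
    claims about deals or consequences change nothing."""
    if req.spoken_word and hmac.compare_digest(req.spoken_word, acct.duress_word):
        # Duress word given: the real user is being coerced; deny quietly.
        return False, ["duress word received: deny and alert security"]
    checks = {
        "callback": req.callback_number == acct.phone_on_file,
        "pin": hmac.compare_digest(req.pin, acct.pin),
        "card": req.card_code in acct.card_codes,
    }
    failed = [f"{f} check failed for {acct.user}" for f in REQUIRED[acct.role]
              if not checks[f]]
    if failed:
        return False, failed + ["reset denied"]
    acct.card_codes.discard(req.card_code)  # card codes are single use
    return True, [f"reset approved for {acct.user} via {REQUIRED[acct.role]}"]
```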

  • It's a result of the modern "happy path coding" paradigm, where if it works in the happy path, then you push it to production. Security can't be bolted on as an afterthought, you have to build it into your systems from the beginning. If fishing attacks can lock down your casino for a week, that's an "insecure by design" problem.

    A good clue that your company is going to have problems is a quick look at your bug tracker. Is it overflowing and ever growing? Guess what, you're doing happy path coding.
    • by Anonymous Coward

      The problem is that places don't care to have security. The casinos are cashing in their insurance claims, and I wouldn't be surprised if some of their VPs shorted their stock before all the slot machines crashed, which would have made them a ton of money. A casino is far more worried about a card counter than nation-state attacks.

      For many businesses, just paying the ransom is cheaper than actually having security. Ransomware has better customer support than most licensed products, so might as well have

      • by PPH ( 736903 )

        No problem. I still have some of that pizza [investopedia.com] I bought for 10,000 Bitcoin. Efficient economic theory says that you should be willing to take a couple of slices as payment.

    • A good clue that your company is going to have problems is a quick look at your bug tracker. Is it overflowing and ever growing? Guess what, you're doing happy path coding.

      The opposite is not true:

      A low number of known bugs is not a reliable indicator of high-quality code.

      --
      Yes, I know 99.99..9 % of Slashdot readers know this. I posted it for the remaining few. I hope you know who you are. Unfortunately, you probably don't.

      • A low number of known bugs is not a reliable indicator of high-quality code.

        How many bad code bases have you seen with a bug tracker and a low (hopefully zero) bug count?

  • Musta been those pesky kids again.

  • But if you want to just take the FBI at their word, go ahead
  • Drop SMS 2FA

    by PPH ( 736903 ) on Saturday September 23, 2023 @01:25PM (#63871569)

    they came together through crimes enabled by SIM-swapping, which usually involves convincing phone company employees to hand over control of someone else's phone number. Because of poor security controls around those numbers, such gambits have allowed criminals to amass millions of dollars by beating SMS text-based two-factor authentication on cryptocurrency accounts.

    Not just crypto accounts. Every bank I deal with pops up a nag box, begging me to give them my cellular number for 2FA. Nope.

    Can we just drop 2FA using SMS altogether? Cellular providers' security is shit and now, with eSIMs, you won't have to acquire a physical thing (SIM chip) which could be tracked back to you.

  • If you're on the Web and you're not a spider, you're food.
