It’s not a matter of if but when an organization will face a cybersecurity incident. Consider what happened to MGM Resorts after the ransomware groups ALPHV/BlackCat and Scattered Spider brought systems down for days, putting severe strain on revenue through disrupted productivity, lost business during downtime, attorney fees, and remediation costs.
While too little information has been disclosed to understand the full extent of the MGM Resorts breach, in recent years we have directly witnessed a significant shift in the tactics employed by highly coordinated threat actor groups such as ALPHV/BlackCat. In our incident response engagements, these groups are increasingly prioritizing infrastructure over endpoints as their targets.
What can organizations do to prevent becoming the next headline? Here are five areas to watch out for.
Enhance help desk procedures to include video chats and photo IDs to verify the authenticity of requests
The 2023 Data Breach Investigations Report by Verizon found that in 74% of the reported breaches, a human factor played a role, whether partially or entirely, in causing the breach. The term “human element” encompasses various situations, all of which ultimately point to human involvement in creating a vulnerability, whether deliberate or accidental.
Recent incidents, such as the breach at MGM Resorts, serve as stark reminders of the potential consequences of inadequate security measures.
In this particular instance, the threat actor reported that they monitored LinkedIn profiles to identify potential targets and then infiltrated the organization by vishing, or “voice phishing,” the IT help desk. These groups are known to use social engineering against individuals to obtain the answers to the validation questions that help desks commonly rely on.
Relying solely on text or email, or even voice calls, to verify a caller is no longer sufficient. ALPHV/BlackCat and other threat actor groups have even resorted to employing voice impersonators, making it difficult to discern a caller’s true identity from accent or voice characteristics.
Organizations should update help desk procedures to include measures like video chats and photo identification for verifying the identity of individuals seeking assistance.
Choose multifactor authentication features wisely
Multifactor authentication should be enabled whenever possible, but be sure that your organization is choosing its policies and procedures wisely.
In particular, ALPHV has been known to leverage SIM-swapping techniques, investing as much as $1,500 to $2,500 per targeted employee to move that employee’s phone number to a device under the group’s control. SIM swapping occurs when the device tied to a customer’s phone number is fraudulently changed. With this technique, a bad actor can successfully authenticate as the employee if the organization still allows text messaging as a multifactor authentication method.
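The practical follow-up to this point is an inventory check: which accounts still have a phone-bound factor (SMS or voice callback) registered, and which privileged accounts lack a phishing-resistant factor. The following Python script is an added illustration, not code from the original article or from any identity provider; it assumes a constructed CSV export of registered MFA methods (the column names, method labels, and user names are hypothetical) and classifies each account so that phone-bound factors can be retired before a SIM swap makes them the weakest link.

```python
"""Audit a constructed MFA-method inventory for SIM-swap-exposed accounts.

Added example, not part of the original article. The CSV layout, method
labels and user names below are assumptions made for illustration.
"""
import csv
import io
from dataclasses import dataclass

# Factors that are delivered to, or answered from, a phone number and are
# therefore defeated once the number is moved to an attacker-controlled SIM.
PHONE_BOUND = {"sms", "voice"}

# Factors bound to a device or key that a phone-number transfer cannot move.
PHISHING_RESISTANT = {"fido2", "platform_authenticator", "smart_card"}

# Constructed sample export (hypothetical users and method labels).
SAMPLE_INVENTORY = """user,privileged,methods
alice,yes,sms;authenticator_app
bob,no,authenticator_app
carol,yes,fido2;authenticator_app
dave,no,sms
erin,no,
"""


@dataclass
class Account:
    user: str
    privileged: bool
    methods: set


def parse_inventory(text):
    """Parse the constructed CSV into Account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        methods = {m.strip() for m in row["methods"].split(";") if m.strip()}
        accounts.append(Account(row["user"], row["privileged"].lower() == "yes", methods))
    return accounts


def assess(account):
    """Classify an account by its weakest usable factor.

    A single phone-bound method is enough to expose the account, because an
    attacker who controls the number can simply pick that option at login.
    """
    if not account.methods:
        return "no_mfa"
    if account.methods & PHONE_BOUND:
        return "sim_swap_exposed"
    if account.methods & PHISHING_RESISTANT:
        return "phishing_resistant"
    return "app_only"


def recommend(account):
    """Return the remediation a reviewer would raise for this account."""
    status = assess(account)
    if status == "no_mfa":
        return "enrol an authenticator app or FIDO2 key before next sign-in"
    if status == "sim_swap_exposed":
        return "remove phone-bound methods; enrol authenticator app or FIDO2"
    if status == "app_only" and account.privileged:
        return "privileged account: require a phishing-resistant factor"
    return "no action"


def audit(text):
    """Map each user to (status, recommendation) for the whole inventory."""
    return {a.user: (assess(a), recommend(a)) for a in parse_inventory(text)}


def exposed_users(text):
    """Sorted list of users who still have a phone-bound factor registered."""
    return sorted(u for u, (status, _) in audit(text).items() if status == "sim_swap_exposed")


if __name__ == "__main__":
    for user, (status, action) in audit(SAMPLE_INVENTORY).items():
        print(f"{user:8} {status:20} {action}")
```

The key design point is that `assess` reports an account as exposed whenever any phone-bound method remains, even if a stronger method is also enrolled: MFA policies are evaluated at the weakest option the login page still offers, so disabling SMS and voice tenant-wide matters more than encouraging users to prefer an app.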