Cyber Intelligence Weekly (October 8, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight Episode 1 of our Hackin’ SaaS Webinar Series on October 10th, 2023, where we dive deep into the world of SQL Injection.

At Echelon, our Offensive Security team confronts web app vulnerabilities daily, and SQL Injection remains one of the most prevalent threats. In this webinar, we'll not only demonstrate how to break into SQL statements but also teach you how to prevent these attacks.

Don't miss this chance to boost your application security expertise and safeguard your web apps with Jake Murphy, Evan Isaac, and Kristofer Johnson. Secure your spot now!

📅 Date: October 10th, 2023

🕒 Time: 3:00 PM EST

Register for this LinkedIn Live event here: https://www.linkedin.com/events/hackin-saas-top10webappvulnerab7105295202419949568/theater/

Away we go!

1. Clorox Suffers Suspected Scattered Spider Cyberattack

A notorious hacking group, Scattered Spider, previously implicated in attacks on major US casino brands, is now believed to be behind a cyberattack on Clorox, leading to a significant shortage of the company's cleaning products nationwide. This breach, first reported by Clorox in August, was allegedly executed by the same group that used social engineering tactics on giants like Caesars Entertainment and MGM Resorts International. The aftermath of these cyberattacks has been staggering; for example, at MGM, guests faced inconveniences like slot machines being non-operational and reservation websites crashing. However, Clorox has arguably suffered more severely.

Following the attack, Clorox announced a significant drop in sales and profit for the quarter ending in September. On Wednesday, the company revealed that the cyberattack would lead to a net sales reduction of up to 28% compared to the previous year. Organic sales might also see a fall of up to 26%. Contrary to previous predictions of organic sales increasing by mid-single digits and a rising gross margin, Clorox now foresees an adjusted loss of as much as 40 cents a share. Analyst expectations were for a profit of $1.37 a share before the cyberattack.

The attack's aftermath was particularly ill-timed for Clorox, as it was amidst internal restructuring and grappling with a sales decline in disinfectants post the pandemic's peak. The company’s IT systems were compromised, disrupting operations across all US facilities, though factories stayed open, with a focus on cleaning, maintenance, and training. Presently, as production gains momentum, no timeline for operational normalization has been provided. This situation may allow competitors to capitalize on Clorox’s market share. Details about the attack methodology, like the use of ransomware or social engineering, remain uncertain. However, it's known that Scattered Spider collaborates with a ransomware group named ALPHV and comprises 5-6 core members aged 19-25. The FBI is currently investigating the group, believed to operate in the US and UK.

2. MGM Faces $100 Million Blow from Data Breach

MGM has announced that their recent cyberattack will set the company back by over $100 million. This incident, which came to light on September 10, prompted the Las Vegas-headquartered casino magnate to disable several computer systems in its casino and hotel establishments across the US in a bid to shield data. The MGM cyber incident details were reported last week to the SEC via Form 8-K, utilizing Regulation FD as the disclosure mechanism.

The attack’s aftermath was discernible as clients reported issues on social media, such as failed credit card transactions, inability to access cash from ATMs, or trouble entering their hotel rooms. This 10-day computer hiatus culminated on September 20. Observing the nature of the breach, experts believe it might be a high-stakes ransomware assault, a suspicion MGM hasn't verified yet. If true, this might eclipse previous records in ransomware costs, surpassing the $70 million loss incurred by Norsk Hydro in 2019.

MGM's CEO, Bill Hornbuckle, clarified in a customer letter that the majority of their systems have been reinstated and most operations have reverted to their standard procedure. He reassured that the breach didn’t compromise any payment or bank account details. Nevertheless, the hackers made away with a slew of personal information, encompassing data like names, contact details, driver’s license numbers, Social Security numbers, and even passport numbers of certain customers who transacted with MGM before March 2019.

Although there is currently no evidence indicating that stolen data has been misused for fraudulent activities, Hornbuckle expressed regret and apologized to those affected. He further mentioned that MGM would offer its impacted clientele complimentary credit monitoring and identity protection services. Despite anticipating a slump in its Q3 financial outcome, primarily in Las Vegas, MGM remains optimistic about minimal impact on Q4 and the annual operational results. Costs arising from this breach include not only the estimated $100 million in losses related to earnings before interest, taxes, depreciation, and rent but also additional expenses below $10 million covering legal and technological consultation fees.

3. Sony Employees' Data Compromised in Another MOVEit Transfer Breach

Sony recently disclosed that over 6,000 of its current and former employees' data has been exposed due to a cyberattack. The breach transpired earlier this year and was attributed to a vulnerability in MOVEit Transfer, yet another breach utilizing the flaws in the widely used file transfer platform. Notably, this flaw was leveraged by the Russian ransomware group Cl0p, which has targeted various global enterprises. This revelation by Sony follows a separate alleged cyberattack by the Ransomedvc gang.

In a letter to the individuals impacted, Sony explained the specifics of the breach and the subsequent measures taken to mitigate its repercussions. The breach was confined to Progress Software’s MOVEit Transfer platform and did not extend to other systems. While Sony remains uncertain if the exposed data has surfaced on the dark web, they are offering complimentary credit monitoring and identity restoration services. An official notification submitted to the Office of the Maine Attorney General confirmed that 6,791 individuals were affected, with the cybercriminals gaining access to some social security numbers in certain instances.

The MOVEit Transfer vulnerability has wreaked havoc worldwide, affecting over 62 million people across 2,000 organizations. Prominent victims include Siemens Energy, PwC, Discovery Channel, Vitesco Technologies, and Schneider Electric. This disclosure comes on the heels of an announcement by Ransomedvc, who claimed to have breached Sony's defenses and threatened to release the captured data on the dark web due to a non-payment of ransom. The group even shared samples of the purportedly stolen data, which showcased a PowerPoint from Sony’s quality assurance team and potential internal Sony workstation screenshots, among other items.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about
