Cyber Intelligence Weekly

Cyber Intelligence Weekly (September 17, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here:

Before we get started on this week’s CIW, I’d like to highlight that last week, 38 members of our team formed deeper connections, ventured beyond the conference room, and engaged in meaningful, intentional discussions at our annual all-hands offsite, ECHECON!

The trip was highlighted by a connection hike that took on four miles of Red Rocks Amphitheater's trails up in Morrison, Colorado. This trek, led by Bart Foster of BusinessOutside, brought us well outside of our comfort zones, outside of traditional corporate norms, and outside into nature above the world-famous concert venue.

We grew closer as a team and company while discussing mentorship, gratitude, energy management, industry inevitabilities, and how we each continuously search for new experiences and improvements.

We encourage any and all to do the same – to seek adventure and authentic connection.

A brilliant team is invaluable, a committed team is unstoppable.

We feel grateful to have both.

Away we go!

1. Vishing Victories, MGM Resorts' Cybersecurity Breach Unraveled

MGM Resorts, a prominent global casino chain, recently fell victim to a major cyberattack that compromised various aspects of its operations. This attack disrupted its digital systems ranging from hotel room digital access keys to slot machines. Even the official websites of its numerous properties faced downtime.

Consequently, guests experienced extensive wait times for physical room keys and had to rely on manual receipts for casino wins. Although MGM has been relatively tight-lipped about the issue, merely citing a "cybersecurity issue" on their platforms, reports suggest the attack could have started from a single phone call.

The hacking group dubbed Scattered Spider, recognized for their social engineering tactics, is believed to be behind the MGM breach. They allegedly utilized ransomware provided by ALPHV, also known as BlackCat. The hackers excel in "vishing" – accessing systems through persuasive phone calls instead of traditional email phishing. It's believed that they leveraged an employee's LinkedIn details to deceive MGM's IT help desk and gain entry. However, ALPHV/BlackCat denies parts of these narratives, especially regarding any attempted slot machine hack, and refutes reports suggesting the group comprises teens based in the US and Europe.

The act of "vishing" remains an underestimated yet effective hacking method. It thrives on exploiting the human element, often the most vulnerable component in cybersecurity frameworks. Recent statistics indicate that phishing-initiated attacks that integrate phone calls are three times as effective as those relying solely on emails. The MGM incident emphasizes the potential risks associated with vishing. Individuals are advised to exercise caution when sharing information, employ multi-factor authentication, and monitor their financial statements. As for businesses, this attack serves as a stark reminder of the necessity for robust cybersecurity training and systems, including safeguards against vishing.

2. Cybercriminal "USDoD" Targets FBI, Airbus, and Possibly More

In an interesting revelation by Brian Krebs of KrebsOnSecurity in December 2022, it was discovered that a hacker under the pseudonym "USDoD" successfully breached the FBI’s InfraGard information network. The culprit put up the contact details of all 80,000 members for sale on a cybercrime forum. Though the FBI took rapid action by re-verifying its members and seizing the platform selling the data, USDoD made a bold comeback on September 11, 2023.

It appears that the hackers are back at it, according to a new story from Brian Krebs. Marking the 22nd anniversary of the 9/11 attacks, the hacker released sensitive vendor data from aerospace leader, Airbus. This leak, suggestive of an "aircraft theme," was accompanied by a brazen message indicating defense contractors Lockheed Martin and Raytheon as the next potential targets.

The details leaked encompassed information on about 3,200 Airbus vendors, including their names, addresses, and contact details. According to USDoD, this information was accessed using stolen credentials of a Turkish airline employee who had third-party access to Airbus’ systems. The threat intelligence firm, Hudson Rock, later confirmed this, revealing that these credentials were indeed compromised when the said employee’s computer got infected by an info-stealing trojan known as RedLine. This malicious software usually enters systems through disguised email campaigns or by getting bundled with cracked versions of popular software online. Hudson Rock’s investigations also found that the Turkish employee's computer was likely compromised post downloading a pirated version of Microsoft Windows software.

Such info-stealing trojans, particularly RedLine, have seen a surge in recent times. Their modus operandi primarily revolves around pilfering employee credentials, enabling cybercriminals to impersonate them. This means attackers can access and manipulate online services, even bypassing multi-factor authentication in some cases.

As we’ve reported on in recent weeks, another significant breach highlighted was Microsoft’s email system, where a China-backed hacking group obtained a secret signing key, giving them near complete access to certain U.S. government agency inboxes. It's noteworthy that the culprit in this case was, yet again, "token-stealing malware." With unsolicited emails acting as a massive medium for such malware, it's crucial for users to exercise caution when downloading software and to steer clear from pirated versions, no matter how enticing they may seem.

3. Update Your Browser Now: Critical WebP Vulnerability Threatens Various Apps

A significant vulnerability, CVE-2023-4863, has been detected in the WebP Codec, putting not just web browsers but multiple applications at risk. Major browser vendors like Google and Mozilla have rapidly released updates to mitigate the threat. Contrary to initial reports that only labelled the vulnerability as a Chrome-specific issue, the flaw actually affects any software utilizing the ‘libwebp’ library. Applications such as Signal, Honeyview, Affinity, Gimp, Inkscape, LibreOffice, Telegram, Thunderbird, ffmpeg, and numerous Android and Flutter-built cross-platform apps have been identified as potentially at risk.

The vulnerability revolves around a heap buffer overflow within the WebP image format, commonly employed by browsers such as Google Chrome and Mozilla Firefox for its efficient image compression capabilities. In simpler terms, a heap buffer overflow can be likened to trying to fit more books onto a shelf than it was designed to accommodate, which could lead to unexpected results, potentially jeopardizing the integrity and safety of a system.

The vulnerability originated from the "BuildHuffmanTable" function in the WebP library, introduced in 2014. This function verifies data accuracy and can be compromised when excessive memory is allocated if the table isn't adequately sized for valid data. Despite the intended changes being meant to optimize the Huffman decoding step, an essential part of compression formats, the vulnerability arose from an overlooked aspect in the Huffman tree that can cause potential overflows.

In response to this widespread threat, Google has already begun distributing updates on its Stable and Extended stable channels, while Mozilla plans to release an update for Firefox in version 117.0.1. Apple too has reportedly released an update addressing the same issue. Users are urged to update their software to the latest versions to ensure protection against this critical vulnerability.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here:

Sign Up for Weekly Cyber Intelligence Delivered to Your Inbox

Sign up to get Cyber Intelligence Weekly in your inbox.
Latest Intelligence