Top cybersecurity threats for October 2023
Author: Phil Muncaster
On the third Wednesday of every month, the VTRAC holds a Monthly Intelligence Briefing (MIB) to discuss the current security threat landscape, the latest cybersecurity trends, news and threat intelligence. Below is a summary of their most recent briefing, and the October recording of the briefing is linked here.
October 2023 cyber threat intelligence briefing
At a glance, this MIB covered:
1. Big-name casino breaches illuminate the costs and challenges posed by ransomware
2. Chinese hackers target vulnerable network edge devices in major espionage operation
3. Rapid Reset bug exploited to launch some of the largest ever distributed denial-of-service (DDoS) attacks
Top cybersecurity news
October 2023 cybersecurity and threat intelligence news you should know about.
- DNA testing firm 23andMe was hit with a credential stuffing attack, which led to a breach of user profile information
- Researchers discovered a sophisticated new APT group (Sandman) targeting telco networks with a novel backdoor (LuaDream)
- Chinese threat group UNC53 has compromised dozens of organizations by tricking staff into using malware-laden thumb drives
- The ALPHV ransomware group has launched an AffiliatePlus program for its most lucrative affiliates, providing access to its custom Linux OS
- Cobalt Strike v4.9 launched, amid continued efforts to prevent distribution of the tool to threat actors
Casino breaches illuminate the costs and challenges posed by ransomware
Top takeaways:
- ALPHV/BlackCat affiliate Scattered Spider breached MGM International (MGM) and Caesars Entertainment (Caesars)
- MGM estimated possible losses of $100 million while Caesars is said to have paid a $15 million ransom
- Vishing tactics enabled threat actors to compromise MGM's IT systems
Recent cyber attacks
Two of the biggest names in Las Vegas were reportedly breached by the same ransomware affiliate group in recent weeks. Scattered Spider (UNC3944) works with ALPHV/BlackCat ransomware and is said to comprise members based in the U.S. and U.K. These recent cyber attacks underline the serious impact ransomware continues to have on wealthy organizations.
MGM suffered widespread outages following the attack, including several of its websites, the MGM mobile rewards app, online bookings, and in-casino services like ATMs, slot machines and card payment machines. It claimed in an SEC filing that resulting costs could hit close to $110 million, although the company expects its cyber-insurance policy to cover this. In both this incident and a breach at Caesars, customers' personal data was stolen. However, in the latter case, the company elected to pay its extortionists a $15 million ransom.
In the case of MGM, Scattered Spider appears to have compromised the company by targeting its employees. After doing some research on LinkedIn, they reportedly called the IT helpdesk at the company pretending to be an employee and socially engineered the IT admin into handing over credentials within minutes. Such vishing tactics highlight the continued need for cybersecurity training and awareness of cybersecurity trends, at all levels of an organization.
Chinese-linked hackers target vulnerable network edge devices in major espionage operation
Top takeaways:
- Japanese and U.S. authorities have discovered a major Chinese-linked state spying operation
- The BlackTech group targeted routers in the subsidiaries of large multinationals
- The threat actors went to great lengths to stay hidden, such as by replacing router firmware with malicious versions
A joint U.S.-Japan security advisory has revealed a major Chinese-linked state cyberespionage operation in which actors exploited the network routers of multinationals (MNCs) in order to access their networks. The BlackTech (Circuit Panda) group was blamed for the attacks on government, industrial, technology, media, electronics and telecommunication sector firms, "including entities that support the militaries of the U.S. and Japan," according to the alert.
The group exploited various router brands and models using a customized firmware backdoor enabled and disabled through specially crafted TCP or UDP packets. This malware was used for initial access into networks, maintaining persistence and exfiltrating data. Routers were compromised at subsidiaries of large MNCs, with threat actors then pivoting to the networks of the same firms' headquarters. The group made a big effort to stay hidden, by using stolen code-signing certificates and blending in with corporate network traffic, among other tactics.
Rapid Reset bug is exploited to launch some of the biggest ever DDoS attacks
Top takeaways:
- Researchers revealed a new zero-day vulnerability, dubbed "Rapid Reset"
- Exploitation led to some of the largest DDoS attacks ever seen by Cloudflare
- The bug has now been patched by the biggest internet infrastructure providers
Threat actors have been exploiting a zero-day vulnerability in the HTTP/2 protocol since August to launch the largest DDoS attack ever seen by Cloudflare. The vulnerability, tracked as CVE-2023-44487, underlies a series of "Rapid Reset" attacks. They take advantage of the fact that HTTP/2 allows multiple streams to be multiplexed over the same TCP connection. Exploiting the Rapid Reset bug allows an attacker to open many new streams and immediately send RST_STREAM frames to cancel them, placing a heavy load on the server while the threat actor expends very little effort. Application-layer (Layer 7) attacks like this are typically harder to mitigate than network-layer threats.
Google said exploitation of CVE-2023-44487 enabled attackers to launch a series of DDoS attacks that reached a peak of 398 million requests per second (rps). Cloudflare added that it mitigated over a thousand attacks at 10 million rps, including 184 which were bigger than its previous record of 71 million rps. This was apparently achieved with botnets of just 20,000 machines. Whilst infrastructure giants like Google and Amazon have patched the zero-day, organizations that handle this in-house were told to urgently follow suit.
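The briefing describes the attack shape (a stream is opened with HEADERS and cancelled with RST_STREAM almost immediately, over and over on one connection) but not how a server or proxy would spot it. The detector below is an added example written for this summary; it is not Verizon, VTRAC, Cloudflare or Google code. It assumes a hypothetical frame-level log format, one client-sent frame per line as "<seconds> <conn_id> <frame_type> <stream_id>", which a real server would not emit by default, and the sample log lines are constructed. It counts, per connection, resets that arrive within a short gap of the stream's HEADERS frame and flags connections whose count in a sliding window reaches a threshold, which is the signal an HTTP/2 server uses to rate-limit or close abusive connections rather than keep allocating stream state for them.

```python
"""Rapid Reset (CVE-2023-44487) pattern detector over HTTP/2 frame logs.

Added example, not VTRAC/Verizon code. Log format is hypothetical:
"<seconds> <conn_id> <frame_type> <stream_id>", client-sent frames only.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple


class Frame(NamedTuple):
    ts: float
    conn: str
    ftype: str
    stream: int


def build_sample_log() -> List[str]:
    """Constructed sample log. c1 is an ordinary client session, including
    one legitimate cancellation 80 ms after the request (user navigated
    away); c2 opens a stream and resets it 2 ms later, eight times in a
    row, which is the Rapid Reset shape."""
    lines = [
        "0.000 c1 HEADERS 1",
        "0.040 c1 END_STREAM 1",
        "0.100 c1 HEADERS 3",
        "0.180 c1 RST_STREAM 3",
        "0.200 c1 HEADERS 5",
        "0.260 c1 END_STREAM 5",
        "0.300 c1 RST_STREAM 99",  # reset for a stream never seen opened; ignored
    ]
    for i in range(8):
        t = 0.010 + i * 0.004
        lines.append(f"{t:.3f} c2 HEADERS {2 * i + 1}")
        lines.append(f"{t + 0.002:.3f} c2 RST_STREAM {2 * i + 1}")
    return lines


def parse_frame_line(line: str) -> Frame:
    """Parse one hypothetical log line into a Frame."""
    ts, conn, ftype, stream = line.split()
    return Frame(float(ts), conn, ftype, int(stream))


def rapid_reset_peaks(lines: List[str], max_gap: float = 0.020,
                      window: float = 1.0) -> Dict[str, int]:
    """Per connection, the largest number of rapid resets (an RST_STREAM
    arriving within max_gap seconds of that stream's HEADERS frame) seen in
    any sliding window of `window` seconds. Connections with no rapid
    resets are absent from the result."""
    frames = sorted((parse_frame_line(ln) for ln in lines), key=lambda f: f.ts)
    opened: Dict[str, Dict[int, float]] = defaultdict(dict)  # conn -> stream -> HEADERS ts
    recent: Dict[str, Deque[float]] = defaultdict(deque)      # conn -> rapid-reset timestamps
    peaks: Dict[str, int] = defaultdict(int)
    for f in frames:
        if f.ftype == "HEADERS":
            opened[f.conn][f.stream] = f.ts
        elif f.ftype in ("END_STREAM", "RST_STREAM"):
            started = opened[f.conn].pop(f.stream, None)
            if started is None:
                continue  # close of a stream we never saw open
            if f.ftype == "RST_STREAM" and f.ts - started <= max_gap:
                q = recent[f.conn]
                q.append(f.ts)
                while q and f.ts - q[0] > window:  # drop events outside the window
                    q.popleft()
                peaks[f.conn] = max(peaks[f.conn], len(q))
    return dict(peaks)


def flag_connections(lines: List[str], threshold: int = 5, **kw) -> List[str]:
    """Connections whose peak rapid-reset count reaches the threshold; these
    are the candidates for rate limiting or connection teardown."""
    return sorted(c for c, n in rapid_reset_peaks(lines, **kw).items() if n >= threshold)


if __name__ == "__main__":
    log = build_sample_log()
    print(rapid_reset_peaks(log))  # {'c2': 8}
    print(flag_connections(log))   # ['c2']
```

The gap and threshold values are illustrative; a production server would tune them to its own traffic, since legitimate clients do cancel streams (as c1 does here), just not dozens of times per second.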
To find out more, listen to the full threat intelligence briefing from the Verizon Threat Research Advisory Center.
The author of this content is a paid contributor for Verizon.