this week in security — september 17 edition

THIS WEEK, TL;DR

Hackers claim MGM cyberattack as outage drags on
TechCrunch: Where do we start this week... oh, right, some casinos were hacked. First up, hotel and casino giant MGM pulled much of its infrastructure offline after a cyberattack, hobbling the company's, well, everything: ATM cash dispensers were down, slot machines were unavailable, guests couldn't charge anything to their rooms or use their digital door keys. Scattered Spider (aka UNC3944) took credit for the hack, saying: "If you have money we want it," but saying little on motive. That drew the ire of ALPHV, the ransomware gang of which Scattered Spider is said to be a subgroup, which issued a lengthy statement complaining about the press and, it seems, its own inability to handle its affiliates or infrastructure. FTC's Lina Khan, who was staying at the hotel, was caught up in the hack. MGM staff asked Khan to write her credit card number on a piece of paper. (Spare a thought for the hotel worker in this shituation — not a typo). We don't yet know what data was accessed or exfiltrated, if any, but the aftermath will likely drag on for some time. (Disclosure alert: I co-reported this story with the excellent @carlypage.)
More: MGM Resorts FAQ | Bloomberg ($) | Las Vegas Review-Journal | BBC News | @VitalVegas | @MGMResortsIntl

Slot machines in MGM's hotel in Las Vegas displaying error messages on their displays during a cyberattack.

Caesars paid ransom after cyberattack
Wall Street Journal ($): Oh — that's not all. Caesars was hacked, too. The also-hotel and casino giant confirmed Bloomberg's scoop in an SEC filing that it had been hacked some weeks earlier and its customer loyalty database — including driver's licenses and Social Security numbers — was stolen. Unlike the MGM incident, Caesars appeared to be hit by a data-exfiltrating extortion attack, where the hackers stole customer data and threatened to publish it if a ransom wasn't paid. The WSJ ($) reports that Caesars did pay about half of the $30 million demanded by the hackers to prevent the disclosure of stolen data. Scattered Spider, though, denied involvement with Caesars, despite sourcing to the contrary. But then again, cyber-crims will say anything if they think it'll get them paid.
More: Caesars Entertainment | NBC News | Bloomberg ($) | NPR

William Turton tweet: "Scoop - caesars entertainment inc paid millions in a ransom to hackers in recent weeks. the hacking group responsible is believed to be comprised of people 19-22 years old in the US and UK. the same group hit MGM resorts."

Microsoft's Patch Tuesday fixes two zero-days
Bleeping Computer: As @todb would say: Happy Patch Tuesday to those who celebrate. Microsoft has patched two zero-day flaws that it says are being actively exploited, both found in-house with help from IBM and outside security researchers. Bleeping has your rundown of all the other vendor patches, including Apple, Asus, and Google. Krebs on Security goes into more detail about some of the recently patched zero-days, including new insight into how the Microsoft flaws work.
More: SecurityWeek | Help Net Security | Bleeping Computer | Ars Technica

Meduza co-founder and publisher hacked with Pegasus
Meduza: Galina Timchenko, the head of Meduza, the exiled Russian independent media outlet based in Latvia, was hacked with the Pegasus spyware while she was in Germany, per a forensic analysis by Access Now. Her phone was hacked in February 2023, likely with the newer PWNYOURHOME exploit, per Citizen Lab. It's clear that Russia would be the ultimate beneficiary of hacking Timchenko, but how, exactly, or rather who hacked Timchenko remains an open question. Was it Russia, a potentially unlikely (and not yet known to be) NSO customer, or was it a third country in the European Union with access to Pegasus already? It's something Meduza themselves considered.
More: Washington Post ($) | Access Now | @jsrailton

~ ~

THE STUFF YOU MIGHT'VE MISSED

CISA offers free security scans for public water utilities
CISA: U.S. cybersecurity agency CISA says it's offering free cybersecurity vulnerability scanning for water utilities across the United States. "You can reduce the risk of a cyberattack at your utility by externally scanning your networks for vulnerabilities caused by publicly facing devices," says CISA. The program works by having CISA's scanners externally check an organization's internet-facing devices for flaws. Best of all, it's free.

Password-stealing Linux malware served for 3 years and no one noticed
Ars Technica: For as long as some of us can remember, freedownloadmanager[.]org offered a free download manager, but researchers say for years its website would redirect some users to a site serving a malicious version of the app for Linux. Once installed, the malware would permanently backdoor the Linux system to access pretty much everything on a victim's device. The site served malware for three years until recently, when the campaign stopped. More from SecureList.

A screenshot of freedownloadmanager[.]org in the address bar of a Firefox window on Linux, showing a download box appear with an installer from a different, malicious domain.

When MFA isn't actually MFA
Retool: Fair play to Retool for a transparent and detailed explanation of how it was hacked in August, which it largely pins on how Google Authenticator syncs MFA codes to the cloud. After one of Retool's employees (a Google Authenticator user) had their Google account hacked, the hackers had full access to the company's MFA codes. This account explains why cloud-based MFA codes can be a real problem.

iOS 17 lands Monday with new Lockdown Mode features
EFF: The next iPhone software lands Monday with a ton of new security and privacy features. Lockdown Mode, which limits certain features on an iPhone to block cyberattacks, gets a refresh with new abilities, including not automatically connecting to unsecured Wi-Fi networks, and the ability to prevent connecting to 2G networks. As the EFF notes, this prevents some cell site simulators (aka stingrays) from targeting your phone. Android also has a similar feature. 2G is nearly off in the U.S., but it's still widely used across the world. Lockdown Mode has been provably shown to block some Pegasus attacks.

~ ~

OTHER NEWSY NUGGETS

CBP to stop buying location data: A huge win for U.S. privacy rights this week after U.S. Customs & Border Protection said they would stop buying smartphone location data at the end of September. Lawmakers and campaigners have long pushed back against CBP's use (and alleged need) for location data, which can be commercially purchased without a warrant. Clearly that has major Fourth Amendment concerns (and rightfully so). But the fact that CBP is stopping its use sends a major signal to other agencies — that those agencies buying location data may not be on the right side of the law. If you're wondering who the good guys are here, it's not CBP. It's journalism that brought you this result. (via 404 Media ($))

Eva toot: "Sometimes the good guys win" followed by a link to the 404 Media story.

DOJ slaps X with new privacy allegations: The feds are ramping up their investigation of X, the Site Formerly Known as Twitter™, which the Justice Department accuses of failing to delete user data on request and of poor and inadequate controls around employee data access. The whole filing is worth the read; it lays out a ton of new allegations about Elon Musk's oversight of the slowly sinking company. Documents obtained by Platformer suggest the FTC and DOJ's questions are warranted, citing employees who say (among other things) that they can "improperly gain access to user data." (via Platformer ($))

~ ~

THE HAPPY CORNER

Happy Sunday. This is the happy corner, some say the happiest.

Check out this absolutely not-made-up, totally real infographic of the cat missile defense system that protects us all from inbound threats. We absolutely stan Giant Military Cat. (via @nohackme)

A mocked-up and clearly fake BBC graphic showing a missile defense system, where the final stage is a giant military cat that intercepts and catches the missile.

And, finally: This week's "admin/admin" in the wild.

Ned Pyle tweet: "Saw today, it made me think of IT security budgets," followed by an image of a gate behind a set of stairs, but you can easily just walk around the gate and up the stairs.

If you have good news you want to share, get in touch at: this@weekinsecurity.com.

~ ~

CYBER CATS & FRIENDS

This week's cyber cat is Kira, a small tabby kitten who is doing a better job of perimeter defense than some network security appliances 👀. You're doing great work there, Kira. Many thanks to Dominik S. for sending in!

Kira is a small, tabby kitten sitting in some grass outside.

I don't mean to panic anyone but... we're very low on cyber cats. Can you help? Please send in your cyber cats! Drop me your cyber cat (or non-feline friend!) with their name and photo, and they'll be featured in an upcoming newsletter!

~ ~

SUGGESTION BOX

And that's it for this week's newsletter — and next!

I'm taking next week off as this week I'll be at TechCrunch Disrupt in San Francisco, where my team and I will be hosting some of the best hackers, security researchers and experts to chat all things security (🚨 shameless plug alert! 🚨).

In the meantime, please send any feedback you have to my email. I'll be back in a couple of weeks.

See you again soon!
@zackwhittaker