

THE LAST WATCHDOG


GUEST ESSAY: HOW THE ‘SCATTERED SPIDERS’ YOUTHFUL RING DEFEATED MFA TO PLUNDER VEGAS

BY JOHN FUNK

A hacking gang known as Scattered Spiders soundly defeated the cybersecurity
defenses of MGM and Caesars casinos.

This cost the Las Vegas gambling meccas more than $100 million while damaging
their reputations. As the companies face nine federal lawsuits for failing to
protect customer data, it’s abundantly clear hackers have checkmated
multi-factor authentication (MFA).

Using a technique known as MFA fatigue, Scattered Spiders put MGM in manual mode
and forced Caesars to pay a reported $13 million ransom. For the moment, hackers
appear to have the upper hand in the global chess match between cybersecurity
professionals and digital criminals.

That’s largely because the splashy headlines and online buzz created by bringing
down the pair of casinos will only motivate more mid-level cybercriminals to
follow Scattered Spiders’ model, putting wide-reaching businesses at risk of
ransomware attacks due to the rise of ransomware-as-a-service models.

Scattered Spiders

In early September, Scattered Spiders infiltrated MGM and Caesars using a
variety of relatively common hacking techniques. But the coup de grâce was how
easily they brushed aside the multi-factor authentication protections.

The criminals’ ages are said to range between 17 and 25 years old, and their
kung fu was nothing to boast about until they pulled off these crimes.

Using routine social engineering strategies, the cyber-thieves gathered
information about key employees. Professional networking and social media
platforms continue to prove a rich landscape for phone numbers, locations,
hobbies, dates of birth, family members, and friendships.

Crafting a comprehensive file on select casino workers, Scattered Spiders showed
some bravado by calling their help desks. Fluent in American English, a gang
member convinced a help desk worker to provide a one-time password to log into
the systems.

Defeating MFA

Their social engineering chops seem to indicate the relatively youthful thieves
possessed significant skills. But persuading a poorly trained help desk operator
to provide a temporary password isn’t, unfortunately, out of the ordinary. How
they steamrolled multi-factor authentication is a reason for pause.

According to reports, Scattered Spiders spent a little crypto on ransomware
reportedly engineered by either ALPHV or BlackCat. The rise in
ransomware-as-a-service allowed these seemingly garden-variety hackers to
elevate their game. But their ability to overcome multi-factor authentication
defenses has cybersecurity experts rethinking the once tried-and-true
protection.

Scattered Spiders employed a technique known as “MFA Fatigue.” As the name
suggests, hackers flood a legitimate user with approval requests after inputting
their username and password. Because MFA typically sends a verification code to
a secondary device via text message or email, the hackers cannot usually get
their digital hands on the information.

But Scattered Spiders deployed malware that sent the casino employees an
avalanche of approval requests. These requests typically pressure people to
click on an approval tab.

Much like getting into a disagreement with a relative, MFA fatigue works by
wearing someone down psychologically. At some point in a lengthy dispute, one
party just says “fine” and agrees to end the argument. Employees who receive a
barrage of notifications are likely to approve the request to make the
electronic message stop. That’s how millions of dollars were lost, lawsuits were
filed, and the casinos’ reputations were tarnished.

Dealing with MFA fatigue

To say receiving a one-time password after a 10-minute conversation with a help
desk operator demonstrates a lack of cybersecurity awareness training would be
something of an understatement. Human error remains a primary failing in upwards
of 88 percent of all data breaches.

That statistic also applies to the employees who succumbed to MFA fatigue
tactics and eventually clicked on the login approval. However, there are ways
cybersecurity firms can help organizations harden their MFA protocols to reduce
human error and avoid MFA fatigue, such as the following.

• Reduce the amount of time a temporary password can be used.

• Limit the number of unsuccessful login attempts.

• Onboard biometric and geolocation elements.

Increasing the number of factors and secondary sources used for approvals is
also feasible. If legitimate network users needed to access both email and text
messages, hackers would be forced to flood both devices. That should trigger the
realization something is amiss.
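The barrage of push prompts the essay describes leaves a distinctive trail in an identity provider's MFA audit log: many prompts to one user in a short window, often several denials, then a single approval. The following detection logic is an added example, not code from the essay, SevenAtoms or any casino; it assumes a constructed log format with fields user, event and ip, and a hypothetical event vocabulary of push_sent, push_denied and push_approved.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not taken from the page): j.doe is bombarded
# with prompts, denies twice, then approves; a.smith is a normal single login.
SAMPLE_LOG = """\
2023-09-10T02:14:01Z user=j.doe event=push_sent ip=203.0.113.7
2023-09-10T02:14:09Z user=j.doe event=push_denied ip=203.0.113.7
2023-09-10T02:14:12Z user=j.doe event=push_sent ip=203.0.113.7
2023-09-10T02:14:20Z user=j.doe event=push_denied ip=203.0.113.7
2023-09-10T02:14:25Z user=j.doe event=push_sent ip=203.0.113.7
2023-09-10T02:14:33Z user=j.doe event=push_sent ip=203.0.113.7
2023-09-10T02:14:40Z user=j.doe event=push_sent ip=203.0.113.7
2023-09-10T02:14:51Z user=j.doe event=push_approved ip=203.0.113.7
2023-09-10T02:15:02Z user=a.smith event=push_sent ip=198.51.100.4
2023-09-10T02:15:10Z user=a.smith event=push_approved ip=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) ip=(\S+)$")


def parse(log):
    """Yield (timestamp, user, event, ip) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)


def find_push_fatigue(log, window=timedelta(minutes=5), max_prompts=3):
    """Flag every approval preceded by more than max_prompts push requests
    within `window` for the same user. Prior denials are reported alongside
    because a deny-deny-approve sequence is the classic fatigue signature."""
    per_user = defaultdict(list)
    for ts, user, event, ip in parse(log):
        per_user[user].append((ts, event, ip))
    alerts = []
    for user, events in per_user.items():
        events.sort()
        for i, (ts, event, ip) in enumerate(events):
            if event != "push_approved":
                continue
            recent = [e for e in events[:i] if ts - e[0] <= window]
            sent = sum(1 for e in recent if e[1] == "push_sent")
            denied = sum(1 for e in recent if e[1] == "push_denied")
            if sent > max_prompts:
                alerts.append({"user": user, "prompts": sent, "denials": denied,
                               "approved_at": ts.isoformat(), "ip": ip})
    return alerts
```

Feeding the sample through `find_push_fatigue(SAMPLE_LOG)` raises one alert for j.doe (5 prompts, 2 denials) and none for a.smith; the thresholds are tuning knobs that a SOC would set from its own baseline of prompts per login.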

Given that hackers have a relatively new trick to play on businesses, it’s
crucial to harden your cybersecurity defenses and educate staff members about
MFA fatigue.

About the essayist: John Funk is a Creative Consultant at SevenAtoms. A lifelong
writer and storyteller, he has a passion for tech and cybersecurity. When he’s
not enjoying craft beer or playing Dungeons & Dragons, John can often be
found spending time with his cats. John can be reached online at
johnfunk@sevenatoms.com or at sevenatoms.com.



November 20th, 2023 | Guest Blog Post | Top Stories | Uncategorized
