To kick-off Cyber Security Awareness Month, consider the different methods and impacts of these cyber-attacks, and the valuable lessons they can teach credit union employees and members.
01./ The MOVEit Attacks
The 2023 MOVEit Transfer attacks have been at the forefront of cyber security news this summer. The parent company of MOVEit became aware of suspicious activity on May 28th, which was the Memorial Day long weekend in the US, a clever time to strike, as more employees are on holidays. It’s now four months later, and the fallout from this cyber-attack is still being felt by many victims. Here is a brief breakdown of the attack:
Perpetrators: TA505, a cybercriminal gang most well-known for their Cl0p ransomware attacks. The word “Cl0p” has become a colloquial name for the TA505 group in the media following the unfortunate but major success of their attacks.
Attack type: Cl0p exploited a zero-day vulnerability in MOVEit, and launched an SQL injection attack.
A zero-day vulnerability refers to a security flaw in software or a system that is not known to the software vendor or the public. This means there are zero days of protection against it because it’s “new” and has not been addressed or patched by the vendor.
SQL (pronounced “sequel”) stands for Structured Query Language, the language applications use to talk to databases. SQL injection is when an attacker supplies crafted input that an unsecured, vulnerable application pastes into a database query, so the input is run as part of the query instead of being treated as plain data. This “tricks” the database into carrying out commands the attacker was never authorized to run, which can allow them to steal, modify or delete data.
MOVEit Transfer is used for securely transferring files between different parties. It relies on a database to store information about users, files, and transfer activities. Cl0p recognized the zero-day vulnerability in MOVEit’s software and launched their SQL injection attack against that database accordingly.
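As an added illustration of the SQL injection mechanism described above (this is example code, not code from the page and not MOVEit’s actual code or database schema), here is a vulnerable query beside its parameterised fix, run against a constructed in-memory SQLite table that stands in for the user and file records a transfer product keeps:

```python
import sqlite3

# Constructed sample table: a hypothetical stand-in for the kind of
# user/file metadata a transfer product stores (not MOVEit's real schema).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER, owner TEXT, name TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?, ?)", [
        (1, "alice", "payroll-q2.xlsx"),
        (2, "bob", "contract.pdf"),
        (3, "carol", "member-list.csv"),
    ])
    return conn

def list_files_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    # Untrusted input is pasted straight into the SQL text, so the input
    # can change what the query means instead of being treated as a value.
    sql = f"SELECT name FROM files WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]

def list_files_safe(conn: sqlite3.Connection, owner: str) -> list:
    # Parameterised query: the driver passes the value separately from the
    # SQL text, so any input can only ever be matched as a literal owner name.
    sql = "SELECT name FROM files WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed sample input, not a real request
    print(list_files_vulnerable(db, "alice"))   # only alice's file
    print(list_files_vulnerable(db, crafted))   # every file: the query was altered
    print(list_files_safe(db, crafted))         # []: input treated as a plain name
```

The same input that makes the vulnerable function return every row is harmless to the parameterised one, which is why patching and parameterised queries, not input blocklists, are the fix for this class of flaw.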
This gave Cl0p access to the data of millions of people, whose information had been stored by one of the many organizations using MOVEit Transfer software. Usually, Cl0p encrypts the data it accesses and demands that the organization pay a ransom for it to be decrypted (this is known as ransomware). This time, Cl0p left the data unencrypted, but threatened to release the sensitive information to the public unless they were paid.
Victims: Over 2000 organizations and more than 50 million individuals worldwide have been impacted either directly or indirectly by these attacks.
In the weeks following the end of May, airlines, energy companies, government bodies, banks, universities and others began coming forward to announce they had been victimized by the attacks. One of the first Canadian organizations to step forward was the Government of Nova Scotia. Upon investigation, government employees discovered that the personal information of some citizens had been breached.
A more recent victim was BORN Ontario, which had the personal health information of millions breached, although that data has not yet been found for sale anywhere online. Especially following a data breach, it is wise for an organization to monitor dark web activity for any signs of the lost data.
What Can Credit Unions Learn from the MOVEit Attacks?
These attacks demonstrate the importance of having an incident response plan in place, so that you can act fast. Being able to detect and respond to threats quickly reduces the risk to your credit union.
When Progress Software, the parent company of MOVEit, realized that a zero-day vulnerability had been exploited, they began developing and releasing patches and updates to fix the problem.
It then became the responsibility of MOVEit Transfer customers to apply the patch as soon as possible. Customers who were slow to apply these updates remained exposed for longer and were more susceptible to being breached.
02./ Generative AI Attacks
November 30th marks the one-year anniversary of ChatGPT’s release and the disruption that followed. Not just text generation tools like ChatGPT, but various forms of AI have taken the cybercrime world by storm. Criminals are impersonating, manipulating and stealing more efficiently than ever before. Here is an explanation:
Perpetrators: Multiple. The public and accessible nature of various generative AI tools gives power to many perpetrators.
Attack type: Generative AI is used to create text, audio, video, images or code that tricks victims and steals their money or harms their software and hardware. This means that AI attacks can include, but are likely not limited to, social engineering, identity fraud and malware.
While platforms like ChatGPT make some attempt to discourage illicit activity, users can simply reword their requests to get around this or use alternative sites like WormGPT and FraudGPT. Criminals can ask these AI tools to write malware code, and then attach the malware to a phishing email also written by AI.
The rise of deepfakes is another issue, as this technology creates alarmingly accurate levels of impersonation that manipulate people into believing false ideas. A deepfake starts with collecting video and audio samples of somebody, often from a public social media account. These samples can be used to “clone” the way the person speaks or looks.
All a victim needs is an email inbox, phone number or social media profile to be the target of an AI generated social engineering attack like a phishing scam or deepfake impersonation trick.
Social engineering scams exploit human instincts and feelings of panic, curiosity and obedience. A worried parent will have a hard time thinking critically when they hear what sounds like their child crying for help during a deepfake call. Employees will eagerly try to follow the instructions of a phishing email that appears to be coming from HR. Social media users will want to purchase an unknowingly faulty product or join a cryptocurrency scam if it appears to be endorsed by their favourite celebrity.
As Canadians become more accustomed to the usual scam scripts and signs, cyber criminals step up their game to be more specific and believable, and AI can help them achieve this.
Earlier this year Global News reported a story of Canadian parents who fell victim to a deepfake phone scam that nearly cost them $10,000. They received a call from someone they believed was their son, who claimed to be in legal trouble in Toronto after causing an accident. The scammers convinced them to withdraw almost $10,000 in cash to secure their son’s release on bail. Later, the parents were asked to send more money to Quebec, which raised suspicions. They contacted their son’s wife, who confirmed their son was not in trouble, revealing the scam.
What can Credit Unions Learn from these Generative AI Attacks?
The rise of social engineering attacks being backed by AI further emphasizes the importance of security awareness training for your employees.
This training teaches employees to pause and think before they click. However, this popular sentiment can be expanded in light of the evolving cyber-threat landscape. Employees should think before they post on social media, before they trust the voice behind a phone call and before they believe a video of a media personality online. Using this mentality can protect them at work and in their personal lives.
Additionally, education should be delivered to members. Social engineering attacks often impersonate financial institutions, so ensure members know what official contact from your credit union looks like in comparison to a scam.
03./ The MGM Attacks
The recent attack against the MGM Resorts in Las Vegas garnered major attention for all the worst reasons. The attack was rather simple, preventable and yet detrimental to MGM and the guests of their hotels and casinos.
Perpetrators: The ALPHV/BlackCat ransomware group is suspected of being behind the attack.
Attack type: According to a provocative tweet by Vx-underground, it all started with a quick vishing phone call. The criminals found an MGM employee on LinkedIn to impersonate and called the help desk for a password change. The request was approved, and chaos ensued from there.
All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk.
A company valued at $33,900,000,000 was defeated by a 10-minute conversation.
— vx-underground (@vxunderground) September 13, 2023
The goal of these cyber gangs after gaining entry using social engineering is usually to initiate a ransomware attack. For example, just a few days before the MGM attacks, the Las Vegas casino and hotel operator Caesars paid a $15 million ransom to appease a cybercrime group disrupting their systems.
MGM reportedly did not pay any ransom, and instead worked alongside the FBI to try and catch the criminals and resolve the issue, all while suffering through the turmoil of the attack.
Victims: MGM Resorts and subsequently their hotel and casino guests, who would have experienced attack-related disruptions to their Vegas vacation plans.
What Can Credit Unions Learn from the MGM Attacks?
Following the news of the attacks, North America watched as MGM’s name was dragged through the media. The hotel and casino operations were severely impacted, including gaming machines being out of order and guest key cards not working. This led to reputational damage and an economic loss of $100 million.
Consider a ransomware attack that causes credit union members to lose access to their accounts or essential banking services. Members would be rightfully upset and panicked, like the guests of the hotels and casinos in Vegas. However, unlike giant companies like MGM or Caesars, credit unions do not have the means to simply pay off an attacker in the hope that they will go away.
This means prevention is key. Rumors have begun circulating about MGM’s security posture prior to the attack, including one account claiming that they were using outdated and vulnerable servers. Organizations of all sizes need to maintain up-to-date security measures and train employees about social engineering.
In this exploration of recent cyber-attacks, we’ve uncovered a common thread: the need for organizations to maintain unwavering security vigilance. Credit unions must safeguard their systems and educate their employees and members, and Celero is here to help.
To learn more about how we can assist you with all your security needs and questions, talk to your Celero Account Executive or contact us.