The Federal Bureau of Investigation is warning that ransomware threat actors are targeting casino servers and use legitimate system management tools to increase their permissions on the network.
In a private industry notification, the agency says that third-party vendors and services are common attack vector. Ransomware gangs continue to rely on third-party gaming vendors to breach casinos.
“New trends included ransomware actors exploiting vulnerabilities in vendor-controlled remote access to casino servers, and companies victimized through legitimate system management tools to elevate
network permissions,” the agency explains.
Starting 2022, the FBI noted ransomware attacks that targeted small and tribal casinos to encrypt servers and personally identifiable information of employees and patrons.
The alert also details that the threat actor known as ‘Silent Ransom Group’ (SRG) and ‘Luna Moth’ has been carrying callback-phishing data theft and extortion attacks since June.
The attacker tricked the victim to call a number under the pretense that there were pending charges on their account. If the victim fell for the ruse, SRG would convince them to install a system management tool, which was later used to install other legitimate utilities that can also be used for malicious purposes.
“The [SRG] actors then compromised local files and the network shared drives, exfiltrated victim data, and extorted the companies” – Federal Bureau of Investigation
Previous reports note that among the phishing lures associated with Luna Moth/SRG attacks are fake subscription renewal ruses. This group is focused on data extortion and does not encrupt the files.
Mitigation advice
The FBI recommends organizations to implement several mitigations to limit an adversary’s use of common system and network discovery techniques.
Organizations should keep offline backups that are encrypted and immutable for the entire company’s data infrastructure. Implementing policies for remote access and executing only known and trusted applications is also a step towards an improved security stance.
Strong password policies and multifactor authentication are encouraged, along with auditing and managing administrative privileges.
Network segmentation, adding solutions that monitor for abnormal activity, secure RDP usage and up-to-date software components are common recommendations that many companies still have to meet.
Finally, system admins are recommended to turn off unnecessary ports and protocols, add email banners for messages that originate outside the organization, and restrict command-line and scripting activities.