Last week saw SB Tech Breached by the hacking group Maze. It seems that every week the group are announcing more victims.
GameOn asked our CEO Peter Bassill, to give us some insight into the attack. The GameOn article is here.
“The Maze ransomware was discovered on May 29th 2019 by Jerome Segura. Maze is a complex piece of malware that uses different techniques to gain entry to systems. It relies on exploits kits, remote desktop connections with weak passwords or via email impersonation. These emails come with a Word attachment that was using macros to run the malware in the system. The mind-blowing thing here is that all of these methods are easy to prevent. I am genuinely surprised businesses get caught by this.”Peter Bassill – CEO – Hedgehog Cyber Security
On Monday, April 1st, SBTech confirmed it had been the target of an attempted ransomware attack. SBTech went on to state customer data was not taken.
Once again, Maze announced their victims in a public post and on their victim shame site. SBTech was among them. Victims also included Curacao-licensed online sportsbook BetUS, cybersecurity insurance firm Chubb, and the French firm Bouygues Construction.
Amar Singh, CEO at the Cyber Management Alliance, found it hard to believe a gaming company could have such a low level of security.
“Gaming companies are usually ahead of the curve in defending against these types of attack. For Maze to have been successful, they would have needed a foothold inside of SBTech. That means a breach occurred, and if this is the case, client records were accessed. So while SBTechs statement that there was no access to customer data, if it was Maze, then it SBTech was breached.”Amar Singh – CEO – Cyber Management Alliance
“Ransomware can be tricky to clean out, and often you end up resorting to a restore from your last known good backup.” Bassill went on to say. “One of the hardest things SBTech are going to face now is the uncertainty. Maze group got in before. Have they closed all the doors and have they eradicated all the malware?”
SBTech is coming to the end of a recovery phase, and restoration of all services is complete. All customer data was securely encrypted, and there has been no data breach.
What can operators do to prevent this happening to then?
The best defence against this particular form of malware and ransomware is good cyber security hygiene — a real multi-layered defence-in-depth approach to securing the business.
Singh had this advice for businesses: “As in other walks of life, you can only treat a problem by first admitting it exists. Consequently, management needs to begin by accepting that cyber criminals will establish a foothold and that they are likely ‘living’ in your digital networks right now. What does that mean in real terms? Create and implement a corporate cyber resilience strategy (rather than a cybersecurity strategy) where you focus equally on protection, rapid detection and rapid response. “
“There is no real tangible information on how the attack happened, but we took the time to go through the limited dumps published by Maze and from this we can, assuming the dumps valid which they do appear to be, pull out some findings for people”. Bassill added, having reviewed the published materials.
It all starts with the user, implementing stronger passphrases, and monitoring user account for signs of compromise. Ensuring that the passphrases are changed every 90 days is essential too. The simplest way for a breach to occur like this is to guess a users password. With services like Have I Been Pwned, you can check where your passwords have been published. But attackers use this too in order to identify any password patterns you may use. So, change your password up a bit.
While we are discussing the user, we would be remiss not to mention reminding users not to open files they are not expecting. And not to click on links unless they know where the links can from and go to.
Segmentation of the internal filing is important. Keep all of your customer data logically, and ideally physically, separate from your business data. This looks to be something SG Tech did really well as there is no player data within the dumps. My keeping good internal filing segmentation, should the worse happen and you be hit with Ransomeware malware, you stand a good chance that not all of your files will be rendered unreadable.
We have long said that two is one and one is none. With backup now, you really need three. One is your local backup and is always cycling, probably on a weekly job. You should also have one that is stored remotely from your systems. This should be pushed to a remote store every time the backup runs, but never overwriting any previous backups. This is your saviour from Ransomware. The third backup should be stored on removable media and kept disconnected. If you suffer a full breach this is the backup that might just save you.
And remember to do test restores of each of the backup locations at least every four months.
With your technology stack, regular patching of all systems, applications and services is imperative. Upgrading servers that are approaching end of life is vital too.
Performing patching around seven days from the release of security updates is essential. After day seven the attackers have typically reversed the security patches and will have started to weaponise their code. By day nine, we usually see attack tools release to take advantage of the security vulnerabilities described in the patches.