FBI: Ransomware actors hacking casinos via third parties

A new Private Industry Notification focuses on ransomware trends involving attacks against casinos as well as a callback phishing campaign perpetrated by the Luna Moth gang.

Ransomware threat actors are gaining access to casinos via third parties, according to a Private Industry Notification from the FBI issued on Tuesday.

FBI Private Industry Notifications are published to provide information and relevant trends to organizations. The Nov. 7 PIN was primarily dedicated to initial access, or the means that threat actors use to break into a victim's network.

The bureau said it noted several emerging or continuing ransomware trends "as of July 2023," including threat actors exploiting flaws in "vendor-controlled remote access to casino servers" and attacks against small and tribal casinos.

"Between 2022 and 2023, the FBI noted ransomware attacks compromising casinos through third-party gaming vendors," the PIN read. "The attacks frequently targeted small and tribal casinos, encrypting servers and the personally identifying information (PII) of employees and patrons."

The FBI did not specify which gaming vendors had been used in attacks or how those vendors had been compromised.

The PIN is timely, given the September disclosure of high-profile social engineering attacks against gaming giants Caesars Entertainment and MGM Resorts. In the case of MGM, the Alphv/BlackCat ransomware gang took responsibility for the attack in a post to its data leak site, where the group claimed to have compromised MGM's Okta super administrator accounts. The attack caused massive disruptions at MGM hotels and casinos for several days.

Another trend noted in the PIN was the victimization of companies via "legitimate system management tools to elevate network permissions." The FBI cited a campaign from June involving the Luna Moth ransomware gang, which specializes in callback phishing and has reportedly operated since March 2022. The FBI said Luna Moth, also known as the Silent Ransom Group, sent victims a phone number in phishing emails that claimed to have information about pending charges on victims' accounts.

"Once the victims called the provided phone number, malicious actors directed them to join a legitimate system management tool via a link provided in a follow-up email," the PIN said. "The threat actors then used the management tools to install other legitimate system management tools that can be repurposed for malicious activity. The actors then compromised local files and the network shared drives, exfiltrated victim data, and extorted the companies."

Callback phishing typically manifests through emails sent to a potential victim that alert the target to some type of issue and list a phone number for the target to call back. Once the target calls back, the threat actor attempts to obtain payment or sensitive information using social engineering.

The PIN also contained a number of mitigations for organizations attempting to fortify their identity and access management practices. The FBI recommends that organizations require phishing-resistant multifactor authentication, review their networks for new or unrecognized accounts, and configure user access controls according to the principle of least privilege.

TechTarget Editorial has contacted the FBI for additional comment.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing