As the 2023 ICE London gaming industry trade fair is set to begin, a new cyber attack campaign has been uncovered targeting the gaming and gambling sectors since at least September 2022. The identity of the group behind these attacks remains unknown, but Security Joes, an Israeli cybersecurity firm, is monitoring their activity and has dubbed them "Ice Breaker."
According to a report by Security Joes, the Ice Breaker breaches employ cunning social engineering tactics to install a JavaScript backdoor. This advanced technique deceives customer service agents into opening malicious screenshots that are disguised as user issues. This results in a potentially catastrophic security compromise for the company.
In response to the report, Gaming Eminence reached out to Ido Naor, Founder & CEO of Security Joes, to inquire about the report and its timing, as well as to gather recommendations on the best practices for industry operators.
GE) The recent report you released references back to tracking since September 2022, is this type of attack the first of its kind in the industry or have you seen it before?
IN) The gaming & gambling industry is highly targeted by a variety of interest owners and state-sponsored threat actors. One of them is IceBreaker which has been seen for the first time. The type of attack (social engineering customer support) is also unique and as far as we know, the way attackers are usually using customer service is for threatening with a DDoS attack or delivering demands as ransom.
GE) So for some of the skeptics out there that are maybe not so well versed in this topic of cyber security and think this might be a marketing play for ICE, could you break down why the report is being released now and not at the back end of last year?
IN) Attackers with high interest tend to prepare for big events as this is the perfect chance for them. There are many examples:
APT10: This Chinese state-sponsored hacking group used the 2018 Winter Olympics in South Korea to launch a phishing campaign aimed at stealing sensitive information from attendees.
DarkHotel: This APT group has used major international events, such as the World Economic Forum and G20 summits, to target high-level executives and government officials with malware-laden hotel Wi-Fi networks.
Lazarus Group: This North Korean state-sponsored hacking group has been known to carry out cyberattacks timed to coincide with major political events, such as the US presidential election and the Pyeongchang Winter Olympics in South Korea.
SandWorm: This Russian state-sponsored hacking group has been known to launch cyberattacks during high-profile events, such as the 2014 NATO summit in Wales and the 2018 World Cup in Russia.
You may wonder why attackers are waiting for big events. I'll detail a few.
One, to increase attention.
Two, weaknesses in security and management.
Three, distraction.
And those are off the top of my head.
Cyber security is a fascinating world. Let us not disrespect the cunningness and preparedness of hackers as they might surprise us.
GE) Without disclosing names, how many operators that you know about have been targeted so far and to what extent?
IN) A small number of large companies. I can't answer accurately for the nature of things. But companies are being measured by credibility, hence I invite readers to check other blogposts we have, discussing major attacks on that industry.
The Security Joe's Team
Guidance for Operators
GE) Drawing from your expertise, what are the typical cyber attacks that target the gambling industry and what steps would you suggest for effectively preventing and mitigating such attacks?
IN) The gambling industry is a prime target for cyberattacks due to the large amounts of money and sensitive customer information involved.
Here are some typical cyber-attacks that target the gambling industry:
DDoS attacks, Payment fraud, Data breaches (including ransomware) and Insider threats.
To effectively prevent and mitigate these attacks, I believe gaming/gambling companies can implement the following steps:
Implement strong security measures such as multi-factor authentication (MFA), and regular security audits to ensure that systems are secure and up to date.
Another idea could be educating employees of all levels. For example, we provide regular security training for employees that can help to reduce the risk of insider threats and increase overall awareness of cyber security risks.
I'd be always on the watch for software updates and threat intelligence. Keeping your IT Security teams on their toes is a good thing. A strong security firm can follow best practices and the latest industry news to ensure your company is one step ahead of attackers.
My top recommendation, regardless of it being our expertise, is to 24/7 monitor for suspicious activity. Attack vectors such as the ones mentioned above are only the tip of the iceberg. No all attacks are targeted specifically to your company or even to the gaming industry, but a successful attack that would be discovered by a random attacker as a breach to a gaming company can have them discuss serious attackers with it, to sell that backdoor.
Another advice is "prepare to fail, don't fail to prepare". This is what our COO, Alon Blatt, always says. Have an emergency plan in place. It's not hard. Plan how SOC alerts the MDR and how MDR decides the severity level and with the CISO and IT Security, elevate the incident to IR teams. It is always recommended the above teams have a common language at all times.
Lastly, if you're lost - Just make sure you have experts on your side. MDR/IR teams are similar to lawyers, not to insurance agents (as it might seem) IMHO. They are on your side and make sure your interest is preserved all the time. Just like your lawyer, your MDR/IR provider will prepare you and stand in front of you when sh*t hits the fan. You need them.
GE) As technology continues to advance, what security threats do you anticipate will emerge in the future that the gambling industry should be prepared for?
IN) Great question. As the world is slowly being influenced by OpenAI and ChatGPT, the threat landscape of gambling is likely to evolve as well. The future holds attacks of many shapes. One could be involving AI and ML as these are being adopted by the public as we speak. Automating attacks such as social engineering customer service or compiling a fully blown phishing attack had already been proven and shown to be super-fast and intuitive for attackres.
The IoT is another story. The even-increasing use of connected devices in the gambling industry introduces new vectors of attacks which could be leveraged remotely, from the attacker's home office.
Quantum computers are becoming more and more accessible; hence these attacks are just a few clicks aways. Attackers may use this powerful power to break encryption and steal sensitive data
Lastly are the cloud risks. Naturally, industries are becoming more and more adaptive. The cloud is a convenient way to become much more cost effective and increase revenue. It is also a faster communication bridge that increased user experience dramatically. But with every advantage comes disadvantage. It is very easy to make mistakes in cloud infrastructure as it is nothing like on-prem. Leaving databases open to the internet, having services in public spaces instead of private and implementing access key in non-encrypted fashion are only a few risks in the cloud. R&D and IT should be highly trained for the environment to be resilient against attackers.
GE) Could you share your perspective on how you recommend firms to educate and train employees on the importance of cyber security and how to identify and prevent attacks?
IN) I'd recommend "divide & conquer". Units in an organisation work, think and act differently. Same as attackers think of them when they are looking for an attack vector or a way to implement backdoors. Each unity should be trained differently, according to the risks they are open too.
For example, HR should recognise Insider Threat better, if this knowledge will be accessible to them. Customer service should be aware of social engineering, XSS, SQLi and other attacks which might arrive from drive-by web attackers. R&D should be aware of supply chain attack and having their code base on a secure location, to prevent company's intellectual property from being stolen.
In general, companies can't operate by themselves. IT Security, CISO and CTO need an expert by their side. Using experts in the field will grant them the access to knowledge and expertise, will save them precious time and even allocate the responsibility to a 3rd party.
About Ido
Ido Naor is the Founder & CEO of Israeli-based Managed Detection & Response (MDR) and Incident Response (IR) firm Security Joes. He’s a world-renowned security researcher with vast knowledge in Incident Response, Crisis Management, Malware Analysis & Red Teaming.
He is a frequent speaker at security conferences and has written dozens of articles covering the most notorious threat actors in the cybersecurity landscape. Visit https://www.securityjoes.com/