
Simple hacks that took down big companies

NetworkTigers showcases some simple hacks that took down giants.

Hacks, breaches, intrusions, and ransomware attacks are carried out in various ways.

Many threat actors play the numbers game, blasting out phishing emails or messages across hundreds or even thousands of accounts, knowing that some unlucky person amongst the crowd will be careless enough to fall into the trap.

Others are more technical, installing backdoors on targeted networks via specialized coding and custom malware.

Many cyberattacks, however, succeed simply by following the path of least resistance: exploiting weak passwords or running social engineering schemes. These basic attacks are no less destructive than more technical ones, and they often leave organizations scrambling to explain their negligence while also mitigating the material damage of the attack.

MGM Resorts

The September 10th, 2023, breach of MGM Resorts was performed by hackers who used nothing but publicly available information to gain access to the company’s network and launch a ransomware attack.

The ALPHV hacker gang responsible for the breach browsed LinkedIn, found an MGM Resorts employee, and called the company’s service desk to ask for access to that employee’s account while claiming to be them. Once access was granted, the hackers could perform whatever tasks were necessary to set the stage for their attack without tripping any defensive wires.

The attack that followed caused widespread system outages throughout MGM Resorts’ network, resulting in booking errors, reservation issues, corporate email outages, and even guest keycard failures for the next ten days.

This attack could have been prevented had better verification protocols been established to confirm that the person asking for account access was authorized. The ability of a threat actor to ask for a key to the front door makes this breach one of the most brazen and simple hacks in recent history.

The fact that a major casino organization entrusted with a great deal of guest privacy and financial protection was so easily infiltrated has damaged its reputation.

EA Games

In an attack similar to the one on MGM Resorts, EA Games was compromised by hackers who tricked an employee into providing a login token over Slack by claiming they had lost their phone at a party the previous night. According to the hackers responsible, access to the company’s Slack channel was gained by purchasing a stolen cookie for only $10.

Once within EA’s system, the hackers made off with the source code for FIFA 21, the source code for EA’s Frostbite game engine, and other game development tools. In total, 780GB of data was stolen and advertised for sale on underground internet forums.

The attack on EA was one of several hacks carried out on video game developers that year.

Axie Infinity

High-profile blockchain game Axie Infinity was brought to its knees by hackers who targeted engineers at the game’s publisher, Sky Mavis, with fake job offers.

Reaching out to Sky Mavis employees over LinkedIn and posing as a representative of a fake company, hackers associated with North Korea’s Lazarus hacker group went so far as to engage with their victims through phony job interviews.

Once this process was complete, generously compensated employment opportunities were offered to those targeted. Clicking a malicious file that supposedly contained an official offer letter was all it took to compromise the individual’s computer and access Sky Mavis’ resources.

$620 million in crypto was ultimately stolen from Axie Infinity due to this scam, adding the game to a long list of crypto hacks and thefts that Lazarus has engaged in to finance the North Korean government.

Robinhood

Popular stock trading app Robinhood fell victim to an attack in 2021 that resulted in the personal information of its customers being posted for sale on the internet.

Threat actors used social engineering to get inside the company. Over a phone call, a help desk representative was convinced to install malicious remote access software on their computer.

Once that employee’s computer was compromised, the hackers could move within the company’s network using login credentials saved on the device.

Unnamed UK energy firm

In 2019, criminals used an AI voice emulation tool to impersonate the German CEO of a major UK energy firm’s parent company and trick a high-level executive in the UK into handing over €220,000 to an account they said belonged to a “Hungarian supplier.” The account, however, was under the control of the scammers.

The UK executive became suspicious when more phone calls and requests that originated from an Austrian phone number followed.

While perhaps not as technically deep as many other hacks, this campaign is noteworthy for being one of the first documented instances of criminals employing AI and deepfake technology to engage in a spear phishing scheme.

SolarWinds

2020’s hack of SolarWinds sent shockwaves through the public and private sectors, as the company provides system management tools for hundreds of thousands of companies all over the globe. Its compromise marked one of the largest hacks ever to occur.

While the attack on the company was sophisticated, compromising a piece of software that SolarWinds then distributed to its users via an update, a weak password could have contributed to the hack.

As the event was being investigated, it was discovered that the password “solarwinds123” was set on a GitHub repository under an account that, oddly, allowed complete access to the company’s update server. Not only does this password break every best-practice rule, but it was also found to have been compromised.
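As an added illustration (not code from the article or from SolarWinds), a small Python audit check that reports which basic password rules a value like “solarwinds123” breaks; the length threshold, the organization-name list and the compromised-password set are assumptions constructed for the example:

```python
import re
import string

# Constructed stand-in for a breached-password corpus (assumption); a real
# audit would query a breach dataset rather than a hard-coded set.
KNOWN_COMPROMISED = {"solarwinds123", "password1", "welcome123"}

MIN_LENGTH = 14  # assumed policy threshold, not a value from the article


def weak_password_findings(password: str, org_names: tuple) -> list:
    """Return the policy rules a password breaks (an empty list means it passes).

    The checks are deliberately simple so they can run offline in a
    pre-commit hook or a credential-rotation audit.
    """
    findings = []
    lowered = password.lower()
    # Strip separators so "solar-winds_123" still matches "solarwinds".
    squashed = re.sub(r"[^a-z0-9]", "", lowered)

    if len(password) < MIN_LENGTH:
        findings.append("too-short")
    # Passwords derived from the organization's own name are trivially guessable.
    for name in org_names:
        if name.lower().replace(" ", "") in squashed:
            findings.append("contains-org-name")
            break
    # Classic "word followed by a few digits" pattern (company name + 123).
    if re.fullmatch(r"[a-z]+\d{1,4}", lowered):
        findings.append("word-plus-digits")
    # Count how many character classes are present (lower, upper, digit, symbol).
    classes = sum(
        any(c in cls for c in password)
        for cls in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation)
    )
    if classes < 3:
        findings.append("low-character-diversity")
    if lowered in KNOWN_COMPROMISED:
        findings.append("known-compromised")
    return findings


if __name__ == "__main__":
    for pw in ("solarwinds123", "Tq7!rbX2#kL9vM"):
        print(pw, "->", weak_password_findings(pw, ("SolarWinds",)) or ["ok"])
```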

While the official word from SolarWinds cast blame for the password’s usage on an unnamed intern and stated that the account was not connected to the company’s IT systems, security experts were skeptical.

Researcher Vinoth Kumar, who had discovered the password vulnerability, tweeted that a proof-of-concept against the account allowed him to upload a malicious executable to the update server just as the hackers did. He also pointed out that it made no sense to suggest an intern would have been granted that kind of access without having their credentials changed afterward.

The role, if any, the weak password played in the hack may never be clear. Still, the fact that a researcher could use it to duplicate the methodology of the cybercriminals casts doubt on SolarWinds’ claims that it was not exploited.

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
