The Federal Bureau of Investigation (FBI) has warned that ransomware attackers are breaking into casino operations by exploiting weaknesses in systems supplied by third-party gaming vendors. Once inside, the criminals abuse legitimate system management tools to escalate their privileges on the targeted systems.
According to the FBI’s private industry notice, these service providers are a frequent point of entry: ransomware actors have repeatedly gained access to casino networks through them.
The FBI describes a pattern in which ransomware actors use vendor-controlled remote access to reach casino servers, then abuse legitimate system management tools to obtain higher network permissions. “By exploiting these tools, the actors have been able to access local files, network shared drives, steal sensitive data, and demand ransoms from the affected enterprises,” the FBI noted.
Since 2022, the FBI has observed a rise in ransomware attacks targeting small and tribal casinos. These incidents involve encrypting servers and stealing sensitive information belonging to both employees and patrons.
The bulletin also covers a threat group tracked as ‘Silent Ransom Group’ (SRG) and ‘Luna Moth,’ which has conducted callback phishing, data theft, and extortion since June. The actors email victims claiming that a charge is about to be made against their account and prompt them to call a phone number; on the call, they talk the victim into installing a legitimate remote system management tool, which the actors then use to install further legitimate software that can be repurposed for accessing and exfiltrating data.
Previously identified phishing lures associated with Luna Moth/SRG include fake subscription renewal notices. Unlike most ransomware groups, Luna Moth/SRG does not encrypt the target’s files; it steals data and extorts the victim over the stolen data alone.
To defend against these threats, the FBI advises a series of protective measures. These include maintaining encrypted, immutable offline backups, enforcing strict policies governing remote access, and allowing only vetted, approved applications to run on casino systems.
Further recommendations include enforcing strong password requirements and multifactor authentication, auditing and restricting administrative rights, keeping software patched and up to date, segmenting the network, deploying tools that monitor for abnormal activity, and securing Remote Desktop Protocol (RDP) access.
Administrators are also urged to disable unnecessary network ports and protocols, add banners to emails received from outside the organization, and restrict script execution and command-line use to reduce the attack surface available to intruders.
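The common thread in the FBI’s description is that the attackers do not drop malware; they ride vendor remote access and run legitimate system management tools, so detection has to key on policy violations rather than on malicious binaries. The script below is an added example written for this article, not code from the FBI notice or from any casino or vendor. It applies three of the recommended controls (an allowlist of approved remote-management tools, a maintenance window for vendor accounts, and restrictions on script hosts for non-administrative users) to constructed process-creation records. The log format, host names, account names, tool names and the 02:00–05:00 window are all assumptions made up for the example.

```python
"""
Policy-violation detector for process-creation telemetry (added example).

Flags the abuse pattern the FBI notice describes: legitimate remote/system
management tools running outside an approved allowlist, third-party vendor
accounts active outside their maintenance window, and script interpreters
launched by non-administrative users. All names and values below are
constructed for this example, not taken from the notice.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy (assumptions). APPROVED_RMM is the vetted remote-management
# tool; KNOWN_RMM lists hypothetical tools in the same category, any of which is
# flagged when it is not approved.
APPROVED_RMM = {"approvedrmm.exe"}
KNOWN_RMM = {"approvedrmm.exe", "otherrmm.exe", "quickremote.exe"}
VENDOR_ACCOUNTS = {"svc_gamingvendor", "svc_slotvendor"}
VENDOR_WINDOW = (time(2, 0), time(5, 0))  # vendors may connect 02:00-05:00 local
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
ADMIN_ACCOUNTS = {"admin_ops"}


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    image: str      # executable file name, lower-cased
    cmdline: str


def parse_events(text: str) -> list[Event]:
    """Parse constructed CSV process-creation records: ts,host,user,image,cmdline."""
    events = []
    for r in csv.DictReader(io.StringIO(text)):
        # Keep only the file name of the image path so the allowlist is path-independent.
        image = r["image"].rsplit("\\", 1)[-1].lower()
        events.append(Event(datetime.fromisoformat(r["ts"]), r["host"],
                            r["user"].lower(), image, r["cmdline"]))
    return events


def in_window(t: time, window: tuple[time, time]) -> bool:
    start, end = window
    return start <= t < end


def detect(events: list[Event]) -> list[tuple[str, Event]]:
    """Return (rule_name, event) pairs for every policy violation, in log order."""
    hits = []
    for ev in events:
        # Rule 1: a remote-management tool that is not the approved one.
        if ev.image in KNOWN_RMM and ev.image not in APPROVED_RMM:
            hits.append(("unapproved_rmm_tool", ev))
        # Rule 2: a vendor account doing anything outside its maintenance window.
        if ev.user in VENDOR_ACCOUNTS and not in_window(ev.ts.time(), VENDOR_WINDOW):
            hits.append(("vendor_access_outside_window", ev))
        # Rule 3: a script host launched by a user who is neither admin nor vendor.
        if (ev.image in SCRIPT_HOSTS and ev.user not in ADMIN_ACCOUNTS
                and ev.user not in VENDOR_ACCOUNTS):
            hits.append(("script_host_by_non_admin", ev))
    return hits


# Constructed sample telemetry (not real log data). Only the second and third
# vendor events and the cashier's PowerShell launch should be flagged.
SAMPLE_LOG = """ts,host,user,image,cmdline
2023-11-01T03:10:00,slotsrv01,svc_gamingvendor,C:\\Program Files\\ApprovedRMM\\approvedrmm.exe,approvedrmm.exe --service
2023-11-01T14:22:00,slotsrv01,svc_gamingvendor,C:\\Users\\Public\\quickremote.exe,quickremote.exe /silent
2023-11-01T14:25:00,slotsrv01,svc_gamingvendor,C:\\Windows\\System32\\cmd.exe,cmd.exe /c net share
2023-11-01T09:00:00,cage02,cashier7,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -EncodedCommand AAAA
2023-11-01T09:05:00,cage02,admin_ops,C:\\Windows\\System32\\cmd.exe,cmd.exe /c gpupdate
"""

if __name__ == "__main__":
    for rule, ev in detect(parse_events(SAMPLE_LOG)):
        print(f"{ev.ts.isoformat()} {ev.host} {ev.user} {ev.image}: {rule}")
```

The first vendor event passes because the approved tool ran inside the maintenance window; the same account launching an unapproved tool and a shell in the afternoon trips two rules, which is the kind of correlation (vendor account plus unexpected tooling plus odd hours) worth paging on. In production the allowlist and window would come from the vendor contract and change-management records rather than constants, and the feed would be Sysmon or EDR process-creation events rather than CSV.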