Axios Codebook

Companies need to rethink their cyber defense strategies as cybercriminals fine-tune their social-engineering tactics to target vulnerable employees, experts told Axios.

Why it matters: Recent cyberattacks targeting casino giants MGM Resorts and Caesars Entertainment have highlighted the challenges companies still have in defending against social-engineering attacks.

Catch up quick: Caesars said in a public 8-K filing last week that hackers originally broke into its networks after targeting one of its outsourced IT vendors with a social-engineering attack.

• Reports suggest that the apparent cyberattack on MGM started in a similar way.

The big picture: As companies have gotten better at detecting traditional phishing emails, malicious hackers have had to turn to new techniques to make their lures more believable.

• For instance, one group known as Scattered Spider has made text-message phishing and fake phone calls a core part of its attack strategy.
• The group has been linked to the MGM and Caesars incidents, and its hackers have successfully broken into more than 100 other companies during the group's roughly two-year existence.

By the numbers: 74% of data breaches between November 2021 and October 2022 involved a human element via an error, privilege misuse, social engineering or use of stolen credentials, according to Verizon's 2023 data breach investigations report.

• The number of cyber incidents involving a fake story or other pretext — the form of social engineering seen in recent high-profile attacks — also doubled last year, per Verizon.

Between the lines: Personalizing employee training and awareness programs can go a long way in preventing successful social-engineering attacks, Ashley Rose, CEO and co-founder of Living Security, told Axios.

• Companies are often already collecting data about which employees reuse passwords, who needs access to sensitive data for their roles, and which teams are receiving the largest volume of scam emails.
• Using that data, organizations can easily tailor internal security controls, such as implementing stricter email filters, for those who are most at risk of being duped by an email or call, Rose said.

The intrigue: To go beyond awareness and training programs, companies should also prepare for the inevitability that their employees will be duped by a phone call, text message or email, Kimberly Goody, head of cybercrime analysis at Mandiant, told Axios.

• Limiting the number of employees who have access to sensitive corporate data, as well as employing stricter password reset and multifactor authentication tools, could help prevent attackers from getting too far into a network, she added.

What they're saying: "They don't need the social engineering to work every single time," Goody said of malicious actors. "They just need it to work sometimes — once in a blue moon is enough for them."

Threat level: The rising availability of artificial intelligence tools will only make social-engineering attacks easier to fall for in the coming years, experts say.

• AI tools could help cybercriminals do everything from dig up the information they need about an organization's employees on the dark web to writing more believable phishing emails, Rose said.
• Already, researchers have found that generative AI tools have allowed cybercriminals to build an entire copy of someone's voice for scam calls using as little as three seconds of a clip.

The bottom line: Companies shouldn't stop their human-centered defenses at baseline awareness and trainings.

• Leaning on data to determine which employees are most at risk of falling for a phishing attempt and building stronger internal data controls are the best defenses.

Cisco's $28 billion bet on cybersecurity company Splunk is highly likely to pay off, an analyst told Axios.

Why it matters: Cisco unveiled plans Thursday for what would be its largest acquisition to date — leaving some investors questioning whether the price is worth it.

The big picture: Artificial intelligence has become a major selling point in the tech and cybersecurity industries as businesses eye ways to efficiently bring the emerging tech into their operations.

• Cisco CEO Chuck Robbins said during an investor call Thursday that the Splunk acquisition would bring more threat prediction and prevention tools to his customers, on top of the company's existing detection and response products.

Between the lines: Even aside from the AI gains, the companies have plenty to gain from one another, Steven Dickens, infrastructure practice leader at the Futurum Group, told Axios.

• Cisco has been eyeing ways to pivot further into the software space. "This gets to the end game a lot quicker than doing maybe 10 or 15 of the smaller acquisitions," Dickens said.
• Meanwhile, Splunk is over-concentrated in the North American markets, he said, adding that folding into Cisco would give Splunk an edge as it looks to expand into other global markets.

The intrigue: It's yet to be seen how exactly Cisco would merge Splunk's products into its own offerings.

• Dickens is closely watching for Cisco's plans to integrate its ThousandEyes cloud tool with Splunk's Observability products, which offer similar insights to customers.
• "I'm expecting robust roadmap planning while the acquisition is going through approval," Dickens said. "I don't think there's a problem, but there is some work to do there."

What's next: Everyone in cybersecurity — and the tech sector overall — is eyeing new ways to bring AI into their businesses.

• Expect more deals of this nature, especially as a new crop of AI security startups emerges.

Get ready for a weekend stacked with researchers releasing new details about nation-state hacking attempts.

What's happening: SentinelOne is hosting its second-annual LABSCon, which started late Wednesday and runs through Saturday.

• Security researchers from the company, as well as a handful of other cybersecurity vendors, will debut their top findings to an invite-only attendee list at the event.

Why it matters: Already, on the first full day, researchers have detailed new state-backed campaigns targeting Israeli corporations, African financial and government organizations, and a splattering of telecommunications firms around the world.

Details: Two reports from SentinelOne's research team, and another from Slovakia-based cybersecurity firm ESET, are some of the first to come out of the conference.

• In one report, SentinelOne's researchers detailed how China-linked hackers have been infiltrating telecommunications, finance and government entities throughout Africa as part of China's so-called soft power agenda.
• In a second report, SentinelOne found a suspected mercenary hacking group targeting telecommunications providers in the Middle East, Western Europe and South Asia.

Meanwhile, ESET detailed how an Iran-linked hacking group also targeted several Israeli companies' websites in 2021 and 2022 using a set of never-before-seen backdoors into their systems.

• In the campaigns, the group, known as OilRig, was able to leverage access to the companies' websites to exfiltrate the organizations' data, browsing history and any stored login credentials.

The big picture: Together, the reports highlight how nation-state hacking groups are focusing on non-Western organizations in their espionage efforts.

Of note: SentinelOne plans to place more emphasis on studying hacking campaigns in "undermonitored" regions.

• The company established a working group Thursday to study operations targeting countries in Latin America and throughout Africa.

What's next: LABSCon will continue to showcase new reports through Saturday from an array of speakers and companies.

@ D.C.

🇬🇧 The U.S. and the U.K. finalized a data-transfer agreement that starts Oct. 12 which makes it easier for companies operating on both sides of the Atlantic to send data back and forth. (CyberScoop)

🐛 The Cybersecurity and Infrastructure Security Agency's list of known exploited software vulnerabilities has more than 1,000 bugs after two years. (The Record)

🇵🇱 Poland is investigating a complaint that OpenAI's ChatGPT violates the European Union's comprehensive data protection laws. (Reuters)

@ Industry

📲 T-Mobile blamed a recent data leak that exposed customers' billing details on a "system glitch." (Ars Technica)

🍎 Apple released an emergency update to patch three critical vulnerabilities that hackers are actively targeting. (BleepingComputer)

@ Hackers and hacks

🏛️ The International Criminal Court says hackers broke into its systems last week. (TechCrunch)

👾 The FBI and CISA warned that the Snatch ransomware gang is targeting the defense industrial base and critical infrastructure sectors like food and agriculture. (Nextgov/FCW)

🐦 Donald Trump Jr.'s account on X, formerly known as Twitter, was hacked, a spokesperson says. (Axios)

👀 Seems an MGM Grand IT vendor has posted a job listing for a short-term contractor to completely rebuild the resort's networks from the ground up — and the job listing also confirms the recent incident was, indeed, due to ransomware.

• "This role will be helping the MGM Grand Casino to build its ... new IT environment after the recent ransomware hack," per the listing.
• Pay starts at $100 an hour and the job will likely last until Oct. 15.
• And you'll need to work on-site at MGM and spend 10 hours per day, seven days a week on the job until the systems are back up and running.