SBTech – Behind the Security Curve?

Categories: Attacks, CISO

Last week saw yet another company hit by the Maze ransomware group. It seems that every week the group announces more victims.

“The Maze ransomware was discovered on May 29th 2019 by Jerome Segura. Maze is a complex piece of malware that uses some tricks to frustrate analysis right from the beginning. The malware uses different techniques to gain entry to systems. It is mainly using exploit kits, remote desktop connections with weak passwords or email impersonation. These emails came with a Word attachment that was using macros to run the malware in the system. The mind-blowing thing here is that all of these methods are easy to prevent,” Bassill said.

On Monday, April 1st, SBTech confirmed it had been the target of an attempted ransomware attack. SBTech went on to state that customer data was not taken.

Once again Maze announced its victims in a public post on its victim-shaming site, and SBTech was among them. Other victims listed included Curacao-licensed online sportsbook BetUS, cybersecurity insurance firm Chubb, and the French firm Bouygues Construction.

Amar Singh, CEO at the Cyber Management Alliance, found it hard to believe that a gaming company could have such a low level of security.

“Gaming companies are usually ahead of the curve in defending against these types of attack. For Maze to have been successful, they would have needed a foothold inside of SBTech. That means a breach occurred, and if this is the case, client records were accessed. So while SBTech's statement is that there was no access to customer data, if it was Maze, then SBTech was breached,” Singh said.

“Ransomware can be tricky to clean out, and often you end up resorting to a restore from your last known good backup,” Bassill went on to say. “One of the hardest things SBTech are going to face now is the uncertainty. The Maze group got in before. Have they closed all the doors, and have they eradicated all the malware?”

According to SBTech, it is coming to the end of its recovery phase and restoration of all services is complete. The company states that all customer data was held encrypted and that there has been no data breach.

So what can operators do to prevent this happening to them?

The best defence against this kind of ransomware is good cyber hygiene: a genuine multi-layered, defence-in-depth approach to securing the business.

Start with the user: enforce longer passphrases (weak passwords on exposed remote desktop services are one of the entry routes named above) and monitor user accounts for signs of compromise, such as bursts of failed logons against one account or one source trying many accounts. Rotating passphrases on a fixed schedule, every 90 days for example, is a common policy, though current guidance such as NIST SP 800-63B favours screening new passphrases against lists of breached passwords and forcing a change when compromise is suspected rather than on a calendar.
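One concrete form of that account monitoring, as an added example that is not code from the original article nor from SBTech or the Maze operators: flag RDP brute-force and password-spray activity in Windows logon events. It assumes Security log events exported as one JSON object per line with the field names shown in the constructed sample (Event ID 4625 is a logon failure, 4624 a success, and LogonType 10 is a RemoteInteractive, i.e. RDP, logon); the window and count thresholds are assumptions, not figures from the article.

```python
"""Spot RDP brute-force and password-spray activity in Windows logon events.

Added example, not code from the original article or from SBTech/Maze.
Assumes one JSON event per line with the fields shown in SAMPLE_EVENTS;
the thresholds below are assumptions, not figures from the article.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON = 10  # LogonType 10 = RemoteInteractive (RDP)

# Constructed sample: one source sprays five accounts, another hammers
# "administrator" and then gets in, one user mistypes once, one console
# failure (LogonType 2) is present only to show it is ignored.
SAMPLE_EVENTS = """\
{"time":"2020-03-30T02:00:01Z","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"jsmith"}
{"time":"2020-03-30T02:00:09Z","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"mjones"}
{"time":"2020-03-30T02:00:17Z","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"finance"}
{"time":"2020-03-30T02:00:25Z","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"backup"}
{"time":"2020-03-30T02:00:33Z","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"svc_sql"}
{"time":"2020-03-30T03:10:00Z","EventID":4625,"LogonType":10,"IpAddress":"198.51.100.23","TargetUserName":"administrator"}
{"time":"2020-03-30T03:10:02Z","EventID":4625,"LogonType":10,"IpAddress":"198.51.100.23","TargetUserName":"administrator"}
{"time":"2020-03-30T03:10:04Z","EventID":4625,"LogonType":10,"IpAddress":"198.51.100.23","TargetUserName":"administrator"}
{"time":"2020-03-30T03:10:06Z","EventID":4625,"LogonType":10,"IpAddress":"198.51.100.23","TargetUserName":"administrator"}
{"time":"2020-03-30T03:10:08Z","EventID":4625,"LogonType":10,"IpAddress":"198.51.100.23","TargetUserName":"administrator"}
{"time":"2020-03-30T03:10:10Z","EventID":4625,"LogonType":10,"IpAddress":"198.51.100.23","TargetUserName":"administrator"}
{"time":"2020-03-30T03:10:12Z","EventID":4624,"LogonType":10,"IpAddress":"198.51.100.23","TargetUserName":"administrator"}
{"time":"2020-03-30T08:15:00Z","EventID":4625,"LogonType":10,"IpAddress":"192.0.2.10","TargetUserName":"alice"}
{"time":"2020-03-30T08:15:30Z","EventID":4624,"LogonType":10,"IpAddress":"192.0.2.10","TargetUserName":"alice"}
{"time":"2020-03-30T09:00:00Z","EventID":4625,"LogonType":2,"IpAddress":"-","TargetUserName":"bob"}
"""


def parse_events(text):
    """Parse one JSON event per line and return the events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda ev: ev["time"])


def detect(events, window=timedelta(minutes=10), spray_accounts=5,
           brute_attempts=6, success_after=3):
    """Return sorted (alert_type, source_ip, detail) tuples.

    password_spray         : one source fails against >= spray_accounts
                             distinct accounts inside the window.
    brute_force            : one source fails >= brute_attempts times
                             against a single account inside the window.
    success_after_failures : an RDP success from a source that had
                             >= success_after failures in the window, i.e.
                             a likely foothold rather than a typo.
    """
    recent = defaultdict(list)  # source ip -> [(time, account), ...] within window
    alerts = {}                 # (type, ip) -> detail; keyed so each fires once per source
    for ev in events:
        if ev.get("LogonType") != RDP_LOGON:
            continue            # console and network logons are out of scope here
        ip, user, now = ev["IpAddress"], ev["TargetUserName"], ev["time"]
        recent[ip] = [(t, u) for t, u in recent[ip] if now - t <= window]
        if ev["EventID"] == 4625:
            recent[ip].append((now, user))
            accounts = {u for _, u in recent[ip]}
            if len(accounts) >= spray_accounts:
                alerts[("password_spray", ip)] = f"{len(accounts)} accounts"
            if sum(1 for _, u in recent[ip] if u == user) >= brute_attempts:
                alerts[("brute_force", ip)] = user
        elif ev["EventID"] == 4624 and len(recent[ip]) >= success_after:
            alerts[("success_after_failures", ip)] = user
    return sorted((kind, ip, detail) for (kind, ip), detail in alerts.items())


if __name__ == "__main__":
    for kind, ip, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{kind:24} {ip:16} {detail}")
```

The third rule is the one worth tuning in practice: a single failure followed by a success is an everyday typo, whereas a success that follows a run of failures from the same source is exactly the foothold Singh describes, and is the event to page on.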

On the technology side, regular patching of all systems, applications and services is imperative, and the target should be to deploy security updates within about seven days of release. After day seven the attackers have typically reverse-engineered the security patches (diffing the patched binary against the unpatched one to locate the flaw) and will have started to weaponise their code. By day nine we usually see attack tools released that take advantage of the vulnerabilities the patches describe.
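A simple way to hold an estate to that timeline, as an added example that is not code from the original article: check a patch inventory against the seven-day window and tier anything still missing by the article's day-7 and day-9 markers. It assumes an inventory exported as CSV with the columns shown in the constructed sample (host, update identifier, vendor release date, install date or blank if still pending); the update identifiers and tier names are placeholders, not real advisories.

```python
"""Report hosts that have exceeded the patch-deployment window.

Added example, not code from the original article. The SLA of seven
days and the day-9 tooling marker are the article's figures; the CSV
layout, update identifiers and tier labels are assumptions.
"""
import csv
import io
from datetime import date, timedelta

SLA_DAYS = 7         # deploy within about seven days of release
WEAPONISED_DAYS = 9  # after this, public attack tooling usually exists

# Constructed sample inventory; a blank 'installed' field means pending.
SAMPLE_INVENTORY = """\
host,update,released,installed
web01,UPD-2020-002,2020-03-12,2020-03-15
web02,UPD-2020-002,2020-03-12,
db01,UPD-2020-002,2020-03-12,2020-03-21
jump01,UPD-2020-001,2020-03-10,2020-03-11
jump01,UPD-2020-002,2020-03-12,
app01,UPD-2020-003,2020-03-17,
app01,UPD-2020-002,2020-03-12,2020-03-13
"""


def load_inventory(csv_text):
    """Parse the CSV export into rows with real date objects."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "host": r["host"],
            "update": r["update"],
            "released": date.fromisoformat(r["released"]),
            "installed": date.fromisoformat(r["installed"]) if r["installed"] else None,
        })
    return rows


def exposure_days(released, installed, today):
    """Days between release and install, or release and today if still pending."""
    return ((installed or today) - released).days


def classify(days):
    """Tier an exposure by the article's timeline."""
    if days <= SLA_DAYS:
        return "within_sla"
    if days <= WEAPONISED_DAYS:
        return "patch_reversed"   # attackers have likely diffed the patch
    return "tooling_public"       # exploit tooling is usually out by now


def overdue(rows, today):
    """Pending updates past the SLA as (host, update, days, tier), worst first."""
    out = []
    for r in rows:
        if r["installed"] is None:
            days = exposure_days(r["released"], None, today)
            if days > SLA_DAYS:
                out.append((r["host"], r["update"], days, classify(days)))
    return sorted(out, key=lambda x: (-x[2], x[0]))


def sla_compliance(rows, today):
    """Share of updates installed within SLA, counting only those whose
    deadline has passed or that are already installed (a three-day-old
    pending update is not yet a miss)."""
    decided = [r for r in rows
               if r["installed"] or today - r["released"] > timedelta(days=SLA_DAYS)]
    met = [r for r in decided
           if r["installed"] and (r["installed"] - r["released"]).days <= SLA_DAYS]
    return len(met) / len(decided) if decided else 1.0


if __name__ == "__main__":
    rows = load_inventory(SAMPLE_INVENTORY)
    as_of = date(2020, 3, 25)
    for host, upd, days, tier in overdue(rows, as_of):
        print(f"{host:8} {upd:14} {days:3}d  {tier}")
    print(f"SLA compliance: {sla_compliance(rows, as_of):.0%}")
```

Tiering by age rather than by a flat overdue flag matters because the queue is never empty: the host nine days past a release sits in a different risk class from the one at day eight, and the report should say so.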