Sept. 25, 2023

Unraveling Cisco's $28 Billion Splunk Acquisition and a Breakdown of MGM Resorts Hackers Brilliant Hacking Techniques

The TechTual Talk

Prepare to be captivated as we unravel the intricacies of Cisco's jaw-dropping $28 billion acquisition of Splunk, a tech deal that's sure to leave shockwaves in the realm of security operations. You'll gain invaluable insights into the Splunk platform, a game-changer that's transforming the way we comprehend system glitches and errors. Our discussion isn't merely an academic review; we aim to shine a spotlight on the potential job opportunities this acquisition could engineer, offering you a novel angle on how to navigate the tech job market.

But the excitement doesn't stop there. We're taking a deep dive into the unnerving world of cyber crime, with a detailed analysis of the recent ransomware attack on the City of Dallas. This isn't just about recounting a tale of digital terror; we underscore the dire need for robust prevention and detection methods to combat these nefarious threats. And if you thought hackers were all shadowy, faceless entities, prepare to have your perceptions challenged as we delve into the modus operandi of the Scattered Spider group, a new breed of Gen Z hackers leaving their mark on the cyber landscape.

Finally, we'll shift gears and talk candidly about the job hunt. The tech world can be a tough nut to crack and we want to arm you with the best tools to help you land your dream job. We'll share personal anecdotes, debunk common misconceptions, and discuss the importance of networking and a well-crafted resume. It's hard-hitting advice interlaced with empathy and encouragement. And remember, we're always eager to interact with you on our social platforms, so don't hesitate to reach out. So, buckle up and get ready for an episode chock-full of tech insights, daunting hacker tales, and invaluable career advice.

Support the show

If you enjoyed the show don't forget to leave us a 5 star review, to help with the algorithm :)

Email: henridavis@thetechtualtalk.com

➡️ Need coaching help? Then go here (ask about our financing) ⬇️
https://techualconsulting.com/offerings

➡️ Want to land your first IT job? Then check out the IT course from CourseCareers. Use my link and code Techtual50 to get $50 off your course ⬇️
https://account.coursecareers.com/ref/50932/


➡️ Need help getting into cybersecurity for a low price? Then check out Josh Madakor's cybersecurity course at Leveld Careers and use my code TechTual10 to get 10% off your course ⬇️
https://www.leveldcareers.com/a/2147530874/RuqjrBGj


If you want a high-paying role in the cloud, then click here ⬇️
https://levelupintech.lpages.co/level-up-in-tech-book-a-call-tech/



Transcript
Speaker 1:

Cisco acquires Splunk in a blockbuster deal, MGM is finally back up online, and much more. Are you interested in starting your career in the cloud? Well, if that's you, then I got something for you. Level Up In Tech is a comprehensive 24-week program guaranteed to help you land a high-paying role in the cloud. Some of the skills that they teach you in Level Up In Tech are server config and troubleshooting, AWS, infrastructure as code, CI/CD, scripting, containerization and more. Level Up In Tech has helped over 800 people start their career in the cloud. So if you're interested in the program, click the link in my bio, click on the tech resources and click on Start Your Cloud Career. What's going on, everybody? Welcome back to The TechTual Talk. It's episode 102 and I'm your host HD. This is going to be your weekly security tech news brief. Yet again, I still got guests and interviews coming for you and other stuff, but they're pretty busy, so I want to give you some of this good news that you need to be able to look out for. But if you're listening on Apple Podcasts or Spotify, you know what to do: leave a review, follow the podcast, share it out, it really helps out our numbers. Also, if you're watching on YouTube, go ahead and hit the like button, but hit all notifications, and yeah. So I want to briefly get into it. But also it's a Sunday, and you already know it, it's football. It's football Sunday. So I'm just making this now, my Broncos probably going to start off with three. A lot of their key players on defense are hurt. They've been able to stop a nosebleed this year and I don't think they finished out Tyree Keele and Jaylen Powell. So it just is what it is. Hopefully they score at least decent enough points to make it competitive, but I don't see them winning. Now if they do, I'll come back next week and say shout out to them for winning, man. Also, shout out to everybody who's grinding right now in the job search. Like I said, September surge.
Keep those LinkedIns updated. Keep looking at your inbox. Practice for these interviews. Try to find somebody on the team that you know that's there or whoever, but try to do as best you can on the interview, because you never know how many other shots you may or may not get. So please do your due diligence with that. Also, this is a reminder to be your best free agent when it comes to working in your career. The company may or may not treat you how you want to be treated. I don't care if you've been there six months, seven months, seven years. If a potential offer comes up that's better for you, better for your family, take the money or see if they'll match it, because, at the end of the day, prices are going up and you got to support yourself and your family. So that's what I say about that. I think the first thing we want to talk about is Cisco's mega deal to acquire Splunk, and we're going to talk about that now. All right. So Cisco to acquire Splunk in $28 billion mega deal, let's get into it real quick. Cisco has a reputation of building the company through acquisitions, but it has tended to stay away from the really huge ones. That changed this morning when the company announced it was acquiring Splunk for $28 billion. With Splunk, it gets an observability platform that could fit nicely into its security business to help customers better understand security threats, while also helping parse oodles of log data to resolve other problems, like helping understand system failures or troubleshoot myriad issues across a broad array of enterprise systems. Yeah, when I first started using Splunk, we used it in a NOC and we used it for system failures, or knowing when something's down, and it was really good at that. You can throw so much data at it and it's going to show you great trends and everything. So Splunk is great for that. It's just more than Splunk.
Yes, like so many other companies, use it for different things. Under the terms of the deal, Cisco is paying a hefty premium of $157 per share. When you consider that the 52-week low was $65 a share and it has hovered in the high 80s and low 90s much of this year, that's a big bump for Splunk stockholders and suggests there may have been some competition for the locking John. The company's most recent market cap sits at just over $20 billion. As you expect, chief executives from both companies were beaming over the deal, with Cisco CEO and board chair Chuck Robbins pointing out the AI angle in this deal, because these days there always needs to be an AI angle, in this case with a strong focus on cybersecurity: our combined capabilities will drive the next generation of AI-enabled security and observability, from threat detection and response to threat prediction and prevention, which will help make organizations of all sizes more secure and resilient. Meanwhile, Splunk president and CEO Gary Steele was gushing about the possibilities of the combined companies. Uniting with Cisco represents the next phase of Splunk's growth journey, accelerating our mission to help organizations worldwide become more resilient. Yada, yada, yada. Let's see if we got anything else interesting in here. So Ray Wang, founder and principal analyst at Constellation Research, agrees that the companies have the potential to fit well together. This is about natural synergy when you can handle threat detection and security with AI and observability, Wang told TechCrunch. Customers get better network security, while Splunk is a key home and Cisco has a better story that draws AI valuations. So Cisco network telemetry in the Splunk observability platform will give customers a huge view of data, he said. Let's see.
Both company boards have already approved the deal, but it will have to pass regulatory muster, not a given considering the intense scrutiny these kinds of deals are facing across the world. The companies believe, if all goes well, the deal will close sometime in the third quarter, and Splunk has been, for the most part, for most companies that use it, a superb product. I believe Splunk's been in business for 20 years or something now, and we've seen different companies buy these products and they're not the same anymore. For example, Splunk actually bought their SOAR platform, Phantom it used to be called. I forgot who actually owned it first, but they bought Phantom and I believe I've seen Reddit threads that say Phantom's not as good as it was when they first bought it. I believe Palo Alto bought Cortex XSOAR from someone just because it makes more sense to acquire it than to build it in-house. We've seen companies merge and try to change things and they're not the same either. So I'm interested to see what comes of this. They say that if it goes through the regulatory process and gets approved everywhere, then the acquisition happens like the third quarter of next year. So people at Splunk still have time. Like I said, that is good for the Splunk stockholders. Or listen, if you can buy some Splunk stock now, go ahead, because if it sells for 157 a share you're gonna make out pretty good. So I would say, try to do that. I'm not an investment guy but that still makes sense to me. But the next thing I wanna talk about is we're gonna talk about some ransomware today. We're gonna catch back up on MGM stuff, but I also wanna talk about the City of Dallas. Now the City of Dallas was hit by, I believe, Royal ransomware and we're gonna talk about how they found out they were struck. So let's get into that part of the video. Dallas said Royal ransomware breached its network using a stolen account. Let's see what the stolen account was.
The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account. Royal gained access to the city's network using the stolen domain service account in early April and maintained access to the compromised systems between April 7th and May 4th. All right, so here's one of the things. I've said this plenty of times. It's gonna be a broken record, but number one, I'm gonna get more into the article pretty soon. But this is why you have to assume that somebody's possibly already in your network, because they're already in the network and all they have is time, and they had this stolen domain account and I'm just wondering how did this happen? During this period, they successfully collected and exfiltrated 1.169 terabytes worth of files based on system log data analysis conducted by city officials and external cybersecurity experts. The gang also prepared the ransomware deployment phase by dropping Cobalt Strike command and control beacons across the city systems. At 2 am on May 3rd, Royal started deploying the ransomware payloads using legitimate Microsoft administration tools to encrypt servers. That's crazy. Now I wonder if the City of Dallas has whatever security team or security operations team, is it in-house? Is it outsourced? For example, when I was at McAfee, our red team was doing some penetration tests and they wanted to see if we caught it. We did catch it, so we caught it like way before they even said it. They tried to act like they did something, so that we saw them like a week before downloading Cobalt Strike and getting ready to implement it, but we didn't have any communication on stopping it. They should have just let us say we got you. We caught you, because a couple weeks after that we did come to the tabletop where our systems were down. However, we saw the threat already. So it's gonna be like, do better next time.
But I wonder in this case what happened with the City of Dallas? After detecting the attack, the city initiated mitigation efforts, taking high priority services or servers offline to impede Royal's progress. Simultaneously, it started service restoration efforts with the help of teams of internal and external cybersecurity experts. The process of restoring all services took six, over five weeks, from May 9th when the financial server was reviewed, I'm sorry, when the financial server was revived, to June 13th, when the last server affected by the attack, the Waste Management server, was restored. The city reported to the Texas OAG that personal information of 26,212 Texas residents and a total of 30,253 individuals was potentially exposed due to the attack, the city said in the post mortem published this week, man. The OAG's website indicates that personal information such as name, address and social security information, health information, health insurance information and other such information was exposed by Royal. So far, the Dallas City Council has set a budget of 8.5 million for ransomware. Dallas is the fourth largest metropolitan area and the ninth largest city in the United States, with a population of roughly 2.6 million people. This is a lot. Dallas, like I said, Dallas has like a lot of money to pay these people and this is one of the reasons why people don't like to work for the city or something like that. Like systems are old, nothing is updated. You run into issues like this. Now the people who possibly got their information out there, I wonder what's going to be offered to them? Some type of settlement, free credit monitoring? You got to do something, because I really wish I knew who works there and see, like actually, like this is summarizing. I want to know how it happened. I want to know these people. Anybody ring the bell or they just not really doing much?
Local media first reported that the city's police communications IT system was shut down Monday morning, May 3rd, because of a suspected ransomware attack. You know how crazy it is like if police can't communicate because of a ransomware attack. That's why I always tell people like things that come over in cyber can actually affect real life and why you should take your job seriously. That's one of the reasons why I said, matter of fact, look, I have to wake y'all up real quick. But not only that. We saw the MGM people can't do their real job, even us. We have things going on for, if we were ever struck by this, how we will communicate outside of our typical company communications. So you got to plan for all that kind of stuff. Sometimes this stuff is just actually more strategic in planning and just the processes that you got put in place to be able to navigate things like this. Let's see if I'm going to read a little bit more. Okay, Wednesday morning, the city's security monitoring tools notified our security operations center that a likely ransomware attack had been launched within our environment. Subsequently, the city has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department website, the City of Dallas explained in a statement issued on May 3rd. Let's see. I'm going to try to get something else. Network printers on the City of Dallas network began printing out ransom notes the morning of the incident, allowing BleepingComputer to confirm that the Royal ransomware gang was behind the attack, after a picture of the notes was shared with us. That's crazy. Hello, if you're reading this, it means that your systems were hit by Royal ransomware. Please contact us via. In the meantime, let us explain this case. It may seem complicated, but it's not. Most likely what happened was that you decided to save some money on your security.
Alas, as a result, your critical data was not only encrypted, but also copied. From there it could be published online. Then anyone on the internet from darknet, and even your employees, will be able to see your internal documentation, personal data. Fortunately, we got you covered. Royal offers you a unique deal for them, man. That's crazy, man. Imagine somebody taking something of yours and then trying to negotiate with you. Say, hey, don't worry about it though. You just give me this money and everything will be okay. That's crazy. That's crazy. That is ridiculous. Royal ransomware gang is believed to be an offshoot of the Conti cybercrime gang, gaining prominence after Conti shut down operations. Let's see. Okay, okay, that's the rest of that. Yeah, so that's crazy. I'm a little spicy to them when they deliver the message, talking about like y'all decided to skip costs and be cheap. I know for a fact that they are definitely being cheap, because how does somebody get a stolen domain account? How does that happen? That's why I want to know a little bit more. Like it seemed like the attack, of course they set it up perfectly. Attackers not gonna make a lot of noise when they in the environment. This is if somebody was in a really big house and they broke into your house. They're not, if they're experienced, they're not trying to go through pots and pans to make noise. No, they hiding out. They probably scoped out your house for a while and they know hiding spots. They know your blind spots, stairs, different vantage points they're using. They might be in the attic. They may wait every day. I think this is on a movie or something. But they may wait every day till the kids go to school and you go to work. So then they around your house, walk, oh okay, I found a safe in the closet. Every day they may just try to figure out if they can crack that safe.
And they're gonna figure out different tools and eventually they're gonna do one of two things, crack it or bring some men to get it. And then, you know, imagine them breaking the safe, taking whatever value was in there. They ain't calling you. Hey, see, you decided not to have good security in this house. You know, because you can have it with the infrared sensors and all the other good stuff, motion detection, the windows, all the good stuff. So, hey, you know, you decided not to have this stuff in your house. So I got all your stuff in your safe, but if you give me a 5% cut of the stuff in the safe, I get the money back to you. That's how this sounds. So for one, and this is why we talk about it, shout out to my guy Marcus Wells and JK Swopes: identity and access management. A stolen domain account. Who in the City of Dallas is properly auditing these accounts and seeing what they're used for and how much access that they have and their activity on the account? What type of ticketing system are they using? Do they have any different change tickets? Because any time you see a server or somebody using a service name, with a weird name, to do some activity, it should be notified in your SIEM environment. They say, hmm, what is this? That's what we do. We'll see something. A service account or something is doing some alerts. We can say, okay, this is the automatic test. We see this happen every day at five o'clock. We know this is legitimate, they have a change ticket and we talk to the server team. But sometimes you look at it and say, hmm, this is a one-off, what are they doing? What are the processes that are running on the server? Then you like, a lot of these tags are mapped to MITRE. So you start looking into that. That's one part of it. But then you just looking at, like I said, the data. You start really looking at it. I'm saying, hmm, this is not adding up, let me go reach out to whoever's supposed to own this server.
And they say, oh, this was supposed to be decommissioned. Like, you put in tickets for like servers to be decommissioned. So let's say it didn't get decommissioned. So did they do that? Did they, like I said, did they verify, like whoever's supposed to own it, what was going on with this account? There are a lot of questions that they're gonna have to write up internally, but I know for a fact it's mostly because cities skip out on paying money for stuff like this. So now I'm gonna tell you, if you're in the Dallas area, they're gonna be looking to hire people that got experience. Listen, hit them over the head and get them for everything they got, because we already know for city jobs like this, they're gonna try to make you come into the office, so get your money, because I can tell you right now this is not gonna be an easy job to do. It's always hard to come in after the terminal has set in. So that's what I pretty much tell you for the City of Dallas, pretty much getting hit by Royal ransomware. This video is being brought to you by CourseCareers. What's going on? Guys, if you're looking to start your IT career, then check out the IT course at CourseCareers, taught by none other than the great Josh Madakor. Pretty sure you heard of him, but we all know that it could be pretty pricey in IT and this course is very affordable. And also, if you don't want to pay back those two loans like I have to, then this is the course for you. So check out the CourseCareers course. My link will be in the description. Use code Techtual50 in order to get $50 off your course and get started on your IT career today. Last week, you know, we talked about the MGM hack again, but this week we want to talk about kind of a little bit more in depth on what happened and how they were able to get access, outside of just social engineering, to MGM Resorts. Power, influence, notoriety: the Gen Z hackers who struck MGM and Caesars, let's get it. So.
About a year ago, the US security firm Palo Alto Networks began to hear from a flurry of companies that had been hacked in ways that weren't the norm for cybercriminals. Native English speaking hackers would call up a target company's information technology help desk, why does she want to say help desk, posing as an employee and seek login details while pretending to have lost theirs. They had all the employee information needed to sound convincing, and once they got access, they quickly found their way into the company's most sensitive repositories in search of data for extortion. So my question is, what information of the employees did they have? Because they could not have the employee ID, unless, I don't know, either they social engineered the employee through their personal information and got them like that and that's how they got the employee ID to reach and change their password. That's the only other, that's the only way I could think of. Or they social engineered the employee through phishing, got their credentials, then used social engineering to get the IT help desk. So if that's what happened, which seems a little bit more plausible than just saying they had kind of all the information outside of things you need to actually confirm and identify yourself. That's why phishing is like, people spend so much money on just preventing phishing. That's right, right there. Ransomware attacks are not new, but this group was extraordinarily skilled at social engineering and bypassing multi-factor authentication, said Wendi Whitmore. Let's see. They are much more sophisticated than many cyber criminal actors. They appear to be disciplined and organized in their attacks, she said, and that's something we typically see more frequently with nation state actors versus cyber criminals. Known in the security industry variously as Scattered Spider, Muddled Libra and UNC3944.
These hackers were thrust into the limelight earlier this month for breaching the systems of two of the world's largest gambling companies, MGM Resorts and Caesars Entertainment. Behind the scenes, it has hit many more companies, according to analysts tracking the intrusions, and cybersecurity experts expect the attacks to continue. The FBI is investigating the MGM and Caesars breaches and the companies did not comment on who may be behind them. From Canada to Japan, the security firm CrowdStrike has tracked 52 attacks globally by the group since March 2022. Google-owned firm Mandiant has logged more than 100 intrusions by it in the last few years. Let's see what this is. The Scattered Spiders seem to be everywhere. The scope of their intrusions since March 2022, as depicted, is pretty broad. They use social engineering, living off the land and RMM tools before deploying ransomware or conducting extortion. So it seems like, and I'm not going to zoom in on this thing, but I feel like they haven't really attacked Africa yet, or maybe down here they did, so let's keep right there. Nearly every industry, from telecommunications to finance, hospitality and media, has been hit. They are not able to determine how much money the hackers have made, but it's not just the scale of the breadth of attacks that makes this group stand out. They're extremely good at what they do and ruthless in their interactions with victims. The speed at which they breach and exfiltrate data from company systems can overwhelm security response teams, and they have left threatening notes for staff of the victim organizations on their systems and contacted them by text and email in the past. In some cases, Mandiant did not say which ones, hackers tied to Scattered Spider placed bogus emergency calls to summon heavily armed police units to the homes of executives at target companies. That's crazy, bro. Like this is stuff you actually see on TV shows. Literally, it is like, this is crazy.
This technique is called swatting. It's something that's only dreadful to live through as a victim, he said. I don't even think these intrusions are about money, I think they're about power, influence, notoriety. That makes it harder to respond to. All right, so let's get into this. There's little detail on Scattered Spider's location or identity. Based on the criminals' chats with victims and clues gleaned from breach investigations, CrowdStrike's Meyers said they are largely 17 to 22 year olds. Mandiant estimates they're mainly from Western countries, but it's unclear how many people are involved. Now look, security companies, get this under control. Y'all want people to have five years for entry level jobs. Meanwhile these dudes still going through puberty, breaching the systems. The math is not mathing, and I honestly think that these people saying, you know what, they're not going to hire me anyway. I'm going to be a criminal. I'm going to show you I know how to do this and I'm going to get paid. So take off all the years of experience. I know it's a business. You want people to go to school and get these certifications. That's cool. These people might not get the certifications, but they still better than the team that you got. And there's some people that's probably better than the people on your team right now that you have not hired because you think they don't have the skill set or experience to do the job. But they do. But they do. Okay, all right. So that's how I feel about that. Before calling help desks, the hackers acquire employee information, including passwords, by social engineering, especially SIM swapping, a technique where they trick a telecom company's customer service representative to reassign a specific phone number from one device to another. Ah, okay, all right, now we're getting somewhere. So it's not as simple as it seemed.
They also appear to make efforts to study how large organizations work, including their vendors and contractors, to find individuals with privileged access they can target, according to analysts. This is what I told y'all last week: the attackers have time. All they got to do is sit back and watch who's working on what, who's talking too much, who said I'm on this new project with so and so company. That's all they have to do. That's literally all they do, and sit back in the cut and they just watch it. Let's keep on going. That's something David Bradbury, Chief Security Officer of the identity management firm Okta, saw first hand last month, when he discovered multiple Okta customers, including MGM, breached by Scattered Spider. Okta provides identity services such as multi-factor authentication used to help users securely access online applications. The threat actors have clearly taken our courses that we provide online, they clearly studied our product and how it works. This is the stuff we haven't seen before. A larger group named ALPHV said last week it was behind the MGM hack, and analysts believe it provided the software and attack tools for the operation to be carried out by Scattered Spider. Okay, this is some good stuff. Let me see if I can find something interesting. While many ransomware attacks go unpublicized, the MGM hack was a vivid example of the real world implications of such incidents. It caused chaos in Las Vegas as gaming machines stalled and hotel systems were disrupted.
Ransomware gangs often function like large organizations that continue to evolve their methods to adapt to the latest security measures organizations use. In some ways, this is just like the age-old game of cat and mouse, said Whitmore, who compares Scattered Spider to Lapsus$, another group behind previous hacks on Okta and the technology giant Microsoft. So after reading that article, I actually see that they are way more sophisticated than the reports initially made it seem. So in instances like that, looking for vendors or clients that they work with, maybe this person was a contractor, so it's a little bit more lax when they get their password reset, or have other information they need to verify them, like they said, through SIM swapping. So this goes actually, this is actually not only just on MGM, but also telecom companies, because how are you really not verifying who these people are, to be so convinced that, hey, I need to switch this SIM out and do some swapping, get this information from this person without them even knowing? So these are going to be bigger lawsuits on hand for everybody. So I would love to see how these things unfold, because now we're catching up, but by the time we catch up, they're going to be using a different tactic, and that's the sucky part of what happens when trying to find out how attackers are getting access to your system. So this just shows why every time you get those security awareness trainings, you need to take them seriously. Now, I know sometimes they're outdated, so that's the sucky part. So if you can get good security awareness training that's engaging, I think that's perfect. I think that's perfect. Also, just to leave some last notes for the job searchers out there, like I said, be diligent, do your research, and when I say research, even research on the jobs you're applying to, try to understand what they're actually looking for.
If you can understand what the job's about before you even get to the interview, you have a better chance of succeeding in the interview versus not really understanding the job title at all and trying to get the information from the recruiter, and it can lead you to not doing well in the interview. So take your chances in understanding those functions of the job. Also, if you need help with your resume or networking or all of the above, man, you know I do coaching. I got you. Check out my latest testimonials that are on my website now. You can check it out at techtualconsulting.com and you'll just see that these are real people. Like, one of my most recent ones is a client we worked together for most of this year, and it wasn't a whole year, but he had a construction background and now he is about to be a junior cloud engineer, and I told him when we started working, I said, hey, this is not going to be easy but it'll be worth it. And that's what I would tell everybody that comes to work with me. It's not going to be easy, but it'll be worth it. But that's what I had to leave you with today. Also, man, Broncos Country, let's ride, ah, man. But if you enjoyed this video, y'all know what to do. Man, get at me on LinkedIn, Instagram, TikTok, X. I'm on all my socials, man, but it's your boy HD. And, like I always say, let's stay techtual and we out. Peace.
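The Dallas discussion above makes a detection point that is easy to state and easy to skip: a domain service account doing work nobody put a change ticket in for, or an account that was supposed to be decommissioned but is still logging on, should surface in the SIEM and get a human to ask who owns it. The script below is an added example written for this page, not code from the podcast, the City of Dallas or any vendor. Every account name, host, ticket and timestamp in it is constructed; the three triage rules (activity outside an approved daily change window, activity from an account on the decommission list, and a service account used for an interactive logon) are the editor's reading of the host's advice, not a published standard.

```python
"""Triage service-account activity against change records and a decommission list.

Added example for this page (not the podcast's or any vendor's code).
All accounts, hosts, tickets and timestamps below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time

# Logon types a non-human service account normally never needs.
INTERACTIVE = {"interactive_logon", "rdp_logon"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    host: str
    action: str


@dataclass(frozen=True)
class ChangeTicket:
    """An approved recurring window: this account may act on this host daily between start and end."""
    ticket_id: str
    account: str
    host: str
    start: time
    end: time

    def covers(self, ev: Event) -> bool:
        return (ev.account == self.account and ev.host == self.host
                and self.start <= ev.ts.time() <= self.end)


@dataclass
class Finding:
    event: Event
    reasons: list = field(default_factory=list)


def triage(events, tickets, decommissioned):
    """Return one Finding per event that needs an owner to explain it."""
    findings = []
    for ev in events:
        reasons = []
        if ev.account in decommissioned:
            reasons.append("account is on the decommission list but still active")
        if ev.action in INTERACTIVE:
            reasons.append("service account used for an interactive logon")
        if not any(t.covers(ev) for t in tickets):
            reasons.append("no change ticket covers this host and time window")
        if reasons:
            findings.append(Finding(ev, reasons))
    return findings


# Constructed change record: the "automatic test every day at five o'clock" case.
TICKETS = [
    ChangeTicket("CHG-1001", "svc-nightly-test", "app01", time(17, 0), time(17, 30)),
]

# Constructed decommission list (hypothetical account name).
DECOMMISSIONED = {"svc-legacy-backup"}

# Constructed events: one expected, one off-window one-off, one dead account, one interactive logon.
EVENTS = [
    Event(datetime(2023, 4, 7, 17, 5), "svc-nightly-test", "app01", "process_start"),
    Event(datetime(2023, 4, 7, 2, 13), "svc-nightly-test", "app01", "process_start"),
    Event(datetime(2023, 4, 8, 3, 40), "svc-legacy-backup", "fileserver02", "network_logon"),
    Event(datetime(2023, 4, 8, 4, 2), "svc-sql-agent", "dc01", "interactive_logon"),
]


def triage_report():
    """Run the rules over the constructed data; the 17:05 event is covered and produces nothing."""
    return triage(EVENTS, TICKETS, DECOMMISSIONED)


if __name__ == "__main__":
    for f in triage_report():
        print(f"{f.event.ts:%Y-%m-%d %H:%M} {f.event.account}@{f.event.host} {f.event.action}")
        for r in f.reasons:
            print(f"    - {r}")
```

The covered 17:05 event is the "we see this every day at five o'clock, they have a change ticket" case and is deliberately silent; the 02:13 run of the same account on the same host is the one-off the host describes, and the remaining two are the questions an analyst would take to the server team.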