
On high alert: the relentless fight against cybercrime
Following the recent ransomware attack on Nigerian operator Bet9ja, EGR Intel delves into the digital criminal underworld to discover why the gambling sector is such a lucrative target

As the pace of digitalisation has continued to accelerate, in part because of Covid-19 lockdowns and the shift to home working, more businesses are being subjected to cyber-attacks.
According to data from Check Point Research published in January 2022, cyber-attacks reached an all-time high in Q4 2021, jumping to 925 a week per organisation. The study also found there were 50% more attack attempts per week on corporate networks globally in 2021 compared with 2020. Published the same month, an annual survey from Cloudflare found gaming/gambling was the second most targeted industry by application-layer distributed denial of service (DDoS) attacks in Q4 2021.
Andy Jenkinson, group CEO at Cybersec Innovation Partners, says that while there is no financial gain from a DDoS attack, it is an inconvenience and imposes a cost on the company affected. He suggests such attacks could be launched by a competitor and that “you must never rule out espionage”.
A DDoS attack can also act as a precursor to extortion. If a gambling company was knocked offline for three days by a DDoS attack, the next time somebody threatens the same, with or without ransomware alongside it, the operator is likely to be more receptive to the demand.
The latest gambling operator (that we know of) to fall victim to cybercrime is Nigerian bookmaker Bet9ja, which suffered a ransomware attack in April 2022. The bookmaker was hit by the Russian-linked BlackCat ransomware group (also known as ALPHV), which reportedly demanded NGN141bn (£260m) for the operator to regain control of its betting site.
Bet9ja did not respond to EGR Intel's requests for comment, but at the time of the incident the operator released a statement saying it was working with its IT team, independent forensics and cybercrime experts to resolve the issue. It also assured customers their funds were safe and that accounts had not been compromised.
Managed security service provider SecurityHQ has observed a concerted effort by Russian-associated adversaries against gambling and gaming companies on a global scale. These attacks are predominantly financially motivated, with account takeover and ransomware the key techniques used to extort victims.
In the case of Bet9ja, and of every other gambling company, having your data backed up is essential. But a single back-up is not enough; multiple back-ups need to be in place. Former Microgaming executive Kurt Schrauwen, who is a director at Riela Cyber based in the Isle of Man, explains why: “When a hacker goes in, gets permissions and encrypts all the data, they’re going to delete all the back-ups and make sure you can’t recover them. You’ve got to have offline back-ups that aren’t accessible by a threat actor.
“I don’t know whether Bet9ja paid the ransomware or restored the data. It’s more likely they restored the data because if it’s encrypted, when you get the data back it’s not in the same original structure. It’s basically a mess of files. We’ve seen a company who paid ransomware take up to a year to recover and get back to full operation. While companies that restore tend to get back online within two to three days,” he asserts.
However, Jenkinson argues that stopping the event from happening in the first place is more important than back-ups. “The top five gaming companies have suffered cyber-attacks, not because they were sophisticated but because they were exposed and exploitable. So, a cybercriminal has identified open-source intelligence that exposes the exploitable positions,” he remarks.
Jenkinson is not afraid to hammer home the point that insecure domain name system (DNS) positions pose a huge risk. “The first thing I would teach anyone is to make sure they are familiar with internet-facing security, including public key infrastructure, which covers digital certificates and encrypted keys, as well as domain name systems. These are the biggest areas that are exploited.”
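As an added example of the kind of internet-facing check Jenkinson is pointing at (this is not code from the article or from Cybersec Innovation Partners), the script below audits a constructed DNS record set for the exposures an external scanner reports first: no CAA record restricting which certificate authorities may issue for the domain, a permissive SPF `+all`, a DMARC policy of `p=none`, and a CNAME pointing at a name that no longer resolves, the classic subdomain-takeover setup. The zone, the domain `example-bets.test` and the `RESOLVABLE` set standing in for live DNS lookups are all assumptions made for the example.

```python
"""Offline DNS hygiene audit over a constructed zone (added example, not the article's code)."""
import re

# Constructed zone for a hypothetical operator; every name and record here is an
# assumption made for the example, not data about any real company.
ZONE = {
    "example-bets.test": {
        "CAA": [],                                                  # no issuance restriction
        "TXT": ["v=spf1 include:_spf.example-mail.test +all"],     # +all: anyone may send as us
    },
    "_dmarc.example-bets.test": {
        "TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@example-bets.test"],
    },
    "promo.example-bets.test": {
        "CNAME": ["old-campaign.storage.example-cloud.test"],      # decommissioned bucket
    },
    "www.example-bets.test": {
        "CNAME": ["edge.example-cdn.test"],
    },
}
# Stand-in for live resolution: a real scanner would look each CNAME target up.
RESOLVABLE = {"edge.example-cdn.test"}


def records(zone, name, rtype):
    return zone.get(name, {}).get(rtype, [])


def check_caa(zone, apex):
    """Without CAA, any public CA will issue for the domain if an attacker passes validation."""
    if not records(zone, apex, "CAA"):
        return [("high", apex, "CAA_MISSING", "any public CA may issue certificates for this domain")]
    return []


def check_spf(zone, apex):
    spf = [t for t in records(zone, apex, "TXT") if t.lower().startswith("v=spf1")]
    if not spf:
        return [("medium", apex, "SPF_MISSING", "no SPF record; mail can be spoofed from this domain")]
    findings = []
    for record in spf:
        for token in record.split()[1:]:
            # 'all' with no qualifier means '+all'; '?all' (neutral) is effectively as permissive.
            m = re.fullmatch(r"([+\-~?])?all", token, re.IGNORECASE)
            if m and (m.group(1) or "+") in ("+", "?"):
                findings.append(("high", apex, "SPF_PERMISSIVE", f"'{token}' lets any host send as {apex}"))
    return findings


def check_dmarc(zone, apex):
    txt = [t for t in records(zone, f"_dmarc.{apex}", "TXT") if t.lower().startswith("v=dmarc1")]
    if not txt:
        return [("medium", apex, "DMARC_MISSING", "no DMARC policy published")]
    tags = dict(kv.strip().split("=", 1) for kv in txt[0].split(";") if "=" in kv)
    if tags.get("p", "none").lower() == "none":
        return [("medium", apex, "DMARC_NONE", "p=none: spoofed mail is reported but still delivered")]
    return []


def check_dangling_cnames(zone, resolvable):
    """A CNAME to a name nobody owns any more can often be re-registered by an attacker."""
    findings = []
    for name, rrsets in zone.items():
        for target in rrsets.get("CNAME", []):
            if target not in resolvable:
                findings.append(("high", name, "DANGLING_CNAME",
                                 f"points at {target}, which no longer resolves; takeover candidate"))
    return findings


def audit(zone, apex, resolvable):
    """Return (severity, name, code, detail) tuples for every finding."""
    findings = []
    findings += check_caa(zone, apex)
    findings += check_spf(zone, apex)
    findings += check_dmarc(zone, apex)
    findings += check_dangling_cnames(zone, resolvable)
    return findings


if __name__ == "__main__":
    for severity, name, code, detail in audit(ZONE, "example-bets.test", RESOLVABLE):
        print(f"[{severity.upper():6}] {name}: {code}: {detail}")
```

Run as-is it reports four findings. Against a real zone, `RESOLVABLE` would be replaced by actually resolving each CNAME target, and the certificate half of Jenkinson's point (expiring certificates, forgotten hostnames visible in certificate transparency logs) needs its own pass.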
Home alone
People working from home during the pandemic created a host of security issues for businesses, with staff using company laptops outside the protection of the corporate firewall. In addition, data from the Crime Survey for England and Wales showed physical crime such as domestic burglary fell 33% in the 12 months to March 2021 as more people stayed at home, pushing criminals towards digital law-breaking instead.
Continent 8 Technologies’ cybersecurity director, Leon Allen, says the uptick in cyber-attacks during the pandemic fuelled a further rise in attacks as criminals saw specific types of cybercrime were effective in making money, such as ransomware. Allen isn’t surprised gambling sites are being attacked as they are a lucrative target, holding data from some very high-net-worth individuals.
Cyber-attacks are also used to damage reputations, playing on the fact that these companies hold a lot of sensitive data they do not want exposed. “Gambling sites are so heavily built on reputation. They know their customers are easily swayed to go to another site. Imagine if they were the victims of a cyber-attack. They’re going to lose a lot of customers from that,” he adds.
Schrauwen acknowledges that cyber-attacks are becoming more frequent but mostly go unreported due to the risk to reputation. “We’re seeing far more frequent ransomware attacks because it’s become so much cheaper for hackers or threat actors to get into operators’ networks. The attack frequency has increased from around every 25-30 seconds down to about every 12 seconds. That’s increased from 2019,” he explains.
Schrauwen also disclosed that one of the big five gaming companies had a compromise in 2021, which went unreported as it was considered a minor incident. “You won’t read about it. You won’t find out about it because there’s no need. They were able to resolve it because it was picked up and the actual damage was minor. It would go unreported because the reputational damage would be far worse if it got out,” he tells EGR Intel.
In terms of risk to customer data, Riela Cyber’s director explains that it is unlikely a threat actor would ever get hold of payment details due to the layers of security around processing credit card information and the data would not be stored in a place where it could be accessed. Instead, it is more likely that player logins or emails would be accessed.
Hack attack
Bet9ja is not alone within the gambling sector in being targeted by hackers, though. In 2016, William Hill’s websites were hit by a DDoS attack, while in March 2020 SBTech suffered a cyber-attack that left its clients without consumer-facing websites for over 72 hours.
In the case of the DDoS attack on Hills’ websites, the operator experienced smaller probing attacks three or four days before the main attack. Steve Bond, who worked in a variety of security positions at the bookmaker for over 15 years, tells EGR Intel that the operator had previously experienced a run of 15 DDoS attacks in a row, before the large cyber offensive in 2016, but those had caused no business impact.
Bond, who currently works as head of cybersecurity and risk at N Brown Group, says he had never seen anything like the magnitude of the 2016 security incident. “All the operators, certainly in the UK, share information about DDoS attacks because we face the same people, can help each other and be better prepared for the next time. Nobody else saw an attack like this and we were still seeing attack traffic for seven weeks afterwards. I’ve never seen anything like it,” he recalls.
Service to the production website was restored after 36 hours but there was still disruption within the business such as bringing test environments back up, as well as some staff being unable to work as the systems they used weren’t available. Bond adds: “I think it was about two weeks before we got back to a sense of normality. And even though we had mitigations in place, it was 49 days in total that we saw the attack last for.”
The security incident unearthed some weaknesses in William Hill’s DDoS-prevention provider and after assessing alternative options available within the gambling sector, the operator couldn’t find a solution that met its requirements. So, it ended up building its own mitigation platform in Amazon Web Services in early 2017.
“Effectively, we pushed our protected perimeter wall up to Amazon. We used their DDoS mitigation service combined with the web application firewalls that we had on-premise and we built this perimeter up there. It was quite innovative at the time,” says Bond. Once that was built and implemented, it “killed off the DDoS threat”.
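To make the traffic signal in the William Hill account concrete, here is an added example (not code from the article, from William Hill or from any vendor named on this page) that runs two simple rules over constructed access-log lines: per-source request rate in a 10-second window, which yields a candidate block list, and site-wide totals against the median window, which picks up a surge even when it is spread across many sources, as with the smaller probing runs Bond describes. The log lines are constructed, the addresses come from the documentation ranges, and the window size and thresholds are assumptions.

```python
"""Rate-based DDoS signals over constructed web access logs (added example, not the article's code)."""
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Common Log Format; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, epoch_seconds, path, status), or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = int(datetime.strptime(m["ts"], TS_FMT).timestamp())
    return m["ip"], ts, m["path"], int(m["status"])


def build_sample_log():
    """Constructed traffic: a few ordinary requests plus two sources flooding /login.
    Addresses are from the RFC 5737 documentation ranges, not real clients."""
    minute = "12/Apr/2022:10:00"
    lines = [
        f'198.51.100.7 - - [{minute}:01 +0000] "GET /sports HTTP/1.1" 200 5120',
        f'192.0.2.33 - - [{minute}:02 +0000] "GET /casino HTTP/1.1" 200 7300',
        f'198.51.100.7 - - [{minute}:14 +0000] "POST /bet HTTP/1.1" 200 310',
        f'192.0.2.33 - - [{minute}:21 +0000] "GET /login HTTP/1.1" 200 2048',
        "garbage line that the parser must skip",
    ]
    # 80 requests inside seconds :00-:09 from one source, 30 inside :10-:19 from another
    lines += [f'203.0.113.50 - - [{minute}:{i % 10:02d} +0000] "POST /login HTTP/1.1" 503 0'
              for i in range(80)]
    lines += [f'203.0.113.51 - - [{minute}:{10 + i % 10:02d} +0000] "GET /login HTTP/1.1" 503 0'
              for i in range(30)]
    return lines


def requests_per_window(lines, window_s=10):
    """Count requests per (source, window), where window = epoch // window_s."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, _, _ = parsed
            counts[(ip, ts // window_s)] += 1
    return counts


def flag_sources(lines, window_s=10, threshold=50):
    """Sources whose rate in any window reached the threshold: a candidate block list,
    not a verdict, since NAT gateways and CDN egress share addresses with real users."""
    peaks = {}
    for (ip, _), n in requests_per_window(lines, window_s).items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def surge_windows(lines, window_s=10, factor=2.0):
    """Windows whose total traffic is at least factor x the median window: the site-wide
    signal that a probing run or the main attack has begun, however many sources send it."""
    totals = Counter()
    for (_, window), n in requests_per_window(lines, window_s).items():
        totals[window] += n
    baseline = median(totals.values())
    return {w * window_s: n for w, n in sorted(totals.items()) if n >= factor * baseline}


if __name__ == "__main__":
    log = build_sample_log()
    print("candidate block list:", flag_sources(log))
    print("surge windows (epoch start -> requests):", surge_windows(log))
```

A mitigation platform of the kind Bond describes does this at the network edge on sampled flow data rather than on origin access logs, and the useful threshold is whatever sits well above the site's own measured baseline; the rules are the same.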
A way in
As operators work with multiple suppliers, whether it be a payment processor, affiliate or sportsbook platform provider, making sure all parts of the supply chain are secure is paramount. Allen explains: “The biggest reason why gambling is so at risk of this is because of that interconnectivity. Every single one of those suppliers is programmatically integrated to one another. It only takes one weak link to be attacked and then that attack can spread through. That’s why it’s so dangerous in this industry.”
His advice is to treat all suppliers with the same level of diligence as if they were directly part of your business. “Request to see their security strategy and ensure it meets the same standards as your core business,” he advises.
Jenkinson agrees the third-party supply chain risk is alive and kicking. “If nobody’s doing any risk assessment or management and control of the security capabilities and position, then it’s a free for all. It’s literally like taking candy from a baby,” he says.
Building a defence
While cyber-attacks used to be opportunistic, Schrauwen says this has shifted to crippling a business through ransomware by encrypting the data. He emphasises the point that having a firewall is simply not enough. That acts as your basic perimeter defence. “If you don’t have monitoring in place, if you don’t have the ability to detect intrusions, they will find a way into your network,” he warns.
In today’s world, humans are the weakest link, Schrauwen asserts. All it takes is for an employee to click on a suspicious link on social media or in an email and it opens a gateway for hackers into an organisation’s network. The way hackers penetrate networks is by getting in at a low level, then waiting and listening. Next, they try to elevate their permissions by engineering a situation in which an IT employee logs in as an administrator to resolve a problem. Once the hacker has captured the admin login details, they can access the whole environment.
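The escalation step Schrauwen describes has a detectable footprint. As an added example (not code from the article or from Microgaming), the rule below runs over constructed Windows Security events and flags any logon that (a) was granted special privileges (a 4672 event sharing the logon ID of the 4624), (b) used a logon type that leaves reusable credentials in memory on the target host (interactive, RDP, cached interactive), and (c) landed on a workstation rather than a server. The `WS-`/`SRV-` naming convention, the account names and the event values are assumptions made for the example.

```python
"""Flag privileged credential-exposing logons to workstations (added example, not the article's code)."""
from collections import defaultdict

# Logon types that leave reusable credentials (NT hash / Kerberos TGT) in LSASS on the
# target host: 2 Interactive, 10 RemoteInteractive (RDP), 11 CachedInteractive.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 10, 11}


def is_workstation(host):
    """Naming convention assumed for the example: workstations WS-*, servers SRV-*."""
    return host.upper().startswith("WS-")


# Constructed events, using the field names from the 4624/4672 event payloads.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "WS-017", "TargetUserName": "j.smith",
     "TargetLogonId": "0x3e7a1", "LogonType": 2, "IpAddress": "-"},
    # Admin RDPs to a domain controller: privileged, but on a server where it belongs.
    {"EventID": 4624, "Computer": "SRV-DC01", "TargetUserName": "helpdesk-adm",
     "TargetLogonId": "0x5c10f", "LogonType": 10, "IpAddress": "10.20.1.5"},
    {"EventID": 4672, "Computer": "SRV-DC01", "SubjectUserName": "helpdesk-adm",
     "SubjectLogonId": "0x5c10f"},
    # The scenario in the text: the admin RDPs to a user's workstation to fix a problem.
    {"EventID": 4624, "Computer": "WS-017", "TargetUserName": "helpdesk-adm",
     "TargetLogonId": "0x71b2c", "LogonType": 10, "IpAddress": "10.20.1.5"},
    {"EventID": 4672, "Computer": "WS-017", "SubjectUserName": "helpdesk-adm",
     "SubjectLogonId": "0x71b2c"},
    # Network logon (type 3) by the same admin: no credentials are cached on the target.
    {"EventID": 4624, "Computer": "WS-022", "TargetUserName": "helpdesk-adm",
     "TargetLogonId": "0x80001", "LogonType": 3, "IpAddress": "10.20.1.5"},
    {"EventID": 4672, "Computer": "WS-022", "SubjectUserName": "helpdesk-adm",
     "SubjectLogonId": "0x80001"},
]


def privileged_logon_ids(events):
    """4672 'special privileges assigned to new logon' fires once per privileged session."""
    return {e["SubjectLogonId"] for e in events if e["EventID"] == 4672}


def find_admin_workstation_logons(events):
    """4624 logons that are privileged, credential-exposing and on a workstation."""
    priv = privileged_logon_ids(events)
    hits = []
    for e in events:
        if e["EventID"] != 4624 or e["TargetLogonId"] not in priv:
            continue
        if e["LogonType"] not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        if not is_workstation(e["Computer"]):
            continue
        hits.append({"host": e["Computer"], "user": e["TargetUserName"],
                     "logon_type": e["LogonType"], "source": e["IpAddress"]})
    return hits


def admin_host_spread(events):
    """Hosts each privileged account logged on to. A helpdesk account seen on many
    workstations is exactly the footprint a credential-harvesting intruder hopes to find."""
    priv = privileged_logon_ids(events)
    spread = defaultdict(set)
    for e in events:
        if e["EventID"] == 4624 and e["TargetLogonId"] in priv:
            spread[e["TargetUserName"]].add(e["Computer"])
    return {user: sorted(hosts) for user, hosts in spread.items()}


if __name__ == "__main__":
    for hit in find_admin_workstation_logons(SAMPLE_EVENTS):
        print("ALERT privileged credential-exposing logon on workstation:", hit)
    print("privileged account spread:", admin_host_spread(SAMPLE_EVENTS))
```

In the sample only the RDP session to WS-017 is flagged; the network logon to WS-022 is deliberately not, because it does not leave the admin's credentials on the box. The structural fix the rule points at is tiering: admin accounts that are never allowed to log on interactively to workstations, so the lure Schrauwen describes has nothing to catch.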
From his time at Microgaming, Schrauwen explains the supplier used monitoring to make sure they knew what was happening on a user’s PC, and this would all be reported to a central cybersecurity monitoring environment. Another way gambling companies can better protect themselves from cyber threats is through certification, such as being ISO 27001 compliant. This is the international standard for information security and builds awareness as well as testing that an environment complies with the minimum standards.
Very often, vulnerabilities persist because of poor patch management or because a business does not know which assets it has in its environment, says Schrauwen. He recalls the example of the Log4j exchange vulnerability in December 2021, where Microsoft released a patch but a lot of companies failed to apply it, making it easy for hackers to look for systems with that vulnerability.
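Knowing which assets carry a vulnerable library is the harder half of patching, because log4j-core is rarely a top-level dependency: it ships inside application jars, WAR files and fat jars. The scanner below is an added example (not code from the article or from Microgaming). It walks a directory tree, opens every archive, recurses into archives nested inside archives, identifies log4j-core by its manifest, and classifies each copy against 2.17.1, the release in which CVE-2021-44228 and its follow-on CVEs were all fixed for the Java 8 line, while also noting copies where the `JndiLookup` class was deleted as a stop-gap. The fixture it scans is constructed in a temporary directory and the jars in it contain only a manifest and a placeholder class; the file names and versions are assumptions.

```python
"""Find log4j-core copies, including ones nested in other archives (added example, not the article's code)."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

MANIFEST = "META-INF/MANIFEST.MF"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIXED = (2, 17, 1)  # first log4j-core with CVE-2021-44228 and the follow-ups fixed (Java 8 line)
NESTED = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def manifest_header(manifest, key):
    for line in manifest.splitlines():
        if line.startswith(key + ":"):
            return line.split(":", 1)[1].strip()
    return None


def classify(version, has_jndi):
    if version is None:
        return "UNKNOWN_VERSION"
    if version < FIXED:
        # Deleting JndiLookup.class blocks the JNDI path but not the later CVEs; upgrade anyway.
        return "VULNERABLE" if has_jndi else "OUTDATED_JNDI_REMOVED"
    return "OK"


def inspect_archive(zf, label):
    """Yield (label, version, status) for this archive and every archive nested inside it."""
    names = set(zf.namelist())
    if MANIFEST in names:
        manifest = zf.read(MANIFEST).decode("utf-8", "replace")
        title = manifest_header(manifest, "Implementation-Title") or ""
        if title.lower() == "apache log4j core":
            version = parse_version(manifest_header(manifest, "Implementation-Version"))
            yield label, version, classify(version, JNDI_LOOKUP in names)
    for name in sorted(names):
        if name.lower().endswith(NESTED):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                yield from inspect_archive(inner, f"{label}!{name}")


def scan_tree(root):
    """Scan every archive under root; labels are paths relative to root, '!' marks nesting."""
    root = Path(root)
    results = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in NESTED:
            with zipfile.ZipFile(path) as zf:
                results.extend(inspect_archive(zf, str(path.relative_to(root))))
    return results


# --- constructed fixture (stand-in jars, not real log4j builds) ---------------------------
def make_log4j_core(version, include_jndi=True):
    """Bytes of a stand-in log4j-core jar: a manifest and, optionally, a placeholder JNDI class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\nImplementation-Title: Apache Log4j Core\n"
                              f"Implementation-Version: {version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def build_fixture(root):
    root = Path(root)
    (root / "lib").mkdir(parents=True)
    (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(make_log4j_core("2.14.1"))
    (root / "lib" / "log4j-core-2.17.1.jar").write_bytes(make_log4j_core("2.17.1"))
    (root / "lib" / "log4j-core-2.15.0.jar").write_bytes(make_log4j_core("2.15.0", include_jndi=False))
    with zipfile.ZipFile(root / "service.war", "w") as war:  # the copy a file-name grep misses
        war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", make_log4j_core("2.13.3"))
    return root


def demo():
    """Build the constructed fixture in a temporary directory and scan it."""
    return scan_tree(build_fixture(tempfile.mkdtemp()))


if __name__ == "__main__":
    for label, version, status in demo():
        print(f"{status:22} {'.'.join(map(str, version)) if version else '?':8} {label}")
```

The copy inside `service.war` is the one that matters: searching the filesystem for `log4j-core-*.jar` never sees it, which is how organisations that believed they had patched kept getting exploited. In production the scan runs against deployed artefacts and container images, and the same manifest-plus-class check generalises to any library where a single class is the exploit surface.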
In terms of assessments, external scans and penetration testing are imperative. Schrauwen reveals that Microgaming hired white hat hackers to penetrate the network, and at times they were successful. “No company is completely safe. It doesn’t matter how much money you spend on security. Cybersecurity is all about layers. The more money you spend, the more layers you have. When there is a penetration or hack attempt, detecting it and then figuring out how to stop it is most important,” he adds.
A spokesperson for SecurityHQ advises that web applications should be continuously scanned for vulnerabilities and remediated on a quarterly basis. In addition, web application traffic should be monitored for suspicious activities/external attacks. Other recommendations include enforcing the use of 2FA and three-tier payment systems while phishing awareness and training of employees should be mandatory.
Cybersec Innovation Partners’ Jenkinson tells EGR Intel about his work with one of the world’s largest technical giants and the Ministry of Defence, advising them on having a robust perimeter defence. “It’s all well and good having a 10-foot barbed wire fence. But if your gates are not manned and controlled, it doesn’t matter,” he says.
Meanwhile, Allen at Continent 8 outlines three ways gambling operators can shield themselves from cyber-attacks: defence in depth, education and preparedness. He emphasises the importance of preparedness being front of mind for what is an inevitable attack. “Let’s get our plans in mind of what we would do. Who do we call? Who are our vendors? Do the authorities need to be involved? Do we pay the ransom? All of those things are part of an incident response plan,” he specifies.
School of thought
Education on cybersecurity is also an important priority at all levels of a business. It’s not just about being savvy when clicking on unknown email links or scanning QR codes.
Allen strongly believes more can be done in educating and training workforces on cybersecurity threats. He himself studies cybersecurity daily and is currently working on a PhD on that very subject. He also advocates the use of interactive training such as engaging companies to run trial attacks. “Red teaming is where we pretend there’s a cyber-attack going on or do a phishing attack towards your employees and see how the business handles it. Then people can get to understand why it’s so important,” he advises.
Allen’s third point, defence in depth, refers to using several layers of security to protect an environment rather than relying on a single protective measure. It also means implementing automated security event monitoring, and identifying your business’s “crown jewels” so that they are appropriately secured.
As cybercrime continues to grow, companies need to be fully prepared for an inevitable attack. Having the right preventative measures in place as well as boosting awareness of cybersecurity through training and education are crucial to protect all businesses. Continent 8’s cybersecurity director sums it up: “Don’t wait for the inevitable attack. Ensure you have an effective, tested cybersecurity incident response plan. You don’t want to be making critical decisions in a high stress environment.”