A group of hackers recently leveled a successful cyberattack on MGM Resorts and Caesars Entertainment, two of the world’s largest casinos.
The cyberattack, which occurred on Sept. 11, was allegedly carried out by Scattered Spider, a group of U.S. and European hackers aged 19 to 22. It caused a 10-day disruption in services that affected everything from hotel check-ins to room key access to gambling payouts, and it led to significant data breaches. MGM and Caesars soldiered through on manual, pre-internet-style processes until the matter was resolved on Sept. 20.
5 Cybersecurity Lessons From the MGM and Caesars Cyberattack
- Social engineering can overcome weak help desk policies.
- Voice phishing (vishing) is on the rise.
- Multi-factor authentication isn’t infallible.
- Secure cybersecurity insurance.
- Ransomware-as-a-service continues to expand.
The disruption and technology restoration cost MGM an estimated $100 million. Caesars reportedly negotiated with the hackers and paid $15 million, half of the group’s ransom demand.
Given the substantial sums these gambling meccas invest in digital security, the hackers exposed some concerning gaps.
The MGM and Caesars attacks are likely to become a case study of how a well-organized gang can coordinate attacks anywhere in the world. However, C-Suite executives and cybersecurity experts can learn some lessons in the wake of these attacks.
1. Social Engineering Can Overcome Weak Help Desk Policies
Members of the alleged hacker group, Scattered Spider, did their homework on casino employees. Hackers routinely crawl professional networking sites and social media profiles to sharpen their social engineering. Personal information posted on Facebook alone lets cybercriminals learn about a target's friends, family members, address, age and other details they can weave into a convincing story.
Scattered Spider reportedly compiled thorough profiles on casino employees, drawing on LinkedIn, and used them to convince a help desk employee that the caller was a staff member who had misplaced or forgotten their login credentials. Once the help desk issued a one-time password, the attackers were able to ransack casino systems, stealing sensitive personal identity information that included Social Security numbers and driver's license details.
The lesson is that an organization is only as strong as its weakest link. Hackers don't always need advanced tooling to reach your data; sometimes it takes nothing more than tricking a single person. Companies would be well served to conduct an immediate risk assessment, identify both network and human vulnerabilities, and harden their cybersecurity posture accordingly.
2. Voice Phishing (Vishing) Is on the Rise
Most garden-variety cyberattacks involve phishing schemes. Hackers find it inexpensive to send out thousands of click-bait emails and other electronic messages, betting that someone will make a mistake. They're often right. About a third of organizations don't offer any cybersecurity awareness training for remote workers, according to a report from cybersecurity firm Hornetsecurity, which leaves those workers vulnerable to even basic phishing.
More sophisticated cybercriminals, however, forgo simple phishing for voice phishing, or "vishing." In a vishing attack, the criminal harvests information about a specific target, then calls and impersonates that individual or company to persuade the person on the line to reveal sensitive information or take a risky action, such as resetting a password. Vishing combined with social engineering research is often more effective than standard phishing, and it is what happened to MGM and Caesars.
As these attacks become more common, it falls to company leaders to tighten security policies. One step they can take now is to prohibit the help desk from issuing temporary passwords or resetting MFA on the strength of a phone call or email alone; a caller's identity should be verified through an independent channel, such as a callback to the phone number on file or confirmation from the employee's manager. Password managers such as Dashlane, LastPass and 1Password are not foolproof, but their secure-sharing features mean credentials never need to be read out over the phone or pasted into a message.
3. Multi-Factor Authentication Isn’t Infallible
Scattered Spider overcame some of the most trusted cybersecurity defenses, and multi-factor authentication was one of them. Its members reportedly used multi-factor authentication fatigue attacks to get past this seemingly tried-and-true deterrent.
In an MFA fatigue attack, the attacker already holds a valid username and password. Each login attempt sends a push notification to the user's authenticator app, so the attacker simply repeats the login, flooding the user with prompts and betting that the user will eventually tap "approve" just to make them stop. Although this may be the least sophisticated of the group's techniques, it worked.
And Scattered Spider is not the only criminal enterprise using the fatigue strategy. Last year, Uber's defenses were breached by a member of the hacking group Lapsus$, who also used an MFA fatigue attack.
What we're seeing on the defensive side is that push-based MFA by itself may not be enough anymore. The weak variant is a plain approve/deny prompt, which lets a user approve a login without knowing which attempt it belongs to. Cybersecurity professionals must adopt additional mitigations: number matching in the authenticator app, rate limits on prompts with an account lock after repeated denials, alerting on bursts of push notifications for a single account, and, where possible, a move to phishing-resistant factors such as FIDO2 security keys. Defending against MFA fatigue is possible, but it requires a measured, deliberate approach.
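The alerting mitigation described above can be illustrated with a small detector. The following is an added example written for this page, not code from MGM, Caesars, or any identity provider: it parses constructed push-notification log lines (the `user=... event=... src=...` format and the usernames are assumptions, not a real product's format) and raises an alert when one account receives more than a threshold of pushes inside a time window, or when an approval follows earlier denials or timeouts in that window, which is the signature of a user giving in to the flood.

```python
"""MFA push-fatigue detector over constructed authentication log lines.

Added example for this article; the log format below is hypothetical and
the entries are constructed, not taken from any real incident.
"""
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: a burst of pushes against "jdoe" that ends in an
# approval after several denials, plus one ordinary login by "asmith".
SAMPLE_LOG = """\
2023-09-10T02:14:01Z user=jdoe event=push_sent src=203.0.113.7
2023-09-10T02:14:03Z user=jdoe event=push_denied src=203.0.113.7
2023-09-10T02:14:10Z user=jdoe event=push_sent src=203.0.113.7
2023-09-10T02:14:12Z user=jdoe event=push_denied src=203.0.113.7
2023-09-10T02:14:20Z user=jdoe event=push_sent src=203.0.113.7
2023-09-10T02:14:35Z user=jdoe event=push_timeout src=203.0.113.7
2023-09-10T02:14:40Z user=jdoe event=push_sent src=203.0.113.7
2023-09-10T02:14:41Z user=jdoe event=push_denied src=203.0.113.7
2023-09-10T02:14:50Z user=jdoe event=push_sent src=203.0.113.7
2023-09-10T02:14:52Z user=jdoe event=push_approved src=203.0.113.7
2023-09-10T08:01:00Z user=asmith event=push_sent src=198.51.100.9
2023-09-10T08:01:04Z user=asmith event=push_approved src=198.51.100.9
"""

# Hypothetical log line layout: ISO-8601 UTC timestamp followed by key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)

REJECTED = ("push_denied", "push_timeout")


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "event": m["event"], "src": m["src"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_fatigue(events, window_seconds=300, max_pushes=3):
    """Return a list of alerts found in the event stream.

    Rule "push_burst": the (max_pushes + 1)th push_sent for one user inside the
    window fires once per burst. Rule "approve_after_reject": a push_approved
    preceded by at least one denial or timeout inside the window.
    """
    window = timedelta(seconds=window_seconds)
    recent = {}  # user -> deque of that user's events inside the sliding window
    alerts = []
    for ev in events:
        dq = recent.setdefault(ev["user"], deque())
        dq.append(ev)
        while dq and ev["ts"] - dq[0]["ts"] > window:
            dq.popleft()  # drop events that fell out of the window
        sent = sum(1 for e in dq if e["event"] == "push_sent")
        rejected = sum(1 for e in dq if e["event"] in REJECTED)
        if ev["event"] == "push_sent" and sent == max_pushes + 1:
            alerts.append({"rule": "push_burst", "user": ev["user"], "pushes": sent,
                           "src": ev["src"], "at": ev["ts"]})
        elif ev["event"] == "push_approved" and rejected >= 1:
            alerts.append({"rule": "approve_after_reject", "user": ev["user"],
                           "rejected": rejected, "src": ev["src"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

The second rule is the one worth paging on: a burst of pushes alone may be a misconfigured client, but an approval that arrives after the same account has already said "no" several times in a few minutes is the moment the attacker gets in, and the source address on that approval is where the response should start.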
4. Secure Cybersecurity Insurance
The pair of Las Vegas casinos face at least nine federal lawsuits in the aftermath of the massive data breach. One of the civil actions filed in the U.S. District Court in Nevada reportedly claims the entertainment operations were negligent in protecting the personal identity information of customers during the attack. In that particular case, the complainant was a 20-year Caesars Rewards member.
A filing against MGM and two real estate entities, Vici Properties and MGM Growth Properties, asserts that MGM and its affiliated operations failed to follow privacy protection guidelines established by the Federal Trade Commission. In particular, the lawsuit points to a lack of cybersecurity awareness training: at least one help desk staffer provided the hackers with the one-time password that brought the gambling den down like a house of cards.
Cybersecurity experts are keenly aware that sophisticated hackers and advanced persistent threats continue to craft ways to overcome even the best defenses.
This cybersecurity disaster is a reminder that even a determined, well-funded defense can be circumvented. It's wise to carry cybersecurity insurance that covers financial losses and the cost of attorneys to handle the civil lawsuits that follow a breach.
5. Ransomware-as-a-Service Continues to Expand
It seems counterintuitive that a group of hackers this young would possess all the skills and tools to shake down Caesars for $15 million and send MGM into manual mode. However, reports indicate that the hackers allegedly had significant help from the ransomware gang ALPHV, also known as BlackCat.
Although ALPHV/BlackCat reportedly denied carrying out the intrusion itself, the ransomware used in the MGM and Caesars cyberattacks was its creation. The group's developers rent the malware out to affiliates as a service, which is how an outfit like Scattered Spider could deploy it.
This tells us that even garden-variety hackers with comparatively modest skills can spend cryptocurrency on ransomware-as-a-service or buy another attack capability outright. Cybersecurity experts are now forced to find new ways to mitigate ransomware attacks and to rethink the capabilities of threat actors across the board.
For instance, military defense contractors and federal agencies typically worry about advanced persistent threats funded by hostile nation-states. But if sophisticated cybercriminals continue to offer next-generation tooling to anyone who will pay, the threat landscape becomes a lot bigger.
We can anticipate more upstarts to invest in ransomware-as-a-service, elevating minor league players into the pros. If this event tells us anything, it’s that organizations and cybersecurity professionals must continue to adapt and evolve their cybersecurity processes to keep up with ever more capable adversaries.