How did the ransomware attack on MGM Resorts start?
“I know more about casino security than any man alive, I invented it, and it cannot be beaten. They got cameras, they got locks, they got watchers, they got timers, they got vaults, they got enough armed personnel to occupy Paris!” - Reuben Tishkoff, Ocean’s Eleven.
When many of us think about casinos, we probably think about the top-tier security measures we have seen in movies such as Ocean’s Eleven, a film whose entire plot surrounds the slim odds of getting past these impenetrable security measures.
Incredibly, just like the heist in the popular film, the MGM ransomware attack was largely successful. The culprits employed the tried-and-true tactic of social engineering.
The ransomware attack has had a far-reaching impact on both internal and client-facing operations. Since the attack, casino operations have come to a halt, with electronic gambling and slot machines affected, an outage that is estimated to be costing MGM nearly $8.4 million a day in revenue and cash flow.
Additionally, physical operations across MGM properties, including the Bellagio, Mandalay Bay and the Cosmopolitan, were severely impacted as a result of the system outage. Guests reportedly waited for hours to get physical room keys, verify reservations and access parking kiosks, were stuck in elevators, and had to get hand-written receipts for casino winnings.
Both Scattered Spider and ALPHV/BlackCat have claimed responsibility for the attack and shared that they used LinkedIn to find an MGM IT help desk worker and simply picked up the phone to start the attack. While we don’t know precisely what was said on the phone call, security experts believe that the end result was that somebody at the MGM help desk handed over the credentials needed to access the system… within ten minutes.
This attack method, known as vishing, relies on phone calls to gain access to systems and, while not as common as email-based phishing attempts, has up to a three-times higher success rate, for several key reasons, including the human factor, limitations of security software and lack of training.
The Human Factor and Vishing
Threat actors target the human factor in nearly all attacks, but it is especially crucial in vishing, since the entry point is a conversation with an actual person, who inherently wants to help the best they can – especially when they work for an IT help desk, as was the case for MGM. The threat actor can impersonate anybody they want on the phone to establish credibility and, assuming they do the proper research, can sound so authentic that they are often given whatever access they need.
Security Software Limitations and Vishing
The very fact the threat actor was able to get through to the MGM help desk illustrates another key vulnerability vishing attacks exploit: access. Think about the number of phishing or smishing attacks that are automatically flagged and triaged by security software, which effectively minimizes the human risk by simply never letting them reach the recipient.
In the case of vishing, the phone calls may come from an unknown number, but have a familiar area code – or if a company is a national or international conglomerate like MGM, people may expect random phone calls. While most cell phones come with anti-vishing security measures, corporate communication systems most likely do not, and workers expect calls from unknown numbers.
Lack of Training on Vishing
Finally, we know what phishing and smishing communications look like. Common red flags, like a manufactured sense of urgency, poor grammar, typos, unexpected links and attachments, are often easy to spot in the wild with educated eyes.
The reason most people know this is hopefully because they were provided with proper training that includes security awareness materials and simulated phishing attacks. But when was the last time your organization did any training on non-electronic social engineering?
Remember, social engineering can be conducted over the phone and in person, so be sure to educate your employees on how to screen phone calls and physical interactions with the same filter as email or text.
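The control that addresses the help-desk credential handover described above is a verification gate: a password reset or MFA re-enrolment requested by phone is fulfilled only after identity is confirmed out of band, never on the caller's story alone. The following is an added example of such a gate with an audit line for the SOC; it is not code from the original article or from MGM, and every name, field and sample ticket in it is constructed.

```python
from dataclasses import dataclass

@dataclass
class PhoneRequest:
    """A credential request that arrived by phone (constructed schema)."""
    ticket_id: str
    account: str
    privileged: bool          # admin, domain or service account
    callback_verified: bool   # desk hung up and called the number HR has on file
    mfa_push_confirmed: bool  # user approved a push on an already-enrolled device
    manager_approved: bool    # required only for privileged accounts

def evaluate(req: PhoneRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Each reason is a check that failed."""
    reasons = []
    if not req.callback_verified:
        reasons.append("no callback to the phone number on file")
    if not req.mfa_push_confirmed:
        reasons.append("no MFA confirmation from an enrolled device")
    if req.privileged and not req.manager_approved:
        reasons.append("privileged account without manager approval")
    # Nothing the caller says on the line counts as evidence; only the
    # out-of-band checks above can clear the request.
    return (not reasons, reasons)

def audit_line(req: PhoneRequest, allowed: bool, reasons: list[str]) -> str:
    """One log line per decision so denied or unusual resets can be reviewed."""
    outcome = "ALLOW" if allowed else "DENY"
    return (f"{outcome} ticket={req.ticket_id} account={req.account} "
            f"privileged={req.privileged} reasons={'; '.join(reasons) or 'none'}")

# Constructed sample: a caller who "just needs a quick reset", backed by
# nothing but what was said on the phone.
COLD_CALL = PhoneRequest("HD-0001", "jdoe", privileged=True, callback_verified=False,
                         mfa_push_confirmed=False, manager_approved=False)
# The same request after the desk called back the number on file, received an
# MFA push approval from the enrolled device and obtained manager sign-off.
VERIFIED = PhoneRequest("HD-0001", "jdoe", privileged=True, callback_verified=True,
                        mfa_push_confirmed=True, manager_approved=True)

if __name__ == "__main__":
    for req in (COLD_CALL, VERIFIED):
        ok, why = evaluate(req)
        print(audit_line(req, ok, why))
```

The denied request is the one to route to security for review rather than retry, since repeated rushed attempts against the same account are themselves a signal.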
With a recent attack on Caesars Casino (also claimed to be by Scattered Spider) that ended in a reported $15 to 30 million ransom payment, and the demonstrated impact of MGM refusing to pay the ransom, now is a great time for your organization to remind your end users of how they can identify and prevent attacks.
While the casino attacks are currently at the top of the news cycle, the reality is that an operational shutdown like this within a municipality or hospital can have far more deadly implications than breaking out the sliding credit card machines or writing physical cash out tickets.
If you have any questions about security awareness training, incident response planning or any other cybersecurity-related concerns, please reach out to the Schneider Downs Cybersecurity team at [email protected].
Please note that specific details on the attack have not been confirmed by MGM, Caesars or the FBI outside of the statement posted on MGM’s website and X.
About Schneider Downs Cybersecurity
The Schneider Downs Cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.