UPDATE: MGM Data Breach Linked to Vishing
Caesars Entertainment Security Breach
Interestingly, some have linked Scattered Spider to the late-August cyberattack on Caesars Entertainment, however, when TechCrunch asked a Scattered Spider representative if they were behind the Caesars incident, they denied it. Whichever crime organization was behind the Caesars attack reportedly gained access by breaching one of Caesars’ outside IT vendors. The Wall Street Journal reported that Caesars paid about $15 million to the hackers to prevent disclosure of stolen data. In a recent 8-K filing, Caesars not only confirmed the breach, but also explained that the data stolen included customer’s driver’s license numbers and Social Security numbers from its loyalty program database.
HT reported earlier this week that MGM Resorts International was the victim of a sizeable security breach. MGM was forced to shut down the company’s network systems meaning that guests could not access their rooms, digital room keys didn’t work, slot machines were out of order, and ATMs weren’t functioning. Guests also reported that TV service and phone lines were down. Additionally, the websites for all 31 MGM resorts and the company’s mobile rewards app have also been down since Monday.
New details on who might be responsible for this attack have emerged. On Sept. 12, malware repository and source code site vx-underground said on X (formerly known as Twitter), “All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”
On Sept. 14, a representative of Scattered Spider (a subgroup of ALPHV) told TechCrunch that it was indeed behind the MGM cyberattack.
vx-underground also said on X (partially quoted below): “This particular subgroup of ALPHV ransomware has established a reputation of being remarkably gifted at social engineering for initial access.”
But there may be more to this story than just ALPHV’s own expertise at vishing.
X user @EvilSecOfficial replied to @vxunderground and said (quoted partially below):
“Vishing is surprisingly easy right now in terms of people not caring in cyber. Employees are so burnt out and organizations are loading up work combined with alert fatigue....makes things extremely easy.”
Since the COVID-19 pandemic, hospitality organizations have been dealing with massive labor shortages in all areas, making it all too easy for individuals to make mistakes. Unfortunately, people are often the weakest link in a company’s cybersecurity defense.
Lisa Plaggemier, Executive Director at National Cybersecurity Alliance, agrees noting:
“It's important to recognize that, in many cases, attackers initially target individuals rather than systems. In this specific incident, the attackers took a social engineering approach, targeting the Help Desk. This tactic is both a point of strength and vulnerability within organizations. While IT departments play a critical role in assisting employees and ensuring the business runs smoothly, their service-oriented focus can sometimes overshadow security concerns.
“In this case, it appears that a criminal successfully convinced a Help Desk employee into believing they were a legitimate employee in need of assistance,” Plaggemier adds. “This incident highlights the need for a comprehensive approach to cybersecurity that encompasses both technology and human factors. While vigilant monitoring of systems, regular password updates, and credit monitoring services are important steps, organizations must also prioritize security awareness training for employees to recognize and defend against social engineering attacks. By addressing the human element alongside technological defenses, we can better safeguard sensitive data in the hospitality industry, which is an attractive target for cybercriminals seeking financial gain or disruption.”
Alex Waintraub, DFIR Engagement Leader at CYGNVS, adds:
"While we find the hospitality industry at various stages of preparedness against a multitude of threats, this situation underscores the need for proactive cybersecurity posturing, practiced incident response plans and steady awareness campaigns. The alleged use of vishing, or voice phishing, is a stark reminder that people are the biggest risk to cybersecurity and steady awareness campaigns are needed to ensure employees are aware of protocol and prepared to alert leadership of future phishing attempts — especially as ransomware groups continue to push boundaries. The hospitality and gaming industries are prime targets due to the wealth of customer data, financial transactions, and operational systems they handle; and in this high-stakes game, where attackers stand to gain significantly, we cannot afford complacency."
STEPS TO TAKE RIGHT NOW
For those hoteliers who are wondering what steps they can implement now to prevent their team members from making a similar mistake, Pete Nicoletti, Field CISO at Check Point Software Technologies, offered these helpful tips:
- Have the help desk calls back an employee on phone number listed in GAL
- Have the help Desk ask a security questions to validate the employee
- Have the help desk conduct a video call to validate the employee's identity
Additionally, Nicoletti reveals that there should have been other security measures in place to help desk employees discern that something "phishy" was going on. For example,
- Endpoint tool is 1:1 associated with a laptop, a new laptop should have stopped it all
- OOB Authentication app/tool should have been on employees' cell phone
- VPN should have gone nuts over new, never before used IP range being used
- End Point tool should have prevented any tools from being installed
- Segmentation should have prevented multiple systems from being accessed from one place
- God Level Privileges are never a good thing. Use jump boxes with additional authentication to access critical areas Basic Ad account with 2FA to log in to Jump box and then a different elevated account for admin work on different critical systems.
- Resiliency should have been considered if one area is breached
Joe Juchniewicz, Principal Security Consultant, Calian IT & Cyber Solutions, also had some tips for hoteliers:
"First is training. The human interface is still the weakest point for security and accessing the network. A well-defined training program is required for all employees and is ongoing, not just the once-a-year check-off box for compliance. Remember, compliance does not mean security.
"The second is network monitoring. There should have been network monitoring to inform the staff that unusual traffic is occurring within the environment, reporting to their Security Operations Center (SOC). The question arises: Are they getting all the correct logs and data needed to see the malicious events occurring?
"Third is the updated patching process. The issues with some of the environment may have been due to missing or new patches. A robust patching process is required to ensure that all the patches are being implemented on time.
"Fourth is conducting at least yearly testing for vulnerability patching, Incident Response, and Business Continuity and Disaster recovery events, which can help determine where there are weaknesses or deficiencies within an environment and create a lesson-learning object to see what works and what does not."
Fifth is conducting a gap analysis to discover what tools and processes are within the environment, how you use them to the fullest potential, and what gaps you have within your environment.
In closing, security needs to be defined in layers, not just one tool or product, to be a catch-all function. It needs to be ongoing and be flexible to change (internal and external) to the environment. In addition, it requires management support and funding to create a well-defined and protected network environment.