Cybersecurity Breaches at Las Vegas Resorts: Understanding the MGM and Caesars Incidents
Las Vegas is usually known for making and taking fortunes at the casino, but money is changing hands in a new way. Recent cybersecurity attacks at MGM Resorts and Caesars Entertainment have made millions for hackers and deleted hundreds of millions from the pocketbooks of shareholders.
Caesars: Attackers breached the loyalty program database at Caesars, which stored sensitive customer data, including driver's license numbers and Social Security numbers for a significant number of members. They then demanded a ransom in exchange for not leaking the information online.
MGM: Attackers told the media that they compromised MGM using social engineering. It’s unclear how the initial access gained through social engineering was exploited, but we know that large portions of the casino’s network were down, including ATMs, room access and slot machines.
Who Did This?
Initially, Scattered Spider, also known as UNC3944, took credit for the hacks. This group is known for its social-engineering-driven attacks. As the dust settled on the MGM attack, another entity emerged from the shadows. Alphv, sometimes referred to as Black Cat, claimed to be the true mastermind behind the MGM hack (but made it clear they were not involved in the Caesars incident). Alphv operates a ransomware-as-a-service model, peddling malware to other hackers eager to launch their own cyberattacks. Their influence is undeniable; they were responsible for approximately 12% of all cyberattacks in the initial four months of 2022.
The relationship between Scattered Spider and Alphv adds another layer to this attack. Scattered Spider is known to be an affiliate of Alphv, having utilized Alphv's malware in previous operations. However, the exact nature of their involvement or connection in the MGM hack remains unknown.
Alphv has a well-documented history of holding companies to ransom, a capability it commoditizes and sells as a service on the darknet. Typically, these cybercriminals will sell access to their ransomware infrastructure, and in the event of a successful extortion, the proceeds are shared.
How Did They Get In?
In both cases, the attackers told the media they used a combination of social engineering, multi-factor authentication (MFA) fatigue, and SMS credential phishing attacks. In plain English: criminals bypassed authentication mechanisms by asking employees for their passwords and playing on employees’ inherent trust.
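One way to spot the MFA fatigue pattern named above in authentication logs, as an added example that is not from the original article or from either casino's tooling. The log layout, the event names, and the threshold of five prompts in ten minutes are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, result); the field layout is an
# assumption, not any specific identity provider's log schema.
SAMPLE_LOG = """\
2024-01-01T02:14:05Z alice push_denied
2024-01-01T02:14:40Z alice push_timeout
2024-01-01T02:15:10Z alice push_denied
2024-01-01T02:15:55Z alice push_denied
2024-01-01T02:16:20Z alice push_denied
2024-01-01T02:16:48Z alice push_approved
2024-01-01T08:01:00Z bob push_denied
2024-01-01T08:01:30Z bob push_approved
2024-01-01T09:00:00Z carol push_approved
"""

FAILED = {"push_denied", "push_timeout"}

def parse(line):
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result

def detect_mfa_fatigue(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for users who receive `threshold` or more denied or
    unanswered push prompts inside `window`; an approval that follows such a
    burst is flagged as a likely fatigue-induced approval."""
    recent = defaultdict(deque)  # user -> timestamps of failed prompts
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, user, result = parse(line)
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts outside the window
            q.popleft()
        if result in FAILED:
            q.append(ts)
            if len(q) == threshold:  # alert once, when the burst is reached
                alerts.append((user, "prompt_burst", ts))
        elif result == "push_approved":
            if len(q) >= threshold:
                alerts.append((user, "approved_after_burst", ts))
            q.clear()  # a successful login resets the user's counter
    return alerts

if __name__ == "__main__":
    for user, kind, ts in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user} {kind}")
```

An `approved_after_burst` alert is the one to escalate first, since it means a session was granted right after the user was flooded with prompts.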
How Much Will It Cost?
The breaches have been expensive. We don’t know how much they will cost in the end, but there are a lot of factors to consider when trying to assess the impact.
Direct Costs: Immediate expenses for incident response, remediation, and legal matters.
Operational Disruption: Downtime, lost reservations, and service interruptions.
Reputation Damage: Eroded customer trust that reduces patronage.
Regulatory Implications: Potential fines and penalties.
Increased Security Costs: Investment in heightened cybersecurity measures.
Should the Casinos Pay the Ransom?
The decision to pay is a complex one. It's tempting to weigh the costs of the ransom against the damages incurred and pick the cheapest option, but paying a ransom does not guarantee that the hackers will eradicate themselves from the system or that they will delete sensitive data. They might just re-ransom the data or even sell the data for a double payday.
What to Watch For:
In the days and weeks to come, we’ll watch to see if any more information about the breach comes out, especially from Alphv or Scattered Spider, who seem to be enjoying their moment in the spotlight. We’re also waiting to see how much, if any, sensitive personally identifiable information (PII) and credit card information was compromised.
Damage to the Public:
The cyberattacks on MGM and Caesars exposed the public to data privacy threats, including identity theft and financial fraud. Additionally, the operational disruptions at MGM’s properties affected both guests and employees, underscoring the wider societal impact of such incidents.
What Does RISCPoint Think About the Breaches?
Businesses that are more interconnected and dependent on technology than ever before face a massive challenge when it comes to managing rapidly changing and often unregulated systems. We hope the professionals in Las Vegas will share their lessons for the rest of us and that the cybersecurity community can work together to continue to prevent these widespread outages.
If you are looking to bolster your organization’s security or achieve compliance, RISCPoint has advanced services tailored to your needs. Our certified cyber security professionals have successfully supported companies across a wide range of industries and sizes, from Fortune 10 to pre-Series A startups. To learn more, visit riscpoint.com/contact or call 1-888-320-1327.