MGM Cyberattack Emphasizes Need for Layered Defenses

The odds are stacked in favor of increasingly bold and sophisticated cybercriminals, as MGM Resorts International and Caesars Entertainment learned this week, meaning organizations need multiple layers of defense and heightened vigilance against social engineering tactics.

MGM Resorts, which owns and operates multiple hotels/casinos in Las Vegas, including the Bellagio, Mandalay Bay and Luxor, along with other properties around the country, reported a “cybersecurity issue affecting some of the company’s systems” on Sunday, Sept. 10 in a social media post.

The issue prompted MGM to take some of its systems offline while it dealt with the intrusion and worked with law enforcement. As a result, guests could not use digital hotel room keys, casino gaming was shut down, bars and restaurants could only accept cash, and MGM hotels could not accept new reservations, per news and social media reports.

As of Monday, Sept. 11, MGM said systems were again “operational,” but reports of business disruption—and disgruntled guests—continued.  The hospitality chain has not confirmed any additional details but filed an 8-K with the U.S. Securities and Exchange Commission (SEC) on Sept. 13 alerting regulators to the event. Shortly after news of MGM’s event broke, reports emerged of a ransomware event hitting casino operator Caesars Entertainment. The company also filed an 8-K with the SEC, indicating that cybercriminals had stolen some customer data.

What happened?

A malware research group trusted in the cybersecurity world known as VX-Underground reported earlier this week that threat actors tied to the ALPHV/BlackCat ransomware-as-a-service gang appeared to be behind the attack. This particular threat group, also known as Scattered Spider and UNC3944, is believed to have perpetrated attacks on Reddit and Western Digital and excels at social engineering.

These tactics allowed them to trick MGM’s IT team into resetting an employee’s credentials and multi-factor authentication (MFA) keys, say security experts.

“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk,” said VX-Underground in an X (formerly Twitter) post. “A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”

The threat actors themselves claimed responsibility for the MGM attack on Thursday, Sept. 14. They announced they gained access to MGM’s systems on Friday, Sept. 8, and that they were able to deploy ransomware despite MGM taking the systems offline on Monday, Sept. 11. They also alleged MGM had not been responsive and warned they still “have access to some of MGM’s infrastructure” and would carry out additional attacks if MGM refuses to deal with them.

While MGM’s several days of downtime may seem like a worst-case scenario, the hospitality giant’s predicament could have been much worse had they not detected signs of an intrusion and begun remediation quickly by taking systems offline.

“MGM was probably ahead of the game,” Jason Rebholz, chief information security officer (CISO) with Corvus Insurance, told Front Page News. “Most companies aren’t even in the position to make that decision because they’re not detecting it. If they didn’t detect this, we’d be looking at something 10 to 20 times worse.”

MGM’s decision to take its systems offline allowed the company to recover in a more controlled environment, according to Rebholz. Though a “drastic step,” it came in response to an “almost impossible situation.”

“The odds are stacked in the attackers’ favor. This is why cybersecurity is such a difficult game to play,” said Rebholz, adding, “In any security incident, there’s going to be something that goes wrong.”

That said, businesses – whether they are the size of MGM or a single storefront – can’t “throw up their hands” and assume all is lost when it comes to preventing cyber events.

“The biggest concern is that people will look at this and focus on the fact that their systems were down, and they still got infected,” he said.

Redoubling defenses

Rebholz urged organizations to bolster their cyber defenses as targeted attacks and more sophisticated phishing efforts appear. Organizations need to identify their most critical assets and defend them on a day-to-day basis, he said.

“It’s an endless game of survival,” Rebholz said. “You have to continue to train your staff and employees on the current threats. It all starts with the user seeing something that’s suspicious.”

For the insurance industry, the rise in ransomware should prompt underwriters to redouble, rather than relax, their efforts to promote good cyber hygiene for insureds.

“This is going to be an impactful event,” Rebholz said. “Ransomware is increasing in velocity. When we start seeing the severity, we have to ask - are we requiring the right controls?”

Weaker forms of MFA can be bypassed, necessitating multiple layers of security and verification, he noted.

“Defense-in-depth is key here. You can’t rely on a single control. Assume at least one of these is going to fail,” said Rebholz. “Then you’re in a better position to prevent, mitigate or at a minimum respond to an event like this.”

The content of this Cyber Update should not be regarded as legal advice and not be relied upon as such. In relation to any particular problem which they may have, readers are advised to seek specific advice. © 2023 Zywave, Inc. All rights reserved.