Lessons from the MGM cyber attack

On September 12, 2023, MGM Resorts International experienced a cyber attack that resulted in them shutting down their systems. The investigation is ongoing, but the crime groups Scattered Spider and ALPHV are believed to have used social engineering to break into the company.

What do we know now? And what can companies do to avoid being the victim of such scenarios?

The MGM system shut down

MGM tweeted September 12 about a “cybersecurity issue affecting some of the company’s systems.” They had to shut them down to protect customer data and their entire infrastructure. However, the issue persisted for several days, with hotel customers unable to use their digital room keys and slot machines not working at all. As of writing, the company has not made any updates on whether or not the system shutdown has been resolved, announcing only that they are continually working on resolving the issue.

Cause and culprits: What happened?

The primary suspect in the incident is Scattered Spider, a hacking group composed of people in their late teens and early 20s. ALPHV, a ransomware-as-a-service operation, is also claiming responsibility for the incident and denies that Scattered Spider played any role in it.

Whichever group is responsible, the attackers deployed ransomware to encrypt systems and demanded payment in cryptocurrency, offering to restore access to the files, data, and systems only once MGM Resorts International pays the ransom.

To get into the MGM environment and deploy ransomware, Scattered Spider used “vishing” (voice phishing), a social engineering tactic that works like phishing but over the phone rather than email: the attacker calls unsuspecting members of the company and talks them into divulging sensitive information. In this case the attackers found an employee on LinkedIn, impersonated that person on a call to the MGM help desk, and convinced the help desk agent to hand over that employee's credentials.

MGM’s steps to solve the issue

MGM did not rush to make public announcements declaring the issue resolved. On September 14, they posted a statement on X (previously Twitter) mentioning that they are working on resolving the issue. This declaration was accompanied by a reassurance that their resorts are staying open and that they are still dedicated to addressing their guests’ needs.

Effect on guests and the company

Inconvenience may be the most notable impact on customers. Since systems were shut down, MGM employees had to manually handle many processes, such as checking in guests and providing receipts for casino winnings. There have been reports of long lines as MGM goes manual.

The full extent of the incident’s damage to MGM Resorts International is yet to be determined. In addition to financial costs, guests and customers may also lose trust in the company since their personal information may have been compromised.

In the long term, customers’ private information might be at risk. Most people who play at casinos or stay in hotels generally want their transaction details and personal data kept private from prying eyes.

Measures to implement against vishing

Allegedly, it took only a 10-minute phone call to attack MGM and shut down its systems. Vishing borrows the social engineering playbook of email phishing but plays out in a single real-time conversation, which leaves the target far less time to reflect. One reason vishing is so effective is that, unlike email, a phone call carries a built-in sense of urgency, and the receiver feels more inclined to share information in response to that demand for immediate action. In addition, the caller may pose as a trusted colleague or a high-ranking member of the company, adding a layer of legitimacy to the request.

As new tactics like vishing become more prevalent, companies must go beyond just training for phishing scams. There should be a protocol to help verify the identity of a caller claiming to be a part of the company, before taking actions based on a call. In addition, cybersecurity training for employees should also address vishing tactics. In this case, focussed supplementary training targeted specifically at service desk staff may have helped.

Vishing works because it relies on hasty reactions, bypassing logic and reason too easily because we are programmed to want to help. To avoid this type of scenario, employees must be able to recognise language and methods designed to appeal to their emotions, especially the fear of disobeying an apparent superior or the instinct to trust a friendly voice. This practice will allow them to detect impersonators and avoid divulging sensitive information.

How to protect from vishing attacks

The cyber attack on MGM is a sobering reminder of how attack tactics are rapidly evolving. With the rise of vishing and the growing risk of AI-generated attacks, it may be time to re-evaluate your approach to phishing training to include this method, and to support that training with more effective technical measures.

Good controls to protect against this would include:

  1. Training service desk staff to know what to look for

  2. Authenticating callers, using multi-factor authentication where possible

  3. Avoiding reliance on SMS-based authentication, as SIM swapping and interception are well-established attacks against it and a caller can simply be talked into reading the code out

  4. Minimising the admin and superuser credentials that desk staff can reset or issue, and implementing additional approvals or 4-eyes review for high-risk support transactions

  5. Considering passwordless security options and additional authentication for high-risk data

  6. Improving monitoring of data access to identify and alert on unusual data access patterns.

  7. Applying zero trust concepts so that data access transactions are continuously authenticated, rather than relying on network logon controls and trusting what happens next.
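Controls 2, 4 and 6 above can be expressed as working logic rather than policy text. The following is an added example, not MGM's code and not part of the original article: a check that a help desk agent must pass before resetting a credential (SMS alone never counts as a strong factor, privileged accounts need two independent strong factors and a second agent's approval), followed by an after-the-fact review of reset and MFA-enrolment events that flags the patterns a vishing-driven takeover tends to leave. The factor names, account names, agent IDs and log events are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Factors a help desk agent can record as completed before a reset (constructed names).
SMS_OTP = "sms_otp"                       # interceptable and easily read out by the caller; never strong
APP_PUSH = "auth_app_push"                # approval in the authenticator app already enrolled for the account
CALLBACK = "callback_registered_phone"    # agent hangs up and calls the number held in the HR directory
MANAGER_CONFIRM = "manager_confirmation"  # the directory-listed manager confirms on a separate call
STRONG_FACTORS = {APP_PUSH, CALLBACK, MANAGER_CONFIRM}


@dataclass
class ResetRequest:
    ticket: str
    account: str
    privileged: bool                 # admin / superuser, or access to high-risk data
    verified: set                    # factors the agent actually completed
    agent: str
    approver: Optional[str] = None   # second agent for 4-eyes review


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate_reset(req: ResetRequest) -> Decision:
    """Decide whether the agent may reset the credential for this caller."""
    reasons = []
    strong = req.verified & STRONG_FACTORS
    if not strong:
        reasons.append("no strong factor verified (SMS OTP alone is not enough)")
    if req.privileged:
        if len(strong) < 2:
            reasons.append("privileged account: two independent strong factors required")
        if not req.approver or req.approver == req.agent:
            reasons.append("privileged account: 4-eyes approval by a different agent required")
    return Decision(allowed=not reasons, reasons=reasons)


@dataclass
class Event:
    """One record as a help desk tool or identity provider might export it (constructed)."""
    ts: datetime
    kind: str        # "reset", "approval" or "mfa_enrol"
    account: str
    actor: str       # agent for reset/approval; the account itself for mfa_enrol
    privileged: bool = False


def review_reset_log(events, window=timedelta(minutes=30), burst_limit=3):
    """Return alert strings for reset patterns that deserve a second look."""
    alerts = []
    events = sorted(events, key=lambda e: e.ts)
    for ev in events:
        if ev.kind != "reset":
            continue
        nearby = [o for o in events if o is not ev
                  and abs((o.ts - ev.ts).total_seconds()) <= window.total_seconds()]
        after = [o for o in nearby if o.ts >= ev.ts]
        # Control 4: a privileged reset with no approval by a different agent close in time.
        if ev.privileged and not any(o.kind == "approval" and o.account == ev.account
                                     and o.actor != ev.actor for o in nearby):
            alerts.append(f"{ev.account}: privileged reset by {ev.actor} without 4-eyes approval")
        # Reset immediately followed by a new MFA device is the classic takeover sequence.
        if any(o.kind == "mfa_enrol" and o.account == ev.account for o in after):
            mins = int(window.total_seconds() // 60)
            alerts.append(f"{ev.account}: new MFA device enrolled within {mins} min of reset")
    # Control 6: one agent performing an unusual number of resets in a short period.
    by_agent = {}
    for ev in events:
        if ev.kind == "reset":
            by_agent.setdefault(ev.actor, []).append(ev.ts)
    for agent, times in by_agent.items():
        for start in times:
            n = sum(1 for t in times if 0 <= (t - start).total_seconds() <= 3600)
            if n >= burst_limit:
                alerts.append(f"{agent}: {n} resets within an hour")
                break
    return alerts


# Constructed sample log: one unapproved privileged reset followed by MFA enrolment,
# one properly approved privileged reset, and a burst of resets by agent02.
T0 = datetime(2023, 9, 11, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "reset", "jsmith", "agent01"),
    Event(T0 + timedelta(minutes=5), "reset", "adm-dbowner", "agent02", True),
    Event(T0 + timedelta(minutes=12), "mfa_enrol", "adm-dbowner", "adm-dbowner", True),
    Event(T0 + timedelta(minutes=20), "reset", "adm-backup", "agent02", True),
    Event(T0 + timedelta(minutes=22), "approval", "adm-backup", "agent03", True),
    Event(T0 + timedelta(minutes=40), "reset", "mjones", "agent02"),
]

if __name__ == "__main__":
    print(evaluate_reset(ResetRequest("T1", "adm-dbowner", True, {SMS_OTP, APP_PUSH}, "agent02")))
    for line in review_reset_log(SAMPLE_EVENTS):
        print(line)
```

The callback and manager-confirmation factors matter because they use contact details the organisation already holds, not details the caller supplies; a caller who has built a persona from LinkedIn can recite a name and a job title but cannot answer the phone at the number in the HR directory. The log review is deliberately simple (fixed time windows, no baseline), so tune the window and burst limit to the real reset volume of the help desk before relying on the alerts.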
