A cybersecurity issue that affects availability looks like an extortion attempt, but the victim is being unusually tight-lipped.
MGM Resorts shuts down some systems because of a “cybersecurity issue.” (Updated.)
MGM Resorts is undergoing what it characterizes as a “cybersecurity issue.” The company has so far been tight-lipped about the nature of that issue, tweeting only, “MGM Resorts recently identified a cybersecurity issue affecting some of the Company’s systems. Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems. Our investigation is ongoing, and we are working diligently to determine the nature and scope of the matter.”
Outages affected resorts in Las Vegas and elsewhere.
BleepingComputer says the incident began Sunday evening, and that it affected ATMs and credit card readers at resorts as well as MGM Resorts main webpage. Some guests say that their room keys are no longer working, and local media in Las Vegas say there are reports of slot machines in the resorts being out of operation.
The outages are particularly pronounced in Las Vegas, but resorts elsewhere have been affected, too. TechCrunch reports that the websites for “several of MGM’s regional resorts, including MGM Springfield in Massachusetts, MGM National Harbor and the Empire City Casino in New York.”
Speculation about the MGM Resorts attack centers on ransomware (now, on September 13th, 2023, confirmed).
MGM Resorts hasn’t said what kind of issue it’s grappling with, but the involvement of law enforcement and the fact that it appears to be something that’s disrupting availability suggests to many experts that it’s probably a ransomware attack. But that, we stress, is at this point speculation.
Chris Denbigh-White, the Chief Security Officer (CSO) for Next DLP, is among the experts who thinks the issue looks like a ransomware attack. "The recent cyber assault on MGM Resorts has sparked significant intrigue, albeit amid a veil of limited information. Considering the available intelligence and the trajectory of cyber threats this year, it strongly suggests ransomware is the probable perpetrator," he wrote.
It's also significant that business like MGM Resorts is particularly sensitive to disruptions of availability. "Casinos, both repositories of substantial wealth and vast volumes of personal and financial data that harbor a minuscule appetite for operational downtime, render them exceptionally enticing prey for cyber-criminal syndicates on the hunt for financial gain, Denbigh-White said. "Although specific details are lacking, the initial repercussions of this incident are far from unclear. MGM Resorts has instituted a sweeping shutdown of a substantial segment of its infrastructure. This episode accentuates the paramount role of visibility in crafting effective containment strategies. It compels businesses, irrespective of industry, to contemplate the depth to which they should be prepared to suspend or curtail their operations when confronted by such threats. MGM's response, somewhat akin to a "nuclear" option, is poised to affect its near-term revenue-generating capabilities indisputably."
The recovery will offers the prospect of interesting lessons learned. Denbigh-White added, "As MGM Resorts looks toward the eventual restoration of its services, the imperative of a meticulously delineated and rigorously tested system restoration process takes center stage. This process must ensure that when operations recommence, unwavering confidence prevails regarding the fortitude of system defenses. Following such an ordeal, a certain degree of paranoia will undoubtedly pervade as the systems are reactivated. The MGM incident underscores a universal truth—namely, that the calculus of cyber risk knows no industry bounds. The profound implications of this breach reverberate well beyond the casino walls, resonating as a stark reminder to senior leadership teams across sectors that the pursuit of resilience, protection of data, and the preservation of digital trust are mandates of our digital age."
And Fergal Lyons, cybersecurity evangelist with Centripetal, agrees that the issue sounds like ransomware. "While the event has not been officially disclosed, the early indications are that this is severe and widespread ransomware attack," he wrote in emailed comments. "If past performance in this industry is an indicator, then we could anticipate MGM paying the ransom if they see no other option. Cybercriminals are finding ransomware to be a lucrative industry, capitalizing on vulnerabilities and exploiting careless employees. The methods employed are diverse, tailored to the specific companies they target. Thus, it is imperative that all businesses take extra precautions to evade becoming the next target. Utilizing already available threat intelligence on these ransomware groups can thwart impending attacks and avert data breaches. Adopting a proactive, intelligence-based stance against potential threats is crucial as relying solely on a reactive approach to threat hunting may be too late, resulting in irreversible harm.”
(Added, 4:45 PM ET, September 12th, 2023.) Ken Westin, Field CISO of Panther Labs, concurs that it looks like a ransomware attack. "While the details of the attack have not been provided, the response of shutting down the network, particularly bringing down games which are the lifeblood of a casino, tells me that we are dealing with a potential ransomware incident. The shutdown of such critical systems was probably done to stop the spread of malware through their environment. Ransomware groups commonly target not just one company, but entire industries once they identify a common vulnerability or misconfiguration. This should be cause for alarm in the gaming industry, as these networks are tightly controlled with multiple layers of security, if a vulnerability was identified it could mean additional casinos will be hit that may share a vulnerable application or similar misconfiguration."
(Added, 2:15 PM ET, September 13th, 2023.) Some experts suggest that social engineering be considered the leading hypothesis as to how the attackers got into MGM Resorts' systems. Ian McShane, Vice President of Strategy at Arctic Wolf, is one of them. “Current speculation in the industry is that the MGM incident was the result of a ‘simple’ social engineering scheme, involving impersonated employees. These types of schemes are relatively easy, an actor can look up employees on LinkedIn, impersonate them to the organization’s helpdesk and go from there. There’s also a chance that attackers may have leveraged stolen employee personal credentials from previous incidents – information that is readily available on the dark web," McShane writes. "It's important to note that social engineering, if it is indeed the root of this incident, can happen to any organization, no matter how sophisticated. Establishments like MGM invest heavily in physical security, monitoring and visibility of physical people, without inside knowledge you’d assume that they do for cyber, too. I’m almost certain that MGM isn’t underfunded or underinvested in cyber. I suspect this is just more proof that technology is not the silver bullet – people and process need to be continuously monitored and modified as the threat landscape changes. This sounds similar to the Uber incident last year that used social engineering to gain access, and ultimately cause a panic across the industry." McShane thinks that the incident may prompt fresh regulation of the gaming industry in particular. "Long term, given the precedents set in other industries, the recent disclosure rules added by the SEC, and the highly regulated nature of casinos in general, I wouldn’t be surprised if gaming/casino authorities take a look at mandating specific requirements relating to cybersecurity that are part of the gambling license. From a recovery perspective, I think it’s clear that a company of this size is unlikely to pay the ransom. Because of the amount of money involved in the downtime at these places, I would expect them to have a relatively strong disaster and recovery plan in place, as well as business continuity protocols around the loss of computer systems.”
With great connectivity comes great responsibility.
Tom Kellermann, senior vice president of cyber strategy at Contrast Security, wrote to point out that with great transformation comes great responsibility. “For decades casinos have been leaders in security. The MGM hack underscores how digital transformation increases the attack surface and how physical infrastructure can be disrupted by a cyberattack. Guards, guns and vaults cannot defend against cyber-intrusions. Cyber vigilance is paramount in an era of cybercrime.”
The attack surface has changed, and grown more complicated. Erfan Shadabi, cybersecurity expert with comforte AG, explained, “In an era where digital transformation is reshaping the way the tourism industry operates, the reliance on interconnected systems and data-driven processes has never been greater. As such, the sector becomes an attractive target for cybercriminals seeking financial gain or to exploit vulnerabilities for malicious purposes. The MGM Resorts incident is emblematic of this overarching challenge. Recognizing the pivotal role technology plays in enhancing guest experiences, optimizing operations, and facilitating global connectivity, the tourism industry must allocate resources to bolster its cybersecurity posture. To that purpose, data-centric security stands as the most effective approach in safeguarding organizations within the tourism industry due to its inherent focus on protecting the core asset that cybercriminals seek to exploit: data itself. Rather than relying solely on perimeter defenses and assuming that all breaches can be prevented, data-centric security recognizes the inevitability of potential breaches and prioritizes securing the data at its very essence. By doing so, this approach not only fortifies an organization's defenses but also ensures that even if a breach occurs, the stolen data remains indecipherable and effectively useless to malicious actors.
MGM Resorts have been attacked before, and this incident shows how threat and risk change. Shobhit Gautam, Security Solutions Architect with HackerOne, wrote, “The latest cyberattack on MGM demonstrates the major impact these incidents have on company operations, the ability to take in revenue and customers. While the root cause of the attack is not yet clear, the fact that the goal of this incident differs from the 2019 MGM data leak very much is." That incident primarily involved data theft. "Back then, bad actors infiltrated internal systems to steal 142 million guest credentials to sell on the Dark Web. The goal here was likely profit, plain and simple. While money nearly always plays a role in cybercriminal activity, it appears that the intent behind this latest assault was disruption and chaos above all. With guests locked out of rooms, major revenue generators like slot machines down and multiple resorts’ systems impacted, the reputational damage and stress will mirror the likely significant financial loss." Part of the prescription, Gautam believes, is for someone in an organization to think like an outsider. "Organizations across all industries should consider adopting an outsider mindset when considering how best to secure their organization. Ethical hackers have this mindset and help organizations find and fix any security weaknesses they have before they can be exploited on this scale. In 2022, the average bug bounty payout was just shy of $1,000 in travel and hospitality for the most critical vulnerabilities. Compare that to the cost of a data breach at $4.45 million (according to IBM), and it’s clear the investment in bringing third-party experts in to supplement security tools is well worth it.”
(Added, 10:30 PM ET, September 12th, 2023.) Steve Hahn, Executive VP at Bullwall, also thinks the attack on the availability of services strongly suggests a ransomware attack. "MGM isn’t publicly stating the nature of the attack, but looking at the endless stream of negative social media posts from their customers being locked out of their room, or entering rooms with other guests in them, ATMs and slot machines down, this really can’t be anything other than a Ransomware Attack. Ransomware Attacks are designed not just to encrypt data, but to propagate itself to other endpoints, servers, fileshares and even VMs and Domain Controllers. Once this happens wide-scale outages begin across the victims IT and services," Hahn wrote.
He also noted that this kind of attack is hard to fend off when the attacker is determined to push it through. “Ransomware is also nearly impossible to prevent from a focused and dedicated threat actor. Casinos have some of the largest attack surfaces out there. Every IoT device presents the threat actors with another attack vector. I spoke to a casino that was hit recently that had the attack initiate on a temperature sensor in a large aquarium on their property. These types of properties should view these as a “when” not “if” event and look to how to contain an outbreak within milliseconds vs solely focusing on prevention. With a prevention only focus the threat actor only needs to get it right one time. Containment tools and a disaster response plan have to be seen as “table stakes” for casinos in the modern threat world.”
Emily Phelps, Director at Cyware, sees interconnected operations as presenting an inherent, and growing, challenge. “Cybersecurity is increasingly complex, in part, due to the interconnected way in which business now operates. It is more difficult to isolate an issue, leading to widespread impact. Even well-resourced enterprises deal with disparate tools, siloed teams and data, and delayed response. Cybersecurity must become more collaborative to get ahead of threats that interrupt business continuity.”
(Added, 12:45 PM ET, September 13th, 2023.) David Mound, Senior Penetration Tester at SecurityScorecard, drew some lessons from the incident and MGM's response. "When MGM noticed something was off, they immediately took their systems offline. This quick action just goes to show how vital a strong incident response strategy is. By being proactive, you can seriously limit the damage an attack might cause," he said in emailed comments. "Now, the sheer magnitude of this attack suggests that they're dealing with some pretty advanced and possibly very skilled cyber criminals. It's a wake-up call for businesses to always be on their toes and keep updating their security measures in order to stay one step ahead of these ever-changing threats." Mound also drew attention to the way the attack hit the availability of gaming systems. "One of the more alarming aspects of this attack was how it messed with the casino's slot machines. Slot machines are usually on a segregated network so it's not clear if they were taken down as a precaution or if somehow the attackers have managed to traverse across into it. This really drives home the point that cyber attacks can throw a wrench into the most crucial parts of a business, potentially causing massive financial setbacks." And he offered some recommendations to other businesses considering upgrading their defenses against such attacks. "So, what can businesses do to be better prepared? Well, for starters:
- "Layer up your security! Think firewalls, intrusion detection systems, and regularly checking for vulnerabilities.
- "Have a solid game plan in place for when things go south. This means a comprehensive incident response plan that lets you act swiftly if there's a breach.
- "Train your team. Make sure everyone knows about the risks of phishing and other sneaky tactics, because sometimes, human mistakes can be the weakest link.
- "Always, and I mean always, back up your essential data. If you're hit with ransomware, this could be your lifeline.
- "And last but not least, team up with the cybersecurity community. Sharing info on threats and best practices can make a huge difference."
(Added, 12:45 PM ET, September 13th, 2023.) Moody's Investor Service evaluated the incident and said, in an assessment they provided the CyberWire, that the incident is "credit negative" for MGM Resorts International. The downtime was a problem for a business that relies heavily on technology, especially when that downtime entails potential revenue losses. MGM Resorts will also be dealing with "reputational risk and any direct costs related to investigation and remediation." There's a risk of litigation as well. In general, Moody's regards "the gaming and gambling industry as carrying moderate cybersecurity risk" because of its high degree of digitization and the large quantities of potentially valuable personal information companies in the sector tend to hold.
(Added, 2:15 PM ET, September 13th, 2023.) Nicko van Someren, Chief Technology Officer at Absolute Software, sees the incident as further evidence of the growing importance of resilience. "Monday’s cyberattack on MGM Resorts emphasizes the critical importance of cybersecurity resilience in today's interconnected digital landscape. As organizations increasingly rely on technology to conduct their operations and manage the customer experience, they become more vulnerable to malicious actors seeking to exploit vulnerabilities. Cybersecurity resilience isn't just about preventing attacks; it's about having the capacity to detect, respond to, and recover from such incidents swiftly and effectively. It has become quite clear that organizations have got the wrong balance between their spending on defense and their spending on response. Rather than just trying to fend off attacks–because it's very clear that fending off the attacks altogether is a losing battle–what you need to think about is how you minimize the impact. In an age where downtime can result in significant financial losses, reputational damage, and compromised customer data, the ability to maintain system availability and data integrity during and after an attack is critical. Building a robust cybersecurity resilience strategy is not an option but a necessity, to safeguard both an organization's assets and its reputation in these ever-evolving threat and competitive landscapes."
(Added, 4:45 PM ET, September 13th, 2023.) Bobby Cornwell, vice president, strategic partner enablement and integration at SonicWall, added some thoughts on why casinos are attractive targets for this kind of attack. “Casinos are an obvious target for cyber-attacks because of their high financial turnover. A well-executed casino attack can yield a treasure-trove of personal information and financial data, such as credit card numbers, and the names and addresses of its customers," Cornwell said, in emailed comments, adding that MGM's initial response seems to have been the right call. "Out of an abundance of caution, MGM made the right call to lock down all the systems it did, even if it meant inconveniencing its guests as a result of their actions. The fact that they were willing to quickly shut down their lucrative gaming system attests to the seriousness of this breach. On a positive note, the fact that gaming and guest services (to a degree) have resumed leads me to believe the compromised network was isolated, and allowed normal operations to resume for the gaming network." But the prolonged outage of the company's website is probably significant. "The fact that the website is still down suggests this was the real prize for the attackers. While gaming systems do have an abundance of elements that a hacker would look for in a ransomware attack, the resort’s website, which allows for bookings of rooms and entertainment does have a far reaching and very public effect that could lead to a large payday for ransomware threat actors. This is another example of the importance of ensuring critical infrastructure within a networked environment is up-to-date and patched, it also stresses the importance of a layered security approach on the perimeter and critical infrastructure segmentation when using security solutions provided by multiple vendors and education and awareness training of employees.”
Social engineering in a ransomware campaign.
(Added, 11:00 AM ET, September 14th, 2023.) Darren James, senior product manager at Specops Software, an Outpost24 company, described the convergence of publicly available information and social engineering in evidence during this attack. “This is another example of where threat actors are using a combination of publicly available information, technology, and human behavior to gain access to valuable and sensitive systems and data. It's important for organizations to realize that zero trust extends to all processes including those of the service desk. Securely verifying the user at the other end of the line has never been more important, you can no longer rely on weak factors such as a recognizable voice, or a shared code word. Without secure verification at the service desk, you’ll be leaving yourselves open to both monetary and reputational consequences – something that appears in this case that could have been avoided.”
(Added, 11:15 AM ET, September 14th, 2023.) John Gunn, CEO of Token, writes with considerable heat of the consequences of relying on good human behavior and sound practices. "It is beyond ridiculous that we continue to rely on humans as the core of our cyber-defense strategy and expect every employee in the entire organization to be able to identify and fend off sophisticated attacks from hackers using the most advanced tools and techniques. Humans, meaning everyday users, are simply not capable and we have to take this vulnerability out of the process by changing the way they login," he commented. "People are the weakest link in cyber security and their abilities to defend have improved extremely little in the past twenty years while attack methods and tools have raced forward in effectiveness and frequency. When cyber criminals fully implement AI, it will be a bloodbath as breaches and the losses accelerate seemingly unimpeded. We must stop relying on humans to defend our organizations against today’s cyber attacks."
A look at the suspected ransomware operator.
(Added, 11:15 AM ET, September 14th, 2023.) Nick Hyatt, cyber practice leader at Optiv, offered a look at the gang believed to be behind the attack. “Scattered Spider is a financially motivated threat group with loose toolset and affiliate ties to the Alpha/BlackCat ransomware syndicate," Hyatt said. The gang is unusual in being native anglophone, which gives it an advantage in prospecting its deep-pocketed targets. "Comprised of English-speaking individuals, Scattered Spider is known for using social engineering tactics via SMS phishing or phone-call based vishing. They are mostly young hackers and financially motivated. Historically they have shared toolset usage with the Alpha/BlackCat organization. While these are distinctly separate groups, there is likely an affiliate relationship there, given Alpha/BlackCat's operation as a Ransomware-as-a-Service outfit.”