MGM Resorts International and Caesars Entertainment made the news earlier this month because of an expensive and embarrassing security breach. The two gaming giants had a number of business functions compromised, and they were shut down for over a week—including reservation systems, mobile apps, and casino machines. Credit card information from loyalty program members was also stolen.
The cyber attack caught the entire gaming industry by surprise, but it has implications for your organization as well.
What Exactly Happened?
The casino attack began on the evening of September 10th and was reported on the 11th, when members of the casinos’ rewards programs noticed unauthorized purchases on their credit cards. Very quickly, the casinos were shuttered, slot machines were turned off, and nearly every system went offline.
MGM lost an estimated $8.4 million for every day that they were shut down — ten days, in total.
The nature of the business is that casinos typically have a pretty strong security stance. This was not a garden-variety hack; the attackers had a lot of hurdles to overcome.
Scattered Spider claimed responsibility for the breaches. They’re believed to be a group of young hackers (aged 17 to 22) who are native English speakers. They’ve been active since May 2022, and they’ve also had major success going after the banking and telecom industries.
Scattered Spider is extremely efficient and extremely ruthless. They have threatened employees of their target organizations. In some cases, they’ve triggered SWAT team responses against company executives’ home addresses. Sometimes this is used as a distraction, other times it’s just pure malice.
Typically, Scattered Spider breaks into a company through a two-factor bypass. They spearphish specific employees with highly privileged credentials. Then they proceed to use information gathered from social media and other social engineering to execute what’s called a SIM swap.
In a SIM swap, a threat actor has enough personal information about you, including your phone number and your phone carrier, to call the carrier and impersonate you. They claim the phone has been lost or broken and ask to activate your number on a new handset. They take your number from you and put it on a phone they control.
Once they have your number connected to their phone, they can coerce help desk personnel into resetting two-factor authentication and activating it on the new phone. Once multi-factor is reset, the threat actors have free rein.
In the case of MGM, Scattered Spider actually called the help desk, impersonated the employee, got through whatever security questions they needed to get through, and had the help desk reset the two-factor.
The nature of SIM swapping often causes these particular breaches to be discovered pretty quickly because the victim’s phone goes dead. Typically the hacker will use the credentials for a small window of time and then create their own backdoors and credentials, knowing they’re about to lose access to that front door credential.
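The pattern just described (help desk resets MFA, the intruder signs in from a new device and quickly creates backdoor credentials) is something an audit log can be watched for. The detection below is an added example, not code from the original post; the log format, field names and event names are assumptions, and the log lines are constructed sample data.

```python
"""Flag accounts where a help-desk MFA reset is followed, inside a short window,
by the creation of new credentials or accounts (the backdoor pattern).
Event names and the 'timestamp|actor|event|target' layout are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). jdoe shows the abuse pattern;
# mlee is a legitimate reset with no follow-on persistence activity.
SAMPLE_LOG = """\
2023-09-10T19:02:11|helpdesk.bob|MFA_RESET|jdoe
2023-09-10T19:06:40|jdoe|LOGIN_NEW_DEVICE|vpn-gw
2023-09-10T19:15:02|jdoe|API_KEY_CREATED|svc-backup
2023-09-10T19:21:55|jdoe|USER_CREATED|svc-ops2
2023-09-11T09:00:00|helpdesk.ann|MFA_RESET|mlee
2023-09-11T09:30:00|mlee|LOGIN_NEW_DEVICE|vpn-gw
"""

# Events that, shortly after a reset, suggest the intruder is building persistence.
PERSISTENCE_EVENTS = {"API_KEY_CREATED", "USER_CREATED", "ROLE_GRANTED"}


def parse_log(text):
    """Turn the pipe-separated lines into (timestamp, actor, event, target) tuples."""
    events = []
    for line in text.splitlines():
        ts, actor, event, target = line.split("|")
        events.append((datetime.fromisoformat(ts), actor, event, target))
    return events


def find_reset_abuse(events, window=timedelta(hours=2)):
    """Return {account: [(event, target), ...]} for every account whose MFA reset
    is followed by persistence activity within `window`."""
    resets = {}                 # account -> time of its most recent MFA reset
    hits = defaultdict(list)
    for ts, actor, event, target in sorted(events):   # sorts by timestamp first
        if event == "MFA_RESET":
            resets[target] = ts
        elif event in PERSISTENCE_EVENTS and actor in resets:
            if ts - resets[actor] <= window:
                hits[actor].append((event, target))
    return dict(hits)


if __name__ == "__main__":
    for account, actions in find_reset_abuse(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {account}: persistence after MFA reset -> {actions}")
```

Tuning the window matters: the post notes the attacker only needs a small window before the victim notices the dead phone, so an hour or two after the reset is where the backdoor creation clusters.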
Scattered Spider is incredibly fast. They’re capable of overwhelming well-trained, well-qualified cyber teams. They’re incredibly organized, impressively efficient, and terrifyingly ruthless.
Why This Data Breach Is Relevant to You
You should be concerned about the MGM/Caesars breach because your organization likely faces the same problems as the casinos. If you don’t make changes to your MFA and cellular device practices, policies, and procedures, you’re going to be susceptible to this kind of attack.
It becomes a matter of when rather than if it will happen.
Your Reputation Will Take a Hit
Reputational damage due to a breach should be a huge concern. Organizations are obligated to notify their customers when a breach occurs and their information may have been compromised. That notice alone impacts MGM’s current customers and creates a loss of trust.
The public nature of the security breach also impacts the casinos’ future business. You may have already read anecdotally about it through headlines. There’s speculation that MGM’s profits are going to remain down for months because people will be hesitant to return to the casino.
Headlines are accompanied by pictures and screenshots of slot machines with a sad, frowny face and a little thermometer saying, “Sorry, out of order today, unable to connect.” That image is essentially the face of MGM right now.
Your Bottom Line Will Take a Hit
Of course, there’s also the expense of cleaning up the mess. It will take the casinos thousands of man-hours to clean up from an incident of this scale. We’re talking about highly priced security specialists charging between $150 and $200 an hour on the low end, and up to $3,000 an hour or more on the high end.
Do the math and it’s several hundred million dollars each for Caesars and MGM in recovery costs. Those numbers aren’t unusual for organizations that get hit by bad actors like Scattered Spider.
Keep Your Organization From Suffering MGM’s and Caesars’ Fate
It’s easy to sit back and armchair quarterback an incident after the fact. For those of us in the cybersecurity industry, it’s our responsibility to learn from these incidents and do better. MGM and Caesars weren’t necessarily doing anything fundamentally wrong, but there are several practices, policies, and procedures that could be improved upon. Keep these in mind as you evaluate your own organization’s security against this type of attack.
Prevent SIM swapping
Organizations that use SMS for two-factor authentication need to seriously reconsider whether that’s a safe choice. Once a hacker has access to a phone number, a simple phone call or a text message is all that’s required to bypass multi-factor and access protected accounts and applications. And in most cases, they can reset that second factor themselves through self-service using the same phone number.
Better options include authenticator apps, tokens, or biometrics—anything that requires more than an SMS message. In the case of your mobile carrier, you should have a strong unique PIN that needs to be provided before any action can be taken. PINs add that extra layer of protection and are ideal because they’re less likely to be phished through social engineering.
Don’t use anniversaries, birthdays, or simple number sequences. The longer your PIN is the better, because four-digit PINs are pretty easy to brute force. Most telecom providers have the capability for a stronger PIN, and if they don’t, it’s likely on the way.
Avoid quizzes on social media, which may seem harmless but often are used to collect data for hackers. Avoid sharing personal information, especially if your job function allows you access to sensitive data and information. We all love to talk about work, but sometimes it’s better to play it safe and not share details.
Combat Phishing
It’s critical that anyone in your organization with access to sensitive data and information is properly trained on how to avoid phishing. With tools like AI out there, phishing has gotten better and deserves much more awareness. Phishing messages used to be in broken English, but AI can write like a native English speaker.
It used to be easy to spot phishing emails, because they would come from gmail.com addresses rather than an internal address, but now they look much more convincing. In many cases, a message may actually appear to come from a legitimate address because the organization doesn’t have things like DKIM and SPF set up correctly.
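Whether your own domain can be spoofed this way comes down to what your published SPF and DMARC records say. The checker below is an added example, not code from the original post: it scores record strings for the weak settings that let spoofed mail through. The record strings are constructed samples; in practice they come from the domain’s DNS TXT records, which this offline example does not query.

```python
"""Score SPF and DMARC record strings for settings that allow spoofed mail.
Input records are constructed samples, not real domains' records."""
import re

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 of them.
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)")


def spf_findings(record):
    """Return a list of weaknesses found in an SPF TXT record string."""
    findings = []
    if not record.startswith("v=spf1"):
        return ["no valid SPF record: any host may send as this domain"]
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.endswith("all")), None)
    if all_term is None or all_term in ("+all", "all", "?all"):
        findings.append("permissive 'all' qualifier: any sender passes")
    elif all_term == "~all":
        findings.append("softfail '~all': spoofed mail is accepted, only marked")
    if sum(1 for t in terms if LOOKUP_RE.match(t)) > 10:
        findings.append("more than 10 DNS lookups: record evaluates to permerror")
    if any(t.lstrip("+-~?") == "ptr" for t in terms):
        findings.append("'ptr' mechanism is deprecated and unreliable")
    return findings


def dmarc_findings(record):
    """Return a list of weaknesses found in a DMARC TXT record string."""
    if not record.startswith("v=DMARC1"):
        return ["no DMARC record: receivers will not enforce SPF/DKIM alignment"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to spot abuse")
    return findings


if __name__ == "__main__":
    # Constructed sample records: a weak pair and a hardened pair.
    print(spf_findings("v=spf1 include:_spf.example.net ~all"))
    print(dmarc_findings("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print(spf_findings("v=spf1 include:_spf.example.net -all"))          # []
    print(dmarc_findings("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))  # []
```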
Segment Your Network
Lastly, a high degree of network segmentation must be a part of your security plan. This will help contain any lateral movement that occurs during a breach. If one set of assets does get breached, with network segmentation you can easily and quickly contain the issue to that set.
Unfortunately, this is a pain for service providers and run teams. They’re going to have to re-authenticate frequently. They may require multiple accounts. They may have to jump from one set of servers, go to a different jump box, then access another set of servers. But we need to rely on that microsegmentation to prevent a flat network where everything can talk to everything with no isolation during an attack.
MGM likely had deficiencies in network segmentation. It’s probable that the credentials allowed access to domain controllers, where the attackers were able to gain additional access to various network assets. That might have been one of the more significant downfalls in this situation.
The days when one person has super admin access to everything have to stop. Least privilege keeps these incidents from becoming so big and so protracted because lateral movement is more confined.
Strengthen Your Protection with Black Kilt
Black Kilt has worked with several Fortune 10 companies on these exact security problems. Hiring Black Kilt to evaluate your security could, in an instance like the MGM/Caesars hack, literally save your business hundreds of millions of dollars.
Over the last seven years, we have been heavily engaged in securing the financial services sector. We also have experience in entertainment, heavy manufacturing, and many other industries. We have the skills and the talent to work at your level.
We’ll help you with your practices, your policies, and your procedures. Use Black Kilt to shine a light in the dark corners so that you can have much better visibility of your organization.