Dissecting the MGM Cyberattack — Could Pen Testing Have Prevented It?

Most of the cyber community has heard about the MGM cyberattack. It brought the famous casinos in Las Vegas and other cities to a grinding halt, creating significant financial losses for the company along with reputational harm. Guests couldn’t check in or use door keys. Slot machines went dark, and websites were down. It was not a good 10 days, which is approximately how long it took to recover.

This cyber incident is unique because of how hackers got into their systems. We often consider how sophisticated cybercriminals are with artificial intelligence (AI) tools and sneaky ways to exploit vulnerabilities.

However, that’s not what happened here. Instead, it was social engineering. So, what went wrong for MGM, and could pen testing have prevented it? I don’t have any direct information about the organization’s cybersecurity strategies, policies, or protocols. I’m working with publicly available information. From that, I have some insights to share that are important for any company.

What Happened in the MGM Cyberattack?

MGM initially relayed that they were experiencing a “cybersecurity issue” on September 11. This announcement included the company stating it was shutting down systems to protect them and their data. The immediate impact kept guests unable to use their digital keys and waiting in long lines to check in to their properties.

Slot machines weren’t working either, requiring handwritten receipts. Everything had to shift to manual mode, exasperating guests and employees in our tech-connected world. One would expect a multibillion-dollar global corporation to be cyber secure, but everyone’s vulnerable, no matter who you are.

Scattered Spider and Social Engineering

As for how it happened, we have some insights. A group called Scattered Spider may be responsible. Reports say they used ransomware made by ALPHV/BlackCat, a ransomware-as-a-service operation. Scattered Spider’s specialty is social engineering, especially vishing (phishing via phone), which is an old-school but obviously effective approach.

Their effectiveness at vishing seems to come from the fact that the group’s members, considered young and European or American, are fluent English speakers. A call from one of them wouldn’t raise suspicion the way a call from someone with a heavy accent might.

The group appears to have done their social homework, finding an employee’s information on LinkedIn and impersonating them in a call to the MGM IT help desk to obtain credentials, which they used to infiltrate and infect the system.

A person claiming to represent Scattered Spider told the Financial Times that they stole and encrypted MGM data and demanded a ransom in crypto to return it. This was their plan B. Plan A had been to hack their slot machines, but they were unsuccessful. However, this is uncorroborated, and ALPHV/BlackCat has denied these reports, specifically the slot machine aspect and the claim that a band of young criminals pulled it off.

So, there are many unknowns, and you can’t depend on the word of cybercriminals. Who did it isn’t as important as the how.

Why Did Vishing Work?

If we dissect the alleged method of the attack, vishing, there are some things to learn. Much of companies’ focus on creating security awareness policies revolves around phishing. It’s the channel that we assume social engineering attacks will use. Phishing continues to be a top cause of breaches, increasing by 31% in 2022. The policies of cybersecurity professionals are long and detailed on protecting against it, and cyber firms can even conduct phishing exercises to test how your employees will respond.

Vishing, however, doesn’t get as much attention. Maybe we’ve forgotten that people still use the phone since it’s so analog. Leaving it out of cyber policies is likely due to the belief that hackers don’t operate like that. Most don’t, but it’s a successful method.

In phishing or vishing, cybercriminals are targeting the weakest link: people. When the two are combined, hackers get results. According to a report, targeted phishing attacks that used phone calls were three times more effective than those that didn’t.

All our sophisticated tools monitoring networks and looking for abnormalities don’t mean much when picking up the phone is the way to get in. Vishing is so much easier to pull off in terms of social engineering. By contrast, it takes work to craft phishing attacks that appear authentic.

This incident puts vishing in the spotlight. It’s likely turning on some lights in the heads of CISOs and cyber leaders. In addition to the MGM cyberattack, its rival suffered a similar experience.

MGM Wasn’t the Only Casino Facing a Cyberattack

MGM’s chief competitor on the Las Vegas Strip is Caesars. Reports surfaced that Caesars had also been the victim of a hack but opted to pay the ransom. Caesars was mum about this until they had to report the breach as part of filings with the Securities and Exchange Commission. The organization stated that an “outsourced IT support vendor” was the actual hack victim via social engineering, which resulted in the exposure and theft of customer data.

So, should they have paid the ransom? In my opinion, it depends. Many organizations and cyber experts would say you should never pay, believing it may deter hackers. It’s pretty flawed logic to think criminals would take your word for it. The other argument against paying is that you cannot guarantee they’ll release your data. Most, however, seem to do it because they want the money.

An organization could be confident in not paying it if they have an updated and tested incident response plan and data backups that can be restored quickly. If they can source and stop the ransomware, understand the vulnerability, and know the extent of the infection, a company can walk away from the bargaining table.

Unfortunately, not many are in this position, even among those we think have the budget and resources to do this. Both companies are defendants in multiple lawsuits due to the attacks.

So, what could MGM and Caesars have done to be better able to prevent an attack?

Parting Advice on How to Limit Your Risk

No matter the size of your company or the industry you’re in, there are some fundamental things you can do to lower your risk. It doesn’t mean that hackers won’t attempt to attack you. The only way to have no risk is to be offline. You can build a cyber plan and program that puts you in the best position to defend against social engineering and ransomware.

Initiate Regular Vulnerability Assessments by Trusted Third Parties

Vulnerability assessments evaluate every asset in a network to identify any missing patches or configurations. They find all the gaps that allow hackers to gain access. Vulnerabilities can be bugs, code flaws, security procedure issues, or lack of internal controls.

After the hackers allegedly received credentials, were they then simply able to infiltrate the system? What weaknesses gave them this advantage? With regular vulnerability assessments by experts, you won’t be in the dark about how hackers can compromise you. These assessments help you stay on top of patches, provide insight into application security, and look for compromised passwords. They work even better when paired with pen tests.

Hire Cyber Firms to Do Pen Tests

Could pen testing have prevented the MGM cyberattack? It wouldn’t have averted the phone call, but pen tests show you all your skeletons.

What makes pen tests so valuable is that they simulate an attack. Ethical hackers are the ones trying to gain access, and they can use many different methods to do so, including social engineering. There are specific social engineering pen tests that can determine how equipped you are to thwart phishing and respond appropriately to vishing.

Pen tests can assess any aspect of your technology ecosystem. Any company should use these as a standard part of their cybersecurity program. They also aren’t something you do once. You’ll need testers to do them continuously to ensure remediation efforts are accurate.

Ensure Your Backup System Is Secure

The best way to know your backup system is secure is to test it. It also has to be separate from your primary network. Run simulations on how you’ll restore from backups, too. You would think those backing up data and applications would evaluate their process, but many overlook it.

Include All Types of Phishing and Vishing in Awareness Training

Expanding cybersecurity training to include vishing is essential in avoiding this attack. There should be layers of authentication before anyone provides credentials over the phone. Verification and validation are critical here. Thus, there has to be multifactor authentication at play.

So, if someone claiming to be executive John Smith calls in asking for credentials, the first response would be to use other means to verify who’s on the phone. It doesn’t matter that he says he’s a VP; IT has to confirm his identity.
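The layered verification described above can be written down as a help-desk policy check. This is an added example, not code from the article or from any company's actual procedure; the directory records, check names, tiers, and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy values for this sketch, not taken from the article.
MIN_FACTOR_AGE_DAYS = 7                       # ignore MFA devices enrolled in the last week
REQUIRED = {"standard": 1, "privileged": 2}   # independent checks needed per account tier

# Constructed directory records (the HR system of record), not real people.
DIRECTORY = {
    "jsmith": {"phone": "+1-702-555-0100", "tier": "privileged"},
    "adoe": {"phone": "+1-702-555-0101", "tier": "standard"},
}

@dataclass
class ResetRequest:
    claimed_user: str
    claimed_title: str                # the caller's own claim; never used as evidence
    callback_number: Optional[str]    # number the help desk called back, if any
    mfa_approved: bool                # caller approved a push on an enrolled device
    mfa_enrolled_on: Optional[date]
    manager_approved: bool            # manager confirmed through a separate channel

def evaluate(req: ResetRequest, today: date) -> tuple[bool, list[str]]:
    """Return (allow, passed_checks) for a phone-initiated credential reset."""
    record = DIRECTORY.get(req.claimed_user)
    if record is None:
        return False, []
    passed = []
    # A callback counts only if it went to the number on file,
    # not to a number the caller supplied during the call.
    if req.callback_number == record["phone"]:
        passed.append("callback_to_directory_number")
    # MFA counts only if the device was enrolled well before the call.
    if req.mfa_approved and req.mfa_enrolled_on is not None:
        if (today - req.mfa_enrolled_on).days >= MIN_FACTOR_AGE_DAYS:
            passed.append("mfa_on_established_device")
    if req.manager_approved:
        passed.append("manager_confirmation")
    # A title claimed on the phone never lowers the bar; the account tier sets it.
    return len(passed) >= REQUIRED[record["tier"]], passed
```

Name, title, and employer are the details an impersonator can collect from a public profile, so the check gives them no weight at all.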

Want to Talk About How to Avoid a Cyberattack?

The MGM cyberattack has some lessons for the entire industry and every organization. No one is immune to cyber threats. The best way to protect your company is to be proactive; we can help. Get in touch to schedule a strategy session today.
