Mark Munger, CTO

Analyzing MGM and Caesars Cyberattacks: Lessons in Cybersecurity Preparedness


In the wake of recent cyberattacks targeting industry giants MGM and Caesars Entertainment, there are lessons to be learned from both the commonalities and disparities in these incidents. Additionally, there are regulatory compliance, disclosure, and other areas to be considered and rated against your current cybersecurity profile. These high-profile breaches offer valuable insights into the ever-evolving realm of cybersecurity threats within the gaming industry. Furthermore, they underscore the importance of proactive cybersecurity measures and preparedness.


General Considerations


Before delving into the specifics of these cyberattacks, it's essential to emphasize the significance of proactive cybersecurity measures. Post-breach recovery efforts are undoubtedly crucial, but they are far from an ideal starting point. Proper preparation, stringent defenses, and compartmentalized systems are essential. For instance, segregating gaming environments from administrative ones may have ensured the continuity of operations even during restoration and system rebuilding, as demonstrated in the experience of another gaming organization whose design and restoration we were involved in. MGM appears not to have followed that design concept.


A robust information security director understands the value of saying "no" when necessary, prioritizing system compartmentalization over new customer service initiatives or cost-cutting measures. The expenses associated with recovery far outweigh any upfront investments or savings.


Based on recent information, it appears that social engineering and information from public social websites were used to conduct the breach. This is a reminder that an organization must not only protect but also educate its users.


The idea of a zero-trust environment also comes into play. While authenticating into more systems than we would like may cause some productivity challenges, the hit to productivity is far less than that of a cyber incident that goes viral from one breached administrative login.


Caesars Entertainment


Caesars Entertainment, recognized for its ownership of iconic properties like Caesars Palace, publicly disclosed a social engineering attack through a September 14 8-K filing. This breach compromised their loyalty program database, including sensitive data such as driver's licenses and social security numbers, with the attack dating back to at least September 7. Although the responsible group remained unclaimed at the time, subsequent reports suggested Scattered Spider and Alphv as potential culprits. Notably, Caesars appeared to experience relatively minimal disruption compared to MGM.


MGM Resorts Cybersecurity Issue


On Sunday, September 10, MGM Resorts (MGM) was crippled by a cyberattack. One of the largest hotel and casino companies in Las Vegas and in the world left customers and employees unable to access something as basic as the company's website. Instead, they were met with an apology or, worse, no response.


MGM owns the iconic Bellagio, made even more famous as the backdrop of the NFL draft and the future backdrop of the inaugural Formula One race in Las Vegas. Other properties include MGM City Center with Aria as the key resort, Mandalay Bay, Luxor, Excalibur, and the newest acquisition, The Cosmopolitan.


Guests experienced the attack by queuing up and waiting hours to check in, being unable to use electronic payments, and being locked out of rooms that used digital key cards. On the gaming floor, slot machines displayed a variety of out-of-order messages, ATMs did not respond, and parking systems that initially could not operate were eventually just left open, allowing free parking for all.


Attack Details


VX-Underground, a malware research group, posted that a group called ALPHV, also known as BlackCat, claimed responsibility for executing the attack. The group also claimed that it was as simple as using social engineering: they identified an MGM employee on LinkedIn who worked in IT support, then called the MGM help desk, which was more than helpful in providing access to an administrative login. Ten minutes to execute an attack that may take ten weeks or longer to recover from, not to mention the permanent damage to income and reputation.


MGM, like many companies, has several portals from the Internet into its internal systems. These portals make it convenient for customers and employees to access systems and information. While convenient, they are also the source of constant attacks, almost all of which are prevented. But like the Trojan horse being let into the castle, once attackers get through, if it is possible to roam freely internally, there is nothing to stop the bad actor from acting.


The BlackCat ransomware group claimed responsibility for infiltrating MGM's infrastructure. Disturbingly, this infiltration had occurred days before the breach was detected. During this window, the attackers managed to encrypt more than 100 ESXi hypervisors, a critical component of MGM's IT infrastructure, especially in the realm of virtualization.


Data Exfiltration and Ongoing Threat


Besides encryption, the hackers exfiltrated sensitive data from MGM's network and maintained access to certain parts of their infrastructure. This lingering access left the organization exposed to potential further attacks, highlighting the persistence and adaptability of modern cyber threats.


The Scattered Spider Connection


The group behind this cyberattack has been identified as Scattered Spider by cybersecurity experts. Their modus operandi involves a range of social engineering tactics, such as impersonating help desk personnel and conducting SIM swap attacks. These tactics are used to gain initial access to corporate networks. Once inside, they employ various techniques to escalate their privileges and move laterally within the network.


Detecting and defending against social engineering attacks like this one remains a persistent challenge in the cybersecurity landscape. These attacks, once successful, provide attackers with credentials that effectively grant them an insider's status within the targeted organization.


MGM's Response and Ransomware Deployment


One key aspect of this breach was MGM's response. While the company took steps to disconnect certain servers and contain the incident, the hackers persisted. They maintained super administrator privileges on MGM's Okta environment and Global Administrator permissions for the company's Azure tenant. Despite these actions from MGM, the attackers successfully launched ransomware attacks against over 100 ESXi hypervisors on September 11th.
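The help-desk reset path described in Attack Details and the persistence via Okta super administrator rights above suggest one detection a defender can run: a help-desk-initiated password or MFA reset of a privileged account, followed shortly by a new MFA factor and a session from an address the reset did not come from. The following is an added example, not code from the original article or from MGM; the event shape mimics Okta System Log fields, the event type names are assumed to match Okta's published ones, and the log lines, accounts and addresses are constructed.

```python
from datetime import datetime, timedelta

# Accounts whose reset should never be a routine help-desk action (assumption:
# this list is maintained from the IdP's admin-role assignments).
PRIVILEGED = {"it.admin@example.com", "okta.superadmin@example.com"}
RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}
WINDOW = timedelta(hours=1)

def ev(ts, etype, actor, target, ip):
    """Build a minimal event in the shape of an Okta System Log entry (constructed)."""
    return {"published": ts, "eventType": etype, "actor": {"alternateId": actor},
            "target": [{"alternateId": target}], "client": {"ipAddress": ip}}

# Constructed sample: a help-desk reset of a privileged account followed by a new
# MFA factor and a login from an unfamiliar address, plus a benign reset for contrast.
SAMPLE_LOG = [
    ev("2023-09-08T14:02:11Z", "user.account.reset_password", "helpdesk@example.com", "it.admin@example.com", "10.1.4.20"),
    ev("2023-09-08T14:05:40Z", "user.mfa.factor.reset_all", "helpdesk@example.com", "it.admin@example.com", "10.1.4.20"),
    ev("2023-09-08T14:09:03Z", "user.mfa.factor.activate", "it.admin@example.com", "it.admin@example.com", "203.0.113.7"),
    ev("2023-09-08T14:11:30Z", "user.session.start", "it.admin@example.com", "it.admin@example.com", "203.0.113.7"),
    ev("2023-09-08T15:30:00Z", "user.account.reset_password", "helpdesk@example.com", "front.desk@example.com", "10.1.4.20"),
]

def _t(e):
    return datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious_resets(events, privileged=PRIVILEGED, window=WINDOW):
    """Return (target_user, reset_time, new_ip) for each help-desk reset of a
    privileged account that is followed within `window` by a new MFA factor and a
    session from an IP different from the one the reset was performed from."""
    events = sorted(events, key=_t)
    alerts, seen = [], set()
    for i, e in enumerate(events):
        tgt = e["target"][0]["alternateId"] if e["target"] else None
        if e["eventType"] not in RESET_EVENTS or tgt not in privileged:
            continue
        if e["actor"]["alternateId"] == tgt:
            continue  # self-service reset; a different rule covers that path
        new_factor, new_ip = False, None
        for f in events[i + 1:]:
            if _t(f) - _t(e) > window:
                break  # outside the correlation window
            if f["actor"]["alternateId"] != tgt:
                continue
            if f["eventType"] == "user.mfa.factor.activate":
                new_factor = True
            elif f["eventType"] == "user.session.start" and f["client"]["ipAddress"] != e["client"]["ipAddress"]:
                new_ip = f["client"]["ipAddress"]
        if new_factor and new_ip and (tgt, new_ip) not in seen:
            seen.add((tgt, new_ip))  # one alert per account and source, not per reset event
            alerts.append((tgt, e["published"], new_ip))
    return alerts
```

Run over the constructed sample, only the privileged account's reset chain is flagged; the front-desk reset at 15:30 is ignored because the account is not in the privileged set.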


Data Compromise and Ongoing Threat


The attackers have not disclosed the full extent of the data they exfiltrated, leaving MGM uncertain about the potential compromise of sensitive information. To exert additional pressure on the company, BlackCat threatened to use their ongoing access to MGM's infrastructure to carry out further attacks.


As of now, there has been no confirmation from MGM regarding the ransomware group's claims, and the company has not responded to inquiries. This incident underscores the evolving and persistent nature of cyber threats and the critical importance of robust cybersecurity measures and incident response strategies for organizations in today's digital landscape. MGM's experience serves as a stark reminder of the necessity for businesses to remain vigilant, prepared, and proactive in the face of evolving cyber threats.


MGM reported that for the quarter ending June 30, all its Las Vegas Strip properties generated revenue of around $1.2 billion! Based on those figures, MGM’s Vegas Strip properties bring in more than $13 million per day in revenue. While we do not know how much MGM spent on resources to prevent the cybersecurity issue, it can be assumed that, in addition to what they will lose in revenue from the impact on operations, they will spend much more than a week’s revenue on mitigation and recovery. For the math-challenged, that should approach or exceed $100 million.


Differing Outcomes and Insights


While both cyberattacks shared the commonality of targeting casino industry leaders through social engineering tactics, the outcomes were starkly dissimilar. Caesars faced fewer operational disruptions and hinted at potential ransom payment, aligning with prior reports. Conversely, MGM grappled with extensive disturbances, with the question of ransom payment remaining unanswered.


These incidents underscore the diverse nature of cyber threats and their potential impact on organizations. The gaming industry, in particular, is a prime target due to its possession of valuable customer data, making it an attractive prospect for cybercriminals. To navigate this evolving threat landscape, organizations must comprehend the nuances of each attack and leverage these insights to construct robust and adaptive cybersecurity strategies.


The ongoing threat of cyberattacks necessitates perpetual vigilance, stringent security protocols, and collaborative efforts among industry stakeholders. These proactive measures are imperative for safeguarding sensitive data and ensuring the resilience of operational infrastructure.


Navigating the Legal Landscape of Cybersecurity Incidents


In an age where data breaches and cyberattacks have become an unfortunate norm, corporations find themselves grappling not only with technical challenges but also with complex legal obligations. As these recent events involving industry titans MGM and Caesars Entertainment have shown, understanding and effectively managing the legal aftermath of a cybersecurity breach is critical for any organization. Here are a few items for consideration.


Data Breach Notification Laws: Compliance Is Not Optional


One of the foremost considerations in the wake of a cybersecurity breach is compliance with data breach notification laws. Across numerous jurisdictions, companies are legally mandated to promptly notify both affected individuals and relevant authorities when a data breach occurs. These laws are stringent, often specifying strict timelines for reporting breaches. Failure to adhere to these timelines can result in severe penalties. It is incumbent upon businesses to familiarize themselves with the notification requirements of the regions in which they operate, given the global nature of many cyber incidents.


Regulatory Compliance: Industry-Specific Regulations


For companies operating in regulated sectors such as healthcare, finance, or gaming, compliance with industry-specific cybersecurity regulations is non-negotiable. These regulations lay down rigorous standards for data protection and incident response. Moreover, laws such as the GDPR and CCPA demand stringent data protection measures and impose substantial fines for non-compliance. Ignoring these regulations can lead to not only legal repercussions but also reputational damage.


Civil Liability: Facing Legal Consequences


Civil liability is a significant concern following a cyber breach. Breach victims have the right to initiate class-action lawsuits against the responsible companies, seeking damages stemming from the breach. Companies must be prepared to defend themselves in such cases, and demonstrating diligence in cybersecurity measures is vital for mitigating negligence claims.


Paying Ransoms: Legal and Ethical Quandaries


The issue of paying ransoms to cybercriminals is fraught with legal and ethical dilemmas. The legality of such payments varies across jurisdictions, with some regions strictly prohibiting them while others lack clear regulations. Companies must also grapple with the ethical implications, as paying ransoms can inadvertently incentivize further cyberattacks.


Cyber Insurance: Know Your Coverage and Reporting Obligations


Organizations with cyber insurance policies must meticulously examine the terms and conditions to comprehend the extent of their coverage in the event of a breach. Not all policies provide the same level of protection, and misconceptions about coverage can be costly. Additionally, insurers often impose specific reporting requirements that companies must strictly follow when filing claims. Failure to meet these requirements can lead to disputes over coverage.


Disclaimer: Consult Legal and Professional Resources


It is imperative to emphasize that the complexities of cybersecurity legalities require thorough consultation with legal and professional experts. This article offers a broad overview but should not be considered a substitute for professional advice tailored to specific circumstances. When faced with a cybersecurity incident, businesses should promptly engage with legal counsel and cybersecurity experts to navigate the intricate legal landscape effectively.


In an era where the fallout from cybersecurity incidents can be financially and reputationally devastating, preparedness and compliance with legal obligations are not just prudent choices but essential business imperatives.


~ Mark Munger, CTO, Brightside Industries Group, LLC
