
Published: November 15, 2023
Our new bulletin Cyber Threat Watch has been created to help small businesses stay up to date on the latest threats, news, and events affecting their business. The content has been curated to make cybersecurity easy and accessible for both technical and nontechnical readers.
Featured Cyber Incident — MGM Casino Hack

Image courtesy of MGM Resorts
As reported on September 11, 2023, MGM Resorts International, a U.S. hospitality and entertainment company, was the victim of a ransomware attack. This incident was first reported the day before and resulted in a breach of customer data, as well as encryption of the systems and data used to run operations in the Las Vegas hotel and casino. Many other properties went offline and, as a result, were forced to switch to manual mode. Customers had to rely on doormen to open their rooms!
Reportedly, the incident started with a phone call to MGM’s IT help desk made for the purpose of committing a ransomware attack—a classic case of social engineering through vishing (voice phishing). The perpetrators convinced an MGM employee that they were a vendor with an existing business relationship with MGM. That persuasive phone call enabled them to obtain login credentials for one of MGM’s key systems. Once in, they infected and encrypted the systems and demanded a payment of $100 million in cryptocurrency. As of this writing, the company has not paid the ransom.
Lessons Learned
The first lesson from reviewing this incident comes from asking how the criminals gained access to something as sensitive as login credentials. Was it that they reached the lowest-paid IT person on the team, or was it the compelling business details they used in the conversation? Once the attacker convinced the help desk that he was a legitimate business partner, asking for login credentials was an easy first step. Attackers exploit the weakest link in the chain—the human—and that can happen to any of us.
Another lesson: what information did the help desk employee use to verify the caller? A single factor? Did the help desk keep the caller on the line while independently calling the business back? Probably not; that takes too long when there are too many calls to process, and information overload sets in.
In closing, the most valuable lesson: we need to institute strict enforcement of user identity verification and access management. It is imperative that we limit access to the organization’s resources and services to authorized personnel only, through controls such as the principle of least privilege, separation of duties, and multi-factor authentication (MFA).
Furthermore, it is crucial that all stakeholders be educated to properly handle and protect company resources. Assuming the ransom was not paid, MGM must have had a backup plan and recovery service in place in order to restore operations to their pre-incident state.

About the NCSS
The National Cybersecurity Society (NCSS) is committed to improving the online safety and security of the small business community through education, awareness, and advocacy. As a 501(c)(3) organization, the NCSS uses funds from charitable donations and grants to develop educational materials, webinars, weekly cyber tips, videos, and how-to guides. The organization’s goal is to enable and empower small and medium businesses to obtain cybersecurity services, assist them in understanding their cyber risk, and advise on the type of protection needed. We want to continue to grow our community and encourage you to tell other small businesses we are here to help.
The NCSS is committed to respecting the use of images in our communication efforts. Accordingly, unless otherwise specifically noted, the graphics in our bulletin are sourced under license from Adobe Stock. The header and footer images were designed and purchased through a contract with Eyedea Advertising & Design Studio.