There’s been a ton of buzz over the cybersecurity attack on multiple resorts in Las Vegas. All over social media, people have been posting pictures and videos of downed elevators:
The Excalibur elevators are still hacked pic.twitter.com/Q3i4wFErV7
— Las Vegas Locally 🌴 (@LasVegasLocally) September 17, 2023
and slot machines:
Current status of MGM Cybersecurity attack pic.twitter.com/0zd5kdaCp1
— Jacob Orth (@JacobsVegasLife) September 12, 2023
From what’s been spread around in the media and the news, it seems as if a gang of hackers has completely pwned several resorts in Vegas.
Wait slow down…what!?
Just last week, MGM’s line of resorts and casinos was hit by a devastating ransomware attack, causing many of its systems to shut down.
A ransomware attack is a type of cyber attack in which hackers use malicious software to hold (usually by encrypting) sensitive data until the victim pays them a sum of money (hence the ransom in ransomware).
In MGM’s case, this was customer data gathered through their loyalty program. This included private information such as social security numbers and driver’s license information.
Not good…
A week prior to that, Caesars Palace, another Vegas resort, had their loyalty members' data held for ransom. The hackers responsible demanded $30 million but Caesars ended up only coughing up half. Weak bargaining on the hackers' behalf if you ask me…
The two similar attacks happened so close together that it has led to speculation that the same people are responsible.
How did this happen?
From what I’ve read in the news, the hackers responsible used some sort of social engineering attack, likely vishing.
Vishing is a subset of phishing, which is itself a subset of social engineering. Terminology bingo aside, vishing (voice phishing) is where attackers call victims and trick them into hacking themselves. Kind of like a next-level prank call.
Except the prank is more along the lines of “Hello, this is Darwin with trustworthy IT. I’m scheduled to do remote maintenance on your systems…yatta yatta,” you get the idea.
The attackers behind the fall of MGM did something similar. A member impersonated a trusted IT representative they probably found on LinkedIn to trick the poor sap on the other end of the line into giving them access to all of their systems.
You might be wondering how anyone would be dumb enough to fall for this. These campaigns can actually be pretty convincing. Especially if the attack is sophisticated. And they happen a lot.
Who did this?
There’s a lot of uncertainty around who or what group was responsible for causing such chaos.
Some are pointing fingers at “Scattered Spider,” a young group from the EU/US who launched a similar vishing campaign on Riot Games and Reddit in the winter of 2023. They have also been known to collaborate with BlackCat, a Russian Ransomware-as-a-Service organization.
But, as with any big cyberattack, “hackers” from all over are jumping out of their gamer chairs to claim responsibility and get a lick of fame.
One individual contacted the Financial Times, claiming to be the leader of the group responsible. They said they initially targeted slot machines but settled on ransomware instead.
BlackCat, on the other hand, denied those claims. They said that the attack was just a ransomware attack that Scattered Spider had nothing to do with.
Either way, who knows, and who cares? At the end of the day, it was a tough loss for two big players (and their customers) in the Las Vegas scene.
My thoughts
Most of the attention is focused on the complete outage of MGM’s systems. I mean, the idea of hackers breaking into big MGM’s machines and shutting them down is pretty impressive.
But, I’m not quite sure if that’s exactly what happened.
I think that IT shit the bed when the ransomware hit. They hit the panic button, pulling the plug on absolutely everything to avoid spreading any malware.
And this is a correct response. You should sandbox or isolate affected machines.
However, that doesn’t mean you have to pull the plug on everything. MGM may have lost more revenue in business than the $30 million in ransom (which I’m guessing would’ve been the price) they would have had to pay.
They also brought a ton of bad publicity. I don’t think I’d ever trust them with my data, let alone with my safety using their facilities (being trapped in an elevator is one of my biggest fears).
Caesars Palace may have avoided unwanted attention exploding in their face, but that doesn’t mean they did the right thing either.
You never pay hackers a ransom. Not even part of it.
Why?
How are you going to trust that the criminals who stole your data in the first place are just going to give it all back to you and pretend nothing happened? You can’t.
They’re most likely going to sell the data on the black market anyway. Why would they throw away free money?
Conclusion
Being held for ransom is a tricky situation. Especially if the data being held is your customers’ data.
Many trusting customers will get their identities stolen at the end of all of this. I feel bad for them. It won’t be long before MGM and Caesars get bombarded by lawsuits.
On top of that, they both are going to see a huge drop in customers. There’s no doubt about that!
I was supposed to go to an event in Vegas hosted by my company next week, but I can’t say I’m too bummed I had conflicts!
Anyway, let me know if you enjoyed this change of pace to cyber news. I’m active on Twitter and LinkedIn :).
As always, tune in for more posts, and stay safe out there!
References
https://www.nbcnews.com/tech/security/mgm-las-vegas-hackers-scattered-spider-rcna105238
https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-casino-vishing-cybersecurity-ransomware
https://apnews.com/article/vegas-casinos-mgm-caesars-cyberattack-59644d2cb0f2a765770d30f268b81a11