How MGM and Caesars Got Hacked
Caesars Entertainment Inc. and MGM Resorts International were just on the receiving end of the two most high-profile hacks of 2023 so far. In gambling terms, you could probably say they’re coughing up chips right about now.
It’s being reported that Caesars agreed to pay at least as much as half of a $30M ransom to hackers who stole 6TB of their data when they were able to breach one of Caesars’ IT vendors.
As of September 14th, hackers were still holding MGM’s data (and the company website) hostage. A “representative” for the Western hacker group Scattered Spider (also known as UNC 3944, and possibly a subgroup of an even larger Russian cyber gang called ALPV) claimed responsibility through TechCrunch. “If you have money, we want it,” they succinctly explained. They also denied being involved in the cyberattack on Caesars.
Both companies’ shares have started to fall since the news of the hacks became public knowledge. While Caesars’ share price dropped by 2.7%, MGM’s fell by 6.2%.
How did Caesars and MGM get hacked?
Presently, it doesn’t seem like anybody knows exactly what happened, but from what insiders have shared, we have a pretty good idea.
In MGM’s case, the breach appears to have been caused by a surprisingly simple social engineering attack. Vx-underground, a group that collects and disseminates malicious software, says the hackers told them all they did to compromise MGM was, “Hop on LinkedIn, find an employee, then call the Help Desk.”
Essentially, they tricked MGM’s IT support into revealing login credentials and one-time password codes by impersonating employees claiming to be locked out of their own accounts, thereby bypassing multi-factor authentication.
That is all, of course, according to the hackers themselves through an intermediary, and it hasn’t yet been confirmed by MGM or outside experts.
But Caesars revealed they experienced something similar in their filing with the Securities and Exchange Commission (SEC). They referred to a “social engineering attack” against one of their IT support vendors. Whether or not the MGM “Help Desk” the hackers say they manipulated was also a third-party IT vendor isn’t yet known.
Caesars isn’t the first company to have its customer data stolen because of a trusted vendor’s lax security practices. This “vendor compromise” is one of the most common tactics hackers use to breach their targets.
- Blackbaud, a cloud software company serving non-profits, educational institutions, and other organizations, suffered a ransomware attack that affected many of its clients in 2020. Blackbaud paid the ransom to prevent the data from being published and then paid a further $3M in fines after failing “to disclose the full impact of a ransomware attack,” according to the SEC.
- Codecov, a code-testing platform, was breached in early 2021. The attackers exploited a vulnerability to alter Codecov’s Bash Uploader script, affecting an unknown number of clients and leaking their sensitive information.
- One of the most infamous instances of a vendor compromise is the SolarWinds hack in 2021. Malicious actors compromised the infrastructure of SolarWinds, a company that creates software for monitoring and managing computer networks. Through a tainted software update, they were able to compromise thousands of SolarWinds’ customers, including major governmental organizations and corporations.
These sorts of incidents underscore the need for strong security measures not only within an organization but also with all third-party vendors that have access to the organization’s systems.
And one of the best ways to ensure your vendors can’t compromise your data is to, well, not give it to them in the first place…