SecurityFirst - Beware of Phishing
BEWARE OF PHISHING
In September 2023, MGM Resorts, a major player in the casino and hospitality industry, experienced a significant cyberattack that disrupted operations for more than a week. The incident affected several iconic properties on the Las Vegas Strip and other MGM-owned resorts across the United States, knocking out slot machines, ATMs, digital key cards, electronic payment systems, and online reservations.
Attack Methods Used
The cyberattack was attributed to a hacking group known as Scattered Spider, an affiliate that deployed the ALPHV (BlackCat) ransomware rather than a subgroup of that gang. Here are the primary methods they used to gain access:
1. Vishing (Voice Phishing): Attackers used the telephone to impersonate trusted parties; in the MGM case they reportedly called the IT help desk while posing as an employee to have credentials reset, and the same technique is used in reverse, with callers posing as IT staff or vendors to coax employees into revealing their passwords. This method relies on social engineering to exploit human trust rather than any software flaw.
SecurityFIRST! Tip: Never tell anyone your password, even if asked. IT will never ask for your password, and a caller who does should be reported to IT immediately.
2. MFA Fatigue: The attackers, already holding a stolen password, repeatedly triggered multi-factor authentication (MFA) push prompts to the targeted employee's phone until one was approved, whether by mistake or simply to make the notifications stop. That single approval gave them a fully authenticated session on critical systems.
SecurityFIRST! Tip: We realize that this can be a pain, but if you receive an MFA prompt you did not just initiate, deny it. Repeated prompts you did not request mean someone has your password; deny them all and report it to IT right away.
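MFA fatigue also leaves a clear trail in authentication logs: the attacker's burst of denied or unanswered push prompts is visible before the victim finally taps Approve. The following Python detector is added here as an illustration; it is not part of the original page and not MGM's tooling. It runs a sliding-window check over constructed log lines. The log format, the ten-minute window and the threshold of three unapproved pushes are assumptions chosen for the example.

```python
"""Detect MFA push-bombing ("MFA fatigue") in authentication logs.

Added example, not from the original page or from MGM. The log line
format, the detection window and the burst threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# ISO timestamp, then key=value fields for user, event, result and ip.
SAMPLE_LOG = """\
2023-09-08T02:14:03Z user=jdoe event=mfa_push result=denied ip=203.0.113.7
2023-09-08T02:14:21Z user=jdoe event=mfa_push result=timeout ip=203.0.113.7
2023-09-08T02:14:40Z user=jdoe event=mfa_push result=denied ip=203.0.113.7
2023-09-08T02:15:02Z user=jdoe event=mfa_push result=denied ip=203.0.113.7
2023-09-08T02:15:19Z user=jdoe event=mfa_push result=timeout ip=203.0.113.7
2023-09-08T02:15:41Z user=jdoe event=mfa_push result=approved ip=203.0.113.7
2023-09-08T09:01:10Z user=asmith event=mfa_push result=approved ip=198.51.100.20
2023-09-08T13:30:00Z user=asmith event=mfa_push result=denied ip=198.51.100.20
2023-09-08T13:45:00Z user=asmith event=mfa_push result=approved ip=198.51.100.20
"""

WINDOW = timedelta(minutes=10)   # assumed: look back ten minutes per prompt
BURST_THRESHOLD = 3              # assumed: 3+ unapproved pushes is a burst


def parse_line(line):
    """Parse one 'timestamp k=v k=v ...' line into a dict with a datetime."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_push_bombing(records, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return one finding per user whose MFA push history shows a burst.

    A burst is `threshold` or more pushes that were not approved (denied
    or timed out) within `window`. If an approval lands inside such a
    burst, the finding is flagged approved_after_burst: the failure mode
    where a worn-down user finally taps Approve and the attacker gets in.
    """
    by_user = defaultdict(list)
    for r in records:
        if r.get("event") == "mfa_push":
            by_user[r["user"]].append(r)

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        peak_unapproved = 0          # largest burst seen in any window
        approved_after_burst = False
        ips = set()
        start = 0
        for end, ev in enumerate(events):
            # Slide the window start forward so it spans at most `window`.
            while ev["ts"] - events[start]["ts"] > window:
                start += 1
            in_window = events[start:end + 1]
            unapproved = [e for e in in_window if e["result"] != "approved"]
            if len(unapproved) >= threshold:
                peak_unapproved = max(peak_unapproved, len(unapproved))
                ips.update(e["ip"] for e in in_window)
                if ev["result"] == "approved":
                    approved_after_burst = True
        if peak_unapproved >= threshold:
            findings.append({
                "user": user,
                "unapproved_pushes": peak_unapproved,
                "approved_after_burst": approved_after_burst,
                "source_ips": sorted(ips),
            })
    return findings


if __name__ == "__main__":
    for f in detect_push_bombing(parse_log(SAMPLE_LOG)):
        level = "CRITICAL" if f["approved_after_burst"] else "WARNING"
        print(f"{level}: {f['user']} received {f['unapproved_pushes']} "
              f"unapproved MFA pushes from {', '.join(f['source_ips'])}")
```

Run as a script, it flags jdoe as CRITICAL (five unapproved pushes followed by an approval from the same address) and says nothing about asmith, whose single denial and later approval are fifteen minutes apart and never form a burst. In production the same logic belongs in the SIEM as a correlation rule, with the approval-after-burst case paged to the on-call responder so the session can be revoked before the attacker moves further.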
Once inside, the attackers exfiltrated sensitive data and deployed ransomware, encrypting portions of MGM’s IT infrastructure and causing days of operational disruption.
Impact and Response
The immediate impact of the cyberattack included significant revenue losses and damage to customer trust. MGM Resorts reported a $100 million hit to its third-quarter 2023 results. The company faced regulatory scrutiny, class action lawsuits, and negative sentiment across social media. In response, MGM committed to a $50 million investment in enhanced cybersecurity measures, including endpoint protection, cloud security, and employee training to prevent future social engineering attacks.
Lessons Learned
This incident underscores the importance of robust cybersecurity practices and employee awareness. Social engineering remains a potent threat, even for organizations with advanced digital defenses, because it targets people rather than software. Continuous training and vigilance are crucial, and they work best alongside controls that make the attacks described above harder: a help desk process that verifies a caller's identity before resetting any credential, and MFA that requires number matching or a hardware key so that a tired tap on Approve cannot complete a login on its own.
Need a Cyber Protection policy?