When the House Lost: Lessons from the Recent Vegas Casino Ransomware Attacks
…or how to steal 15 million USD from a casino without resorting to “Ocean’s Eleven”-level shenanigans.
When data breaches and ransomware attacks are becoming increasingly commonplace, even the glitzy and guarded world of Las Vegas casinos is not immune. Two weeks ago, the gambling capital was hit by a series of ransomware attacks affecting major players like MGM Resorts and Caesars Entertainment. These attacks resulted not only in significant operational downtime but also led to a massive loss of revenue, tarnishing the reputation of these iconic establishments. In this blog post, we will dissect the incident, examine the ramifications of ransom payouts, and explore the vulnerabilities that facilitated these attacks.
The old truism that says “the house always wins” fell short during this incident.
Several casinos in Las Vegas were forced to shut down their operations for an extended period of time. MGM, a Las Vegas staple, shut down its slot machines and several other systems on their casino floors and hotels for ten days due to ransomware infections and resulting complications. This led to substantial revenue losses, considering that a single day of downtime can cost a large casino millions of dollars.
Caesars Entertainment, one of the affected parties, was compelled to disclose that it paid part of the ransom – approximately $15 million – due to new SEC regulations requiring mandatory disclosure of such incidents. Yet, even after the payment, Caesars admitted that there were no guarantees that the stolen data, which included sensitive customer information, would not be publicly disclosed. It’s easy to understand Caesars’ reluctance to admit the situation is fully resolved with only the extortionist’s word for it.
The Cost of Paying the Ransom
By paying the ransom, companies like Caesars have arguably painted targets on their backs. In the cybercriminal world, a willingness to pay once is often taken as an invitation for future attacks. The mentality is simple: “They paid once; they’ll pay again.”
The Underlying Vulnerabilities
While businesses often allocate extensive resources to cybersecurity measures, this incident highlights that throwing money at the problem is not a silver bullet. The attackers gained initial access through social engineering, impersonating a contractor and contacting support for password recovery. Once they tricked the support personnel, they gained admin access to Okta, which provided identity management across the casino’s entire infrastructure.
Notably, there appeared to be no segregation of roles and privileges across different systems, creating a single point of failure. This begs the question: are we doing enough to address the human factor in cybersecurity?
Don’t Underestimate the Human Factor
The first point of entry in this attack was not a sophisticated zero-day exploit, but a human support agent who was tricked into providing access. Employee training in cybersecurity awareness is as crucial as any advanced firewall or intrusion detection system.
Role Segregation and Privilege Limitation
A lack of role segregation and excessive privileges can lead to a single point of compromise affecting multiple systems. Implementing least-privilege access and segregating duties can go a long way in limiting the potential impact of a breach.
The Double-Edged Sword of Compliance
While SEC regulations mandating the disclosure of ransomware payments increase transparency, they also inform potential attackers that certain companies are willing to pay, possibly making them more attractive targets for future attacks.
Rethink Ransom Payments
Paying a ransom not only encourages the cybercriminals, but also does not guarantee the safety of stolen data. Organizations should weigh the long-term consequences carefully before giving in to ransom demands.
Having plans in place to ensure your organization can continue to operate in the event of a collapse of the IT infrastructure – with clearly defined steps to reproduce during a stressful incident – would have saved millions of dollars in lost revenue (estimated at at least 8 million USD per day for MGM alone). Regularly simulating and validating those plans to ensure they are always up to date is another good practice.
In addition to continuing to operate under a (possibly entirely) different infrastructure, having clearly defined plans for recovering the affected assets should also be considered critical.
Cybersecurity is a continuous, evolving challenge that requires more than just financial investment. It demands a multi-faceted approach that addresses technological shortcomings and human vulnerabilities alike. As the saying goes, “A chain is only as strong as its weakest link,” and – in the realm of cybersecurity – that link is often human.