By Principal Farica Chang
Another day, another piece of breaking news about a cyberattack. They can feel like background noise. After all, things like that only happen to giant corporations, right? For example, St. Louis businesses may feel isolated from huge events like Colonial Pipeline or the recent MGM Resorts/Caesars Entertainment hacks.
The truth is that no one is safe.
The magnitude of some breaches, hacks, or ransomware attacks may not reach the nationwide headlines in the same way as a multi-day Las Vegas shutdown does, but that doesn’t mean you can afford to take a lax approach to cybersecurity.
There are (at least) five major lessons to learn from this most recent attack, but first let’s look at what happened.
An Overview of the MGM/Caesars Hack in Las Vegas
On September 11, 2023, MGM reported a “cybersecurity issue” that was impacting some systems in their more than two dozen hotel and casino locations around the world. Digital keys for hotel rooms, slot machines, and even some websites went down. Casino winners were paid with handwritten receipts.
On September 13, MGM disclosed the “issue” with the SEC, the U.S. Securities and Exchange Commission, confirming that their external cybersecurity experts and law enforcement were both involved, and that shutting down systems was an effort to protect data. By September 20, MGM was mostly up and running again. To date, there is no confirmation of MGM having paid a ransom.
On the other hand, Caesars Entertainment filed a breach notification with the SEC on September 14, stating that an “outsourced IT support vendor” had been the victim of a “social engineering attack” tied to its customer loyalty program a few weeks prior (appearing to break SEC rules on when filing is required). Just days before MGM was taken offline, Caesars paid a $15 million ransom to the cybercrime group now known to have attacked both entities.
How did cybercriminals attack these corporations?
The criminal organization that is likely responsible for the attacks, Scattered Spider, is made up of young adults worldwide, perhaps even in the US, who are fluent in English. Their entry into both MGM and Caesars was a tactic referred to as vishing. Where phishing utilizes a lure through email, vishing’s lure is through voice—a phone call.
Allegedly, members of Scattered Spider used LinkedIn to dig up information about an employee and then called the business’ IT help desk to request a password reset. Because the voice call appeared to be on the up and up, the help desk person apparently didn’t verify the caller was who they stated they were, the password was changed, and Scattered Spider had an easy way into the business-critical systems.
From there, they were easily able to unleash ransomware into the network. The ransomware locked down systems and scraped data into the criminals’ hands. We don’t yet know the extent of the data loss, but any past visitor to either chain may benefit from freezing their credit and being extra wary of emails.
Five Cybersecurity Lessons: A Countdown
5. Social Engineering Is Key
Cybercriminals, like those who orchestrated the Las Vegas attacks, know that gaining access to a network is much simpler to do when leading with social engineering attacks. IT teams and managed IT service providers want to help! How many times has yours assisted you with a password reset? Cybercriminals capitalized on several factors to get past the social barriers to the lucrative networks in this hack.
- Urgency: IT team members know a password reset is an urgent problem. They’re trained to give an urgent solution.
- Familiarity: A password reset is one of the most mundane tasks for an IT team, so much so that they may naturally ignore factors that would otherwise give them pause.
- Identity: In some cases, the Las Vegas attackers seem to have been contacting IT team members from known company numbers, obtained through SIM swapping. If there are limited checks on identity verification, IT teams won’t dig further to verify.
When users are prepared for tactics that can be used against them, they’re significantly less likely to slip up and allow cybercriminals to gain entry.
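To make the help-desk failure above concrete, here is an added example (not code from MGM, Caesars or Anderson Technologies) of a reset-request gate that treats caller-ID and public-knowledge answers as non-proof, requires a second channel not tied to the phone number, and adds a step-up for accounts that hold the keys to critical systems. The request fields, the directory record and the policy thresholds are assumptions.

```python
"""Help-desk password-reset gate modelling the vishing failure described above.

Added example; the request fields, directory record and policy are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class ResetRequest:
    username: str
    caller_id_matches_directory: bool   # "known company number" on the display
    knowledge_answers_correct: bool     # employer, title, start date: all findable online
    second_channel_verified: bool       # e.g. push to an already-enrolled device or
                                        # manager confirmation over corporate chat;
                                        # NOT a callback to the phone number on file,
                                        # which a SIM swap would also redirect
    manager_approved: bool = False
    urgency_claimed: bool = False


@dataclass
class DirectoryRecord:
    username: str
    privileged: bool   # account can reach business-critical systems and data


def evaluate_reset(req: ResetRequest, rec: DirectoryRecord) -> tuple[bool, list[str]]:
    """Return (approve, reasons). Caller-ID and public-knowledge answers never
    count as verification on their own: both are exactly what the attackers had."""
    reasons: list[str] = []
    if req.caller_id_matches_directory:
        reasons.append("caller-ID matches directory but is informational only (SIM swap/spoofing)")
    if req.knowledge_answers_correct:
        reasons.append("knowledge answers correct but discoverable on social media")
    if req.urgency_claimed:
        reasons.append("urgency claimed; process unchanged")
    # The only proof accepted is a channel the caller's phone number cannot redirect.
    if not req.second_channel_verified:
        reasons.append("denied: second-channel verification not completed")
        return False, reasons
    # Step-up for the users who bear the keys to the kingdom.
    if rec.privileged and not req.manager_approved:
        reasons.append("denied: privileged account requires manager approval")
        return False, reasons
    reasons.append("approved: second-channel verification complete")
    return True, reasons
```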
4. Segment Your Networks
Not to suggest that the MGM Grand and Caesars networks were not previously segmented, but the lesson of network segmentation is an important one here. IT teams must build out networks in ways that throw up roadblocks and points of gated entry multiple times before any given user has access to business-critical systems and data. Users who do bear the keys to that very secure kingdom shouldn’t be protected by only the same basic IT security measures as users whose access is much more limited.
A user account that can only access function-critical information is much less valuable to a cybercriminal than one that can access everything carte blanche. If your networks aren’t already segmented with a Zero Trust/Minimum Necessary Access mindset, this is another opportunity to do so.
3. Prevention > Cure
The Las Vegas attacks revealed a new frenetic pace for cyberattacks. Where in the past a cybercriminal might stalk a network for months, learning, gathering information, and taking slow steps to gain access, the criminals in this case acted quickly and with a brutality less prevalent in previous attacks.
This is a familiar lesson dressed in new clothing. Prevention, prevention, and prevention are the biggest tools against ransomware. Yes, that’s one word three times—but a word that deserves three times the amount of effort and implementation.
If a cybercriminal has accessed your network, more often than not it is already too late.
2. Money Doesn’t (Necessarily) Motivate
Another item that clashes with historical trends for this generation of cybercriminals is that young groups like Scattered Spider don’t seem to be primarily motivated by the money they could earn through holding operations at ransom. We know that paying a ransom doesn’t guarantee a return of access or files, but these criminals take it to the next level.
Rather than wanting to collect a paycheck and move on, they seem to thrive on inflicting chaos and doing the most damage they can. This may be due to how public cyberattacks can tank a company’s reputation with a single headline. Paying an unnecessary ransom in the event of an attack only doubles down on poor cybersecurity practices that may have caused the vulnerability in the first place.
1. Trust No One?
What is an IT team to do when users aren’t users but cybercriminals?
The answer isn’t “treat everyone like a criminal.”
A zero-trust cybersecurity mindset doesn’t stop at network configuration but can be applied to everyday tasks at every level of your business. Email inboxes can be set up in a way that flags messages from outside your organization or prevents downloads of suspicious files or activity. Instead of immediately responding to a strange email from their colleagues, users can be trained to follow up with that person using another method in case their account has been compromised.
Here at Anderson Technologies, we’ve successfully combatted vishing for years by requesting user verification that isn’t findable on social media. We won’t share our exact methods here, just as we don’t share our clients’ names and contact information anywhere on our website or social media. By implementing these security measures, Anderson Technologies helps prevent vishing attacks and our clients maintain a higher level of security overall.
You deserve a managed IT services company that takes a proactive, cutting-edge approach to your cybersecurity. Curious about what Anderson Technologies can do for you? Give us a call.