The MGM Cyber Attack

I love my mother for all the times she said absolutely nothing…. Thinking back on it all, it must have been the most difficult part of mothering she ever had to do — knowing the outcome, yet feeling she had no right to keep me from charting my own path. I thank her for all her virtues, but mostly for never once having said, “I told you so.”

Erma Bombeck

I am not one to say, “I told you so,” but if there were a time for doing just that, this is it.  On Sunday, September 10, MGM Resorts was hit by a cyber attack that may wind up costing the company tens of millions of dollars.  According to multiple reports, the attack was carried out by Scattered Spider (a subgroup of the ALPHV ransomware gang — also known as Blackcat) who used a simple phone call to gain access to the company’s IT infrastructure.  Almost immediately after the attack began, the resort giant’s reservation system, digital room keys, gambling machines, and a host of other systems were paralyzed.  The news reports are still a bit unclear as to whether the attack has been fully mitigated, and it’s my guess that it will take months before MGM is completely aware of the damage and feels comfortable that it has been contained.  They don’t want the hack to come back in six months to bite them again.

VX-Underground is a malware repository led by folks from anti-virus companies, threat intelligence organizations, academics, and incident response companies.  Following the attack, they issued the following statement.

The hackers likely posed as an employee of MGM Resorts and called the help desk of MGM for access-related information.

The hackers took to the LinkedIn page of the hospitality and resorts company to find an employee’s data that they could easily exploit to convince the help desk that they were an employee of the company.

“A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”

The “I told you so” aspect has to do with the fact that I have been preaching the “You need to protect your voice networks” mantra for years.  I’ve written about securing the SIP protocol, the need for session border controllers, security audits, the NSA voice security protocols, and many other aspects of protecting an enterprise’s voice network from hackers, criminals, and all-around bad people. In fact, it was only a little more than a month ago that I wrote and posted A Guide to Remote Worker Security.  In that article, I detailed many of the methods a hacker employs to gain access to an enterprise’s communications platform.  For example:

Now that an attacker is in your system, what sorts of damage can occur?

  • They look for data they can steal, such as customer information, company details, address books, etc.
  • Launch toll fraud calls by calling high-cost destinations and premium rate numbers.
  • Covertly listen to conversations for ransom, blackmail, data theft, etc.
  • Attack laterally into recording systems, voice mail, etc., expanding the scope of the breach.
  • Spy on call records for extortion, etc.
  • Make outgoing calls for harassment, extortion calls, etc.

In terms of social engineering and voice attacks, go to the 15:47 mark of this video to hear me describe the MGM attack two years prior to it happening. Note where I say that criminals are “preying on your contact center agents hoping they will give up information.”  It’s not too late to give me a thank you because that is exactly what Scattered Spider did.  If only MGM had listened to me…

The point is that none of this is new and every company that allows people to call in and out (i.e. every company in the world) is in danger of becoming the next MGM.  In fact, as I read about MGM, I discovered that Caesars Palace was also recently hit with a multimillion-dollar breach of their own.  Give me another ten minutes of Internet searching and I am sure that I will come up with a dozen other examples.

Thankfully, there are proactive ways to keep your company’s name off the front page.  As many of my readers know, I volunteer as the technical advisor to Assertion, a cybersecurity company that specializes in protecting voice networks.  Our SecureVoice and Identity Assurance products monitor incoming telephone calls to identify, quarantine, and stop attacks before they are able to do any harm.  Do yourself a favor and sign up for a free trial and discover just how vulnerable your voice network is.  Action taken today will save you time, money, loss of productivity, and bad press tomorrow.
