Cyber Attack at MGM Resorts Locks Guests Out Of Their Hotel Rooms

The MGM Grand Hotel & Casino Las Vegas

The probability of a major cyberattack disrupting the operations of a U.S.-based global company used to be the material of a good Hollywood movie. In 2023 it has become a daily occurrence to hear about breaches at major retailers, manufacturers and healthcare systems. As of today, most IT systems at MGM Resorts International, a global hospitality and entertainment company based in Las Vegas, are offline. MGM operates properties around the world, with 48,000 rooms in Vegas alone at hotels including the Mandalay Bay, the Bellagio and the MGM Grand. This is ironic, as I was just in Vegas last week enjoying Cisco IMPACT with 20k of my friends and colleagues at multiple MGM Resorts properties. While MGM hasn't publicly released details of the attack, we'll cover a few of the common scenarios, vulnerabilities and attack types that may be confirmed later.

The latest news reports tell us that the incident began on Sunday, Sep 10 and is still in effect as of Sep 11, 2023 at 5 p.m. CST. Calculated speculation tells me this is most likely a sophisticated ransomware attack. Ransomware is the culprit in the majority of cyber incidents today and is on track for one of its biggest years to date, with $449M extorted from January to June 2023. Time will likely tell which of three sub-scenarios applies: 1) simple extortion, where confidential data was encrypted and a ransom demanded from MGM for the decryption key; 2) double extortion, where the data was not only encrypted for a ransom but also exfiltrated to attacker-controlled storage so its release can be used as a second lever; or 3) crypto extortion, where the company, which operates in countries worldwide, may hold a significant amount of cryptocurrency and an attacker was able to access those holdings and take control of them while making demands.


Twitter photo of slot machines offline

Slightly more detail has been released: MGM hotel guests have been unable to use ATMs, buy food, or use their digital room keys. While a malicious actor might have breached one of these systems, if they are ALL down worldwide then most likely a CSIRT met with company leadership, the FBI and local authorities and made the difficult decision to take all systems offline to keep the attack from spreading. That is an extreme choice, since MGM makes yearly revenue of over $13B from its casinos, hotels and resorts, which works out to roughly $36M per day in potential losses. My guess is that if it is indeed a sophisticated ransomware attack, systems will possibly stay offline for a few days to a few weeks until negotiations are complete or MGM IT determines that not all systems are compromised and slowly brings them back online.


The Luxor Hotel & Casino Las Vegas
With little detail available, it's hard to say accurately which vulnerabilities were exploited (broken authentication, insufficient logging and monitoring, etc.). It's equally difficult to determine the specific attack techniques (password spraying, privilege escalation, etc.). My best educated guess is that the attack was carried out by a team of malicious actors who are well-experienced, located outside of U.S. jurisdiction, have a history of successful ransomware attacks and used a combination of the vulnerabilities and attack types mentioned above to insert malware into the MGM network and establish command and control over a critical system. For the future, financial operations like MGM may have to take notes from critical infrastructure (ICS) operators and begin to air-gap and/or disconnect systems that don't need to be connected to the Internet. In addition, AI-based extended detection and response (XDR) platforms should be used to triage the huge volume of security alerts and log data that human analysts currently have to work through by hand. Unfortunately, there was probably an important clue to the initial penetration buried in the terabytes of daily MGM security logs that was missed by an overworked cybersecurity professional.
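To make the "clue buried in the logs" point concrete, here is an added example (my own code, not anything from MGM or from the original post) of the kind of detection logic an XDR or SIEM rule encodes for one of the techniques named above, password spraying. The log format, the source IPs and the account names are constructed sample data for this example; a real deployment would parse Windows 4625/4624 events, Okta or Entra ID sign-in logs instead. The rule flags a single source that fails against many distinct accounts inside a short window (which stays under per-account lockout thresholds, so a simple lockout policy never fires), then looks for the follow-up that a human scanning thousands of failures tends to miss: a successful login from the same source right after the spray.

```python
"""Password-spray detection over constructed authentication log lines.

Added example, not code from the original post or from MGM. The line format
is a simplified, constructed syslog-style record; real sources need their
own parsers.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 sprays one password across many accounts,
# then succeeds against one of them; 198.51.100.4 is a user mistyping their own
# password twice, which should NOT be flagged.
SAMPLE_LOG = """\
2023-09-10T02:14:01Z auth FAILED user=jsmith src=203.0.113.7
2023-09-10T02:14:03Z auth FAILED user=mjones src=203.0.113.7
2023-09-10T02:14:05Z auth FAILED user=alee src=203.0.113.7
2023-09-10T02:14:07Z auth FAILED user=bpatel src=203.0.113.7
2023-09-10T02:14:09Z auth FAILED user=cwang src=203.0.113.7
2023-09-10T02:14:11Z auth FAILED user=dnguyen src=203.0.113.7
2023-09-10T02:14:13Z auth SUCCESS user=dnguyen src=203.0.113.7
2023-09-10T02:20:00Z auth FAILED user=rkim src=198.51.100.4
2023-09-10T02:20:10Z auth FAILED user=rkim src=198.51.100.4
2023-09-10T02:20:30Z auth SUCCESS user=rkim src=198.51.100.4
2023-09-10T03:30:00Z auth FAILED user=tgarcia src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_lines(text):
    """Parse the constructed format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources that fail against >= min_users distinct accounts inside a
    sliding time window. Many failures against ONE account (classic brute force)
    is deliberately not flagged here; lockout policy handles that, and spraying
    exists precisely to stay under the per-account lockout threshold."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            by_src[e["src"]].append(e)
    alerts = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts.append({"src": src, "users": sorted(users),
                               "first": fails[start]["ts"], "last": fails[end]["ts"]})
                break  # one alert per source is enough for triage
    return alerts


def successes_after_spray(events, alerts, lookahead=timedelta(minutes=30)):
    """The clue that gets lost in the noise: a SUCCESS from a spraying source
    during or shortly after the spray. Returns (src, user, ts) tuples."""
    hits = []
    for a in alerts:
        for e in events:
            if (e["src"] == a["src"] and e["result"] == "SUCCESS"
                    and a["first"] <= e["ts"] <= a["last"] + lookahead):
                hits.append((e["src"], e["user"], e["ts"]))
    return hits


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    sprays = detect_password_spray(evs)
    for a in sprays:
        print(f"SPRAY src={a['src']} distinct_users={len(a['users'])} "
              f"{a['first'].isoformat()}..{a['last'].isoformat()}")
    for src, user, ts in successes_after_spray(evs, sprays):
        print(f"FOLLOW-UP: success from spraying source src={src} user={user} at {ts.isoformat()}")
```

Run on the sample, the spray rule fires once for 203.0.113.7 after the fifth distinct account and the follow-up check surfaces the dnguyen login four seconds later, which is the event an incident responder would want to pivot on; rkim's two typos never reach the threshold. Tune `window` and `min_users` against a baseline of your own authentication volume before turning a rule like this into a paging alert.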


Written by Cisco Chris
