If there is a cyber-equivalent of the casino heist movies Oceans 11, 12, and 13, this is close to it. In a matter of days, two highly disruptive cyberattacks by the same threat actor have generated tens of millions in losses for the gaming industry.
The cybercrime group Scattered Spider allegedly penetrated Caesar’s Entertainment on August 27, exposing the casino’s customer rewards loyalty program, including a significant number of driver's licenses and social security numbers. Possibly, the same group of attackers then used stolen credentials to get into the IT system of MGM Casinos around September 11. Across both attacks, the hackers said they seized six terabytes of data.
Caesar’s quickly negotiated with the attackers and handed over a $15 million ransom payout, which allowed it to keep its customer’s data safe. MGM refused to pay a ransom and shut down many parts of its IT system to contain the attack, knocking out room access keys and slot machines. It took 10+ days and millions of dollars in lost revenue each day before the casino and hotel operations were operating normally again.
How They Did It
In both attacks, Scattered Spider allegedly obtained credentials by calling help desks, using the name of an employee found on social media, and pretending to be that person trying to solve an access problem. Unlike the typical Russian hacker, the attackers are fluent in English, so they raised no suspicions.
Once inside the MGM system, Scattered Spider used ransomware developed by ALPHAV or Blackcat, which offers ransomware-as-a-service to cyberattackers. It took the Scattered Spider only five hours to penetrate MGM's IT system. Then, they operated undetected for eight days, according to the Financial Times. The longer the dwell time, the more likely attackers will find the most valuable data, encrypt it, and then demand ransom.
How They Could’ve Been Stopped
Sophos knows how attackers breach IT systems—and how to defend against the attacks. In the latest Active Adversary Report for Tech Leaders, Sophos noted that compromised credentials, followed by vulnerability exploitation, were the most common avenues of cyberattack. Implementing multifactor authentication is one easy way to thwart cyber thieves using compromised credentials. Sadly, 39 percent of all companies investigated by Sophos did not configure their MFA. The report wisely noted, "MFA is your mature, sensible friend." Not having it exposes a company to easy attacks.
No one is free from the reach of bad actors. Still, businesses can make themselves less vulnerable by proactively restructuring their cybersecurity frameworks to repel cyberattacks and emerge resilient.
Read the Sophos Active Adversary Report to understand the risks your customers face and how Sophos can help you craft and implement cybersecurity strategies to defend their most valuable asset—their data.