Security in 2023: the year the Las Vegas casino didn’t win
Where George Clooney and his eleven companions in the Hollywood movie Ocean’s Eleven still performed a physical heist on three Las Vegas casinos (MGM, Mirage and Bellagio), cybercriminals did it from behind their computer screens. And they were able to hit more casinos, namely those linked to casino groups Caesars Entertainment and MGM Resorts.The ransomware gang, which later outed itself as Alphv, used social engineering attacks on it-service desk employees of the hotel groups. They convinced them to reset the multifactor authentication scheme for highly privileged users of the so-called Okta Agent application around identity & access management. They then used compromised Okta super administrator accounts to impersonate users within the targeted organizations.
The ransomware attack had the desired effect: several MGM-owned casinos and hotels, including Bellagio and Cosmopolitan, were forced to stop using their computers altogether and instead check in hotel guests manually and cash out customers.
The so-called Form 8-K that MGM later filed with stock market watchdog SEC showed that the gambling empire estimated losses from the attack at one hundred million dollars. The chain confirmed that the hackers had gained access to customer data, including driver’s license numbers and some Social Security and passport numbers, but not passwords, bank account numbers or payment card information. MGM did not pay the hackers. Caesars, which was thus hit by the same attackers, did decide to dock. And more specifically: fifteen million dollars, reportedly half of the requested ransom of thirty million dollars.
Casinos have an excellent reputation for security, but it seems that security is more focused on physical security than online vulnerabilities. In any case, the hotels, and MGM’s in particular, suffered from faltering service for weeks.
Hollywood did better
Few ransom payments are known to be larger than the fifteen million dollars Caesars coughed up, including the forty million dollar ransom paid in 2021 by insurer CNA Financial Corp. As a result, Caesars in turn has the dubious honor of being one of the record holders on ransomware payments.
But credit where credit is due. George Clooney and his cronies did better: they extracted some one hundred and fifty million dollars from the vaults of MGM casinos in Ocean’s Eleven. But that, of course, is Hollywood.