2 Casino Ransomware Attacks: Caesars Paid, MGM Did Not

14.09.2023 - 18:41 / forbes.com

On Thursday, Caesars Entertainment revealed in an SEC filing what had been reported Wednesday by Bloomberg and the Wall Street Journal: that the company had been the victim of “a social engineering attack on an outsourced IT support vendor used by the company.”

Notably, the attack on Caesars happened weeks prior to the attack on MGM Resorts that has, since Sunday evening, wreaked havoc on MGM’s operations, forcing guests to wait hours to check in and crippling electronic payments, digital key cards, slot machines, ATMs and paid parking systems. The company’s website and mobile app have been offline for nearly four days.

Both companies are now statistics in a worldwide trend. Cyberattacks were up globally 156% in the second quarter of 2023 compared to the first three months of the year, according to a report from the World Economic Forum.

Huge corporations make extremely lucrative targets. Last year, MGM Resorts and Caesars Entertainment generated revenues of $13 billion and $11 billion, respectively.

Both companies appear to have been targeted by known ransomware-as-a-service groups. ALPHV, also known as Black Cat, claimed responsibility for attacking MGM while an affiliated group that calls itself Scattered Spider hit Caesars. Neither MGM nor Caesars responded to Forbes’ requests for comment.

The preferred tactic for both ransom gangs is to use social engineering to gain access into the companies’ IT systems — and they are extremely good at it, say cybersecurity experts. ALPHV reportedly bragged that it took 10 minutes to infiltrate MGM’s system after identifying an MGM tech employee on LinkedIn and then calling the company’s support desk. Scattered Spider gained entry to Caesars’ system by deceiving an employee at a third-party vendor.

“It’s bonkers, says Alex Waintraub, a cyber crisis management expert at CYGNVS who has worked on hundreds of ransom cases. “Companies are spending sometimes hundreds of millions of dollars on preventative care, detection care, protection care, endpoint detection response, and so on. And guess what? The simplest, unsophisticated ways are how the threat actors are getting in: Click on this link and type in your credentials.”

The continued success of social engineering as a tactic demonstrates that humans are often the weakest link in the chain, says Alex Hamerstone, advisory solutions director at TrustedSec, an Ohio-based cybersecurity firm. “If you’re designing a resilient IT infrastructure, calling one person and getting one password or link or whatever should not take down your whole company.”

In stark contrast to MGM, Caesars reported that its customer-facing operations, “including our physical properties and our online and mobile gaming applications,” were not