by Leo Versola
Posted on October 3, 2023
There’s an old saying about going to casinos: “The house always wins.”
But cyberthieves don’t play by the casinos’ rules. Casinos have lots of money, and with today’s electronically connected slot machines, casinos are highly dependent on their IT networks to keep raking in that money. Hence, they may be more willing than most to pay a big ransom to avoid costly downtime. In this case, the house lost – big time.
Caesars Entertainment, operator of the famed Caesars Palace in Las Vegas, paid about $15 million, half of a $30 million ransomware demand, according to a report in the Wall Street Journal.
In an 8-K filing with the SEC, Caesars disclosed that hackers had downloaded a copy of its customer loyalty program database, which includes driver's license and/or Social Security numbers for many of its customers. In the filing Caesars said, "We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result." Those steps, presumably, were to pay the ransom.
And Caesars isn’t the only casino to be hit by a cyberattack this week. MGM Resorts International, operator of the Aria, Bellagio, Luxor, Mandalay Bay and New York-New York resorts in Las Vegas, was hit by an attack that seriously disrupted their operations. One witness said it appeared that about half the slot machines at Aria were down on the day of the attack. BetMGM sports betting kiosks were all down. Additionally, some guests were given physical keys to replace digital keys that weren’t working, automatic doors were inoperative, guests could not check in and out online, and the website was down.
Caesars' SEC filing states that the data breach was the result of a social engineering attack on an IT support vendor.
In this case, the social engineering attack was highly sophisticated. Citing an interview with the CISO of identity and security firm Okta, Reuters reported that both Caesars and MGM were Okta customers, and that they, along with three other unidentified Okta customers, were hit with the same basic attack.
The attack was carried out by UNC3944, believed to be an affiliate of the ALPHV/BlackCat ransomware gang.
A week before these attacks, Okta had warned its customers to be on alert for exactly this type of attack. In a bulletin sent to customers, Okta said that threat actors had either obtained passwords for privileged user accounts or been able to manipulate the delegated authentication flow via Active Directory before calling the customer's IT help desk and requesting a reset of all MFA factors enrolled for a highly privileged Okta user. That reset let them bypass MFA entirely. Once inside a super administrator account, they could assign higher privileges to other accounts, reset the enrolled authenticators on existing administrator accounts and, in some cases, remove the second-factor requirement from authentication policies.
The attackers then configured a second identity provider, connected to the compromised Okta organization through inbound federation, to act as an "impersonation app." Because the attackers controlled that second IdP, they could set the username it asserted to match any real user in the compromised organization; inbound federation then granted them Single Sign-On (SSO) access to that user's applications without ever needing the targeted user's password or second factor.
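The chain described above leaves a distinctive trail in the Okta System Log: a help-desk reset of all factors for a privileged user, followed within hours by that same account granting admin rights, creating an identity provider, or editing a policy rule. The following is an added example, not code from the original post, from Okta, or from Ericom, that correlates those events in Python over a few constructed log records. The eventType names are the values this example assumes Okta emits for a full factor reset (user.mfa.factor.reset_all), a factor deactivation, an admin privilege grant, an IdP creation and a policy-rule update; the records, users and IP addresses are constructed for the example. Confirm the event names against your own tenant's log before relying on the rule.

```python
"""Correlate Okta System Log events into the help-desk MFA-reset attack chain.

Constructed example: the log records below are not real tenant data, and the
eventType names are assumed Okta System Log values (verify against your tenant).
"""
import json
from datetime import datetime, timedelta

# A reset or deactivation of a user's factors is the trigger we pivot on.
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}

# Follow-on actions Okta's bulletin attributes to the compromised super admin.
ESCALATION_EVENTS = {
    "user.account.privilege.grant": "admin privilege granted to another account",
    "system.idp.lifecycle.create": "second identity provider configured",
    "policy.rule.update": "authentication policy rule changed",
}


def _ts(published):
    """Okta publishes ISO 8601 timestamps with milliseconds and a trailing Z."""
    return datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ")


def _event(published, event_type, actor, target, ip="203.0.113.10"):
    """Build a trimmed Okta-style System Log record (constructed, not real)."""
    return json.dumps({
        "published": published,
        "eventType": event_type,
        "actor": {"type": "User", "alternateId": actor},
        "target": [{"alternateId": target}],
        "client": {"ipAddress": ip},
        "outcome": {"result": "SUCCESS"},
    })


# Constructed sample log: one routine reset, one attack chain, one unrelated grant.
SAMPLE_LOG = "\n".join([
    # Routine help-desk reset with no follow-on admin activity: should not alert.
    _event("2023-09-09T09:15:00.000Z", "user.mfa.factor.reset_all", "helpdesk@example.com", "jane@example.com"),
    _event("2023-09-09T09:40:00.000Z", "user.session.start", "jane@example.com", "jane@example.com"),
    # Attack chain: help desk resets all factors on a super admin ...
    _event("2023-09-10T14:00:00.000Z", "user.mfa.factor.reset_all", "helpdesk@example.com", "admin.user@example.com"),
    _event("2023-09-10T14:07:00.000Z", "user.session.start", "admin.user@example.com", "admin.user@example.com", ip="198.51.100.7"),
    # ... and the reset account then makes the three moves from the bulletin.
    _event("2023-09-10T14:20:00.000Z", "user.account.privilege.grant", "admin.user@example.com", "other.user@example.com", ip="198.51.100.7"),
    _event("2023-09-10T14:35:00.000Z", "system.idp.lifecycle.create", "admin.user@example.com", "Staging SSO (IdP)", ip="198.51.100.7"),
    _event("2023-09-10T15:00:00.000Z", "policy.rule.update", "admin.user@example.com", "Default Policy rule", ip="198.51.100.7"),
    # Legitimate admin work days earlier, outside any reset window: should not alert.
    _event("2023-09-01T10:00:00.000Z", "user.account.privilege.grant", "admin.user@example.com", "new.hire@example.com"),
])


def detect(log_text, window_hours=24):
    """Return one finding per factor reset that is followed, within the window,
    by privileged changes made by the account whose factors were reset."""
    window = timedelta(hours=window_hours)
    events = sorted((json.loads(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["published"])
    findings = []
    for ev in events:
        if ev["eventType"] not in RESET_EVENTS:
            continue
        subject = ev["target"][0]["alternateId"]   # the user whose factors were reset
        t0 = _ts(ev["published"])
        chain = [
            {"time": e["published"], "eventType": e["eventType"],
             "what": ESCALATION_EVENTS[e["eventType"]],
             "target": e["target"][0]["alternateId"], "ip": e["client"]["ipAddress"]}
            for e in events
            if e["eventType"] in ESCALATION_EVENTS
            and e["actor"]["alternateId"] == subject    # acted on *by* the reset account
            and t0 <= _ts(e["published"]) <= t0 + window
        ]
        if chain:
            findings.append({"user": subject, "reset_by": ev["actor"]["alternateId"],
                             "reset_at": ev["published"], "escalations": chain})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[ALERT] factors for {f['user']} reset by {f['reset_by']} at {f['reset_at']}, then:")
        for step in f["escalations"]:
            print(f"  {step['time']}  {step['eventType']:<30} {step['what']} -> {step['target']} from {step['ip']}")
```

Run as-is, the script raises a single alert for admin.user@example.com listing the privilege grant, the new IdP and the policy change; jane's reset and the earlier, unrelated grant stay quiet. In production the same correlation can run on a System Log export or a SIEM feed, and the window should be tuned: a reset that is followed by policy or IdP changes within a day is far more suspicious than the same events spread over weeks.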
One cybersecurity specialist called this attack “the Ocean’s Eleven of the cyber age.”
Password reset attacks have been around forever, but this was different. This was a highly sophisticated "MFA reset" attack that assumed the attacker already had some access to the target organization and used the help desk to turn that foothold into full administrative control.
The Caesars attack highlights the need for robust Identity and Access Management (IAM).
Our standard advice for stopping password reset attacks is to implement MFA. But in this case, the attackers used social engineering to defeat MFA itself. The human was once again the weak link in the system: having MFA in place provides no protection if an attacker can get it switched off with a reset request.
In this case, procedure is paramount. Resetting MFA should require an extraordinary level of identity verification, and that verification cannot rest on facts an attacker may already hold, such as an employee ID, a manager's name, or the password itself. A callback to a number already on file, a live video check, or approval from the user's manager over a separate channel are the kinds of out-of-band checks a help-desk script should require before any factor is removed.
Another important component of IAM is least privilege access, which is a critical element of a Zero Trust Network Architecture. With least privilege access, users are only granted access to the information they need to get their job done. In the event that a hacker did manage to breach the company’s cyber defenses, the damage they could do is minimized.
Administrator privileges in particular need to be very tightly controlled. By getting access to super administrator accounts, the hackers could do anything they wanted in the identity system. Super administrator roles should be granted to as few accounts as possible, and resetting all MFA on one of them should never be possible with just a phone call to the help desk.
A $15 million ransomware payment is a drop in the bucket compared to what some cyberattacks can cost. For many small and midsize businesses, a successful cyberattack can be an existential threat. Companies have gone out of business after a successful cyberattack, either because of the direct costs or the reputational damage.
In today’s complex IT environment, with users working from anywhere accessing IT resources that may be anywhere, the best protection is a comprehensive Zero Trust approach. Ericom’s Cloud Security Platform provides small and midsize enterprises a quick and cost-effective way to implement the state of the art in cybersecurity.