The big news this past week was a ransomware attack against MGM Resorts and Caesars Entertainment. The attacks have both been attributed to ALPHV, and apparently Caesars quickly paid the ransom (which may have been tens of millions according to Bloomberg), while MGM seems to have refused to pay up and has still been having issues for almost a week at this point.
The technical details are rumored (according to a now-deleted post from vx-underground) to be pretty unimpressive… If the rumor is correct there was no APT, no zero-day, no rogue employee; just old-fashioned bad security practices.
So, rather than focus on the technical aspects I’d like to comment on the broader implications for this attack and cybersecurity in general. Mainly, how could this have happened? Casinos are absolutely notorious for being some of the most security conscious and paranoid businesses around. They’ve made several blockbuster movies about it! It’s unthinkable that someone would be able to physically rob them of millions of dollars or shut them down for days on end.
Before I start wildly speculating on the root causes here, let me clarify the reasons I like to make posts about big ransomware attacks.
First, I am old enough to remember a time when the worst thing malware would do was add some weird toolbars to your web browser or generate a bunch of popups. Maybe you’d be an unwilling participant in a botnet. Worst case, your OS would become unstable and you might have to reinstall, but your data was almost always safe. It was like there was a gentleman’s agreement with the threat actors back then that the damage would be limited. Those days have been over for a long time, and ransomware is BIG business these days whether we like it or not.
Secondly, I am always surprised that there are still organizations that are apparently not taking cybersecurity seriously. In this case it is especially surprising. Organizations that have literal rivers of cash and digital currency flowing through their casinos on a daily basis really should have been well aware that there was a giant target on their back. That target isn’t going away either after this incident is resolved. I sincerely hope this is a wake-up call for both these companies and everyone else in the casino business. I really shudder at the thought of the CPNI of elderly casino patrons being leaked to scammers.
So how could this have happened? I have no affiliation or experience with either of these organizations, so please know this is only speculation and take it with a huge grain of salt. That being said, I think there are serious implications here that a lot of organizations, not just casinos or large businesses, need to consider.
Was it a problem with “visibility”? Unfortunately, cybersecurity is invisible to the naked eye. You can see a man with a gun robbing your cashiers; you can’t see a threat actor halfway across the world locking down your domain. Often the people making decisions on staffing and budgets for an organization’s security posture are non-technical. This is why CSOs and SOCs have to make their reports bright and colorful with lots of pretty graphs to try and explain what is going on. Maybe the board doesn’t take it seriously because they can’t see the consequences heading their way until it is too late.
Was it a problem of hubris? Maybe there was an attitude that it couldn’t happen to them. Maybe they have a lot of partnerships and vendors and top men in top positions, so they took their security as a given. I’m sure these organizations have substantial annual expenditures on cybersecurity, so perhaps they thought it was a problem that could be solved with money and relying on experts. I would hope they were made aware somewhere along their journey that with enough time and effort a threat actor will likely gain access one way or another, but maybe they had too many yes men assuring them it would not happen to them.
Was it a problem of competence? As I mentioned earlier, the top decision-makers are likely not technical people. Although everyone in an organization is a potential weak link, there are several well-recognized cybersecurity frameworks in existence designed to mitigate risk and ensure assets are protected while ensuring Confidentiality, Integrity, and Availability. Having the right person in charge of your security program can reduce risk, ensure redundancy, and limit the attack surface as much as possible. Having the wrong people in critical roles does the exact opposite. The fact that MGM is suffering multi-day outages makes me wonder what their Disaster Recovery plan was…
Was it a problem of greed? Maybe they have the right people, the right products, and the right awareness, but they just can’t justify the budget. There seem to be a lot of organizations trying to “do more with less” by reducing headcount, finding cheaper vendors, and skipping out on upgrades and assessments they are being told are necessary, all in the name of increasing profitability. In my limited and humble experience, I have to say this tends to affect frontline and technology departments more often than not. It seems to be some kind of bizarre paradox where the technology and people running the business and doing the productive work are the first to feel the squeeze when there is even the slightest economic downturn. I don’t want to get into a huge rant about economic and political systems, so I’ll just ask: how many SOC Analysts, how many pentests, how much infrastructure could have been bought with that multimillion-dollar ransom that was just paid? And how much will the loss of reputation cost both of these organizations going forward? If your profits are that thin, it seems you can’t afford to be scaring away customers and having multi-day outages with limited or no revenue.
In closing, it is not my intention to rake these particular companies over the coals too harshly. These are issues I’ll bet most, if not all, organizations are struggling with to some degree. I truly hope this attack increases awareness both in the SOC and the boardroom. You can’t solve a problem you are not aware of, so if these large attacks increase awareness, then maybe they will be the catalyst more businesses need to start taking their security posture more seriously. There are very few things that take a large organization completely out of action, especially since they tend to have multiple locations, but a well-executed ransomware attack is certainly one of them.