
When a (Social Engineering) Stranger Calls: Unpacking the MGM Hack

The call is coming from inside the casino! Well, not really.

MGM recently made headlines for one of the more sweeping ransomware attacks we have seen in recent days; the company took a total of 10 days to recover regular function. The attack shut down everything from room keys to slot machines, forcing the hotel chain to go mostly analog while addressing the issues.

The source of the attack? If we believe the words of the proclaimed hackers: a single phone call. According to reporting from Vox, “it appears that the hackers found an employee’s information on LinkedIn and impersonated them in a call to MGM’s IT help desk to obtain credentials to access and infect the systems.” This information is corroborated by public statements from Okta, which claims an uptick in social engineering hacks.

A note on Social Engineering. For those wondering, social engineering is a manipulative technique where attackers exploit human psychology to trick individuals or employees into revealing confidential information, performing actions, or making security errors, often through deceptive emails, phone calls, or in-person interactions. It doesn't rely on technical vulnerabilities but on psychological manipulation to gain unauthorized access or information.

The biggest take-home lesson from the MGM hack that we can share is how important every individual is to your overall cybersecurity. That means ensuring that employees have proper training in how to spot potential malicious actors or report questionable activity. It also means building a work environment that empowers employees to feel comfortable raising these concerns, and providing them with the appropriate tools and resources.

Working with your IT group or MSP to institute security awareness training, and putting such conversations at the forefront of your interactions with people across your organization, can go a long way toward improving your cybersecurity.


Sources:

https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-casino-vishing-cybersecurity-ransomware

https://thenewstack.io/mgm-hack-analysis-security-still-a-test-of-your-weakest-link/

https://www.reuters.com/technology/hackers-who-breached-casino-giants-mgm-caesars-also-hit-3-other-firms-okta-says-2023-09-19/