Hackers Claim It Only Took a 10-Minute Phone Call To Shut Down MGM Resorts (engadget.com)

An anonymous reader quotes a report from Engadget: The ALPHV/BlackCat ransomware group claimed responsibility for the MGM Resorts cyber outage on Tuesday, according to a post by malware archive vx-underground. The group claims to have used common social engineering tactics, or gaining trust from employees to get inside information, to try to get a ransom out of MGM Resorts, but the company reportedly refuses to pay. The conversation that granted initial access took just 10 minutes, according to the group.

"All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk," the organization wrote in a post on X. Those details came from ALPHV, but have not been independently confirmed by security researchers. The international resort chain started experiencing outages earlier this week, as customers noticed slot machines at casinos owned by MGM Resorts shut down on the Las Vegas strip. As of Wednesday morning, MGM Resorts still shows signs that it's experiencing downtime, like continued website disruptions.
In a statement on Tuesday, MGM Resorts said: "Our resorts, including dining, entertainment and gaming are currently operational." However, the company said Wednesday that the cyber incident has significantly disrupted properties across the United States and represents a material risk to the company.

"[T]he major credit rating agency Moody's warned that the cyberattack could negatively affect MGM's credit rating, saying the attack highlighted 'key risks' within the company," reports CNBC. "The company's corporate email, restaurant reservation and hotel booking systems remain offline as a result of the attack, as do digital room keys. MGM on Wednesday filed an 8-K report with the Securities and Exchange Commission noting that on Tuesday the company issued a press release 'regarding a cybersecurity issue involving the Company.'" MGM's share price has declined more than 6% since Monday.

  • I heard they did a safety shutdown of many systems; also, some systems like the TITO ones you can't just restore from backup, no, you need to keep the data in line.

  • They should demand 3-2 blackjack for unlock codes!

    • by Anonymous Coward

      Most tables are 6:5 Blackjack these days, I don't even play anymore because it's a waste of time and not even fun to sit there getting ripped off.

      • Thank you. Glad you brought up the change in odds. That's as bad as casinos on the Strip charging to park [sfgate.com].

        If I want to get charged to park I can drive to Atlantic City. Gambling is gambling. At least there I can go to the beach if the tables are lousy.
  • Sounds like Kevin Mitnick has risen from the bit bucket.
  • Shameful (Score:3, Interesting)

    by Comboman ( 895500 ) on Thursday September 14, 2023 @08:32AM (#63847818)

    Trying to extract money from stupid people is shameful behaviour. This comment applies to both the hackers and the casinos.

    • Trying to extract money from stupid people is shameful behaviour. This comment applies to both the hackers and the casinos.

      Yes but what about stealing from stupid and corrupt people?

      • by Anonymous Coward

        Victim blaming is always bad.

  • Pay more (Score:5, Insightful)

    by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday September 14, 2023 @08:37AM (#63847834) Homepage Journal

    This is what happens when your staff is dumb.

    And that is what happens when you aren't willing to pay enough for talent.

    It also happens when you don't do enough training, which also costs money. But if you don't spend it... *gestures*

  • In the mafia days doing stuff like this got yourself whacked!

  • by Junta ( 36770 ) on Thursday September 14, 2023 @08:40AM (#63847842)

    This news shocks me that it took this long for their IT to be handed its ass. Any part of the experience that was vaguely IT related was just amazingly amateur hour.

    • by Midnight_Falcon ( 2432802 ) on Thursday September 14, 2023 @09:02AM (#63847910)
      I have tried to hire IT workers out of Las Vegas -- high end salary remote jobs -- and gotten endless resumes from people that worked at casinos. When interviewed, each one seemed to have outdated knowledge and not a lot of it at that. At some point we stopped recruiting anyone with recent casino backgrounds, which was about 90 percent of the resumes coming from Vegas postings.
      • by Howard Beale ( 92386 ) on Thursday September 14, 2023 @09:19AM (#63847940)
        Tell me about it. Worked as a vendor in the industry for years. Know of one casino that's still running Windows Server 2003 and SQL Server 2000 for the main systems controlling their casino floor. Pleaded for years to upgrade but they wouldn't. Just crazy.
        • Re: (Score:2, Funny)

          by Anonymous Coward

          Casinos are such a low margin business - they just don't have the money to do upgrades to core systems that make them money.

          • Won't anyone think of the casinos?
          • Any business that can't find the money for core systems that make them money is constrained by incompetence, not finance.
            • by tlhIngan ( 30335 )

              Any business that can't find the money for core systems that make them money is constrained by incompetence, not finance.

              I doubt it's financials or not wanting to upgrade. I'd be willing to bet it is "impossible to upgrade".

              The slot machines all are networked to provide stats to the managers, and the firmware on these is fixed. So much so the Nevada Gaming Commission will dump the ROMs periodically and verify it matches the official code on file during an inspection.

              So chances are, these systems aren't upgraded.

              • I do not doubt anything you've said but it also doesn't quite explain the current situation. If somebody had started with an ethernet connection plugged into a switch in the server room, there's probably little in terms of counter-measures available. However, it seems that an adversary was able to convince a helpdesk to reset a password and then somehow gain enough access *from the outside* to disrupt operations. That's pretty significant because it implies that there were no meaningful layers of securit
          • It really depends on the mindset of the parent organization. There are organizations that heavily invest in technology and there are the ones that don't. The latter don't realize that the hours of downtime they experience on a Friday or Saturday night probably cost them more in lost revenue than it would have cost to upgrade their aging systems. Same with security. Know of one casino that got hit twice within a matter of months by ransomware attacks. They farmed out their IT to a local mom and pop shop
        • So the TITOs are in a Windows SQL Server?

          • by Idzy ( 1549809 )
            If they are using the same system we are, it's all SQL Server with custom user front end apps that are buggy as heck. The hackers shouldn't have been able to shut down the slots though; you need physical access for that. They could put them all in hand pay mode though and really fuck up the accounting department.
            • All depends on what they are permitted to do by their regulatory body. Some will allow continued ticket prints, some will allow one ticket print and then go into handpay, some will only handpay. If the slots are the ones that operate via a center server (think fancy rdp or thin client), they could shut down the master server. Think I know what system you're talking about :)
          • For the vendor I worked for, we had multiple product lines. All used Windows OS/SQL Server to various degrees. For some, the main back-end systems were Windows; for others, Windows boxes were used for routing or caching of patron/ticket data.
        • It's likely regulatory.

          My local state lottery uses 10+ year old servers and development software because everything has to be audited, scrutinized, and approved by regulators before it can be changed (upgraded). The process is far more exhaustive than a normal QA/release management cycle. First hand knowledge from a developer...
        • by antdude ( 79039 )

          That sounds normal for many places. Look at government, banks, etc.

    • With all the blackhat and other hacking-based conventions in LV, I am surprised it hasn't been hacked before...

  • for businesses is not being hacked, it's the share price going down. You could get the CEO to kill his own mother to prevent a hit to the share price.

    • You wait - in response to the share price going down, they'll announce a cost cutting spree, "greater efficiencies" and "do more with less". The share price will bounce right back up - and they'll probably end up *cutting* the IT security budget.

  • Prevention is always hard to place a value on. Did your covid vaccine really prevent you from getting seriously sick with covid? Did the traffic lights and traffic calming save any lives? Did training for every employee against social engineering really work? For all of these preventions the cost is easy to see. There is the initial time and money to set it up plus the on going inconvenience. In the case of social engineering you need everyone to be on board and you need to accept a high level of inco
  • by McLae ( 606725 ) on Thursday September 14, 2023 @09:20AM (#63847944) Homepage
    Noticed that the share price went down. The only way to get C-Suite poms to notice an issue is if the share price is down. Maybe they will take security seriously now.
    • by gtall ( 79522 )

      Yep, and Moody's taking a bite out of their ass will also get noticed in the C-Suite. It affects how easily and at what price they can attract loans. I presume shareholders will notice what Moody's did as well.

    • by Halueth ( 776646 )
      I think they're just gambling that this one just flies over ;-)
    • It's not the only way, but it's an effective one. The other way, which they also got with this incident, is having your company on the front page of the Wall Street Journal because of some colossal data security fuckup. Though that tends to get your stock price going down too.

  • by nucrash ( 549705 ) on Thursday September 14, 2023 @09:42AM (#63847990)

    In years past, MGM has hosted a number of hacking conventions and has been hospitable to the hacking community. Granted, I know there could be some recent fisticuffs I don't know about, but I would assume that MGM probably has some allies on the community that probably won't stand for this.

    I remember BlackHat being hosted at Mandalay Bay for a number of years.

    • How are they going to "not stand for this?" Engage in some vigilante operation against the hackers? That won't restore MGM's lost revenue. They probably already "didn't stand for this" by notifying MGM of security weaknesses and were thoroughly ignored.
    • by cide1 ( 126814 )

      DEFCON was in their facilities last month (and has contracts for upcoming years), and FAL.CON is next week.

  • ...digital isn't always the best answer.

    Doubt they'd have been able to "10 minute" hack a bunch of the old style mechanical slots, but you get what you get when you replace something that was somewhat more secure but provided a slightly higher bulk payout over time.

    Then again they've probably made a metric craptonne of cash tweaking the math on the new digital machines to ensure the "whales" received their dopamine hits by paying out smaller wins at regular intervals, thus ensuring they keep feeding those q

  • Hacker Kevin Mitnick's Art of Deception told the story of a hacker diving in company dumpsters late at night to fish out company directories containing lists of targets with likely high-trust accounts. Now just log into LinkedIn and do the same from the comfort of the living room.

    Despite being 20+ years old, peeps are still ignoring the book's wisdom.
  • And with another successful social engineering hack, lying to helpful people, the world becomes colder and less friendly. If you wonder why phone support people cannot or will not help you with your problems, thank the social engineering "hackers".
    • by PPH ( 736903 )

      So here's a great application for AI: customer support. Ask it a question not on the approved list and it reverts to "asshole mode". Without even feeling bad about it.

  • Business Continuity/Disaster Recovery drills test for most likely and pervasive and detectable scenarios, often scoring highest in six-sigma FMEA(failure mode event analysis). If any senior tech IT person is compromised, at home or in office, by saboteurs or criminal elements of society, then even with zero trust compliant policies in force, and peer-review dual authorization of on-call incident/problem event handling with trusted firewalls, exposure exist even with well-conditioned experienced team member