CDSA

CPS 2023: ME-ISAC Explores the Anatomy of a Breach

The Content Delivery & Storage Association (CDSA) ME-ISAC analyzed the recent security breaches experienced by MGM Grand and Caesars Palace during the Dec. 5 Content Production Summit at The Culver Theater in Culver City, California.

During the session, “ME-ISAC’s Anatomy of a Breach: MGM Grand & Caesars Palace,” Jess Levine, threat analyst at CDSA’s ME-ISAC, and Chris Taylor, director, CDSA’s ME-ISAC and global security director at Skydance, also explained how they watch “bad guys that are out on the internet and then try to turn that into actionable information that you can then use in your environments to protect yourselves,” Taylor said.

“The whole idea behind this is to create a proactive defense for yourselves,” he told attendees. “If your neighbor next to you gets attacked and you’re able to see what that attack looks like, you can change your defenses, and now you’re already ready to defend the attack before you’re the victim of it. And that’s kind of the whole goal of threat intelligence.”

He explained that the “purpose of an ISAC is to share that threat intelligence amongst a community, so that you can each raise up your defenses based off of someone else getting attacked instead of you.”

Levine then discussed the MGM Grand and Caesars Palace security attacks, which shut down most of the Las Vegas Strip for more than a week.

On Sept. 7, Caesars realized it had been breached and its loyalty program had been compromised, she noted. “They were hit with ransomware and the majority of the information included social security numbers, including driver’s license numbers and other contact information for their guests,” she said.

On Sept. 11, users started posting on social media that casinos were down all over and “absolutely inaccessible,” she said, noting hotel guests couldn’t get back into their rooms and ATMs were also down.

A threat intelligence group was one of the first to report that it took just 10 minutes in a phone call to compromise MGM, she said. The hackers looked up information on certain IT employees and then “proceeded to impersonate them to the IT staff,” getting them to change their passwords, she noted. When MGM ignored the hackers, ransomware was deployed against that company.

The hacking group is Scattered Spider, which is also known as Roasted 0ktapus, Scattered Swine and Muddled Libra, and it is affiliated with the ransomware-as-a-service group BlackCat, also known as ALPHV. The English-speaking group was first seen in March 2022 and is financially motivated, according to Levine. The group uses social engineering, including short message service (SMS) phishing and regular email phishing.

“Eventually, the [victim] gets so tired of getting” alerted that they just give up and go along with what the attackers want, she said.

Caesars chose to pay the ransom, which initially was for $30 million but was negotiated down to $15 million, according to published reports, she said.

“It wasn’t necessarily the best outcome,” Levine noted. “They did pay them … but they were told that all of the information that the threat actors have was deleted [and] they were able to fully recover all of the information and unencrypt the data.” That company’s hotels were shut down for a week or less.

On the other hand, MGM “did not want to communicate with the protectors; they chose to not pay and ended up spending about $10 million on various third-party advisors, legal fees and expenses, and had about $100 million or so, maybe $150 million … in total losses,” according to published reports, she said. MGM hotels ended up being shut down on the majority of the Las Vegas Strip for more than a week, she added.

There were a few lessons learned from the breaches and mitigation strategies that were used. “So what can we do to prevent ourselves from being in this situation?” she asked rhetorically. “We can follow Microsoft’s best practices. We can secure our accounts, [use] credential hygiene, [make] sure that you have long, strong, and unique passwords.” Also, if somebody doesn’t need access to a company’s computer system, they shouldn’t have access, she said.

Also crucial is the use and enforcement of multifactor authentication “on all accounts, in all locations, at all times,” she said. “Everything that can have multi-factor authentication should have it.” She added: “Prioritize employee information security training. Everyone needs to be on the same page when it comes to securing the company. Everyone needs to have a security culture ingrained into the overall culture. Teaching employees about social engineering tactics [and] best practices for passwords so, if they get a phishing email, they need to know what to do with it.”

Also, if somebody claims to be your company’s CEO and that person wants gift cards, that employee should “know that your CEO is not going to be asking for gift cards,” she added.
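As an added example, not from the session or from CDSA, the help-desk impersonation pattern Levine describes (an IT employee is impersonated and the help desk resets the account’s password) leaves a recognizable trace in identity-provider audit logs: an assisted password reset on an account, followed within minutes by a sign-in from an address that account has never used. The Python script below runs that correlation over a handful of constructed audit records. The field names, account names, IP addresses and the privileged-account list are assumptions made for illustration, not any vendor’s schema or any real log data.

```python
"""Correlate help-desk password resets with follow-on sign-ins from new addresses.

Detection logic, not a product rule: flag an assisted reset (actor != target)
that is followed, within a time window, by a sign-in for the same account from
an IP address with no prior successful sign-in for that account.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real data). The schema is an assumption:
# time (ISO 8601), event type, actor (who performed it), target (account), ip.
SAMPLE_EVENTS = [
    {"time": "2023-09-09T08:00:00", "event": "signin", "actor": "c.nguyen", "target": "c.nguyen", "ip": "10.20.1.31"},
    {"time": "2023-09-10T09:02:11", "event": "signin", "actor": "a.lee", "target": "a.lee", "ip": "10.20.1.14"},
    # Help desk resets a.lee's password; a sign-in from an unseen address follows.
    {"time": "2023-09-10T13:40:05", "event": "password_reset", "actor": "helpdesk.tier1", "target": "a.lee", "ip": "10.0.5.9"},
    {"time": "2023-09-10T13:47:52", "event": "signin", "actor": "a.lee", "target": "a.lee", "ip": "203.0.113.77"},
    # Self-service reset: actor == target, out of scope for this rule.
    {"time": "2023-09-10T14:01:00", "event": "password_reset", "actor": "b.ortiz", "target": "b.ortiz", "ip": "10.20.1.22"},
    {"time": "2023-09-10T14:05:30", "event": "signin", "actor": "b.ortiz", "target": "b.ortiz", "ip": "10.20.1.22"},
    # Assisted reset followed by a sign-in from an address already known for the account.
    {"time": "2023-09-10T15:30:00", "event": "password_reset", "actor": "helpdesk.tier1", "target": "c.nguyen", "ip": "10.0.5.9"},
    {"time": "2023-09-10T15:35:00", "event": "signin", "actor": "c.nguyen", "target": "c.nguyen", "ip": "10.20.1.31"},
]

# Accounts whose compromise would matter most (assumed list for the example).
PRIVILEGED_ACCOUNTS = {"a.lee"}


def _ordered(events):
    """Parse timestamps and return events sorted chronologically."""
    return sorted(
        ({**e, "time": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["time"],
    )


def find_suspicious_resets(events, window=timedelta(minutes=30)):
    """Return one finding per assisted reset followed by a sign-in from a new IP."""
    ordered = _ordered(events)
    known_ips = {}  # account -> set of IPs seen in sign-ins so far (running baseline)
    findings = []
    for i, ev in enumerate(ordered):
        if ev["event"] == "signin":
            known_ips.setdefault(ev["target"], set()).add(ev["ip"])
            continue
        if ev["event"] != "password_reset" or ev["actor"] == ev["target"]:
            continue  # only help-desk-assisted resets are in scope
        account = ev["target"]
        baseline = set(known_ips.get(account, set()))  # snapshot taken at reset time
        deadline = ev["time"] + window
        for later in ordered[i + 1:]:
            if later["time"] > deadline:
                break
            if later["event"] == "signin" and later["target"] == account and later["ip"] not in baseline:
                delay = later["time"] - ev["time"]
                findings.append({
                    "user": account,
                    "reset_by": ev["actor"],
                    "reset_at": ev["time"].isoformat(),
                    "signin_ip": later["ip"],
                    "minutes_after": int(delay.total_seconds() // 60),
                    "severity": "high" if account in PRIVILEGED_ACCOUNTS else "medium",
                })
                break  # one finding per reset is enough to raise the alert
    return findings


if __name__ == "__main__":
    for f in find_suspicious_resets(SAMPLE_EVENTS):
        print(f)
```

On the sample data only the a.lee reset is flagged: the b.ortiz reset is self-service and c.nguyen’s post-reset sign-in comes from an address already in that account’s baseline. The window and the baseline are the two knobs a SOC would tune; a short window misses slow follow-through, while a baseline built from too little history flags every legitimate user who happens to be travelling.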

Produced by MESA, the Content Production Summit was presented by Fortinet, and sponsored by Convergent Risks, Friend MTS, Amazon Studios Technology, Indee, NAGRA, EIDR, and Eluv.io, in association with CDSA and the Hollywood IT Society (HITS).