Learn From The MGM Resorts Breach
EP Editorial Staff | November 25, 2023
By Laura Elan, MxD
What can a cyberattack that idled slot machines on the Las Vegas Strip teach manufacturers? A lot.
As in most major cyberattacks, the target is not sharing many specifics. MGM Resorts reported a “cybersecurity issue” in a now-deleted Sept. 11, 2023, post on X (formerly Twitter) and said all was back to normal on Sept. 20.
In early October, MGM Resorts provided some additional detail, stating in a U.S. Securities and Exchange Commission filing that an unspecified amount of customer personal information was stolen in the cyberattack that they estimate will cost the company $100 million.
Most of what is known about the voice phishing, or vishing, attack comes from media reports and from VX-Underground, described as a malware research group. According to VX-Underground, the ransomware-as-a-service gang ALPHV, also known as BlackCat, claimed responsibility for the attack. Gang members scoured LinkedIn to identify an MGM employee and then impersonated that worker in a call to the company-wide IT help desk.
The social network search that the cybercriminals are believed to have used is a common passive reconnaissance tactic. “Attackers spend a lot of time on what is called the pre-attack or reconnaissance phase,” said Allan Kamp, MxD’s Lead Cybersecurity Engineer.
During passive reconnaissance, attackers don’t engage with their target’s systems. They lurk, possibly looking online for clues about a company or its workers that can help them craft a successful phishing scam. Or they may surveil a building, such as a factory, to learn about shift changes, entry patterns, or the presence of physical security features.
Active reconnaissance, on the other hand, involves some kind of interaction with the target’s systems, such as port scanning to find a vulnerability. Manufacturers, Kamp said, must be on guard against both types of threats. Assume, he said, that someone is always trying to break in.
What can manufacturers do to repel a similar vishing attack?
Training: Companies should teach workers to always have their antennae up. Workers need regular training on how to detect any kind of phishing threat, whether it arrives by email or by phone call. More than 90% of all cyberattacks begin with phishing, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Zero trust: Based on the principle of “never trust, always verify,” a zero-trust strategy means no one should be giving out login information over the telephone to anyone unless measures are in place to remotely verify the caller’s identity. That could be through an automated process or through a required callback.
Multi-factor authentication: Employees should always be required to verify their identity with more than a password. Reports about the MGM Resorts breach say it’s unclear whether attackers turned off or bypassed multi-factor authentication.
Segmentation: A segmented network means that even if an attacker gets loose in the system, physical or virtual barriers that divide the network into subnetworks limit their access and the damage they can do.
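The zero-trust and multi-factor items above describe a help-desk rule: never act on identity claimed over an inbound call, and verify the caller through a separate channel before touching credentials or MFA. The following Python is an added illustration of that rule as a help-desk ticket gate; it is not code from MGM Resorts, MxD, or the article. The employee directory, phone numbers, the five-minute code lifetime, the three-attempt lockout, the manager-approval step for MFA resets and the `send` delivery callback are all assumptions constructed for the example.

```python
"""Help-desk credential-reset gate: verify callers out of band before acting.

Added illustration only. The directory, numbers, limits and delivery callback
are constructed assumptions, not any real organisation's procedure.
"""
import hashlib
import hmac
import secrets
import time

# Constructed directory. The callback number always comes from here, never from the caller.
EMPLOYEE_DIRECTORY = {
    "E1001": {"name": "Pat Example", "callback_phone": "+1-555-0100", "manager_id": "E1000"},
    "E1000": {"name": "Sam Manager", "callback_phone": "+1-555-0199", "manager_id": None},
}

CODE_TTL_SECONDS = 300   # assumed one-time-code lifetime
MAX_ATTEMPTS = 3         # assumed lockout threshold
AUDIT_LOG = []           # every decision is recorded for later review


def _log(event, **fields):
    AUDIT_LOG.append({"ts": time.time(), "event": event, **fields})


class ResetRequest:
    """One help-desk ticket. The inbound call itself never authenticates anyone."""

    def __init__(self, employee_id, caller_supplied_phone=None, wants_mfa_reset=False):
        self.employee_id = employee_id
        self.wants_mfa_reset = wants_mfa_reset
        self.state = "pending_verification"
        self.attempts = 0
        self.manager_approved = False
        self._code_hash = None
        self._code_expires = 0.0
        # A number offered by the caller is only logged: an impersonator would offer their own.
        _log("request_opened", employee_id=employee_id, caller_supplied_phone=caller_supplied_phone)

    def callback_number(self):
        """The only number the desk may dial: the one on record."""
        return EMPLOYEE_DIRECTORY[self.employee_id]["callback_phone"]

    def issue_code(self, send, now=None):
        """Generate a one-time code and hand it to send(number, code) for out-of-band delivery."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._code_hash = hashlib.sha256(code.encode()).hexdigest()  # store only a hash
        self._code_expires = now + CODE_TTL_SECONDS
        self.state = "awaiting_code"
        _log("code_issued", employee_id=self.employee_id, to=self.callback_number())
        send(self.callback_number(), code)

    def confirm_code(self, code, now=None):
        """Check the code read back on the callback; expiry and lockout are enforced here."""
        now = time.time() if now is None else now
        if self.state != "awaiting_code":
            _log("code_rejected", employee_id=self.employee_id, reason=f"state={self.state}")
            return False
        if now > self._code_expires:
            self.state = "expired"
            _log("code_rejected", employee_id=self.employee_id, reason="expired")
            return False
        self.attempts += 1
        presented = hashlib.sha256(code.encode()).hexdigest()
        if hmac.compare_digest(presented, self._code_hash):   # constant-time comparison
            self.state = "verified"
            _log("identity_verified", employee_id=self.employee_id)
            return True
        if self.attempts >= MAX_ATTEMPTS:
            self.state = "locked"
            _log("request_locked", employee_id=self.employee_id)
        else:
            _log("code_rejected", employee_id=self.employee_id, reason="mismatch")
        return False

    def approve_by_manager(self, approver_id):
        """MFA resets additionally need approval from the manager of record (assumed policy)."""
        if approver_id == EMPLOYEE_DIRECTORY[self.employee_id]["manager_id"]:
            self.manager_approved = True
            _log("manager_approved", employee_id=self.employee_id, approver=approver_id)
        else:
            _log("manager_rejected", employee_id=self.employee_id, approver=approver_id)
        return self.manager_approved

    def authorize(self):
        """Final gate: act only on a verified request (and an approved one for MFA changes)."""
        if self.state != "verified":
            return "deny"
        if self.wants_mfa_reset and not self.manager_approved:
            return "deny"
        return "allow"


if __name__ == "__main__":
    delivered = {}
    req = ResetRequest("E1001", caller_supplied_phone="+1-555-0123")
    req.issue_code(send=lambda number, code: delivered.update(number=number, code=code))
    print("desk dials", delivered["number"])  # the directory number, not the caller's
    print("verified:", req.confirm_code(delivered["code"]), "decision:", req.authorize())
```

The design point is that `authorize()` can never return `"allow"` from an inbound call alone: the caller's offered phone number is ignored, the code is delivered only to the number on record, the stored code is hashed and compared in constant time, repeated wrong codes lock the ticket, and an MFA reset requires a second approver. Every branch writes to the audit log so that a help-desk interaction like the one described above leaves a trail for the security team.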
Laura Élan is Senior Director of Cybersecurity for MxD Cyber: The National Center for Cybersecurity in Manufacturing, Chicago (mxdusa.org). Elan supports MxD’s cybersecurity projects and initiatives and leads the company’s Cybersecurity Steering Committee.