Caesars Admits To Being Pwned In Ransomware Attack…. And They Likely Paid Up

Caesars Entertainment has joined MGM Resorts in being pwned by hackers in a ransomware attack. This came to light in an SEC filing where they admitted to the pwnage:

As Bloomberg reports, citing sources close to the matter, the late-August attack left Caesars Entertainment forking over tens of millions of dollars to the hackers. The incident was described in an SEC filing published today, in which the company states that the breach occurred as the result of a “social engineering attack on an outsourced IT support vendor.” Sources told The Wall Street Journal that this social engineering attack involved a hacker posing as an employee to get the IT contractor to change a password. The hackers reportedly made off with the company’s loyalty program database, which contains a list of driver’s license numbers and Social Security numbers for a “significant number of members” within the database. 

“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” the company wrote in the SEC filing. “We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused. Nonetheless, out of an abundance of caution, we are offering credit monitoring and identity theft protection services to all members of our loyalty program.”

Another example of a social engineering attack leading to epic pwnage. Just like the MGM attack. Which isn’t a surprise given that the same threat actors are behind both attacks. And if you read the statement, it sounds to me like they paid up but don’t know if this will guaranteed to stop the data from leaking. That’s not a good situation.

Here’s some commentary from some industry experts:

Drew Schmitt, Practice Lead, GuidePoint Research and Intelligence Team (GRIT) at GuidePoint Security:

Scattered Spider is well known for its affinity for large targets, and the victimization of MGM and Caesars proves that the group possesses the motivation and means to be successful in their operations targeting substantial organizations. Scattered Spider is well known for having very well-established social engineering capabilities that many groups do not, mainly because they are rumored to have a significant presence in the United States, a characteristic many other groups do not share. Scattered Spider is exceptionally persistent and technically competent at many techniques, including phishing, SMiShing, MFA bombing, and SIM swapping, which have all contributed to their successful social engineering campaigns. Recently, there have been increasing speculations that Scattered Spider has partnered with AlphV on several occasions to extort the organizations they have victimized successfully.

Regarding the MGM hack, there has been a lot of emphasis on the fact that a brief social engineering phone call resulted in widespread compromise within a huge organization. We currently do not have the complete picture, and although this method of intrusion highlights some potential gaps in cybersecurity processes, there is likely much more to this intrusion than meets the eye. Scattered Spider is highly determined and persistent in their operations; if it wasn’t for this social engineering attempt, it could have been another that relied on more technical means. Sometimes attackers get lucky, and this could be one of those times. 

The reality of this situation is that Caesars and MGM were enormous organizations that became victims of ransomware. Still, so far in 2023, there have been over 2,800 public ransomware victims posted across leak sites belonging to more than 52 different threat actors. This number doesn’t include the victims that pay a ransom demand, a number which organizations like Caesars would belong to. The ransomware pandemic continues to be the most prolific threat that all industries and organizations, regardless of size, face. The Caesars and MGM hacks are a reminder that partnerships in intelligence sharing and investing in cybersecurity teams should be a significant topic of discussion for all organizations and that, as an industry, we need to continue moving fast to keep up with evolving threats.

Chris Denbigh-White, Chief Security Officer for Next DLP:

In the wake of these recent cyberattacks, which appear to have emanated from the exploitation of an external IT provider, it becomes evident that businesses must fortify not only their internal networks but also extend their cybersecurity vigilance to encompass third-party vendors and strategic partners. This underscores the imperative for a comprehensive approach to safeguarding digital assets. In short many organizations need to “lift their vision in order to protect their businesses.”

I note that in the mainstream discussion about the cyberattacks that hit both Caesars and MGM, the use of social engineering tactics seems to be taking center stage. However, it is crucial to bear in mind that social engineering represents just one “link” in the chain of a successful attack. In order to effect the level of impact that we have seen by these attacks many other information security controls must have failed.  

Organizations seeking to implement learning from these disconcerting episodes should delve deeper, evaluating not only the robustness of their initial security layers but also the overall resilience of their security program. This holistic perspective is instrumental in averting scenarios wherein a single inadvertent user click could potentially jeopardize an entire corporate entity.

Mike Hamilton, Founder and CISO of Critical Insight:

  • Caesar’s paid the extortion demand ($30M?) and are up and running
  • That said, their loyalty program data was stolen and they’ve believed the promise to delete it
  • MGM did not pay, and still have threat actor activity inside the network
  • Apparently actors hit LinkedIn and gathered some employee names, then vished the help desk
  • The ALPHV gang was seen bragging online that it took 12 minutes to go from initial access to full domain admin, and this suggests assistance from an insider
  • MGM apparently having trouble making payroll, and employees are walking out:

I’ll add to this before closing. Besides apparently not being able to make payroll, this is also happening to MGM:

Clearly MGM has issues. Lots of issues.

UPDATE: Emily Phelps, Director, Cyware had this comment:

   “If organizations take away anything from the Caesar’s ransomware attack, let it be a reminder that human behavior is one of the most common vulnerabilities threat actors exploit. Technologies change rapidly. Human behavior doesn’t. Improving security awareness must be an ongoing effort, and it is only the beginning. 

    “To minimize social engineering risks, it’s important to also ensure you require multifactor authentication, ideally using different types of authentication such as a passphrase and an authenticator app. Threat intelligence is critical to recognizing potential risks before they can cause harm. 

    “Organizations must not only have access to reliable intel; they must also be able to operationalize intelligence quickly. If you aren’t taking action, you aren’t reducing risk. This is why security collaboration and trusted intelligence sharing are critical to enabling enterprises to rapidly act on context-rich insights, moving from a reactive to a proactive security posture.”

Dave Ratner, CEO, HYAS followed with this:

   “Social engineering is one of the most successful ways bad actors breach an environment, and one of the hardest gaps to close.  Continued user training is needed, but this must be complemented with defense-in-depth strategies that assume breaches will occur and  detect the initial telltale signs of a breach, the digital exhaust indicating anomalous activity, so that the attack can be stopped before it expands and impacts operational resiliency.”

One Response to “Caesars Admits To Being Pwned In Ransomware Attack…. And They Likely Paid Up”

  1. […] that crippled Las Vegas hotel rooms for days. The MGM hack is an example of this along with the Caesar’s hack. But the hack of Okta itself has had significant downstream effects. 1Password it turns out was […]

Leave a Reply