As The Washington Post reports, MGM Entertainment shut down some of its casino and hotel computer networks after experiencing what the company called a “cybersecurity incident.” Separately, Caesars Entertainment revealed that it had sustained a “social engineering attack on an outsourced IT support vendor.” Caesars reportedly paid hackers a ransom of about $15 million.
Merritt Maxim, research director of security and risk at Forrester, told Cybersecurity Dive that social engineering attacks have grown increasingly sophisticated, and multi-factor authentication is no panacea. What happened in Vegas, Maxim said, “demonstrate[s] that … the human element remains a vulnerable spot.”
Speaking on CNBC in the wake of the incident, Mandiant CEO Kevin Mandia cited human trust as the factor that threat actors have exploited in infiltrating corporate America.
As Engadget reports, the ALPHV/BlackCat ransomware organization, which claims responsibility for the MGM cyberattack, says that all it took was finding an employee on LinkedIn to impersonate, followed by a 10-minute phone call to the help desk to obtain login credentials.
Kayla Williams, chief information security officer at Devo, told Security Magazine that if the ransomware group’s claim is true, “enhanced caller vetting and employee verification processes in the HelpDesk could have also potentially thwarted the social engineering attempt.”
Identity management company Okta has acknowledged that MGM and Caesars are its clients, as Reuters reports. Three other Okta clients in the manufacturing, retail and technology sectors also reportedly fell victim to ALPHV and its affiliate known as “Scattered Spider.”
Some security experts hope that the drama of a Las Vegas heist will draw public attention to the risks of social engineering in a way that life-and-death threats to critical infrastructure somehow haven’t. Brett Callow, a threat analyst at the antivirus company Emsisoft, told Wired, “The more attention the problem gets, the more policymakers may be inclined to try new strategies.”