Why You Should Be Concerned About the MGM ‘Vishing’ Attack
September 27, 2023 Alex Woodie
Las Vegas casino giant MGM Resorts International has lost millions of dollars this month and suffered damage to its brand as a result of a high-profile ransomware attack that is still ongoing across several of its properties. The hackers that infiltrated MGM’s computer systems are said to have used a low-tech social engineering technique dubbed “vishing” that just about any company is susceptible to, including IBM i shops.
The systems that hackers shut down on September 11 may or may not be IBM i servers or connected to them. MGM has been an IBM i user in the past, just as much of the Vegas Strip has relied on the IBM midrange servers for years to run their massive properties. One recent story states the ransomware perpetrators claimed they encrypted 100 ESXi hypervisors.
However, it’s unclear whether MGM still relies on IBM i. For obvious security reasons, MGM is not publicly disclosing details about the nature of its computer systems, nor details of the ransomware attack.
But that radio silence is not extending to IT vendors that MGM relies on to help govern access to its internal systems. According to a story in Bloomberg, an executive with the authentication service Okta said that it’s working with MGM to resolve the cybersecurity incident, and that the incident appears to be the work of a hacker group called Scattered Spider.
Scattered Spider’s modus operandi apparently is to use social engineering techniques to infiltrate victims’ systems. “Scattered Spider is a likely eCrime adversary who conducts targeted social-engineering campaigns primarily against firms specializing in customer relationship management and business-process outsourcing, as well as telecommunications and technology companies generally. The adversary primarily uses phishing pages to capture authentication credentials for Okta, Microsoft Office 365/Azure, VPNs…,” the cybersecurity firm CrowdStrike says in its report on the group.
In MGM’s case, it appears the group used a low-tech phishing technique dubbed “vishing,” a portmanteau of “voice” and “phishing.” The hackers reportedly gained access to MGM’s internal systems by calling the company’s help desk and asking for a password reset. They were able to impersonate a legitimate IT worker by answering the basic security questions that the MGM help desk staffer asked, using details they reportedly gathered from the legitimate staffer’s LinkedIn profile.
MGM left itself open to these sorts of attacks by requiring only “basic” information to obtain a password reset from the help desk, according to the Bloomberg story. The publication said a former MGM employee told it that MGM requires only an employee’s name, company identification number, and date of birth to obtain a password reset, “details that would be trivial to obtain for a criminal hacking gang,” Bloomberg writes.
The Okta executive reportedly told Bloomberg that it is also helping Caesars recover from a similar ransomware attack. In a regulatory filing, Caesars said it identified suspicious activity in its network “resulting from a social engineering attack on an outsourced IT support vendor used by the company.”
However, Caesars reportedly paid the ransom to unlock its systems and data, while MGM did not. Many of MGM’s systems, including slot machines and restaurant ordering systems, are still down, weeks after the initial attack. The hackers say they will continue to keep MGM’s data encrypted until the company pays the ransom.
Vishing is an emerging technique that provides better results for hackers than regular phishing emails. “The click rate for the average targeted phishing campaign was 17.8 percent, but targeted phishing campaigns that added phone calls (vishing or voice phishing) were three times more effective, netting a click from 53.2 percent of victims,” IBM says in its X-Force Threat Intelligence Index 2022 report.
The whole episode shows that cybercriminals have multiple ways to compromise organizations, and that it’s necessary to have overlapping layers of security. In this case, help desk personnel stand out as a possible weak link in the security chain, and the need for better training of those staff will undoubtedly kick off another wave of security service development and training, as it should.