MGM Resorts 'Cybersecurity Issue' Likely Widespread Ransomware Attack
We explore what might be behind the attack.
![MGM Resorts at night, Las Vegas](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt96f6d032b78d98ad/6537c862d2505604bc2964d9/MGM-Grand-at-Night.jpg?width=700&auto=webp&quality=80&disable=upscale)
Andrew Zarivny/Shutterstock
Piyush Pandey, CEO at Pathlock, said according to early reports, the classic targets of money and data seem to be at play here.
“The lateral movement the attackers have gained has appeared to give them a wide span of control over interconnected systems — ATM and slot machines, electronic room keys, rewards programs, etc.,” he said. “The reports of the rewards program being affected are noteworthy, as that would house a trove of personally identifiable information (PII). Given the wide range of systems affected, it’s possible that a user account in a core application or system was compromised, which allowed for the lateral movement we’re seeing. This is a risk with over-entitled roles in critical business applications such as enterprise resource planning (ERP), finance and HR.”
Having a strong access governance program — the continual testing and enforcement of application controls — significantly reduces the amount of attack surface in those applications, Pandey said.
“Cybersecurity teams also need the ability to detect threats and compromised accounts in real time, limiting the amount of lateral movement and data exfiltration,” he said.
Zane Bond, head of product at Keeper Security, said this devastating cyberattack against MGM Resorts highlights both the high value and extreme vulnerability of the broader hotel and casino industry.
“As with other industries, casinos and hotels collect a wide range of sensitive information about their guests, from credit card information to PII, all while transacting enormous sums of money,” he said. “However, with this industry specifically, the intellectual property that underpins casino operations provides an additional unique and extremely valuable target for cybercriminals. Think of all of the software that runs modern gaming systems, like slot machines. Casinos aren’t just gaming companies anymore; they’re software developers and these systems are some of the most advanced and connected in the world. The technology in gambling is astounding.”
Based on history, the majority of successful casino attacks have happened through insider threats, Bond said.
“These types of threats can be mitigated with a variety of cybersecurity measures including privileged access management (PAM), which protects privileged accounts, reduces lateral movement within networks and provides event logging to track the source of unusual activity,” he said. “With so many of MGM’s systems taken offline, we don’t yet know what type of cyberattack this was or how it occurred, but we do know simply from the response that it was massive and critical in nature. This is not a single slot machine infected with a virus, which can be rebooted and re-imaged to resolve the issue in a matter of minutes. The fact that this affected casinos in multiple cities indicates this is a significant breach that may have come from an insider threat or a worm that has spread wildly.”
Callie Guenther, cyber threat research senior manager at Critical Start, said the nature of the widespread outages and disruptions aligns most closely with a ransomware attack.
“The breadth of affected systems and services suggests a concerted effort to disrupt operations, which is consistent with ransomware tactics,” she said. “While less likely, we cannot rule out a distributed-denial-of-service (DDoS) attack given the sheer volume of outages. However, the internal system disruptions do hint towards something more invasive. An advanced persistent threat (APT)-targeted attack is another possibility. Large corporations, especially those involved in sectors like hospitality and gambling, can also be targets for APTs. These are sophisticated, prolonged cyber-espionage campaigns often sponsored by nation-states. The aim is to maintain long-term access to the victim’s network, often for intelligence gathering. But the immediate and broad impact seems to lean more towards a ransomware-style disruption.”
Casinos, given their high financial turnover, are prime targets for cybercriminals seeking financial data such as credit card information, Guenther said. Personal information is another lucrative target, as evidenced by MGM’s previous breach in 2019. Disrupting operational infrastructure can also cause direct financial losses and tarnish the reputation of the establishment. Due to the significant daily turnovers, attackers may assume that casinos are likely to pay a ransom swiftly to resume operations.
“The data provided does not yield indicators pointing to a specific threat actor or group,” she said. “Attribution is an intricate process requiring in-depth forensic analysis, familiarity with particular malware signatures and often geopolitical knowledge. At this stage, without specific details or a claim of responsibility, any attribution would be speculative.”
Joseph Carson, chief security scientist and advisory CISO at Delinea, said the MGM Resorts IT and security teams are living through security professionals’ worst fears and nightmares right now, something all security professionals can empathize with.
“When cybersecurity incidents occur, they can have a major impact to the business and customers, especially when we are so dependent on technology for payments, communications, digital and physical access, and running critical systems,” he said. “When systems are down, the business can come to a full stop. In this case, it completely turns off the tap of a major revenue stream that relies on availability and access. I have seen many serious incidents in the past and can only hope that MGM Resorts have a solid incident response plan, have practiced and simulated it, and are prepared and ready to handle this incident. Cybersecurity is a strong community, and we should always be supportive during such serious situations.”
Erfan Shadabi, head of marketing with Comforte AG, said in an era where digital transformation is reshaping the way the tourism industry operates, the reliance on interconnected systems and data-driven processes has never been greater. As such, the sector becomes an attractive target for cybercriminals seeking financial gain or to exploit vulnerabilities for malicious purposes.
“The MGM Resorts incident is emblematic of this overarching challenge,” he said. “Recognizing the pivotal role technology plays in enhancing guest experiences, optimizing operations, and facilitating global connectivity, the tourism industry must allocate resources to bolster its cybersecurity posture. To that purpose, data-centric security stands as the most effective approach in safeguarding organizations within the tourism industry due to its inherent focus on protecting the core asset that cybercriminals seek to exploit: data itself. Rather than relying solely on perimeter defenses and assuming that all breaches can be prevented, data-centric security recognizes the inevitability of potential breaches and prioritizes securing the data at its very essence. By doing so, this approach not only fortifies an organization’s defenses, but also ensures that even if a breach occurs, the stolen data remains indecipherable and effectively useless to malicious actors.”
Tom Kellermann, senior vice president of cyber strategy at Contrast Security, said for decades casinos have been leaders in security.
“The MGM hack underscores how digital transformation increases the attack surface and how physical infrastructure can be disrupted by a cyberattack,” he said. “Guards, guns and vaults cannot defend against cyber-intrusions. Cyber vigilance is paramount in an era of cybercrime.”
A massive cyberattack on MGM Resorts has impacted operations at numerous hotels and casinos on the Las Vegas strip, including the MGM Grand, Bellagio, Aria, Mandalay Bay and more.
“MGM Resorts recently identified a cybersecurity issue affecting some of the company’s systems,” MGM Resorts wrote on X (formerly Twitter). “Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems. Our investigation is ongoing and we are working diligently to determine the nature and scope of the matter.”
MGM updated its statement to say its resorts are operational, guests can access their hotel rooms and front desk staff is ready to assist as needed. The websites of MGM resorts on the Strip remained down Tuesday.
On Monday, KTNV 13, a TV station in Las Vegas, reported that multiple gambling machines at hotels had gone offline and that several guests were unable to charge anything to their rooms, make reservations or use their digital room keys.
MGM Resorts Attacker’s Purpose Unknown
The nature of the incident has not been disclosed publicly and the attacker’s purpose remains unknown. This is the second time MGM Resorts has confirmed a cybersecurity incident since 2019, when one of the company’s cloud services was breached and hackers stole more than 10 million customer records. The company confirmed the breach in 2020. Stolen data included guests’ names, dates of birth, email addresses, phone numbers and physical addresses.
Fergal Lyons, cybersecurity evangelist with Centripetal, said early indications point to a “severe and widespread” ransomware attack.
“If past performance in this industry is an indicator, then we could anticipate MGM paying the ransom if they see no other option,” he said. “Cybercriminals are finding ransomware to be a lucrative industry, capitalizing on vulnerabilities and exploiting careless employees. The methods employed are diverse, tailored to the specific companies they target. Thus, it is imperative that all businesses take extra precautions to evade becoming the next target. Utilizing already available threat intelligence on these ransomware groups can thwart impending attacks and avert data breaches. Adopting a proactive, intelligence-based stance against potential threats is crucial as relying solely on a reactive approach to threat hunting may be too late, resulting in irreversible harm.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.