Casino giant Caesars Entertainment has confirmed miscreants stole a database containing customer info, including driver license and social security numbers for a “significant number” of its loyalty program members, in a social engineering attack earlier this month.
The admission comes as MGM Resorts enters its fourth day of inoperable IT systems and casinos following a “cybersecurity issue.” Internet crime gang Scattered Spider, understood to be responsible for that intrusion, reportedly bragged that all it took to break into the corporation’s networks was a ten-minute call with the help desk.
It’s also reported the arachnid crew hit both Caesars and MGM Resorts, though reps for Scattered Spider, also known as 0ktapus, claimed they only hit MGM and had nothing to do with the Caesars raid.
Then fall Caesars
In an 8-K form submitted late last week to the SEC, America’s financial watchdog, Caesars – which owns more than 50 resorts and casinos in Las Vegas and 18 other US states – disclosed the theft of its customer database, which it blamed on “a social engineering attack on an outsourced IT support vendor.”
Caesars declined to answer The Register‘s questions. The digital break-in was discovered on September 7, according to its SEC filing. The crooks stole Caesars’ loyalty program database, which was stuffed with people’s sensitive personal information.
“We are still investigating the extent of any additional personal or otherwise sensitive information contained in the files acquired by the unauthorized actor,” Caesars told the SEC. “We have no evidence to date that any member passwords/PINs, bank account information, or payment card information (PCI) were acquired by the unauthorized actor.”
Upon noticing suspicious IT network activity, the entertainment goliath said it not only immediately launched a probe, it also hired “leading cybersecurity firms” to help with its incident response and remediation efforts, and notified law enforcement and state gaming regulators.
All of this sounds pretty routine, though there is another line in the SEC filing that seems to indicate extortion — and a payment made by Caesars to potentially stop the pain:
That to us sounds like whoever broke into the IT systems made off with the data and wanted some kind of bung to keep the information private. The Register asked Caesars to clarify what specific steps were taken, among other questions about the fiasco: who is the unnamed IT outsourcer? Who was behind the break-in? Did those crooks demand a ransom and if so, how much, and was it paid?
We have yet to hear back from the corporation, though we will update this story as soon as we do.
Extortion seems like a safe bet
Other media outlets are reporting that it was, in fact, an extortion attack.
Vital Vegas earlier this week whispered about hearing “rumblings” that Caesars was trying to play down word of a cyberattack. Bloomberg on Wednesday reported the casino giant had paid “tens of millions of dollars to hackers” who broke in and stole company data.
Vital Vegas updated its coverage of the affair later that day to report Caesars paid $15 million to the extortionists, down from a $30 million demand, citing unnamed sources: “We are not making this up. Caesars talked them down like an episode of ‘Pawn Stars.’”
Meanwhile, as the mass outage across MGM Resorts enters its fourth day, that Las Vegas casino and hotel behemoth issued a second statement about its ongoing “cybersecurity issue.”
“We continue to work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly,” it xeeted. In response, hotel guests shared videos of empty casinos and disconnected slot machines, and questioned how to cancel reservations and get a refund with the resorts’ websites, email, and apps still not working.
There is one benefit: free parking at MGM Resorts properties.
Scattered Spider claims it wrecked MGM Resorts
Scattered Spider – a US-UK-based Lapsus$-like gang that specializes in social engineering attacks and is affiliated with the ALPHV ransomware operators – is said to be behind the MGM Resorts debacle. It’s claimed all it took for the miscreants to infiltrate MGM Resorts was finding an employee on LinkedIn, then calling a help desk presumably to impersonate that staffer and gain access, or something like that.
“A company valued at $33,900,000,000 was defeated by a ten-minute conversation,” as malware analysis nerve center VX-Underground put it.
In an interesting twist, and according to a Financial Times report, a spokesperson for the spider-themed crew claimed it had hoped to infect slot machine software at MGM Resort properties to rig the equipment, and then “recruit mules to gamble and milk the machines” of payouts.
When that wasn’t possible, the gang returned to its tried and true method — a simple phone call to hoodwink some hapless employee — that worked in the past to compromise Okta and other high-profile victims.
That said, members of the ALPHV-Spider nexus just now denied going after the slot machines. “Doing so would not to be to our benefit and would decrease the chances of any sort of deal,” they reportedly told VX-Underground.
MGM Resorts declined to answer The Register‘s questions about the security breach. ®