September 25, 2023 43 mins

On September 11th, 2023, MGM Resorts International posted that the company experienced a "cybersecurity issue." That issue links to two different hacker groups, a ransomware attack, and a similar incident that happened to another major casino company earlier in the year. This is the story so far.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Welcome to TechStuff, a production from iHeartRadio. Hey there,
and welcome to TechStuff. I am your host, Jonathan Strickland.
I am an executive producer with iHeartRadio. And how the
tech are you? I am recording live here from the
iHeart Podcast studio powered by Bose at the House of

(00:26):
Music at the iHeartRadio Music Festival. I'm sure you're gonna
be able to hear some of the ambience, let's call
it here at the festival. And that's just proof that
I'm actually here. I don't know how that happened. I
am nowhere near cool enough to have been invited here.
I guess they didn't listen to the show first. That's

(00:48):
fine with me, though. There's some pretty incredible musical acts
that are going to be rocking out in the arena
that's right in front of me, and I will sit
here and talk about geeky tech stuff. So the question
is then, what topic should I cover for this episode?
And I asked myself that several times. I had a
lot of possible answers. Maybe I could talk about the
tech of running a concert, for example, there's a lot

(01:08):
of tech involved in that. Maybe I could just talk
about the tech needed to make sure a band's equipment's
all working properly. I could talk about sound systems, or lasers,
or pyrotechnics or all sorts of stuff, but I'm in Vegas, baby,
And what's more, I'm staying at a hotel that's owned
by MGM Resorts. So I think the topic to tackle

(01:30):
is the recent hacker attack on that company. So what
exactly happened, who is responsible or who do we think
is responsible, how did it unfold, and what are the
ongoing consequences. So sit back, folks, it's time to do
a casino heist podcast episode, TechStuff style. Now, originally
I thought I'd do a quick history of MGM Resorts International,

(01:53):
you know, the company that became the target of the hackers.

Speaker 2 (01:57):
But as it turns out, that company's history is, let's say,
it's super complicated, and it overlaps the history of MGM Studios,
the film company, as well as numerous other companies both
within the gambling world and beyond.

Speaker 1 (02:11):
So rather than go through all of that, which would
be confusing in an entire episode by itself, I'm just
gonna kind of give you a summary. So, since the
mid nineteen eighties, the company that we now call MGM
Resorts International has had some major ups and downs. It
has also over time swallowed up other companies that operated

(02:32):
resorts and casinos in Vegas and in other places. Today,
MGM Resorts International operates but does not own, numerous resorts
in Vegas and beyond. Among the Vegas properties are the
MGM Grand and assorted MGM properties like Park MGM, the Bellagio,
the Aria, the Cosmopolitan, New York-New York, Excalibur, the Luxor,

(02:56):
Mandalay Bay, and some more. And it also has a
more than forty ownership of the T-Mobile Arena, the
building that is directly in front of me, just the building. However,
they do not own the land. The company made somewhere
in the neighborhood of thirteen billion dollars in revenue last year.
That was an increase from nearly nine point seven billion

(03:17):
from the year before, and it seems that twenty twenty
two saw the highest revenues in the company's history so far.
Of course, revenue is not the same as income. That's
more to the tune of one point four billion dollars
for twenty twenty two. That's a lot of money, princely
sum, as I might say. They own more than thirty

(03:38):
billion dollars worth of assets. So, in other words, to
enterprising thieves, MGM Resorts International is a tempting target. Heck,
that's the stuff of heist movies, right, except a heist
is typically a high risk endeavor and it's almost bound
to fail. Successful heists have happened in the past, even
in Vegas, but more often than not, the house comes out

(04:01):
on top. Moving the heist into the realm of computer
systems becomes a different matter. However, it's more likely that
you can find a way to pull off your crimes
while you protect yourself. Now, before we move on to
the actual hacking attack, I also need to mention the
company Caesars Entertainment. Like MGM, Caesars has a really, really

(04:24):
complicated history. It's filled with mergers and acquisitions and sales
and even bankruptcies. It gets bonkers. The most recent move
of that company was in twenty twenty. That's when another
company called Eldorado Resorts Incorporated acquired Caesars Entertainment Corporation.
Then Eldorado Resorts changed its own name to Caesars Entertainment.

(04:45):
But there are other companies that are lumped in there
as well, like Harrah's Entertainment is part of that. Anyway,
in twenty fifteen, Caesars went into bankruptcy, and as part
of the effort to get out of bankruptcy, the company
split into two entities. One would be a company that
would actually operate the various resorts and casinos. The other
would be what is called a real estate investment trust

(05:06):
or REIT, which would actually own all the properties. To
get into REITs is beyond the scope of the show,
but y'all, they can be monsters. Anyway, the spin-off
REIT took the name VICI after veni, vidi, vici. You know,
I came, I saw, I conquered. So VICI technically owns

(05:27):
many, nineteen in fact, of Caesars properties. Here's the wild thing.
Last year VICI acquired ownership of thirteen MGM properties. So
both Caesars Entertainment and MGM Resorts International pay rent to
VICI in order to operate their respective casinos. So you
want to know what the power behind the throne is,

(05:47):
look to VICI. Anyway, while all those dealings are worthy
of a deep and engrossing podcast series, this is a
hint, somebody make a podcast series about these real estate
companies and their involvement in Las Vegas because it is fascinating,
but our focus should really be on the hacker attacks. Now,

(06:07):
it is important that I mentioned Caesars because while the
attack on MGM's properties was the major attack that's been
in the news for a couple of weeks, now, those
same hackers, or at least some of them, first targeted
Caesars Entertainment a little earlier. Two of the biggest gambling
companies in the world have fallen prey to hackers, and
it appears that the foothold the hackers established came courtesy

(06:30):
of a third party security firm and also involves a
very important company in tech, namely Okta. Now, y'all, the
hacker attack is bad news for MGM, there's no way
around it. But I would actually argue it could be
way worse for Okta, at least as far as reputations go.
And that's because Okta is an identity and access management company.

(06:54):
This is the company that markets the user authentication system
that tons of other companies rely upon. With Okta, a
company can hand over the trickier elements of user authentication.
So as companies grow more complex, they might add more
systems that employees rely upon, and it can be a
hassle if you need a different log in for every

(07:15):
single service you use. A service like single sign on
really simplifies things. You have a username and password and
that gives you access to a suite of different services
all with just one log in. So you can see
where the value of that is, right? Well, with Okta,
a company can hand over all of this and Okta

(07:37):
handles it, and you pretty much have to just trust
Okta to be a good steward of this process. Now,
Todd McKinnon and Frederic Kerrest co-founded Okta back in
two thousand and nine. The company has been the focus
of a couple of security incidences since its founding. In
twenty twenty one, a hacker group secured limited access to

(07:58):
Okta's systems by compromising a camera network inside the Okta offices,
specifically a system designed by Verkada, a company that I
should probably talk about in a future episode. In early
twenty twenty two, a different hacker group known as Lapsus$
accessed Okta's systems. This time, the attack vector was a
third party support engineer. Lapsus$ shared information suggesting that the

(08:23):
data breach was far greater than what Okta was telling
the public. But Okta executives really held their ground. They
said that only around two point five percent of
Okta's customers were potentially impacted by this data breach, and
that the hackers had limited access to customer data. Okta
said the data breach lasted for less than half an
hour and it only hit two customers, whereas Lapsus$ claimed

(08:45):
and maintained a presence in Okta's systems or this client
of Okta's systems for the better part of a week. Now,
that attack was bad, but it could have been worse,
And to be totally fair to Okta, it was really
the third party security person who was at fault for
the breach. Though I never really saw details on exactly
what happened with that one, I imagine it was something

(09:08):
fairly similar to what we are talking about today. So
let's set the scene. We're not going to go strictly
chronologically because some information we wouldn't know about until later,
so we're going to be jumping around a little bit
for the purposes of our story. We'll begin on September tenth,
twenty twenty three. That day, some folks who were staying

(09:30):
at MGM Resorts International properties began to encounter errors while
they were trying to interface with various systems connected to
those properties. The following day, September eleventh, twenty twenty three,
things got much worse. Players who were members of MGM
Resorts' loyalty program saw that their loyalty features weren't working.

(09:52):
The websites went down. People staying at MGM properties found
that their digital keys that they depended on on their smartphones,
they weren't working anymore. They couldn't get into their
rooms using their digital keys. These effects got worse.
You know, a lot of video slot machines went offline.
That was a huge indicator that something really bad had happened.

(10:13):
Sports betting features were interrupted. Even ATMs on casino floors
went out of service. At eleven twenty seven am Eastern Time,
MGM Resorts posted on X, you know, the platform formerly
known as Twitter, a little message, and it read, quote,
MGM Resorts recently identified a cybersecurity issue affecting some of

(10:36):
the company's systems. Promptly after detecting the issue, we quickly
began an investigation with assistance from leading external cybersecurity experts.
We also notified law enforcement and took prompt action to
protect our systems and data, including shutting down certain systems.
Our investigation is ongoing and we are working diligently to

(10:56):
determine the nature and scope of the matter. You know
it's serious when they say that they responded promptly and quickly.
When you get both of those back to back, you
know it's a bad, bad time. And what exactly happened, Well,
I'll tell you after we come back from this quick break.

(11:28):
All right, we're back. You are listening to TechStuff
live at the iHeart Podcast Studio powered by Bose at
the House of Music at the iHeartRadio Music Festival, in
the house that John built. This is a pretty incredible experience.
Whenever I look up, I'm just seeing tons of people
in various trendy outfits wandering around getting ready for the

(11:50):
festival and hanging out the House of Music. It's pretty cool. Again,
I feel like I'm totally out of place here, but
they invited me, so I guess I should just embrace it.
So we're going to jump back into this cybersecurity incident
that hit a couple of major gaming and hotel companies
and dozens of properties. So, as you might expect, speculation

(12:12):
ran rampant regarding the nature of the cybersecurity issue that
MGM Resorts International mentioned. Some thought that it could just
be a massive systems failure, like you know, maybe some
key system that connects everything went down. Some people figured
it had to be a ransomware attack. Lots of folks
assumed that the issue would receive a ton of coverage

(12:34):
on certain podcasts. No one mentioned me, which just hurts
my feelings, and folks were complaining right away about the
issues they encountered. One x user posted quote, we are
at one of your resorts. It's pretty widespread. We can't
check in, pay with card, use comps, receive our gifts,

(12:55):
get tickets out of machines. End quote. Others claimed they
had unexplained charges on their bills. Some of these incidents
happened before September eleventh, so whether they are accurate, or
maybe they reflect some other issue that's unrelated to this,
or maybe they're the attempt of cashing in on a
bigger problem, I can't say. I don't know. I just

(13:18):
know people reported it. The websites for various MGM resorts,
as well as the sites for restaurants on MGM properties
all went down. MGM replaced its website with kind of
a landing page that directed people to call resorts directly,
so it just listed each resort and its phone number,
so you would have to call them on the phone,

(13:38):
you know, like a caveman. That's a joke. I'm old
I still call places on occasion. The following day, MGM
Resorts gave an update saying that much of its services
were operational, including entertainment, dining, and gaming, but people were
still encountering issues. There were still problems with slot machines.
Hand pay became the method to cash out. This is

(13:59):
when you have to signal for a casino employee to
come over and count out by hand your winnings rather
than getting the machine to print out a ticket, and
you take that ticket to a payout machine feeded in
and then you get your cash that way. The ATMs
were still having issues. People still couldn't check in online,
They could not make a card payment to book a room.

(14:20):
At that point, lines were forming at the desks of
various MGM resort properties because you couldn't use your digital
keys at all, so you couldn't just check in with
your phone and then use your phone to get into
your room. You had to go and get a physical
key card. It was still like an RFID chip key card,
so you could hold it up to the door and
it would open, but you had to have one. You
couldn't just use your phone to do it. So that

(14:42):
meant everybody had to go and wait in line to
get a key. On September twelfth, we heard that a
hacker group called Alpha ALPHV. Actually that's the way they
style their name. Sometimes they're also called BlackCat. We
heard that they could have been behind the attack. Now,
the BlackCat name actually comes from malware that this

(15:04):
group has created, you know, some malicious software, ransomware to
be precise, and Alpha introduced that in late twenty twenty one.
And here's how an Alpha attack would typically work out.
So the group would end up collaborating with someone to
inject the malware into a targeted system. That person might
be a disgruntled employee of the target. Maybe they're not

(15:27):
even disgruntled, maybe they're just very greedy. Because Alpha would
offer up to ninety percent of a ransom to the
quote unquote affiliate. The affiliate could also be some other
hacker group that its job is just to gain access
to a system through some means, and Alpha would provide
the malware while the other group actually would get access

(15:48):
to the target. It would become this, you know, this
collaborative effort. Now, this means the business model for Alpha
is RaaS. That stands for ransomware as a service.
That as-a-service trend has gotten out of control, y'all.
So these hackers, who primarily communicate on Russian language platforms,

(16:10):
build the tools, but they don't necessarily carry out the
attacks themselves. They're facilitators. The BlackCat malware encrypts
a target computer system, so it makes it inaccessible to
the system's rightful owner. So imagine you log into your computer,
but you find out you can't access anything. All the
files are encrypted, all the methodologies are encrypted. You can't

(16:34):
decrypt it, so it's just a brick without the key.
The data on your machine stays out of your reach.
And then you see a message, and the message tells
you that the hackers will give you access back to
your data. They will give you the decryption key, but
only if you pay them a ransom. Usually this is
in the realm of millions of dollars. Typically they ask

(16:59):
for it in the form of cryptocurrency to avoid being
traced back to the people responsible. And if you don't
pay up, the hackers will say either you will not
get access to your data again, it's just gone, or
they'll delete it. Sometimes they'll say, all right, we won't
delete it. Instead, what we're going to do is we're
going to release all that data on a public platform

(17:21):
so that anyone and everyone can see what it is. Typically,
ransomware hackers want to target organizations that have a lot
of money and a lot of incentive to protect data. Now,
pretty much every organization has an incentive to protect its
data at least to some extent. Information is the currency
of the modern era, after all, and while you can't

(17:43):
spend information, you can sure affect the value of a
company by stealing their information. But ransomware hackers typically want
to target organizations that have access to buckets of cash.
So prime targets for these hackers ideally fall into a

(18:04):
couple of categories. If it's a really big company and
its business depends upon the safe keeping of information, particularly
really personal information, that ends up being a big target.
So hospitals and other healthcare companies fall into that category.
By law, these companies are meant to keep patient data secure.

(18:26):
They're in big trouble if they don't. And obviously any
healthcare company that fails to live up to that would
have a massive problem, not just from the government or
from law enforcement, but you know, they would lose the
confidence of patients, and patients could have their lives really
upturned if their personal health information gets shared everywhere. So

(18:49):
the thinking goes that those companies are more likely to
pay a ransom in order to make the problem go away.
That's why ransomware hackers target healthcare companies so frequently. They
have a very high incentive to get the problem fixed
as quickly as possible. Well, casinos and resorts definitely fall
into a similar category, right? First, you've probably heard the

(19:13):
phrase the house always wins. Well, that phrase references the
fact that the odds are ever in the favor of
the house. You might have a good night at the tables,
and you might leave with more money than you brought
with you, but lots of other people will end the
night down with less money than what they started with.

(19:34):
Or maybe you'll also be down a little bit, and
other folks will also be down a bit, and some
of them might be down a lot. All casino games
favor the house, and that makes sense because if they
didn't favor the house, then casinos would soon be out
of business, right? So instead, collectively the casinos in Nevada
can make at least a billion dollars every month. That's

(19:57):
across all the casinos in Nevada. Some games will give
you a better shot at winning than other games. Blackjack is
a game that has fairly decent odds, somewhere in the
neighborhood of forty percent to win. Dealers have about a
forty nine percent chance to win. And you might think, oh,
forty nine plus forty, that's not one hundred. Well, that's
because the rest of the odds kind of cover the

(20:19):
case where you could have a draw or a push
where you go to the next hand. Meanwhile, games like
keno or the Wheel of Fortune, they have some of
the worst odds in gambling. So that doesn't mean you're
destined to lose if you play, but the chances are
pretty darn high. So anyway, this means that casinos make

(20:43):
a lot of money. If I might elaborate, they make
a crap ton of money and that puts them firmly
in one of the categories that ransomware hackers love to target,
companies that are flush with cash. On top of that,
these casinos deal with a lot of customer data, whether
it's someone staying at a resort or a gambler who

(21:03):
has signed up to participate in a loyalty program, which
is a pretty frequent thing, because the casinos here have
lots of incentives to get people to sign up to
their loyalty programs. You can get gifts, you can redeem credits,
you can get a free room if you're a frequent
gambler and you're part of the loyalty program. There are
a lot of reasons for that. In return, one, the

(21:25):
casino has a repeat customer, which is very valuable, and two,
the casino can gather data about the people who visit
their resorts and learn more about them and thus cater
to them more and make even more money. So this
information has value not just because of how it can
be used to advertise to individuals, that's often what we
talk about when we talk about data in the modern world,

(21:48):
but it has value because the customers are trusting the
casinos with this information. Even if they aren't aware of
the implications, and so when there is a data breach,
suddenly customers get very much concerned about that data. It
affects them directly. If there's the possibility that the customer's
own finances could be compromised, that's a huge problem for

(22:09):
both the customer and the casino. So this means casinos
and resorts are in that sweet spot for ransomware hackers.
So how did we find out about Alpha's alleged involvement
with the MGM Resorts International hack. Well, one early statement
came from the X account, the Twitter account of a

(22:32):
group called VX Underground. VX Underground bills itself as the
largest collection of malware source code, samples and papers on
the Internet, and they work with lots of researchers, They
work with hackers, They work with tons of people largely
to educate about malware. They are rather cheeky, I would
say they kind of have that cheeky sense of hackers.

(22:56):
They do not necessarily come across as being buttoned down,
let's say. So, on September twelfth, VX Underground posted: All
Alpha ransomware group did to compromise MGM Resorts was hop
on LinkedIn, find an employee, then call the help desk.

(23:16):
A company valued at thirty three billion, nine hundred million
dollars was defeated by a ten minute conversation, end quote. Now,
MGM did not comment on this, and as far as
I'm aware, has never actually referenced their cybersecurity incident as
an attack, but lots of other folks have not been

(23:37):
in the mood to mince words, and the information that
would come out later seem to align with what VX
Underground was claiming. The attack happened through social engineering. So
stage one, you learn about the person you're going to impersonate.
You find someone on LinkedIn who has listed their job
title and where they work. If you can find someone

(24:01):
who has a very high profile job title, something that's
really high up in an organization, that's potentially much better,
or if it's not high up, at least someone who
works within the IT department, because that typically means you're
going to find someone who has a lot of access
to the systems if you're able to compromise their account. Now,
I've talked about social engineering a ton on this show,

(24:24):
how it is a huge part of hacking. See if
you've got a system that is at least in theory,
really well secured. Your best bet of infiltrating the system
is to target a vulnerability. And sometimes you find out
about a technical vulnerability, right? You might find out that there's
a vulnerability in some software that a company is dependent upon,
and by targeting that software vulnerability, you can penetrate the system.

(24:48):
You can gain access to it, you can get a
foothold there, and if you're really good, or really quick
and or really lucky, you can exploit that vulnerability and
then you're in. Obviously, there's way more to it than that.
I mean, just because you get access doesn't mean that
you can do anything, and even if you can do something,
you might get found out before you're able to really
do a lot of damage. But you get the idea.

(25:10):
That's one method of penetrating a secure system, as you
target a vulnerability in some software. But another way is
not to worry about the tech side that much at all.
You target people. You look at people who have access
to the system you want to infiltrate. People are frequently,
in fact almost always, I would say, the weakest point

(25:34):
of a security system. If you can convince someone who
has access to hand that access over, you're in. Maybe
you outright trick the person, Maybe you pose as someone
in authority, or maybe someone who needs help, and you
convince them to do something they absolutely shouldn't do. As

(25:54):
it turns out most of us anyway, if we are
presented with someone who is saying that they really
need help, they're in desperate need of some assistance, we
want to try and be the person to give them
that assistance. It's not universally true, but it's true often
enough that this approach works a lot. Or maybe instead

(26:15):
you actually are promising this person a cut of the money.
Maybe you're counting on their greed to push them into
granting you access. If you target someone who has a
lot of administrative access to a system but they are
not in a high paying job, sometimes just promising them that,
you know, sweet cold hard cash is enough to let

(26:37):
them be kind of a conspirator on your side. Now,
in this case, it seemed that someone talked to a
third party IT staffer, and as part of that conversation,
they convinced the IT staffer to reset some multi factor
authentication settings so that the hackers could gain access to
a single sign on system. You know, the kind of

(26:57):
stuff that Okta provides. Now, I'm guessing a lot of
you know that there are different levels of access with
computer systems, whether we're talking about a network or even
just a single computer. So, for example, a user typically
has limited access to a computer or a system. They
might be able to do stuff like open specific programs

(27:19):
and call up files and that kind of thing, but
to make actual changes to the computer, the user might
need administrator access, while other levels of access come with
specific permissions, and administrator level access has no such restrictions.
And so the attackers wanted to target accounts that would
have the highest administrator access to systems to have as

(27:42):
much opportunity to do whatever they wanted as they could.
So on September fourteenth, news broke that Caesars Entertainment had
also been the target of a ransomware attack. The company
had filed a report with the SEC on September seventh.
In that report, the company leads with: Caesars Entertainment Incorporated,

(28:05):
the company, we, or our (because it's an official filing),
recently identified suspicious activity in its information technology network resulting
from a social engineering attack on an outsourced IT support
vendor used by the company. Our customer facing operations, including

(28:26):
our physical properties and our online and mobile gaming applications,
have not been impacted by this incident and continue without
disruption end quote. So that's a big difference between the
Caesars attack and what happened at MGM. The report goes
on to say that an investigation determined that the hackers
were able to access information in Caesars Entertainment's loyalty program interface. Obviously,

(28:50):
that includes customer information, including stuff like driver's license numbers
and or social security numbers. If you enroll in these,
you typically have to allow them to make a copy
of things like your driver's license in order to get
the benefits of the loyalty program. Now that's clearly a
risk for things like identity theft. They said there was

(29:11):
no evidence that the hackers were able to access things
like passwords, bank account information, or payment card information, so
that's good, but the identity theft issue is still a
big concern. They did say they would offer credit monitoring
to all members of the loyalty program and that it
had already taken steps quote to ensure that the stolen

(29:32):
data is deleted by the unauthorized actor end quote. So
how do they make sure that this data gets deleted
by a party they have no control over. Most folks
interpreted that to mean that Caesars had paid the ransom. Now,
the rumor mill said that the hackers were asking for
thirty million dollars and in return they would pinky swear

(29:55):
that they would delete the stolen data. Caesars ultimately agreed
to pay fifty fifteen million dollars to delete information. Yowza.
By the way, fifteen million dollars means that technically this
would have been the second most successful casino heist that

(30:18):
I have ever encountered. And granted, it's not quite the
same as a casino heist, but then number one really
isn't either. I'll talk more about that toward the end
of this episode. In fact, we'll talk a lot more
about the hackers and what they did. But we're going
to take another quick break. Okay, we're back. You're listening

(30:46):
to TechStuff live at the iHeart Podcast Studio powered
by Bose at the House of Music at the iHeartRadio
Music Festival. All right, moving forward a little bit more.
Around September fifteenth, a different hacker group called Scattered Spider
claimed responsibility for the MGM attack but not the Caesars attack.

(31:08):
VX Underground referred to Scattered Spider as a subgroup. According
to numerous sources, this group mostly consists of young hackers,
think like seventeen to twenty two, who live in places
like the United States and the United Kingdom. They appear
to be native English speakers or extremely fluent English speakers,
and they have a reputation for being very very good

(31:32):
at social engineering. Scattered Spider is suspected of using tools
like phishing websites in addition to social engineering, so they
typically will direct someone to a login page that looks
like it's a legit page, but in fact it allows
the hackers to phish for credentials. As for multi factor authentication,

(31:52):
calling an IT help desk to reset MFA is an
effective way to get around that. There's also SIM card
swapping that they've done, where they've convinced phone companies to
swap a digital SIM card to a different device. They
pose as a customer and then they talk the telecommunications
rep on the other end of the line to change

(32:13):
a SIM card setting, which then gives them the ability
to access things like multi factor authentication when the code
gets sent Instead of going to the valid person, it
goes to their phone number, which has now been switched
to a different phones simcard very nefarious. Now, you might
wonder about resetting multi factor authentication why anyone would even

(32:35):
agree to do that in the first place. I mean,
the whole point of multi factor authentication is to have
multiple ways of authenticating a person's identity. But with just
a little thinking it becomes clear. So let's say that
you call into an IT help desk and you claim
that you can no longer access your work account because
you recently changed phone numbers. So that means that when

(32:58):
you try to log in, you get a text message
sent to your old phone number and you can't receive it.
So you are talking with them saying, I need you
to switch this because I still have my username, I
still have my password, but I can't get access because
I no longer have that phone and I need to
be able to access my work, So you ask for

(33:19):
a reset. Maybe you have a lot of information about
the person that you're posing as so as you can
convince the person on the other end of the phone
call that you're legitimate. Again, that's what you do with
the investigation. When you're using LinkedIn to learn a little
bit about your kind of patsy, if you will. Maybe

(33:41):
you just sound really clueless and stressed and you just
trigger the IT person's desire to help you get out
of the tight spot. Like I said, most of us
typically want to help someone when they are really struggling.
They reset the MFA on the account, They put a
new phone number in that phone that you happen to control,
and now you don't have to worry about that multi
factor authentication process anymore. So I want to be clear,

(34:05):
Scattered Spider, these are not script kiddies, right. These are
not people who just download some code and then they
make use of it. They have an understanding of how
computer and cloud systems work. They have an understanding how
the underlying businesses work. They do their homework. By knowing
how these businesses work, they know how to target and

(34:27):
make their social engineering efforts have the best chance for success.
So I want to be clear, like they are good
at what they do. They're not just fast talkers. They
know their stuff. So it's possible that they were involved
in one or maybe even both of the attacks, though
again they weren't claiming that. However, Alpha has also claimed
responsibility for the MGM attack, and they argued that any

(34:49):
reports stating it was teenagers were inaccurate and based on rumors.
There was another rumor that Alpha was very quick to
deny that was reported in at least some outlets that
had to do with slot machines. So, according to this rumor,
and I love this rumor, but according to this rumor,
Scattered Spider originally wanted to essentially reprogram slot machines so

(35:11):
that they just started to pay out cash, kind of
like a scene that's in you know, The Ocean's Eleven movies,
Except this would mean that the slot machines would sort
of spit out tickets, kind of like receipts with winnings
on them. The rumor goes that the hackers found this
wasn't really possible. In fact, one of the rumors said
that the person who was making this suggestion hadn't even
seen The Ocean's Eleven movies, So they were just talking

(35:34):
about something they had heard of and wanted to try.
And when they found out that it wasn't going to
be as easy as they thought, they moved on to
just steal data from the computer systems. Now, Alpha categorically
says this story is totally false, it's completely fiction, and
that it somehow got you know, circulated among news outlets.

(35:54):
What's the truth? Don't know. Back to Okta. So, David Bradbury,
the CEO of Okta, has said that social engineering attacks
are at the root of five Okta clients who have
recently found themselves compromised by ransomware attacks, and that Caesars
Entertainment and MGM Resorts are two of those five, but

(36:16):
he hasn't named the other three. He also referenced Scattered
Spider and Alpha as business associates or affiliates, suggesting that
at least some of the hacks of Okta clients are
the product of cooperation between these two groups. So this
story is still unfolding as I record here in Las
Vegas right now. Currently, MGM Resorts International says that all

(36:38):
operations are back to normal, that's how everything's being reported,
and that it's continuing to investigate the quote unquote cybersecurity issue,
that the FBI is involved, and that they're taking this
very seriously. There are concerns that these attacks will have
a hefty impact on the value of both MGM and
Caesars Entertainment. It's certainly had an impact on MGM's ability

(37:01):
to generate revenue while all this was going on. Loyalty
program members should probably sign up for credit monitoring because
a lot of their personal information is stored in those systems,
and it sounds like hackers got access to all of
that stuff. So credit monitoring is not a bad idea
if you want to make sure that your information hasn't

(37:22):
just started being traded around on the dark web and
people start like taking out credit cards under your name,
that kind of thing. So probably a good idea at
least to keep an eye on your credit. It's easier
if you do sign up for credit monitoring, but you
can do it on your own if you're really diligent
about it. But yeah, scary stuff. I'll also say this,

(37:46):
So I've been staying at the Aria, like I said,
which is an MGM Resorts property, and have encountered some
technical glitches which may or may not have any connection
to the hackers. According to the people I spoke with,
they recently used a new computer system and brought it
online and that the issues they're running into may very

(38:09):
well just be working the bugs out of a new
system and have nothing to do with the hackers at all.
But what I will say is that they have connected
essentially all room controls through an Internet interface, and you
can use a tablet or I assume an app to
be able to access those things. But when I got

(38:31):
to my room, what I found was that I could
not close the curtain on the window. I could not
turn off the lights in my room, none of the
buttons worked. The tablet that was part of the room
would not connect. I did not want to use the
app for reasons that I think should be pretty obvious.

(38:52):
And so again I don't want to say that that's
part of the hacker attack, but it was unfortunate to
have that sort of experience right on the tail end of
this hacker issue. It's it's concerning, and it's one of
those things that will continuously come up. Another thing I
will say this again not directly connected to the hacker attack,

(39:14):
but just something that I observed. The Wi-Fi in
that hotel is an open Wi-Fi connection, like you
can just connect to it and you you know, you
do a little sign on on a web landing page,
but then you're connected. There's no password security on the
Wi-Fi network at all, And I gotta tell you,

(39:37):
if you are a major hotel that has just been
the target of a massive ransomware attack, maybe you should
start offering a password protected Wi-Fi network. I'll tell
you this, I won't connect to it unless I'm using
a VPN. I just refuse to do it. They may
be perfectly safe, but it might not be with an

(39:59):
open network like that. And a recent attack in not
even a week old at this point, there were still
issues unfolding this past week. Don't do it, so yeah,
interesting observations. As for moving forward, I think these attacks
are the most recent reminders that organizations have to make
some really big decisions about cybersecurity now. Part of that

(40:22):
really involves an ongoing educational approach that reinforces how to
spot social engineering and phishing schemes and why it's important
not to share credentials or to act on suspicious emails
or phone calls. This is particularly true for people who
are working in positions that have administrative level access to

(40:42):
certain computer systems within an organization. If we count the
ransom that Caesars allegedly paid to have sensitive customer
data deleted as a heist. Like I said, it would
be the second biggest casino heist in history from what
I can tell, at least from a monetary standpoint. If
you're wondering what is the number one, well, that goes
to a Kiwi, a New Zealander named James Manning, who

(41:03):
with the help of a casino services manager, managed to
cheat his way to thirty three million dollars by cheating
at blackjack. So supposedly he and this casino employee were
able to breach the security camera system and they used
things like hand signals and stuff in order to cheat

(41:26):
on eight successive hands of blackjack that ultimately resulted in
thirty three million dollars of winnings. Manning was confronted and
then by casino security, and then he was banned from
the Crown Casino in Melbourne, Australia after they picked up
on the scam, and fortunately before the casino had actually

(41:48):
credited him most of his winnings so he didn't walk
away with thirty three million dollars. The casino chose to
keep this matter quiet rather than suffer embarrassment by admitting
that they got taken for thirty million. This was made
a little more complicated because Manning was supposed to participate
in a PR stunt later in that week. He was

(42:09):
supposed to order an outrageously expensive cocktail called the Winston.
The Winston was priced at twelve thousand, five hundred dollars
for a single cocktail. The casino had even promoted that
this was going to happen, so this was going to
be like an event type of thing, and that it

(42:30):
would establish a Guinness World record for the most expensive
cocktail ever purchased. But with Manning's scam uncovered and then
him banned from the casino, they had to scramble to
come up with an alternative customer, and then they had
to arrange to pay the guy back. So really it
wasn't a purchase at all. Like money changed hands, but

(42:51):
it changed hands back, so there was no real purchase here.
By the way, that story also has its own share
of drama and scandal that goes beyond what I just said.
But I think we've had enough for one episode if
you ask me. So that means that we're reaching the
point where it's time for me to sign off from
the iHeart Podcast studio powered by Bose. Here at the

(43:12):
iHeartRadio Music Festival in Las Vegas, Nevada, and maybe in
light of these recent hacker attacks, we should actually change
that saying to say the house almost always wins. I
hope you are all well, and I'll talk to you
again really soon. Tech Stuff is an iHeartRadio production. For

(43:41):
more podcasts from iHeartRadio, visit the iHeartRadio app, Apple Podcasts,
or wherever you listen to your favorite shows.
