
SoylentNews is people

posted by martyb on Tuesday September 19 2023, @06:17AM
from the weakest-link dept.

https://arstechnica.com/security/2023/09/a-phone-call-to-helpdesk-was-likely-all-it-took-to-hack-mgm/

A cyber criminal gang proficient in impersonation and malware has been identified as the likely culprit for an attack that paralyzed networks at US casino operator MGM Resorts International.

The group, which security researchers call "Scattered Spider," uses fraudulent phone calls to employees and help desks to "phish" for login credentials. It has targeted MGM and dozens of other Western companies with the aim of extracting ransom payments, according to two people familiar with the situation.

The operator of hotel casinos on the Las Vegas Strip, including the Bellagio, Aria, Cosmopolitan, and Excalibur, preemptively shut down large parts of its internal networks after discovering the breach on Sunday, one of the people said.

The effort to contain the hackers caused chaos. Slot machines stopped working, electronic transfers of winnings slowed down, and key cards for thousands of hotel rooms no longer functioned. MGM did not respond to a request for comment.



Related Stories

Feds Charge Five Hackers Linked to Scattered Spider Cybercrime Group

U.S. prosecutors have filed charges against five individuals allegedly linked to Scattered Spider, a hacking group known for stealing confidential data and cryptocurrency from major companies:

The suspects, all in their twenties, are accused of running phishing schemes, sending fake warnings to employees' phones, tricking them into revealing login credentials, reported the New York Post.

The hackers targeted at least 12 companies across gaming, telecommunications, outsourcing, and cryptocurrency sectors, impacting hundreds of thousands of individuals. Authorities say the group's activities resulted in significant financial losses, including millions in stolen cryptocurrency.

The defendants, identified as Tyler Buchanan, Ahmed Elbadawy, Joel Evans, Evans Osiebo, and Noah Urban, face charges including conspiracy, identity theft, and fraud. Buchanan is additionally accused of wire fraud. Investigators traced the group's activities back to 2021 using domain registration records tied to Buchanan.

Known for their aggressive tactics, Scattered Spider has been blamed for notable attacks, including a 2023 breach of casino giants Caesars Entertainment and MGM Resorts, where they locked up networks and demanded ransoms. However, whether these five were involved in the casino attacks remains unclear.

Also at Ars Technica, Krebs on Security and Bloomberg.

Previously: A Phone Call to Helpdesk was Likely all it Took to Hack MGM



This discussion was created by martyb (76) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 5, Informative) by ledow on Tuesday September 19 2023, @07:24AM (11 children)

    by ledow (5567) on Tuesday September 19 2023, @07:24AM (#1325244)

    The fact that key cards stopped working in what should be an entirely unrelated and isolated system from the actual gambling side tells you that there's more wrong with their network DESIGN (not even implementation, but design) than a bit of social engineering.

    Literally, there shouldn't be a machine in common between the two except - I would possibly allow - a VLANned switch, which shouldn't allow you to break out of the VLAN without a very specific switch compromise (which in itself would be news if it were possible).

    • (Score: 4, Informative) by PiMuNu on Tuesday September 19 2023, @10:14AM

      by PiMuNu (3823) on Tuesday September 19 2023, @10:14AM (#1325250)

      Probably they pulled the plug on the switch until they could figure out what was happening.

    • (Score: 2) by looorg on Tuesday September 19 2023, @11:20AM (5 children)

      by looorg (578) on Tuesday September 19 2023, @11:20AM (#1325253)

      I would have assumed that they had probed the hell out of that network, slowly so as not to raise suspicion, or there is so much probing and scanning going on around the clock that they won't even notice if there is another one. But they came to the conclusion that the system was sufficiently hardened so they proceeded with the easiest solution. Hacking the weakest link -- humans. After all, networks get patched, hardened and upgraded. But humans continue to be as "stupid" as ever decade after decade. After all, has social engineering really changed all that much in the last couple of decades? What worked 40-50-x years ago apparently still works. You just exchange some of the word soup you tell the person on the other end. Humans are apparently still quite gullible.

      I don't know about their system. But I could find a reason for keycards (i.e. customers, guests) being connected to the gambling system. They want to know, without having two systems, how much the punters are spending and on what. Which machines are used, for how long, how much does it pay out. Should the punter be rewarded or comped and how much so they'll keep spending more time gambling and not go and do other things. So you connect the two systems. Not to say that you connect the actual machine or game mechanics (rules and randomization) but the sum or reward output program with the system that also opens their hotel room door. Cause opening the door to a room is the customer?

      That or, when panic set in, at the control room someone did something stupid and bridged the gap between systems, moving a file or so between airgaps and then the payload was in two systems etc.

      • (Score: 2) by PiMuNu on Tuesday September 19 2023, @02:19PM (3 children)

        by PiMuNu (3823) on Tuesday September 19 2023, @02:19PM (#1325265)

        I have an image in my mind of some IT support desk guy who realises he is being pwned and goes to his manager to explain he just handed out the Master Control Program's root password to some guy with a dodgy Russian accent. At which point said manager makes a panic call to the network people to tell them to pull the plug.

        • (Score: 0) by Anonymous Coward on Tuesday September 19 2023, @03:01PM (1 child)

          by Anonymous Coward on Tuesday September 19 2023, @03:01PM (#1325266)

          Isn't this followed by an offer to go on a beautiful scenic tour of the desert at night ...

          • (Score: 2) by Freeman on Tuesday September 19 2023, @03:04PM

            by Freeman (732) on Tuesday September 19 2023, @03:04PM (#1325268)

            In your typical Hollywood Vegas film, perhaps. Though, even then, most plots don't involve killing the support staff, unless they were in on X scam.

            --
            Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
        • (Score: 2) by krishnoid on Tuesday September 19 2023, @03:56PM

          by krishnoid (1156) on Tuesday September 19 2023, @03:56PM (#1325271)

          Hold on, I got this: "Mischa, very important, call immediately to network tovarisch, tell them to pull plug."

      • (Score: 2) by Joe Desertrat on Tuesday September 19 2023, @11:16PM

        by Joe Desertrat (2454) on Tuesday September 19 2023, @11:16PM (#1325326)

        But I could find a reason for keycards (i.e. customers, guests) being connected to the gambling system.

        All of these casinos have what is called a "player's club" or something similar, essentially a gambling account. Almost invariably it is connected to the guest accounts, to which the key cards also happen to be connected for any given stay. Pretty much anything you do in a casino now they try to link to some sort of account (for tracking and data collection I'm sure), so there is probably a whole web of vulnerabilities once one part gets compromised.

    • (Score: 3, Interesting) by inertnet on Tuesday September 19 2023, @11:51AM (2 children)

      by inertnet (4071) on Tuesday September 19 2023, @11:51AM (#1325256)

      Maybe they were afraid that the scammers had the ability to create master keys. Not only for hotel rooms, but also management keys that can enable payouts in a casino.

      • (Score: 2) by ledow on Tuesday September 19 2023, @01:03PM (1 child)

        by ledow (5567) on Tuesday September 19 2023, @01:03PM (#1325261)

        Again - why would the two ever be related, linked or even similar?

        Poor system *design* from the outset.

        • (Score: 3, Touché) by epitaxial on Tuesday September 19 2023, @05:54PM

          by epitaxial (3165) on Tuesday September 19 2023, @05:54PM (#1325293)

          The network engineers probably had a decent system drawn up but the managers and exes balked at the price. Here we are.

    • (Score: 2) by krishnoid on Tuesday September 19 2023, @03:59PM

      by krishnoid (1156) on Tuesday September 19 2023, @03:59PM (#1325272)

      The effort to contain the hackers caused chaos. Slot machines stopped working, electronic transfers of winnings slowed down, and key cards for thousands of hotel rooms no longer functioned. MGM did not respond to a request for comment.

      I count three (four if you include email/VOIP) networks or VLANs that should have been multi-hop firewalled from each other. Any other recommendations?

  • (Score: 5, Touché) by Opportunist on Tuesday September 19 2023, @12:48PM (1 child)

    by Opportunist (5545) on Tuesday September 19 2023, @12:48PM (#1325258)

    Probably the hapless support goon who handed out the password via telephone.

    Probably the same hapless support goon who was written up for insubordination a few weeks ago when he refused to tell a bigwig his new password through the phone.

    • (Score: 2) by sjames on Sunday September 24 2023, @03:10AM

      by sjames (2882) on Sunday September 24 2023, @03:10AM (#1325663)

      Very much this, especially the second part. For every reasonable security measure there is a bigwig who thinks they should be above all that and has the power to fire anyone who might disagree.

  • (Score: 1, Offtopic) by Gaaark on Tuesday September 19 2023, @01:15PM

    by Gaaark (41) on Tuesday September 19 2023, @01:15PM (#1325262)

    Spend all your money on ads and celebs, nothing for security. Priorities, priorities, priorities.

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---