A 10-minute phone call to a help desk. That’s all it reportedly took for cybercriminals to get the access they needed to cripple MGM Resorts.
So, what can a lightning-fast voice phishing, or vishing, attack that idled slot machines on the Las Vegas Strip teach manufacturers?
A lot, according to the cyber experts at MxD.
In our new annual “Cyberattack of the Year,” the MxD team explores what manufacturers can take away from this high-profile social-engineering breach and outlines steps to help mitigate the ever-growing cyber threat.
As in most major cyberattacks, the target is not sharing many specifics. MGM Resorts reported a “cybersecurity issue” in a now-deleted Sept. 11 post on X (formerly Twitter) and said all was back to normal on Sept. 20.
What is known is largely coming from media reports and VX-Underground, described as a malware research group. According to VX-Underground, the ransomware-as-a-service gang ALPHV, also known as BlackCat, claimed responsibility for the attack.
Gang members scoured LinkedIn to identify an MGM employee and then impersonated that worker in a call to the company-wide help desk.
Identity management company Okta told Reuters that five of its clients, including MGM, Caesars, and a manufacturer it did not name, had been attacked by the same group. The company also reported that clients in the U.S. had reported persistent cases involving attackers who called IT service desks and persuaded them to reset a user’s authentication factors, such as a password.
“Astonishingly,” Forbes reported, “the attack took about 10 minutes to execute.”
The social network search that the cybercriminals are believed to have used is a common passive reconnaissance tactic.
“Attackers spend a lot of time on what is called the pre-attack or reconnaissance phase,” said Allan Kamp, MxD’s Lead Cybersecurity Engineer.
During passive reconnaissance, attackers don’t engage with their target’s systems. They lurk, possibly looking online for clues about a company or its workers that can help them craft a successful phishing scam. Or they may watch or surveil a building, like a factory, to learn about shift changes, entry patterns, or the presence of physical security features.
Active reconnaissance, on the other hand, involves some kind of interaction, maybe port scanning to find a vulnerability. Manufacturers, Kamp said, must be on guard against both types of threats. Assume, he said, that someone is always trying to break in.
What can manufacturers do to repel a similar vishing attack? Here are strategies from MxD:
- Training. Companies should teach workers to always have their antennae up. Workers need regular training on how to detect any kind of phishing threat — whether via email or a phone call. More than 90% of all cyberattacks begin with phishing, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
- Zero trust. Based on the principle of “never trust, always verify,” a zero-trust strategy means no one should be giving out login information over the telephone to anyone unless measures are in place to remotely verify the identity of the caller. That could be through an automated process or through a required callback.
- Multi-factor authentication. Employees should always be required to verify their identity with more than a password. Reports about the MGM Resorts breach say it’s unclear whether attackers turned off or bypassed multi-factor authentication.
- Segmentation. A segmented network means that even if an attacker gets loose in the system, physical or virtual barriers that segment the network into subnetworks limit their access and the damage they can do.
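As an added example (not MxD’s code or part of the original article), the following routine flags the pattern Okta described: a help-desk-initiated reset of a user’s authentication factors followed shortly by a sign-in from a device the identity provider has never seen. The log format, event names, user names, addresses and timestamps are all constructed for illustration and do not reproduce any real vendor’s schema.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical users and documentation-range IPs).
# Fields are loosely modelled on an identity provider's system log.
EVENTS = [
    {"ts": "2023-06-01T14:02:00", "event": "helpdesk.factor_reset",
     "actor": "helpdesk.agent1", "target": "jdoe", "ip": "203.0.113.10"},
    {"ts": "2023-06-01T14:09:30", "event": "user.login.success",
     "actor": "jdoe", "ip": "198.51.100.77", "device_known": False},
    {"ts": "2023-06-01T09:00:00", "event": "helpdesk.factor_reset",
     "actor": "helpdesk.agent2", "target": "asmith", "ip": "203.0.113.10"},
    {"ts": "2023-06-01T09:12:00", "event": "user.login.success",
     "actor": "asmith", "ip": "203.0.113.44", "device_known": True},
    {"ts": "2023-06-01T11:00:00", "event": "user.login.success",
     "actor": "asmith", "ip": "198.51.100.9", "device_known": False},
]


def _parse_ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_resets(events, window=timedelta(minutes=30)):
    """Return (user, reset_ts, login_ts, login_ip) for every successful login
    from an unrecognized device that occurs within `window` of a help-desk
    factor reset for the same user. Known-device logins and logins outside
    the window are ignored, since a legitimate user who phoned the desk
    usually signs back in from the machine they already used."""
    ordered = sorted(events, key=lambda e: _parse_ts(e["ts"]))
    last_reset = {}  # user -> time of the most recent help-desk reset
    hits = []
    for e in ordered:
        if e["event"] == "helpdesk.factor_reset":
            last_reset[e["target"]] = _parse_ts(e["ts"])
        elif e["event"] == "user.login.success":
            user = e["actor"]
            reset_at = last_reset.get(user)
            if reset_at is None:
                continue
            login_at = _parse_ts(e["ts"])
            if login_at - reset_at <= window and not e.get("device_known", False):
                hits.append((user, reset_at.isoformat(), login_at.isoformat(), e["ip"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_resets(EVENTS):
        print("ALERT: reset followed by unknown-device login:", hit)
```

The alert is a prompt for the security team to call the user back on a number already on file, which is the callback step the zero-trust item above describes.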
“We have to acknowledge that on the cyber battlefield we are dealing with cybercriminals at many different levels,” Kamp said. “And they are always looking for vulnerable spots.”
Visit the MxD Cyber Marketplace to find resources to help prevent phishing — and vishing — attacks. Marketplace vendors offer solutions and services aimed at securing a company’s cyber infrastructure.