14 BILLION dollars. That's what MGM Resorts International is worth, 14 BILLION dollars. Out of that $14 billion, what kind of security program do you think they have? My guess is it's pretty decent: having worked with casinos before, I know they typically spend a good amount of money on security in general.
I've written article after article about the "other" aspects of a red team, the often very overlooked aspects, namely physical entry and social engineering. It's the exact reason why the newsletter was named "The Other Red Team".
Prior to the MGM hack, Caesars was hit by a similar attack, except they paid the ransom and MGM didn't. How much is Caesars worth? 11 billion dollars, give or take a few hundred million. How much is your company worth? How much do they allocate to security? You have two megaliths, which take security MUCH more seriously than just about any other business in the world due to the cash on hand.
Your typical bank branch has about $350,000 in cash on hand at any given time. To give you an example, there are roughly 375 banks in the Las Vegas area. At $350,000 x 375, if you were to somehow steal all that money in one night, you'd wind up with roughly $131 million. We as a society see our banks as "secure"; if we didn't, we wouldn't all keep our money in them, right? The cash on hand in your average casino is between 60 and 90 million dollars. Point being, casinos carry significantly more risk than a bank does simply due to cash on hand, and therefore security will typically match that risk.
So, the 14 billion dollar question here is how did they get hacked? Both casinos were socially engineered through a telephone call that got the target to download malware. The person that was socially engineered was actually third-party IT support, as many companies use third parties for everything under the sun. The typical "social engineering defense" of over 90% of the companies in the world right now stops at computer-based phishing training. Financial institutions are required to have yearly phishing and vishing exercises (vishing is when an attacker calls you, just like the attack above on the casinos) as part of their compliance; however, there is a significant difference between testing and teaching defense.
My high school driver's ed teacher used to use the term "beating a dead horse to death." Many times I feel that way as I write article after article about social engineering being the #1 way a company is compromised. Yet time and time again, companies come to us only wanting an external pentest or an application test. I watch companies spend millions of dollars in security to make sure their websites or external footprint is secure, but spend pennies on phishing training that doesn't even explain the basics of the psychology behind it, why it works, and most importantly, how to truly spot and defend against it. How many companies have had a security consultant with years of social engineering experience, who can explain and teach in the psychological detail required to truly give their employees a chance at defending against these attacks, and more importantly explain WHY they work? Has yours?
Social engineering, or "human hacking," works. It is the easy button, the low-hanging fruit. It's the equivalent of an open window, an unlocked door, an RFID key card simply lying on the ground. I promise you: your company, your contacts' and colleagues' companies, whatever company a spun bottle points to, THAT company's biggest weakness is its defense (or lack of it) against social engineering and corporate espionage. It seems like every hacker in the world KNOWS this, but not one company seems to understand it.
MGM September 2023 - Vishing
Caesars 2023 - Vishing
Yum Brands 2023 - Phishing
MOVEit 2023 - zero day
T-Mobile 2023 - open web portal
ChatGPT 2023 - Application misconfiguration
Chick-fil-A 2023 - password cracking
Activision 2023 - SMS Phishing (Smishing, getting you to click a link in an SMS)
MailChimp 2023 - Phishing
Norton LifeLock 2023 - Credential stuffing (reusing passwords and taking advantage of that)
Those are the top 10 hacks of the year, at least the ones that have been reported, and HALF of them were straight social engineering attacks, while 2 more had social engineering elements (passwords are VERY much tied to social engineering; does your provider explain that when going over password policies?). That gives us 70% of the major hacks this year, against companies that spend millions on security, tied to social engineering. Here are some statistics that come from Dataport:
Phishing emails account for about 91% of cyber attacks against enterprise-class corporations.
87% of senior managers upload business files to a personal email account or cloud-based storage.
54% of phishing emails contain malware or redirect to infected links and cybersecurity vulnerabilities.
Nearly one-third (36%) of all data breaches in 2022 involved phishing.
46% of data breach victims were from companies with fewer than 1,000 employees.
Email fraud was also the primary tool in 78% of cyber-espionage incidents.
The last point is important. We're not talking about teenagers in their parents' basement anymore, or college students pulling a prank; this is true organized crime, corporate and nation-state level espionage. Have you noticed larger and larger companies getting "knocked over" seemingly at will? How many attacks have you seen on your local infrastructure lately? The Department of Energy has reported over 94 computerized and physical attacks in the first six months of this year alone. I'm not sure, without writing another article, how to convey how many attacks are going on at any given time.