Ransomware threat groups are exploiting vulnerabilities in vendor-controlled remote access systems to break into casino servers and initiate attacks, the FBI said Tuesday in a private industry notification.
The warning follows a pair of high-profile ransomware attacks on casino and hotel giants MGM Resorts and Caesars Entertainment in September and an attack against Marina Bay Sands in Singapore last month. The attacks exposed personal information and, in some cases, disrupted casino and hotel operations.
Casinos are an opportunistic target because they have money and the public outcry is less pronounced when they are attacked, according to Katell Thielemann, distinguished VP analyst at Gartner. Entry points abound, too.
The casino gaming industry contributes almost $329 billion in economic activity to the U.S. annually, according to an October study by the American Gaming Association.
“The gaming industry is heavily regulated and therefore is full of technologies to monitor the movement of clients, croupiers, service workers and funds alike. Every one of these systems is a possible entry point,” Thielemann said via email.
The FBI observed a trend of ransomware actors compromising third-party gaming vendors, resulting in frequent attacks against small and tribal casinos starting last year.
Threat actors have used phishing attacks, social engineering campaigns and exploitation of vulnerabilities in third-party vendor remote access tools to encrypt casino servers, compromise and steal sensitive data and extort the victim organizations, according to the FBI.
Multiple groups, including the Silent Ransom Group, or Luna Moth, and ALPHV ransomware affiliate Oktapus, also known as Scattered Spider or Octo Tempest, have been linked to some of these attacks. The FBI pointed to multiple phishing, data theft and extortion attacks by Silent Ransom Group, which has been active since mid-2022, with incidents as recent as June.
The FBI shared mitigation steps organizations should take, including third-party vendor use policies and security reviews, compliance with identity and access management standards, network monitoring and vulnerability and configuration management.
Yet, “the mitigations are generic to any industry and say absolutely nothing specific about concerns with third-party gaming vendor remote access technologies,” Thielemann said.
The publication of the warning by the American Hospital Association indicates the FBI is warning broadly about ransomware activity that abuses third parties and legitimate system tools.
“Many times, industries are targeted because bad actors have developed unique knowledge of third-party vendors who specialize in specific industry verticals and know enough about the industry lingo to be credible when phishing,” Thielemann said.
“The notice is missing a big opportunity to highlight these industry-specific idiosyncrasies,” Thielemann said. While the notice is a good reminder of cybersecurity best practices, “there is some dissonance between the generic industry-agnostic advice provided and the very industry-specific incidents that triggered it.”