MGM is down, cybersecurity attack ongoing
casino.org
Title should be "MGM Resorts Suffers Cybersecurity Attack, System Outage" (following HN norms), or at least include "Resorts." MGM Resorts was spun out of the movie studio in like the 70s.
MGM is basically a defunct rights holding company. It’s made 5 movies in the last decade, including 2 Addams Family, 2 Max (dog movies), and a GI Joe, and the Addams Family movies were really made by Universal. It’s also a name slapped on some other streaming app.
If I heard the name referring to a current company, I would think hotels/casinos/sportsbooks first. That said, the title could still be better.
I don't really know where you're getting this number. By my count they've made about three dozen films this decade, including a James Bond film and Creed III.
You're right that my list is wrong.
Downside to HN not having editing and deleting is I can't retract my misinformation. And I earned 7 votes for that nonsense. :/
Further proof: They have StarGate and aren't doing jack with that at all.
While Star Trek is releasing new series every year, including cartoons, Stargate didn't release anything. It has so much potential and a large fanbase (myself included).
There's a new Stargate series in development. There's promotional stuff happening at /r/stargate
Amazon literally just bought them for $8bn
https://variety.com/2022/tv/news/amazon-mgm-merger-close-123...
Did Amazon not at some point buy or think about buying up some of their business?
Yep. Amazon bought MGM Holdings in March, 2022. The studio is the only meaningful portion of that.
They’re no longer considered a major U.S. studio but they release 8-10 films a year.
Yes, because I remember thinking that we would eventually be getting a bloated James Bond extended universe of shows (like Star Wars and Marvel) because of it.
Agreed, I thought it had something to do with the ongoing actors and writers guilds strike.
I thought maybe it was hacking to get content. So at least the title instilled a bit of curiosity even if it wasn't the story I had imagined from just the headline
Ocean's 0x11? I wonder if it's just an attack against their email servers or a bigger one, how networked are their operations? If we believe the urban legends about how casinos operate, there's probably interesting conversations a cyber-attacker could find.
I was disturbed to hear from people first hand in Vegas saying it was making the ATMs inoperable. No details on how inoperable, like if it is just certain banking features or everything. The ATMs should not be affected in the same kind of attack that would take down the website and booking systems. Those should all be separate.
Casino floor ATMs aren't just ATMs. They are also ticket redemption machines and therefore have to connect to the MGM network to redeem. I'd imagine the whole machine shut down for security reasons if network connection is lost.
Yes, I think that MGM has actively shut everything down, rather than some massive hack that has affected all these separate systems.
Best guess is that with the F1 races coming soon with what is expected to be the largest cashflow through Vegas ever, that MGM Resorts IT found issues in an audit in preparation for that massive event, found anomalies, and pulled the rip cord to shut everything down till they could sort out what systems were actually hit.
That is materially different than a massive hack affecting all these various systems though.
MGM has acknowledged it's an attack [1] and certain Vegas gossip sites have stated that Caesars was hit last week but was able to keep it better under wraps.
1. https://www.reviewjournal.com/business/casinos-gaming/mgm-re...
Right, they say almost exactly what I said above.
"MGM Resorts recently identified a cybersecurity issue affecting some of the Company’s systems. Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cybersecurity experts,"
"We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems."
The systems are down due to MGM shutting them down, not the active attack shutting things down.
While there's something to be said for ransomware targeting casinos, "because that's where the money is," that might also attract the wrong attention, and not all from the government. They might wish it was only from the government.
https://www.politico.com/news/2022/01/14/russia-colonial-pip...
Casino-based attacks aren't really because the casino has a lot of money around. 1) they have large, very detailed databases with extensive customer records (photos of driver's licenses, for example) that are desirable on black markets 2) easy attack vector -- heavily dependent on a variety of vendor software and systems that are way out of date, run by weak, underpaid and often uninformed IT staffs unaware of some basic security vulnerabilities 3) being customer-facing and highly-regulated, casino companies are typically heavily incented to simply pay the ransom rather than face regulatory scrutiny and consumer distrust (and to restore cash flow, and because the soft IT teams probably didn't make comprehensive backups...)
I can imagine the galaxy-brain planning session where our perps are coming up with their next target. They rule out robbing international drug cartels and black-market arms dealers, because while those orgs do have a lot of cash on hand, they don't want to get on the wrong side of violent organised crime gangs.
...so they decide to hit casinos instead!
expanding-brain-starfield.gif
> Best guess is that with the F1 races coming soon with what is expected to be the largest cashflow through Vegas ever, that MGM Resorts IT found issues in an audit in preparation for that massive event, found anomalies, and pulled the rip cord to shut everything down till they could sort out what systems were actually hit.
That is quite a guess!
Possibly the ATMs get network connectivity via a path that has either been affected by the attack directly or shut down as a precaution.
I don't believe these are typical bank ATMs but specific to MGM that manage all the casino games (ex: pay-outs, loyalty, etc) as well, so would be tied into any MGM systems.
It’s entirely possible that these systems were hacked separately.
I think you meant 0x0B.
beat me to it, unless I've missed a few movies since!
Actually it would be 0x0E, 0x0B, 0x0C, and 0x0D already happened.
Very networked - but their email servers are now likely cloud-based SaaS.
;; ANSWER SECTION:
mgmresorts.com. 300 IN MX 10 mgmresorts-com.mail.protection.outlook.com.
Outlook handles their email.
almost certainly just a random/typical ransomware attack, not a specific target at them because they're a casino
Take w/ requisite salt, but per Daily Mail [1]:
> Thousands of guests at MGM Resorts in the Las Vegas strip have been locked out of their hotel rooms after the company was hit with a cyber attack, according to reports.
> MGM Resorts International has about 48,000 rooms on The Strip. The company's properties include Mandalay Bay, the Bellagio, Luxor and MGM Grand, among others.
> The outage, first detected on Sunday night, has affected company emails, reservations, booking, room keys and casino slot machines.
[1]: https://www.dailymail.co.uk/news/article-12505921/MGM-Resort...
How do those hotel door locks work? When I had an apartment with a tap keyfob, it was battery-operated and the fob seemed to be programmed for that specific lock, so I thought they could work offline.
These days the locks are online so that you can block a lost keycard from the front desk. Previously you had to open the lock with a newer keycard than the lost one to make the lost one inoperable. That works kinda fine in a small hotel but not when you have 48000 rooms with millionaires in them.
Fwiw you could probably build this in a way that it continues to operate without internet. This creates a new attack vector (disable the internet and you can't revoke access) but that's probably acceptable given the physical attacks possible.
Each key gets a revision number. When the first set of keys are created, they get revision number 0. The lock records a high water mark of the revision numbers it has seen. Only keys matching the water mark get to unlock the door.
When you want to revoke a key, you re-issue a new set with a higher revision number. When the guest checks out, you issue the next revision number to the next guest, effectively disabling the previous set.
You do all this as a fallback when the network fails. This way, you can still disable keys in real-time when people check out of their room.
Does this use something like asymmetric keys so the door can verify a key came from the issuing system or is there still some online/network portion?
Assuming it does use asymmetric keys to prevent someone from creating counterfeit access cards, there would still be a window (if the network is unavailable) where the old key would continue to work until a new key is scanned the first time on the door lock?
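Added example, not part of the thread and not any vendor's design: a Python sketch of the revision-number fallback described in the comments above. An HMAC under a per-lock secret stands in for the asymmetric signature the reply asks about; the key, room numbers, card layout and all names are constructed for illustration.

```python
import hashlib
import hmac
import struct

CARD_BODY = struct.Struct(">IQ")   # assumed layout: room (4 bytes), revision (8 bytes)
TAG_LEN = 32                       # HMAC-SHA256 tag length

def issue_card(lock_key: bytes, room: int, revision: int) -> bytes:
    """Front desk: encode room and revision, then append an authentication tag."""
    body = CARD_BODY.pack(room, revision)
    return body + hmac.new(lock_key, body, hashlib.sha256).digest()

class OfflineLock:
    """Door lock that decides locally, with no call to a central server."""

    def __init__(self, lock_key: bytes, room: int):
        self.lock_key = lock_key
        self.room = room
        self.high_water = 0        # highest authenticated revision seen so far

    def present(self, card: bytes) -> str:
        if len(card) != CARD_BODY.size + TAG_LEN:
            return "deny:malformed"
        body, tag = card[:CARD_BODY.size], card[CARD_BODY.size:]
        expected = hmac.new(self.lock_key, body, hashlib.sha256).digest()
        # Verify before touching state: otherwise a forged card carrying a huge
        # revision number would raise the mark and lock the real guest out.
        if not hmac.compare_digest(tag, expected):
            return "deny:bad-tag"
        room, revision = CARD_BODY.unpack(body)
        if room != self.room:
            return "deny:wrong-room"
        if revision < self.high_water:
            return "deny:revoked"
        self.high_water = revision  # a newer card silently revokes older ones
        return "unlock"

def demo() -> list:
    key = b"constructed-demo-key-room-1204"      # constructed sample secret
    lock = OfflineLock(key, room=1204)
    guest_a = issue_card(key, 1204, 0)           # first guest
    guest_b = issue_card(key, 1204, 1)           # re-issue after checkout
    forged = CARD_BODY.pack(1204, 5) + guest_a[CARD_BODY.size:]  # edited revision, stale tag
    neighbour = issue_card(key, 1205, 9)         # valid tag, different room
    return [
        lock.present(guest_a),    # unlock
        lock.present(forged),     # deny:bad-tag, mark unchanged
        lock.present(guest_a),    # unlock: guest_b exists but the lock has not seen it yet
        lock.present(guest_b),    # unlock, mark moves to 1
        lock.present(guest_a),    # deny:revoked
        lock.present(neighbour),  # deny:wrong-room
        lock.present(b"short"),   # deny:malformed
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third result is the window the reply asks about: with no network, the old card keeps working until the new one is first presented at the door.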
I think this is similar to how most hotel locks work.
Currently at a reasonably-priced hotel in the boonies. Extended my stay the other day and they had to re-issue the keys. The keys must be aware of the reservation period, and the locks must be aware of the current wall-clock time. Finding a way to tamper with the RTC in the lock could blow up the whole system. Or, you know, a crowbar.
I don't think a crowbar attack will work in this case, I doubt you'll be able to get the lock to talk. /s
I've extended stays without needing new keys. There could be wireless updates, or resetting the lock is done when housekeeping preps the room.
There are definitely multiple solutions that don't depend on a server to authenticate every unlock.
I'd imagine the locks in most hotels don't require an internet connection. Frankly I'd be horrified if my hotel room's locks depended on this horrendous WiFi.
Same tech they use for staff in mental health hospitals and wards, but strangely no one hacks the mental health hospitals.
MGM hotel rooms can be unlocked with smartphone NFC tap. You don't even need to visit the front desk to check in, just log in to the app. But if you can't open the app you can't get in your room. I'm guessing the front desk can issue keys to a guest in the event they lost their phone or something, but if the network is down for the front desk too then they might not be able to issue keys.
We often make fun of IOT and unnecessary app stuff, but these features 1000% make sense.
The problem is it works badly. You have to open the app which has to load and then you can get access to your key. But if you’re on an elevator then you might not have service and the app won’t load and then you can’t get to your key to use the elevator. Or worse if you don’t have great service in the corridor.
It needs to work in a way where the key is saved to your phone so it can be accessed quickly and offline.
Afaik the HID Global app saves a key in the OS key store (at least on Android) and uses the locally stored key with NFC so you just need network access to enroll a key. Not sure what vendor/app these things use (maybe it's all in house)
I would have thought apple/google wallet already have an API for this.
Some hotel chains like Hyatt support nfc keys in Apple Wallet. Because whatever microcontroller runs that is low-power, it can continue working after your phone battery is (nearly) dead too.
I know other locks use Bluetooth from an app which isn’t supported by Apple Wallet.
I did a project several years ago for MGM that involved BT, player cards, key systems, wifi, etc and I can confirm the hotel locks are controlled centrally for various reasons.
I would've thought it would get sent messages like:
<Grant access to KEY_ID>
<Revoke access from KEY_ID>
And it would keep track internally so that if the central system went down it could still function with already issued keys until it is fixed.
Such a system seems like it would be incredibly fragile to local attack - and this is one case where you can't just assume "physical access means you've already lost".
> physical access means you've already lost
I agree, that's why I figured if you can get away with fooling around with a lock, some wires and a laptop in the hallway, you can probably pick the backup key more discreetly.
I was wondering the same. It would be an extreme fire hazard if a power or computer outage made the doors unopenable - especially because a fire could and likely would cause an outage.
I once was stuck in my hotel room due to a malfunction in the inside door handle, which was an annoying way to discover that the latch wasn't even mechanical on that side.
I work in "access control" and that could probably get that hotel in a loooot of trouble with the fire marshal.
What country was that in?
You can get from your room to the parking lot without a key at the MGM Grand. I’m sure it’s the same for all others per I assume the fire code.
The doors can always open out they just lock to not allow in. In a fire nobody needs a key to leave, but they might need a key to get back in.
What if the fire is in the hallway, or your kids are in the room?
I know in my office building and legal jurisdiction an official fire alarm signal must override the electronic door locks so they fail to unlocked.
presumably you can still open them from the inside
Yours is probably meant to work indefinitely. I guess hotels look at the card id and see if you have access at that moment.
Apartment? I assume your home? The upkeep of locks in a hotel is a bit more involved, as customers lose keys and they need to be reset for the next room guest (for larger hotels, at least)
In a modern hotel with tap cards, all the locks are wired to a central system.
Over the years, MGM has bought up hotel-casinos on the Strip, and now they own most of ‘em. If you’re staying on the Strip, odds are it’s an MGM hotel.
If it's not MGM it's Caesars. And both MGM and Caesars are owned by VICI Properties.
The companies themselves are not owned by VICI, the land and properties are, and Caesars and MGM (and other casino operators) pay VICI rent.
The margins are amazing:
https://www.macrotrends.net/stocks/charts/VICI/vici-properti...
https://www.macrotrends.net/stocks/charts/VICI/vici-properti...
https://www.macrotrends.net/stocks/charts/VICI/vici-properti...
Wonder if VICI assets are protected from having underfunded pensions of casino employee unions.
https://en.wikipedia.org/wiki/Vici_Properties#Properties
Insane. Who is competing with them on the Las Vegas Strip? Just Blackstone with Bellagio, Cosmo, and Aria? Those investors have the power to have practically all properties on the strip not compete with each other.
MGM operates all 3 of those
Wynn is still independent (I think). That's the only one I can think of, though.
Or Caesars.
Good god, 48 THOUSAND rooms??
So it would be the perfect time to assemble a team of misfits and attempt a madcap heist?
That story is literally copied/pasted from 8NewsNow [0]
[0]: https://www.8newsnow.com/news/local-news/mgm-resorts-release...
They almost certainly got the story from the same wire service rather than copying from each other.
I was at the Park MGM in Las Vegas yesterday and was unable to use the app or the automated checkout kiosks, though aside from the front desk being more busy than usual during checkin and checkout, nothing in particular seemed amiss.
Related discussion https://www.reddit.com/r/vegas/comments/16fz1d3/mgm_has_been...
I'm currently rewatching the Las Vegas (2003) NBC TV series (the one with James Caan, Josh Duhamel, James Lesure, Molly Sims, Nikki Cox, Vanessa Marcil etc). Feels on-brand; like every second ep is about some fantastic heist.
It's worth rewatching as a guilty pleasure, IMO. Feels quite alien compared to current fare. It's dumb but well-crafted, fun and glitzy and never takes itself too seriously. I miss that kind of show.
Surprisingly high production values for the time. It's available in 1080p with decent quality, somehow.
HDTV (ATSC) was available in 1998 in the US[1]; consumer uptake wasn't much until close to the shutdown of analog broadcasting, but it was out there. NBC broadcasts in 1080i, so it's not terribly surprising that they recorded it in a way that would look good on 1080p. I can't find anything saying exactly how it was recorded, but it wasn't uncommon to film in 1080p/24 and broadcast with 3:2 pulldown. That kind of content will look great as 1080p obviously; but if it was recorded at 1080i, a professional deinterlacing will look pretty good too.
[1] https://web.archive.org/web/20140924040947/http://www.highbe...
HDTV (ATSC) is a technology that has influenced my life in pretty serious ways. My first tuner was a Sony SAT-HD100[0] in 2001. Witnessing the transition into digital TV through my VGA port, in retrospect, taught me tons about how technology adoption, development, and standardization actually works in the real world.
[0] https://www.crutchfield.com/S-9Pd3SuUnpX0/p_158STHD100/Sony-...
I think I started watching that show because it was in HD
I don't know anything about this particular show, but lots of programs were shot on film, and could just be scanned at higher resolution once HD video standards existed.
> just
Unfortunately there's a lot of post-production steps that take place between the original film and the finished show. Since the 90s/noughties many of those steps take place in digital systems after the film has been scanned at the chosen resolution. Here's some detail specific to Babylon 5 and HD conversion, for example:
https://www.engadget.com/2018-06-22-babylon-5-digital-video-...
Oh, yeah, I'm sure it's more complicated than I made it sound, especially if you had early CGI added later like Babylon 5. What I wanted to convey was that the source material for many programs had much higher resolution than the original NTSC broadcast or VHS versions, and that's what makes it possible to produce an HD version of a show that was filmed before HD was invented.
Ed Deline would never allow such a thing. Mike would most certainly be on it.
Maybe most of the LED displays are run by the same IT department. So if I were an evil genius, this latest attack would be only the first salvo of bewildering hijinks perpetrated in the service of a multistep heist. The ultimate goal: rickroll the entire city after hijacking The Sphere ( https://www.youtube.com/watch?v=sLCeYV0SV8k&ab_channel=Billi... )
How many people would you need for such an elaborate, multi-step heist? Especially wondering because, given your reputation, I’m assuming you would need to be more of a puppet master than an active participant.
Does somebody have a magnetron?
The linked article is down, here's an archive https://web.archive.org/web/20230911174437/https://www.casin...
Though the article itself says details are scant, so it's just going to be speculation. I'd love to know what happened though.
Almost all news available is an echo of the press release. Not much real info.
lots of igaming hacks of late.
other notables: Australia's Crown Resorts was hacked a while back (March 2023) https://gamblingindustrynews.com/news/australia/crown-potent...
Last week stake.com was hacked https://gamblingindustrynews.com/news/technology/stake-com-4... (apparently by Lazarus group according to FBI https://www.fbi.gov/news/press-releases/fbi-identifies-lazar... )
Makes me think of the Sony hack by the Lazarus Group.
Allegedly due to the release of a movie. I'd assume this MGM resort is extortion/DOS.
...which doesn't eliminate them. Recent visits and timing would be impeccable.
Every day they are down is $$$$$$
Rumors that Caesars was hit last week...
https://www.casino.org/vitalvegas/mgm-resorts-receives-colos...
This is the same group that brought in face recognition, and needlessly detailed data keeping on every customer and we're expected to trust them .. right?
If they're going to shut something down, better a casino than anywhere else.
Was just coming here to say it: And nothing of value was lost.
Your opinion is valid, however I'm currently on a plane heading there, likely a third of the passengers won't be able to check into their hotel. Same with dozens of planes. Kinda sucks for them.
I live in Vegas and it also sucks for all the local MGM employees that are getting called in to have to deal with it. That said, I hope things get figured out and your trip goes well!
I'll be fine, thanks. The context from allenrb is that casinos have no value to society, so that eliminating them (and therefore all the related jobs) is not a loss to anyone. That includes the employees you are referring to in your comment, and without much regard for the people heading there for a vacation.
That will suck for sure. Hopefully they’ll be handing out some form of compensatory goodies to make up for it a bit.