Password Reuse Dealt Sands Casino a Bad Hand
Bloomberg Businessweek broke a big story on December 11th, when it wrote about a sophisticated and persistent attack on the Sands Casino earlier this year.
The article, by Ben Elgin and Michael Riley, paints a detailed picture of an APT-style attack against the casino that wiped hard drives clean and shut down everything from corporate e-mail to the systems that monitor the performance and payouts of slot machines and table games.
It all started when attackers exploited a ‘weak link’ in the corporate chain: a slot machine casino in Bethlehem, Pennsylvania. The hacking crew first tried to break down the front door, launching brute-force password-guessing attacks on the company’s virtual private network (VPN) server. The Sands’ IT staff responded by adding two-factor authentication to the accounts of VPN users. Alas, the attackers were eventually able to find a way around the VPN - exploiting a vulnerable server used to stage web page updates. From there, they used an open-source toolkit, MimiKatz, to harvest credentials from systems on the Bethlehem Casino’s network.
Fortunately for the Sands, the Bethlehem site was something of an IT island, with no direct connection back to Sands’ main corporate network in Las Vegas. Unfortunately, a live connection turned out to be unnecessary. That’s because the credentials the crew harvested at the Bethlehem site included the username and password of a senior Sands administrator who had logged in with them during a recent visit. Those same credentials also worked on the Sands corporate network in Las Vegas. From there, the attackers moved quickly to expand their foothold on the main corporate network before launching their attack on February 10th. The attack eventually affected thousands of servers, desktop PCs and laptops.
The article also suggests that the attack might have possible ties to state-sponsored hackers in Iran, noting that Sands owner Sheldon Adelson offended the government of Iran when he said that Israel should consider detonating a nuclear bomb over Tehran to keep Iran from developing its own weapon.
The attack, in fact, had similarities to the so-called “Shamoon” attack against the oil giant Saudi Aramco - an attack that also was attributed to state-sponsored hackers in Iran. But, of course, attribution is speculation.
What’s the moral of the story? It’s hard to decide on just one. But a salient point is that weak authentication is the gift that keeps on giving for cybercriminals, state-sponsored hackers and hacktivists alike. The Sands IT group took the threat of brute-force attacks seriously enough to enable second-factor authentication for their Bethlehem, PA site. But they failed to imagine how not using two-factor authentication uniformly throughout the organization left them exposed - even after they battened down their VPN server.
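To make that coverage gap concrete, here is an added example (not from the article; every account, site and service name is constructed) that audits a small access inventory and reports two things: logins that still accept a password alone, and accounts whose single password works at more than one site while at least one of those sites skips the second factor, which is exactly the combination the attackers used.

```python
"""Audit an access inventory for second-factor coverage gaps.

Constructed example (not from the article): an inventory of which accounts
can log in to which remote-access services at which site, and whether that
service demands a second factor.
"""
from collections import defaultdict

# Constructed inventory: (account, site, service, mfa_enforced)
INVENTORY = [
    ("admin.jsmith", "bethlehem", "vpn", True),
    ("admin.jsmith", "lasvegas", "vpn", False),
    ("admin.jsmith", "lasvegas", "rdp-gateway", False),
    ("web.deploy", "bethlehem", "staging-web", False),
    ("slots.ops", "bethlehem", "vpn", True),
    ("hr.clerk", "lasvegas", "vpn", True),
]


def services_without_mfa(inventory):
    """Every (account, site, service) that accepts a password alone."""
    return sorted((a, s, svc) for a, s, svc, mfa in inventory if not mfa)


def cross_site_password_reuse(inventory):
    """Accounts whose one password unlocks more than one site, where at
    least one of those sites does not require a second factor.
    Returns {account: sorted list of sites reachable without MFA}."""
    sites = defaultdict(set)
    weak_sites = defaultdict(set)
    for account, site, _service, mfa in inventory:
        sites[account].add(site)
        if not mfa:
            weak_sites[account].add(site)
    return {acct: sorted(weak_sites[acct])
            for acct in sites
            if len(sites[acct]) > 1 and weak_sites[acct]}


if __name__ == "__main__":
    for entry in services_without_mfa(INVENTORY):
        print("password-only login:", entry)
    for acct, weak in cross_site_password_reuse(INVENTORY).items():
        print(f"{acct}: one password, several sites, no MFA at {weak}")
```

In a real environment the inventory would come from the VPN, gateway and directory configurations rather than a hand-written list; the two checks stay the same.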
It's understandable that IT groups are reluctant to dive into a wholesale shift to two-factor authentication when there is no imminent threat of attack or havoc. Sticking with the authentication you have may seem like a balanced decision, given the risks. But the Sands hack, not to mention Sony's, reminds us that the cost of miscalculating your risk can be very high, indeed.