This article was originally published, with slight edits, in the December 2020 issue of Global Gaming Business magazine.
Cache Creek Casino Resort, a beautiful property located just east of Napa County, California, shut itself down on September 20, 2020 and remained closed for three full weeks, re-opening on October 12. This was not a coronavirus or health-related shutdown, nor was it due to wildfires. Cache Creek closed down due to a “major computer systems disruption,” according to their press releases. COVID-19 has adjusted everyone’s idea of “unthinkable,” but prior to 2020, a self-imposed, multi-week casino shutdown would certainly have fit that description.
Cache Creek is not an amateur organization: it’s a 2700-slot, 120-table facility with hotel, golf course, spa and showroom, and presumably a capable and talented IT department. Although CCCR’s public communication lacked specifics, the length of the shutdown, along with reporting from the Sacramento Bee [1] that the FBI is investigating, strongly indicates that they were the victim of a “ransomware” attack.
Ransomware attackers are rarely interested in stealing data per se; their goal is to prevent you from accessing your own data and systems by encrypting everything, then selling back the decryption key. Ransomware attackers migrated from locking up personal computers to corporate networks because they can extort far larger prices from large companies, municipal governments, and health systems than from individual users. Ransomware attacks have accelerated greatly, with a Bitdefender report [2] claiming a 7x increase between 2019 and 2020.
This latest attack (actually it may not be the latest, as Clearwater River Casino and It’se Ye-Ye Casino were closed Oct 12 to 19 due to “technical difficulties,” according to their Twitter feed) can be added to a list that is getting worrisomely long: Four Queens & Binion’s in Las Vegas (suspected ransomware) [3], sportsbook vendor SBTech (forced to set aside $30 million) [4], Hard Rock Casino Las Vegas (twice) [5], Eastern Band of Cherokee Indians (confirmed it paid a ransom) [6], MGM Resorts (10+ million customer records exposed) [7], Las Vegas Sands [8] (potential $40 million total cost [9]), Affinity Gaming (also twice) [10], multiple national hotel chains, and possibly other casino properties, partners, and vendors whose attacks remain undisclosed.
Unfortunately, one thing all of these victims have in common is a lack of transparency into what exactly happened. The most powerful action a hacking victim can take in order to weaken cyber-attackers is to share their methods and attack vectors, so similar operators can lock down those vulnerabilities on their own networks. This isn’t sufficient to fully prevent future attacks, because malware authors are constantly getting more sophisticated, but it certainly helps to stop repeats of the same attack at multiple companies within an industry.
Additionally, refusing to reveal details prevents casinos from evaluating the security practices of the system vendors upon which they rely. Casinos integrate CMS, LMS, POS, databases, marketing automation tools, payment processors, kiosks, revenue optimization software, business intelligence platforms, payroll and timekeeping systems, and grant access to internal applications to a multitude of external service providers, such as Expedia, OpenTable, Ticketmaster, in-room entertainment vendors, wi-fi networks, unlock-via-mobile-app providers, even LED lighting controllers, climate-control monitors, housekeeping pollers, and many more. If any of the cyberattacks can be traced back to a third-party service, or if a specific vendor’s software is a common factor among the compromised networks, it is essential to make that information public so that other operators can avoid that vendor, or so that the vendor is pressured into securing its software.
Truthfully, major CMS vendors have made life difficult for security and IT teams for a very long time. CMSes are closed, proprietary systems with extremely wide reach into virtually every area of a casino’s operations – finance, accounting, marketing, operations, tax compliance, complimentaries – and the underlying database contains all player records, including physical addresses and driver license info. Meanwhile, vendors employ many anti-security tactics, such as not sharing source code, storing data in plaintext (rather than utilizing encryption-at-rest), slowly investigating or fixing bugs, not fully documenting all aspects of the software, and severely limiting distribution of that documentation. Additionally, inter-system communications (between games, servers and applications) are either entirely proprietary or follow protocols developed by the International Gaming Standards Association, an organization whose lowest membership level costs $11,200 [11]. Of course, not every vendor is guilty of every violation here, but none are fully compliant with modern security standards and recommendations.
Because of the lack of access, it’s impossible for independent security experts to audit the systems or to perform “pen-testing” (simulated hacking on behalf of the customer to find vulnerabilities that actual hackers would try to exploit). Casinos are essentially beholden to vendors to ensure their products are secure, but have no way to verify that they are. Nor are regulators and auditors much better. Gaming Laboratories International (GLI) certification is required by many gaming regulators in the United States, but its “Network Security Best Practices” document hasn’t been updated since January 2013, well before the existence of modern ransomware, and its “Client-Server Systems” Standard was last updated in September 2011. Neither document even mentions two-factor authentication in conjunction with software access privileges; it appears only in the Network Security document, and only in regard to server-room access. The Network Security document recommends SSL encryption (page 33), despite SSL having been found “not sufficiently secure” and deprecated in June 2015 [12] in favor of TLS 1.2, which itself has since been updated to 1.3.
To be clear, there is no proof that any CMS, or any specific vendor’s software, has been compromised. The lack of disclosure from any of the victims prevents anyone from knowing. However, when a casino is closed for three weeks, it’s fair to assume that attackers got to the heart of the network and its most valuable data.
The most effective way to thwart a ransomware attack is to have recent, comprehensive backups of all data, stored offline so they aren’t themselves encrypted. This way, you can restore the backups and ignore the ransom demand (not entirely, as attackers will threaten to sell private data, which is why encryption-at-rest is essential). Unfortunately, the secrecy surrounding vendor software makes it extremely difficult for a casino to plan or implement a backup and restoration process that is reliable, repeatable, and which can be continuously performed in the background without interrupting normal service. Simply put, if the casino isn’t fully informed on how each system works, where the most essential data lies, and what the underlying software stacks are, it’s just guessing when it comes to backing up. Although vendor software usually relies on common, commercial databases (SQL Server, Oracle, DB2, etc.) underneath, casinos can’t always utilize those DBMSs’ built-in backup or security features, or features provided by reliable third-party vendors and consultants, because the casino is never in full control of the data source and is unsure how it interacts with the application. Whichever CMS Cache Creek runs, that vendor shouldn’t be protected by the casino’s silence. If it has become aware of vulnerabilities that could potentially affect other casinos running the same system, it is obligated to warn its other customers and to quickly create and distribute patched software.
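The three properties the paragraph above asks of a backup set (recent, comprehensive, and not silently encrypted or overwritten) can be checked mechanically. The following is an added example, not code from the article or from any CMS vendor; it assumes a constructed layout of one file per dataset plus a JSON manifest written at backup time, and the dataset names are placeholders.

```python
import hashlib
import json
import os
import time

# Constructed placeholder dataset names, not any vendor's real schema.
REQUIRED_DATASETS = ("cms_players", "cms_finance", "pos_transactions")


def sha256_of(path):
    """Hash a file in chunks so a large database dump is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sample_backup_set(backup_dir, created):
    """Write constructed sample backup files plus the manifest the check expects."""
    files = {}
    for name in REQUIRED_DATASETS:
        fname = name + ".bak"
        with open(os.path.join(backup_dir, fname), "wb") as f:
            f.write(b"constructed dump of " + name.encode())
        files[name] = {"file": fname, "sha256": sha256_of(os.path.join(backup_dir, fname))}
    with open(os.path.join(backup_dir, "manifest.json"), "w") as f:
        json.dump({"created": created, "files": files}, f)


def verify_backup_set(backup_dir, max_age_hours=24, now=None):
    """Return findings (empty list means usable): recency, completeness, integrity.
    A hash mismatch on a file that should never change after it was written is
    the tell of a backup that was itself encrypted or overwritten by an intruder."""
    now = time.time() if now is None else now
    findings = []
    manifest_path = os.path.join(backup_dir, "manifest.json")
    if not os.path.exists(manifest_path):
        return ["manifest missing: backup set cannot be verified"]
    with open(manifest_path) as f:
        manifest = json.load(f)
    age_hours = (now - manifest["created"]) / 3600
    if age_hours > max_age_hours:
        findings.append("stale: newest backup is %.1f hours old" % age_hours)
    for name in REQUIRED_DATASETS:
        if name not in manifest["files"]:
            findings.append("incomplete: no backup of dataset %s" % name)
    for name, entry in manifest["files"].items():
        path = os.path.join(backup_dir, entry["file"])
        if not os.path.exists(path) or sha256_of(path) != entry["sha256"]:
            findings.append("tampered or missing: %s" % entry["file"])
    return findings
```

Run the check from a host that mounts the backup media read-only; a manifest kept with the backups is only trustworthy if the media itself was offline while the attacker had access.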
The good news is that the gaming industry has strong trade groups and professional organizations, such as the American Gaming Association, National Indian Gaming Association, and many regional groups. Although casinos are generally in fierce competition with each other, when facing an external threat like cyberattacks, they tend to unify, in partnership with vendors and regulators, to combat the threat together. If these trade associations choose to take the lead in prioritizing cybersecurity, they have a number of levers to employ. They can pressure attack victims to share details of the attack – how the intrusion started, their full software stack, what vendor systems were compromised, what data was captured, what backups were safe, the response from law enforcement, the ransom demands, the quality of the restoration services (if any), etc. – so that other casinos can hopefully prevent an identical attack and can better deal with one if it does happen. Trade associations can also pressure regulators to insist on full cybersecurity audits, which can only happen when vendors begin to share details on the internals of their codebases, and to accept only certifications from labs with recent, thorough cybersecurity tests. That would force GLI and similar labs to update their mandates, which in turn would require vendors to comply with much stricter security measures. In addition, trade associations can encourage all parties to invite independent security researchers, software developers, and database experts to participate in the review and direction of future system releases and network architectures, with access to common software, tools, and protocols without having to pay huge fees, and without being denied access to essential components of the systems they are attempting to review, or to their documentation.
The alternative to proactively and collaboratively defending our industry against cyberattacks is simply to experience an increase in the frequency and severity of such attacks. A ransomware attacker’s dream victim is one who pays up and who stays silent. Paying the ransom funds additional developers to find more sophisticated exploits, while the silence ensures that the exact same attack can be duplicated on another victim running the same software. Given the long list of attack victims, it would be hard to justify a cyberattack as an unforeseen or non-preventable risk in an insurance dispute, or for a casino not to be held liable in the case of personal data exposure. In the long run, working together to ward off attacks is going to be cheaper than consistently falling victim and paying the price of ransom, emergency data restoration services, the lost income from closing a casino for weeks, and the potential loss of value from losing the customer database entirely.
1. “Northern California casino reopens from 3-week closure due to cyberattack.” Michael McGough, Sacramento Bee, October 13, 2020. https://www.sacbee.com/news/business/article246423090.html
2. Bitdefender Mid-Year Threat Landscape Report 2020. https://www.bitdefender.com/files/News/CaseStudies/study/366/Bitdefender-Mid-Year-Threat-Landscape-Report-2020.pdf
3. “Casinos in Las Vegas Hit by Suspected Ransomware Attack.” Claudia Glover, Computer Business Review, March 3, 2020. https://www.cbronline.com/news/casino-ransomware-attack
4. “SBTech ordered to set aside $30m to settle hacking claims.” iGamingBusiness, April 9, 2020. https://igamingbusiness.com/sbtech-ordered-to-set-aside-30m-to-settle-hacking-claims/
5. “Hard Rock Hotel & Casino Hit By PoS Malware.” Mike Lennon, Security Week, June 27, 2016. https://www.securityweek.com/hard-rock-hotel-casino-hit-pos-malware
6. “Tribe pays ransom as work continues in rebuilding of the network.” Robert Jumper, Cherokee One Feather, January 10, 2020. https://www.theonefeather.com/2020/01/tribe-pays-ransom-as-work-continues-in-rebuilding-of-the-network/
7. “MGM Resorts hack affected a reported 10.6M former guests.” Bailey Schulz, Las Vegas Review-Journal, February 19, 2020. https://www.reviewjournal.com/post/1961400/
8. “Iran hacked an American casino, U.S. says.” Jose Pagliery, CNN Business, February 27, 2015. https://money.cnn.com/2015/02/27/technology/security/iran-hack-casino/index.html
9. “Now at the Sands Casino: An Iranian Hacker in Every Server.” Ben Elgin and Michael Riley, Bloomberg Business Week, December 12, 2014. https://www.bloomberg.com/news/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas
10. “Affinity Gaming reports second data breach.” Howard Stutz, Las Vegas Review-Journal, May 5, 2014. https://www.reviewjournal.com/business/casinos-gaming/affinity-gaming-reports-second-data-breach/
11. Gaming Standards Association Benefits & Dues. https://www.gamingstandards.com/en/membership/benefits-dues
12. Internet Engineering Task Force, RFC 7568, June 2015. https://tools.ietf.org/html/rfc7568