October 2023

After MGM & Caesars attacks, threat actors seek initial access for casinos

Following heavily publicized breaches of Caesars Entertainment and MGM Resorts International, Cybersixgill observed threat actors seeking initial access to casinos, ostensibly to carry out ransomware attacks. Cybersixgill also detected cybercrime forum members discussing the availability of popular strains of ransomware for threat actors who possess access to target organizations.



In the wake of major cyber attacks on two of the top companies in the casino industry, Caesars Entertainment and MGM Resorts International (MGM), Cybersixgill detected threat actors seeking to attack victims in this sector. With Caesars reportedly forking over $15 million to attackers,[1] and details still emerging related to the resolution of the MGM attack, threat actors may increasingly view casinos as well-capitalized targets that lack the requisite operational security (OPSEC) to thwart ransomware attacks.


Cybersixgill observed threat actors seeking initial access for American and European casinos, in addition to several other specific industries. Entities in the specified industries and locations tend to be well capitalized and are likely viewed as “big game” victims capable of paying significant ransoms. Initial access plays a crucial role in the ransomware-as-a-service[2] (RaaS) economy, with specialized initial access brokers (IABs) selling remote access to compromised organizations’ systems, which attackers then use for network intrusions. Initial access can encompass multiple vectors, permission levels, and network entry points, including Remote Desktop Protocol[3] (RDP) and VPN-based[4] accesses, which are frequently provided via valid login credentials related to Citrix, Fortinet, and other vendors. After leveraging compromised accesses, threat actors move laterally within networks, steal confidential information, execute commands, modify system configurations, and deliver ransomware payloads. Ultimately, initial access represents the first step in identity theft, financial fraud, extortion, and other malicious activities.

Based on references to confidentiality, the threat actors Cybersixgill observed soliciting casino internal access appeared to seek insiders,[5] an umbrella term for employees, contractors, or other trusted individuals with authorized access to sensitive data, systems, or networks. Insider access is particularly valuable to threat actors because it decreases the efforts required for attacks and helps cybercriminals maintain persistence on compromised systems.

In addition to threat actors seeking casino insiders, Cybersixgill also observed cybercrime forum members discussing the MGM attack specifically. One forum member noted that a prominent RaaS is willing to partner with any threat actor who possesses (1) corporate access, or (2) a track record of ransom attacks, providing lower commissions to beginners, but increasing the cut affiliates receive as their experience increases.


Following the Caesars and MGM attacks, threat actors will likely pursue paydays from the casino industry. In light of the risks posed by such attacks, all organizations should instruct employees not to disclose sensitive information (including credentials) without properly verifying recipients’ identities. Employees should also be instructed (1) not to click on links or attachments in suspicious emails, and (2) to double-check email senders’ identities before opening attachments or clicking links. They should also remain vigilant with regard to misspelled URLs to avoid entering credentials into fraudulent websites.



[1] On September 14, 2023, Caesars alluded to a ransom payment in a Securities and Exchange Commission (SEC) 8-K filing, disclosing that it took “steps to ensure” that “stolen data [was] deleted” by an “unauthorized [and unidentified] actor.” Reports on open source sites claimed Caesars paid approximately $15 million to threat actors.

[2] Ransomware-as-a-Service (RaaS) is a business model for licensing ransomware variants in the same way that legitimate software developers sell SaaS products.

[3] Remote Desktop Protocol (RDP) is a network communications protocol developed by Microsoft, which allows users to connect to another computer from a remote location.

[4] Virtual Private Networks (VPNs) create a secure and encrypted connection over less-secure networks.

[5] Insider threats can take various forms, including theft of sensitive data, sabotage of IT systems, or the abuse of unauthorized access to confidential information. The risks associated with insider threats are significant, causing financial losses, reputational damage, and legal consequences.
