Slot machines in two Las Vegas casinos were out of action for almost a week in an incident that bears all the hallmarks of a ransomware attack.
Investigations are currently underway by the Nevada State Game Control Board, which told us it is “actively monitoring the situation”.
Four Queens Hotel and Casino and Binion’s Casino in downtown Las Vegas are open for business but for several days were only able to trade in cash, while startling videos of rows of crippled slot machines on empty casino floors swept across Twitter.
The two casinos’ websites also remained down on Tuesday, six days after the incident was first reported on February 27.
Both casinos are owned by the company TLC Casino Enterprises, Inc, which did not respond to multiple requests for comment.
Gaming forum posters said that the outages had continued early this week.
At the Four Queens Casino, signs stating “Computer systems are down. Cash only” were posted at the parking garage, and the slot machines carried messages like “out of order” and “OUT OF SERVICE”, according to the Las Vegas Review.
The Nevada State Game Control Board have issued a brief statement: “The board is aware of the incident and we are actively monitoring the situation. As this is an ongoing investigation, we have no further comment.”
TLC Casino Enterprises did not respond to several requests for comment.
Suspected Casino Ransomware Attack: Are other venues in Vegas vulnerable?
Venues in Las Vegas have been repeated targets of cyber attacks.
MGM Grand is currently facing court action over a security breach during the summer that exposed the personal details of a reported 10.6 million guests, while casino vendor Golden Entertainment has also admitted falling victim to a phishing campaign.
Security researcher Dylan Wheeler last year called in the FBI over vulnerabilities in the machines of another casino game vendor.
In that incident, he spotted kiosks and their back-end server transmitting users’ personal details unencrypted over the publicly accessible internet, including driver’s license scans (used for enrollment), home addresses and contact details, as well as details about user activity.
An unauthenticated reward server, meanwhile, was directly connected to the kiosks on the casino floor.
He told Computer Business Review: “If someone wants to hack a casino, it’s surprisingly just about how easily can you get into their networks. If you are inside their networks, and they don’t segregate their networks properly, you’ll be able to interact with all kinds of machines, from the slot machines to even the card shufflers and camera systems.
“As you can believe, the abuse potential is huge.”
He added: “I’ve had the source code to a few brands of slot machines. The test/dev code to others etc. They honestly just communicate (unencrypted) over the network and rely heavily on it, you can trigger almost anything including the developer testing stuff (jackpot etc.) if you know what you’re doing. You can also set a higher £ value to your inventory pretty easily due to test commands.
“If you see some of them booting up/downloading new content, they’ll even show they’re downloading their updates via a public IP… [It’ll probably take a] huge theft to make the vendors tighten their machines and games.”
Nearly 1,000 US government agencies, educational establishments and healthcare providers were hit by ransomware attacks in 2019 alone.
A report released by the Mississippi Office of the State Auditor in October of last year detailed the negligence of US states in regard to cyber crime:
“Several state agencies, boards, commissions, and universities are failing to adhere to state cyber security laws. According to survey results published in a report from the Office of State Auditor Shad White, many state entities are operating like state and federal cyber security laws do not apply to them”.