Cyber criminals have reportedly stolen six terabytes of data from MGM Resorts and Caesars Entertainment. The attack was carried out by Scattered Spider, an English-speaking affiliate of the ALPHV ransomware group, which initially planned to rig slot machines and use money mules to cash them out. When that plan failed, the group fell back on conventional social engineering to gain access to the companies' systems and ran a ransomware operation.
The Financial Times reports that the group evaded MGM Resorts' security team by using common remote-access software and logging in to the corporate VPN with a legitimate employee's identity, so that its activity blended into that employee's normal footprint. The attackers ran their malware remotely, claimed to have penetrated the network within five hours of starting the attack, and remained undetected for eight days.
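The access pattern described above, a valid employee identity on the corporate VPN followed by a commodity remote-access tool, is exactly the kind of early signal a detection team can look for. The following is an added example, not code from the article or from either company: a small correlation rule over constructed VPN and endpoint telemetry. The event fields, the per-user baseline of known source ASNs and device IDs, the one-hour window and the tool list are all assumptions made for the example, not facts about the incident.

```python
"""Added example: flag a VPN login whose source ASN and device are both unseen
for that user, and escalate if a commodity remote-access tool starts on that
device shortly afterwards. All field names, baselines and sample data below
are hypothetical and constructed for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (JSON lines, UTC). Not real data from any breach.
SAMPLE_EVENTS = """
{"ts": "2023-09-08T09:02:11Z", "type": "vpn_login", "user": "jdoe", "src_asn": 7922, "device_id": "LAPTOP-JD01"}
{"ts": "2023-09-08T09:05:40Z", "type": "process_start", "user": "jdoe", "host": "LAPTOP-JD01", "image": "outlook.exe"}
{"ts": "2023-09-09T14:20:03Z", "type": "vpn_login", "user": "jdoe", "src_asn": 16509, "device_id": "DESKTOP-8F3K2Q"}
{"ts": "2023-09-09T14:41:17Z", "type": "process_start", "user": "jdoe", "host": "DESKTOP-8F3K2Q", "image": "AnyDesk.exe"}
{"ts": "2023-09-09T15:00:00Z", "type": "vpn_login", "user": "asmith", "src_asn": 7018, "device_id": "LAPTOP-AS02"}
"""

# Constructed per-user baseline: ASNs and device IDs seen for each user over a
# prior learning period. In practice this would be computed from history.
BASELINE = {
    "jdoe": {"asns": {7922}, "devices": {"LAPTOP-JD01"}},
    "asmith": {"asns": {7018}, "devices": {"LAPTOP-AS02"}},
}

# Legitimate remote-access tools that are frequently abused once an attacker
# holds a valid identity. Illustrative list; compare lower-cased image names.
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe", "ateraagent.exe"}


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events_text, baseline, window=timedelta(hours=1)):
    """Return alerts for anomalous VPN logins and for remote tools launched
    on the newly seen device within `window` of such a login."""
    alerts = []
    # (user, device_id) -> time of the anomalous VPN login on that device
    suspicious_sessions = {}
    for ev in parse_events(events_text):
        user = ev["user"]
        if ev["type"] == "vpn_login":
            known = baseline.get(user, {"asns": set(), "devices": set()})
            new_asn = ev["src_asn"] not in known["asns"]
            new_device = ev["device_id"] not in known["devices"]
            # Requiring both signals keeps a user on a new hotel Wi-Fi from
            # firing on ASN alone; a new ASN *and* a new device is rarer.
            if new_asn and new_device:
                suspicious_sessions[(user, ev["device_id"])] = ev["ts"]
                alerts.append({
                    "severity": "medium", "user": user, "ts": ev["ts"],
                    "reason": f"VPN login from unseen ASN {ev['src_asn']} "
                              f"and unseen device {ev['device_id']}",
                })
        elif ev["type"] == "process_start":
            login_ts = suspicious_sessions.get((user, ev["host"]))
            if (ev["image"].lower() in REMOTE_TOOLS
                    and login_ts is not None
                    and ev["ts"] - login_ts <= window):
                alerts.append({
                    "severity": "high", "user": user, "ts": ev["ts"],
                    "reason": f"remote-access tool {ev['image']} started on "
                              f"{ev['host']} within {window} of an anomalous VPN login",
                })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, BASELINE):
        print(a["severity"], a["user"], a["ts"].isoformat(), a["reason"])
```

On the constructed sample this produces one medium alert for jdoe's login from an unseen ASN and device, and one high alert when AnyDesk starts on that device 21 minutes later; asmith and jdoe's earlier, baseline-consistent session produce nothing. The rule deliberately says nothing about how the attacker obtained the credentials (help-desk resets and MFA enrolment changes live in identity-provider logs, not here), and a baseline built from history will absorb an attacker who has already been present long enough to appear "normal".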
One key factor contributing to the success of the gang’s social engineering tactics was their native proficiency in English, which made their approach more plausible than the typical phishing emails used by non-native-speaking groups.
While some MGM Resorts systems remain down following the attack, it has been revealed that the attackers also encrypted over 100 ESXi hypervisors. ALPHV, also known as BlackCat, stated that it launched ransomware against the hypervisors on September 11th, after earlier attempts to contact MGM went unanswered. The incident has also prompted speculation about overlap between Scattered Spider and the Lapsus$ group, as both use similar tactics and are primarily composed of English-speaking teenagers and young adults.
Ariel Parnes, co-founder and COO of Mitiga, points out that there are still many unanswered questions regarding the incident. Despite the lack of clarity, Parnes warns against taking the information released by MGM’s attackers at face value, as it could be part of a calculated psychological campaign to exert pressure on the company. Parnes emphasizes the complexity of hybrid environments with on-premises data centers, cloud, and software-as-a-service (SaaS) and how attackers can leverage this complexity to their advantage.
Caesars Entertainment has also been affected and has filed an 8-K with the SEC. While the company states that its customer-facing operations, including physical properties and online gaming applications, were unaffected, its loyalty program database was compromised. The unauthorized actor acquired driver's license numbers and/or Social Security numbers of a significant number of members in that database. The company is still investigating but has found no evidence that member passwords, bank account information, or payment card data were exposed. Caesars will extend credit monitoring and identity theft protection to affected customers.
The Wall Street Journal reported that Caesars paid a $15 million ransom to the criminals who took its data. The company stated that it has implemented corrective measures to protect against future attacks and expects the incident to have no material impact on its financial condition and results of operations.
Experts have commented on the success of social engineering tactics used in the attacks. They emphasize the need for ongoing security awareness training and defense-in-depth strategies to mitigate the risk of breaches. Dave Ratner, CEO of HYAS, highlights the importance of detecting the initial signs of a breach to prevent its expansion and impact on operational resiliency.
The incident also highlights the risk posed by third-party providers. James McQuiggan, security awareness advocate at KnowBe4, emphasizes the need for organizations to be vigilant in protecting their infrastructure and data from cybercriminals, including third-party providers.
In conclusion, the cyber attack on MGM Resorts and Caesars Entertainment carried out by Scattered Spider highlights the ongoing threat of cybercriminals and the need for robust security measures to mitigate the risk. The success of social engineering tactics and the involvement of third-party providers emphasize the importance of security awareness training and defense-in-depth strategies. Organizations must remain vigilant and proactive in their efforts to protect their systems and data from cyber threats.
