Cyberattacks against MGM Resorts International and Caesars Entertainment

Hello readers!

In today's article we bring you an analysis of the incident that occurred on 10 September due to a large-scale cyberattack against MGM Resorts International, a US-based business group dedicated to the hospitality and entertainment industry and responsible for the management of casinos, hotels and shows worldwide. The cybercriminal group claiming responsibility is the notorious Russian state-linked ransomware group BlackCat, although all indications point to a hypothesis that the intrusion was carried out by one of its alleged affiliates, Scattered Spider.

To gain initial access to the targeted systems, the attackers reportedly carried out a vishing campaign in which they impersonated employees of the organization, whom they had previously researched on LinkedIn, and then contacted the technical support services in order to obtain resets of passwords and multifactor codes.

After gaining this initial access, the attackers acquired super administrator privileges in MGM's Okta environment and administrator privileges in Azure, after which they attempted to contact the affected organization for the purpose of financial extortion. When this initial contact attempt failed, they decided to execute ransomware attacks against more than 100 ESXi hypervisors in the environment, causing the unavailability of essential services for the entity, including its main website, the MGM Rewards application, online reservations and casino services, and affecting its digital infrastructure in more than 30 of its hotels. Additionally, numerous users reported problems with room access cards, an issue that seems to have persisted days later. Finally, the actors responsible for the incident threatened to use triple extortion tactics, claiming that they were able to extract relevant information and expose it publicly, and to carry out additional actions against the infrastructure by taking advantage of their current access.
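The chain described above (a help desk reset of both password and MFA, followed by an administrator privilege grant) leaves a recognizable sequence in identity provider logs. The following detection sketch is an added example, not part of the original article: the event type names are Okta System Log event types, while the flattened record fields (`published`, `eventType`, `actor`, `target`), the 24-hour window and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Okta System Log event types for the steps described above.
RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}
PRIV_EVENT = "user.account.privilege.grant"
WINDOW = timedelta(hours=24)  # assumption: tune to the help desk workflow

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_reset_then_admin(events):
    """Alert when an account whose password AND MFA factors were reset by
    someone else takes part in an admin privilege grant within WINDOW."""
    resets = {}  # target user -> {reset event type: time of latest reset}
    alerts = []
    for ev in sorted(events, key=lambda e: parse(e["published"])):
        when, etype = parse(ev["published"]), ev["eventType"]
        actor, target = ev["actor"], ev["target"]
        if etype in RESET_EVENTS and actor != target:
            resets.setdefault(target, {})[etype] = when
        elif etype == PRIV_EVENT:
            # The freshly reset account may be the grantor or the grantee.
            for user in sorted({actor, target}):
                seen = resets.get(user, {})
                fresh = [t for t in seen.values() if when - t <= WINDOW]
                if len(fresh) == len(RESET_EVENTS):
                    alerts.append({"user": user, "granted_by": actor,
                                   "granted_to": target, "at": ev["published"]})
    return alerts

def E(ts, etype, actor, target):  # builds one simplified, constructed record
    return {"published": ts, "eventType": etype, "actor": actor, "target": target}

# Constructed sample events (flattened; real System Log entries are nested JSON).
SAMPLE = [
    E("2024-01-01T09:00:00Z", "user.account.reset_password", "a.smith", "a.smith"),
    E("2024-01-01T09:30:00Z", "user.account.privilege.grant", "it.admin", "a.smith"),
    E("2024-01-02T10:00:00Z", "user.account.reset_password", "helpdesk1", "j.doe"),
    E("2024-01-02T10:05:00Z", "user.mfa.factor.reset_all", "helpdesk1", "j.doe"),
    E("2024-01-02T11:30:00Z", "user.account.privilege.grant", "j.doe", "new.admin"),
    E("2024-01-03T08:00:00Z", "user.account.reset_password", "helpdesk2", "b.lee"),
    E("2024-01-03T08:20:00Z", "user.account.privilege.grant", "it.admin", "b.lee"),
]

if __name__ == "__main__":
    for alert in find_reset_then_admin(SAMPLE):
        print(alert)
```

Only the `j.doe` sequence alerts: the self-service reset and the password-only reset followed by a routine grant do not match, which keeps the rule focused on the combined credential and factor reset.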

A few days earlier, on September 7, another cyberattack was reportedly carried out against what is considered MGM Resorts International's main business competitor, Caesars Entertainment, a group also located in the United States which, like MGM Resorts, is dedicated to the hotel and entertainment sector, managing casinos, hotels and golf courses worldwide. As in the previous case, researchers have attributed this cyberattack to the ransomware group BlackCat and its affiliate, Scattered Spider, although at the moment neither of them has claimed responsibility for it.

On this occasion, initial access to the systems was reportedly achieved through the compromise of one of its information technology (IT) suppliers. In cybersecurity this is commonly known as an Island Hopping attack, in which cybercriminals take advantage of the generally weaker security of suppliers in the supply chain to gain access to the target company's systems. In addition, cyberattacks against the supply chain usually cause a domino effect, affecting a large number of companies with which the supplier has some kind of contractual agreement and to which it therefore provides different types of services.

After gaining initial access, the threat actors reached a database of the entity's membership program, where they collected sensitive information including driver's licenses and social security IDs, for which they initially requested a payment amounting to $30 million. After negotiating with Caesars Entertainment, investigations have shown that the victim decided to pay the attackers $15 million in exchange for the ransomware group not making the compromised information public.

Specifically, it should be noted that the IT company that was breached and from which the Island Hopping attack was carried out, in which credentials linked to its customers were collected, was Okta, a US entity based in San Francisco. According to the investigations carried out, more than 500 companies could be affected in this attack as a result of social engineering techniques used against the organization's clients, although, for the moment, the identity of only five of them has been confirmed, two of them being MGM Resorts International and Caesars Entertainment.


BlackCat, also known as ALPHV or Noberus, is a Russian state-linked ransomware actor whose payload is written in the Rust programming language and whose initial activity dates back to November 2021. It is one of multiple ransomware groups operating under the Ransomware as a Service (RaaS) business model, offering other attackers access to its infrastructure and code in exchange for obtaining a portion of the ransom demanded from the victims of the cyberattacks perpetrated.

On this occasion, BlackCat is the only organization that, for the moment, has claimed responsibility for the cyberattack against MGM Resorts International, making it public through its website hosted on the Deep Web; according to investigators, however, the Scattered Spider group, an affiliate of BlackCat, could have been responsible for the intrusion. In any case, this second actor is not mentioned by BlackCat in the statement, as shown in the following image.

It should also be noted that, during its history, BlackCat has attacked many different kinds of targets, including critical infrastructures, such as oil and gas companies, construction and mining companies, and organizations belonging to the financial, legal or telecommunications sectors, among others. Regarding the initial attack vector, BlackCat members usually exploit vulnerabilities present in the target systems, through which they gain initial access and establish persistence on the devices. On some occasions, spearphishing campaigns that managed to breach victims' systems have also been identified.

As for Scattered Spider, also known as Oktapus, UNC3944, Muddled Libra or Scatter Swine, it is a well-known cybercriminal group, allegedly affiliated with BlackCat as a result of its RaaS business model, whose first attacks date back to May 2022. One of its best known campaigns was the one developed in January 2023 against telecommunications companies in which it used the SIM card swapping technique or SIM Swapping to gain access to the networks of the targeted entities.

Specifically, during its history it has attacked organizations in the financial, transportation, communications and service provider sectors, among others. All of its attacks have been attributed a primarily financial motivation. This group of cybercriminals usually gains initial access to target systems through credentials previously obtained in phishing campaigns distributed via SMS messages. Likewise, they have also been identified using Azure Serial Console to gain access to the administrative console of virtual machines. Regarding the malicious code most commonly used during their campaigns, STONESTOP, BURNTCIGAR and POORTRY stand out. Finally, it should be noted that several researchers have come to associate them with other known ransomware groups such as Cuba, which is distributed through fraudulent email campaigns or through the Hancitor malware.

In this case, although there are multiple hypotheses that point to Scattered Spider as the group responsible for the attacks perpetrated against MGM Resorts International and Caesars Entertainment using the infrastructure and resources of BlackCat, for the time being Scattered Spider has not made any kind of claim of authorship.


According to the above information, although for the moment only the BlackCat group has claimed responsibility for the cyberattack against MGM Resorts International, due to its Ransomware as a Service business model, there is a high probability that a second affiliated group, known as Scattered Spider, was directly responsible for the compromise.

It is also likely that, although only two of the affected entities have been made public so far following the attack against Okta, the number of affected organizations whose sensitive information may have been compromised will increase as the investigation by the authorities and by the IT service provider's own related companies progresses. In addition, the incidents described in this research show that social engineering continues to be successful today, which means that the weakest link in the security chain continues to be the user. For this reason, it is feasible to consider that this tactic will continue to be the main driver of all kinds of cyberthreats in the future. It is also plausible that the supply chain will continue to be a favorite target for these actors in the near future, given its generally lower level of security, the possibility of affecting a large number of other companies through the domino effect, and the possibility of island hopping to other targets of greater interest to them.

Finally, it should be noted that paying the ransom demanded by cybercriminals after a ransomware attack, as has allegedly happened in the cyberattack against Caesars Entertainment, does not guarantee in any case that the sensitive information that may have been compromised during the alleged intrusion will not be published anyway by those responsible for the incident, or used for malicious purposes by the actor or by third parties linked to it. In turn, taking into account that the cyberattack on MGM Resorts International has already been claimed, there is a possibility that the actors linked to the action will increase the pressure on the attacked entity to pay the ransom, given that they have already hinted at the possibility of deepening the compromise through double (data leakage) and triple extortion (DDoS campaign).


The following are a series of recommendations aimed at preventing and minimizing the impact of a cyberattack of this type:

  • Taking into account that a large part of ransomware cyberattacks begin by employing as an initial attack vector various tactics related to social engineering, it is recommended that organizations schedule information campaigns related to ransomware cyberattacks, with the aim of making users aware of the risk of downloading or executing files linked to suspicious links or attached to mail messages from unknown and untrusted sources.
  • Considering that another of the most common access vectors for ransomware actors is the exploitation of vulnerabilities, it is advisable to have a list of the software used by the organization and to review daily the vulnerabilities that affect each of the systems, tools and applications used by the entity, in order to install security updates early or to apply the corresponding mitigation measures. The organization's systems, all its servers, network elements and any other devices deployed in the internal or external network of the entity must be properly hardened, with the services and applications in use (web applications, active directories, etc.) configured correctly, so that they do not unintentionally expose information that could be intercepted by potential cyberattackers.
  • Likewise, employees are advised not to share sensitive personal or corporate data on their social networks that could link them in any way to the organization, as they could be used to design customized cyberattack campaigns.
  • In addition, segmenting and encrypting corporate systems are good cybersecurity practices to prevent cyberattacks of this type, since they reduce the compromise capacity of business organizations.
  • Finally, in order to increase the security of access to corporate systems by the organization's employees, it is highly advisable to implement multifactor authentication (MFA) mechanisms, especially in those forms of access to the organization's assets that are considered critical or of high impact. In this regard, it is also recommended to implement public key and private key encryption protocols for the exchange of sensitive information. It is also advisable to set up strong credentials (with eight or more characters, upper and lower case letters, numbers and special characters, not associated with personal data) and modify them from time to time, being advisable to do so in periods of between one and three months. In relation to this point, it is also advisable to always change the credentials configured by default following the standard indicated in this paragraph.

And this is the end of today's post. We hope it has been useful and that you liked it, see you next time!

Raquel Puebla González and Itxaso Reboleiro Torca, Cyber Intelligence Analysts at Entelgy Innotec Security