This Cybersecurity Threat Advisory highlights cyberattacks on MGM Resorts, a $33 billion hospitality and entertainment company operating out of Las Vegas. On Monday, September 11th, 2023, MGM Resorts experienced a ransomware attack that encrypted over 100 ESXi hypervisors and exfiltrated an unknown quantity of data. The group claiming responsibility for the attack is an advanced persistent threat (APT) group named “Scattered Spider”, an affiliate of the ALPHV/Blackcat ransomware-as-a-service operation. MGM was one of many targeted entities on the Las Vegas Strip, with Caesars paying an estimated $30 million ransom earlier this month.
What is the threat?
On Friday, September 8th, Scattered Spider reportedly gained access to the MGM network through social engineering. Within a 10-minute call, the threat actor was able to establish initial access to MGM’s environment. After gaining entry, the threat actor escalated to administrator privileges in Okta and even global administrator privileges in MGM’s Azure tenant, collecting and dumping passwords along the way.
In response to the breach, the company attempted (unsuccessfully) to shut down network access to sensitive devices. After MGM elected not to pay the ransom, Scattered Spider deployed BlackCat ransomware on Sunday, September 10th, and encrypted over 100 ESXi hypervisors, causing even more destruction and disruption. Scattered Spider claims that they hacked MGM in response to MGM’s alleged insider trading.
Why is it noteworthy?
This event highlights the importance of cybersecurity awareness training for all employees. A small mistake by a single user was all it took to incur extensive financial and reputational damage. To prevent similar events, businesses should implement MFA and, more importantly, stringent authentication and authorization monitoring. In addition, MGM failed to recognize the scope of the compromise when conducting their incident response, which resulted in an incomplete eradication of the threat. To improve incident response, businesses should develop a comprehensive incident response plan and infrastructure documentation, and conduct tabletop exercises.
What are the recommendations?
Barracuda MSP recommends the following actions to improve general security posture and preparedness:
- Employ proactive monitoring of all common attack surfaces, especially cloud and internal services, for signs of compromise.
- Implement MFA for all users, privileged or not.
- Conduct security awareness training, especially for employees who are expected to receive calls, such as help desk personnel.
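The authorization monitoring called for above can be made concrete as a check over identity-provider audit logs: every grant of an admin role is reviewed, and a grant that follows a help-desk password or MFA reset for the same account (the sequence described in this advisory) is raised as high severity. The following is an added example, not Barracuda's or Okta's own tooling; the field and eventType names are assumed to follow Okta's System Log schema, and all identities, roles and timestamps in the sample log are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample Okta System Log events. The field and eventType names follow
# Okta's System Log schema (an assumption); every identity and timestamp is invented.
SAMPLE_LOG = [
    {"published": "2023-09-08T09:00:00Z", "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "it.admin@example.com"},
     "target": [{"type": "User", "alternateId": "asmith@example.com"},
                {"type": "Role", "displayName": "Help Desk Administrator"}]},
    {"published": "2023-09-08T14:02:10Z", "eventType": "user.account.reset_password",
     "actor": {"alternateId": "helpdesk@example.com"},
     "target": [{"type": "User", "alternateId": "jdoe@example.com"}]},
    {"published": "2023-09-08T14:05:31Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk@example.com"},
     "target": [{"type": "User", "alternateId": "jdoe@example.com"}]},
    {"published": "2023-09-08T14:09:44Z", "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "jdoe@example.com"},
     "target": [{"type": "User", "alternateId": "jdoe@example.com"},
                {"type": "Role", "displayName": "Super Organization Administrator"}]},
]

# Credential-recovery events that a help-desk call can trigger.
RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}


def _when(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")


def _target(event, kind, field):
    # First target entry of the given type (User or Role), or None if absent.
    return next((t.get(field) for t in event["target"] if t.get("type") == kind), None)


def audit_privilege_grants(events, window_minutes=60):
    """One alert per admin-role grant. HIGH when the grantee's password or MFA
    was reset within the window beforehand, or the grant is self-issued."""
    events = sorted(events, key=_when)
    alerts = []
    for ev in events:
        if ev["eventType"] != "user.account.privilege.grant":
            continue
        user = _target(ev, "User", "alternateId")
        reasons = ["self-granted"] if ev["actor"]["alternateId"] == user else []
        for prior in events:
            gap = _when(ev) - _when(prior)
            if (prior["eventType"] in RESET_EVENTS and _target(prior, "User", "alternateId") == user
                    and timedelta(0) <= gap <= timedelta(minutes=window_minutes)):
                reasons.append(f"{prior['eventType']} by {prior['actor']['alternateId']} "
                               f"{int(gap.total_seconds() // 60)} min earlier")
        alerts.append({"user": user, "role": _target(ev, "Role", "displayName"),
                       "severity": "HIGH" if reasons else "MEDIUM", "reasons": reasons})
    return alerts
```

In a real deployment the same check would run against the System Log API feed or a SIEM export, with the window tuned to the help desk's normal reset-to-login latency.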
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.reddit.com/r/cybersecurity/comments/16iubsc/alphv_blackcat_just_released_an_annoucement_about/
- https://www.bleepingcomputer.com/news/security/mgm-casinos-esxi-servers-allegedly-encrypted-in-ransomware-attack/
- https://www.darkreading.com/attacks-breaches/-scattered-spider-mgm-cyberattack-casinos
If you have any questions, please contact our Security Operations Center.