THE GRAND ATTACK (MGM)



In September 2023, MGM Resorts, the world-famous hotel and casino chain, faced a cyber attack launched by the hacker groups ALPHV and Scattered Spider. The groups used social engineering tactics to enter MGM’s systems, which resulted in a huge ransomware attack.


This attack led to critical operational disruptions, such as disabling online reservation systems, digital room keys, slot machines, and websites. The impact of this attack extended for ten days, causing significant losses for MGM Resorts.

Concerns also arose about a potential data breach that could have involved personally identifiable information (PII) of MGM customers, employees, and vendors.


ALPHV, one of the hacker groups, released a statement titled “Setting the record straight” on September 14, 2023. In the statement, ALPHV provided details on its strategies and involvement in the cyber attack, shedding light on the events surrounding this breach. The incident shows why organizations need to invest in robust cybersecurity measures to protect themselves from evolving cyber threats.


The cyber threat group Scattered Spider, which is known for its expertise in social engineering, launched an impersonation and vishing scheme to enter MGM’s systems. Their precise route in was to use LinkedIn to identify a current MGM Resorts employee, assume that employee’s identity, and call the MGM IT help desk requesting assistance logging into their accounts. The phone call lasted ten minutes, and the attackers were able to gain administrator privileges to MGM’s Okta and Azure tenant environments.


The following day, MGM’s security team discovered unusual activity and traffic; ALPHV admitted to sniffing passwords on MGM’s Okta servers. MGM hastily deactivated its Okta Sync servers and essential infrastructure components to prevent an escalation of the attack, which interrupted reservation systems, digital room keys, slot machines, and more. ALPHV, still having access to the system, deployed ransomware to more than 100 ESXi hypervisors within MGM’s network. The attackers claimed to have exfiltrated data from MGM systems but did not confirm whether it included personally identifiable information (PII) of MGM customers, employees, and vendors. Furthermore, they threatened to notify Troy Hunt of HaveIBeenPwned.com if they could not come to an agreement with MGM. MGM’s hotels and casinos have since resumed normal operations, although there may still be some “intermittent issues”.


As for the outcome, multiple class action lawsuits were filed against MGM Resorts, alleging that it failed to protect PII data after being advised by Okta about targeted social engineering tactics against the company. MGM also suffered a financial loss of roughly 8.4 million dollars a day in revenue due to this cyber attack.
