The MGM Cyberattack Should be a Wakeup Call for Corporate Boards: Will they hit the snooze alarm again?

Our research and tracking of the global information war and the dramatic increase in ransomware attacks over the last three years have been indicating, for some time, that more attacks were coming and that corporate boards and their directors should prepare. The MGM ransomware attack makes this point well.

While this attack is a massive "one off," it fits a pattern of ransomware attacks in which social engineering is a core competency of the hacking groups responsible, and there does not seem to be a geopolitical angle here. Of keen interest to us, and something we continue to track, is a major attack that maps to a clear geopolitical, strategic agenda by China, Russia, North Korea, Iran, etc. Our research question remains: Is such an attack, with definitive attribution to a nation-state, in the "not if but when" column? And while there is no nation-state affiliation or geopolitical motive to this attack, the collaborative effort by these hacking groups, staged at the level of Las Vegas spectacle, is an alpha test of large-scale cyberattack capabilities (along with premium, global, unpaid media exposure and marketing) that can now be shopped around in the dark economy. And we know there are well-resourced buyers for such services.

Background

As an early warning system for our readership, we recently provided the following interrelated analyses of the omnipresent threat vectors in a global information war and the growing attack surfaces in an epidemic of large-scale ransomware attacks:

Ransomware Attacks in U.S. and Cyberattacks in Pacific Islands are Battlefields in Global Cyber War – These pattern-recognition and sensemaking efforts are a follow-up to our recent spotlight on The City of Dallas, Over a Month After A Ransomware Attack, Still not at Full Functionality and the U.S. Turning its Strategic Focus Towards Cyber Threat Vectors in Guam, Albania, and Costa Rica, further validating the broader cyber battles that the U.S. is fighting on a daily basis (in what is a broader, global cyber war in which we are already engaged against nation-state and non-state actors alike).

Lessons Learned from the MGM Attack Timeline

September 14th

MGM still responding to wide-ranging cyberattack as rumors run rampant

MGM Resorts is still struggling to recover from a cyberattack that has hampered significant parts of its business.

As reported by The Record:

“Since Monday [September 11th] — when the company confirmed that it shut down some systems after identifying a cybersecurity issue — its website has been down and customers have reported widespread issues with everything from slot machines to room keys. Customers have shared photos and videos of temporary measures the casinos are taking to continue operations while systems are down, including providing visitors with radios to communicate with staff and tallying slot machine losses or wins by hand. Rumors have run rampant as customers and employees search for answers about the situation. The company owns several high-profile Las Vegas properties, including Mandalay Bay, the Bellagio, the Cosmopolitan and the Aria. Employees are now fearful that they will not be paid on Friday and due to the company’s size, several ancillary businesses are warning their employees to be wary of “emails, files and electronic communications.” MGM Resorts reported that it brought in about $25 million per day in the third quarter of 2022, meaning the hotel is likely losing millions each day with the outages affecting dozens of slot machines and other resort functions.”

Scattered Spider, 0ktapus and Caesars

While MGM has refused to specify the nature of the cyberattack, Bloomberg reported on Wednesday that it was a ransomware incident, backing up claims relayed to the malware research platform vx-underground that an affiliate of the Black Cat/AlphV ransomware gang was behind the attack. A notable affiliate of the gang — known by researchers as Scattered Spider or 0ktapus — reportedly told vx-underground directly that they gained access to MGM’s systems by searching for employees on LinkedIn and spoofing the IT help desk. Reuters spoke to two sources that confirmed Scattered Spider was behind the incident. Scattered Spider has made a name for itself with several high-profile attacks, including one on Coinbase in February. The group — which is allegedly made up of U.S. and U.K.-based hackers — has shown skill with social-engineering techniques. The casino reportedly paid a $15 million ransom after being asked for $30 million.

Inside The Ransomware Attack That Shut Down MGM Resorts

“Imagine you save up all year to go to Vegas, and then you have this experience. It’s going to leave a bad taste in your mouth.”

As reported at Forbes: “More than 60 hours after a brazen cyberattack targeted the computer systems at one of the world’s largest casino-hotel chains, patrons trying to access the MGM Resorts website are still met by a splash page that apologizes for the inconvenience. Prominent among MGM’s stable of 19 U.S. properties are a dozen of the most iconic casino hotels in Las Vegas—including the Bellagio, Mandalay Bay and the Cosmopolitan. Since the attack was discovered…it has wreaked havoc on MGM’s operations, forcing guests to wait hours to check in and crippling electronic payments, digital key cards, slot machines, ATMs and paid parking systems…VX-Underground, a malware research group with nearly 229,000 followers on X, posted that ransomware-as-a-service group ALPHV, also known as BlackCat, claimed responsibility for executing the attack by using social engineering to identify on LinkedIn an MGM employee who worked in IT support. The next step was simply to call the MGM help desk. Astonishingly, the attack took about 10 minutes to execute.”

September 15th

Okta Agent Involved in MGM Resorts Breach, Attackers Claim

ALPHV/BlackCat ransomware operators have used their leak site to “set the record straight” about the MGM Resorts cyberattack. Meanwhile, more attacks abusing Okta could be likely.

Dark Reading reports: “The threat actors believed to be behind last week’s MGM Resorts and Caesars Entertainment cyberattacks now say they were able to breach MGM’s systems by somehow cracking into the company’s Okta platform, specifically the Okta Agent, which is the lightweight client that connects to an organization’s Active Directory. Okta is a popular identity and access management (IAM) provider for the cloud. “MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking in their Okta Agent servers sniffing passwords of people whose passwords couldn’t be cracked from their domain controller hash dumps,” ALPHV wrote on its leak site, in a statement that Emsisoft researcher Brett Callow tweeted out. “This resulted in their Okta being completely out.” The ALPHV statement added that after lurking around Okta for a day and scooping up passwords, the threat group then launched ransomware cyberattacks against more than 1,000 ESXi hypervisors on Sept. 11, “… after trying to get in touch [with MGM] but failing,” the statement said.”

MGM Resorts Hackers Broke In After Tricking IT Service Desk

  • Okta warned about hackers using similar techniques in August
  • Group suspected of attack is well known for social engineering

From Bloomberg: “The online attack that disrupted MGM Resorts International resorts and casinos across the country began with a social engineering breach of the company’s information technology help desk, according to a cybersecurity executive familiar with the investigation. David Bradbury, chief security officer at the identity and access management company Okta, said his company issued a threat advisory in August about similar attacks against some of its customers, in which hackers used low-tech social engineering tactics to gain entry and then more advanced methods that allow them to impersonate users on the networks. A former MGM employee who was familiar with the company’s cybersecurity policies pointed to the help desk as vulnerable to attack. The person said that to obtain a password reset, employees would only have to disclose basic information about themselves – their name, employee identification number and date of birth – details that would be trivial to obtain for a criminal hacking gang. The employee, who requested anonymity to discuss sensitive matters, said details were too easy to obtain and were the root cause of what ‘caught MGM up here.’”
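Read together, the Bloomberg and Dark Reading accounts above describe one chain: a help-desk credential or MFA reset obtained with publicly discoverable details (name, employee ID, date of birth), followed by the reset account being used inside Okta to impersonate users and reach the rest of the estate. That chain is something an identity team can hunt for in its own Okta System Log. The script below is an added example, not code from the article, from MGM, or from Okta. It flags any account whose reset is followed within a configurable window by that account creating an identity provider, starting a user impersonation session, or granting admin rights. The event type strings follow Okta System Log naming but are an assumption to confirm against your tenant's export, and the log lines are constructed for the example.

```python
"""Triage Okta System Log events for the reset-then-escalate chain.

Added example; not code from the article, from MGM, or from Okta. Event type
strings follow Okta System Log naming and should be confirmed against your own
tenant's export. SAMPLE_LOG is constructed data, not a real capture.
"""
import json
from datetime import datetime, timedelta

# Stage 1: the help desk (or an attacker posing as a user to the help desk)
# resets an account's password or clears its MFA factors.
RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}

# Stage 2: the reset account gains or exercises power it did not have before.
ESCALATION_EVENTS = {
    "system.idp.lifecycle.create",          # new identity provider (inbound federation)
    "user.session.impersonation.initiate",  # admin starts acting as another user
    "user.account.privilege.grant",         # admin role handed to some account
}

# Constructed sample, one JSON event per line, in the shape of a System Log export.
# it-support@ is reset by the help desk, then acts from an outside IP within 30 min;
# jane.doe@ is reset and simply logs in, which must not be flagged.
SAMPLE_LOG = """
{"published":"2023-09-10T09:02:11.000Z","eventType":"user.account.reset_password","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"it-support@example.com"}],"client":{"ipAddress":"10.0.0.5"}}
{"published":"2023-09-10T09:03:40.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"it-support@example.com"}],"client":{"ipAddress":"10.0.0.5"}}
{"published":"2023-09-10T09:21:05.000Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"it-support@example.com"},"target":[{"alternateId":"Rogue IdP"}],"client":{"ipAddress":"198.51.100.23"}}
{"published":"2023-09-10T09:25:30.000Z","eventType":"user.session.impersonation.initiate","actor":{"alternateId":"it-support@example.com"},"target":[{"alternateId":"cfo@example.com"}],"client":{"ipAddress":"198.51.100.23"}}
{"published":"2023-09-10T09:31:00.000Z","eventType":"user.account.privilege.grant","actor":{"alternateId":"it-support@example.com"},"target":[{"alternateId":"contractor@example.com"}],"client":{"ipAddress":"198.51.100.23"}}
{"published":"2023-09-10T10:05:00.000Z","eventType":"user.account.reset_password","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"jane.doe@example.com"}],"client":{"ipAddress":"10.0.0.5"}}
{"published":"2023-09-10T10:09:00.000Z","eventType":"user.session.start","actor":{"alternateId":"jane.doe@example.com"},"target":[{"alternateId":"jane.doe@example.com"}],"client":{"ipAddress":"10.0.4.77"}}
"""


def parse_events(raw):
    """Flatten the fields this check needs and return the events in time order."""
    events = []
    for line in raw.strip().splitlines():
        e = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(e["published"].replace("Z", "+00:00")),
            "type": e["eventType"],
            "actor": e["actor"]["alternateId"],
            "target": e["target"][0]["alternateId"],
            "ip": e["client"]["ipAddress"],
        })
    return sorted(events, key=lambda ev: ev["time"])


def find_reset_to_escalation(events, window_minutes=60):
    """For every account that was reset, collect escalation events that account
    performed or received within window_minutes after its first reset.
    Returns one finding per suspicious account; accounts with no follow-on
    escalation produce nothing."""
    window = timedelta(minutes=window_minutes)
    first_reset = {}
    for e in events:
        if e["type"] in RESET_EVENTS:
            first_reset.setdefault(e["target"], e)  # keep the earliest reset only

    findings = []
    for account, reset in first_reset.items():
        deadline = reset["time"] + window
        chain = [
            e for e in events
            if e["type"] in ESCALATION_EVENTS
            and reset["time"] <= e["time"] <= deadline
            and account in (e["actor"], e["target"])
        ]
        if chain:
            findings.append({
                "account": account,
                "reset_at": reset["time"].isoformat(),
                "reset_by": reset["actor"],
                "escalations": [(e["type"], e["target"]) for e in chain],
                "source_ips": sorted({e["ip"] for e in chain}),
            })
    return findings


if __name__ == "__main__":
    for finding in find_reset_to_escalation(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

Two caveats when running this against a real tenant. The check only sees help-desk resets that are performed through Okta; if the desk resets passwords in Active Directory and lets the Okta AD Agent sync them, the reset shows up elsewhere, so collect that source too. And detection is the second line: the first is a reset procedure that does not accept name, employee ID and date of birth as proof of identity, and that requires a call back to a number on file or an in-person check before any administrator's MFA is cleared.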


Published On: September 20, 2023


About the Author: Patriotman

Patriotman currently ekes out a survivalist lifestyle in a suburban northeastern state as best as he can. He has varied experience in political science, public policy, biological sciences, and higher education. Proudly Catholic and an Eagle Scout, he has no military experience and thus offers a relatable perspective for the average suburban prepper who is preparing for troubled times on the horizon with less than ideal teams and in less than ideal locations. Brushbeater Store Page: http://bit.ly/BrushbeaterStore
