In a recent cybersecurity incident that sent shockwaves through the industry, MGM Resorts International's resorts and casinos across the U.S. were plunged into chaos by a sophisticated cyberattack. Initially believed to be the work of the notorious group known as Scattered Spider, this operation showcased expertise in impersonation and malware deployment.
As we dive into the details, it becomes clear that this attack began with a clever social engineering breach of the company's IT help desk—a stark reminder of the ever-evolving tactics employed by threat actors. In this report, we explore the details of the attack, as well as which threat group may have been responsible for it.
On September 10, 2023, a cyberattack led the Las Vegas-based company, MGM Resorts International, to shut down certain systems, resulting in the disruption of digital room keys, requiring manual payouts for slot machines, and causing outages in websites and online reservation systems.
On September 11, 2023, according to reports, one of the company's properties, the Bellagio Las Vegas, confirmed that computer systems at all resorts were experiencing downtime, leading to a manual operation of computer-based tasks. Staff at the resort also mentioned that the interruption had an impact on credit card machines throughout their properties. When attempting to access mgmresorts.com, a message appeared, stating, "The MGM Resorts website is presently unavailable."
Across their social media platforms, MGM issued a statement addressing the technical challenges they were confronting.
Image 1: MGM's Statement About Their Breach on X (formerly known as Twitter)
By September 13, 2023, reports surfaced that things were becoming dire for the company, as it was projected to lose up to $8.4 million in revenue per day while the cybersecurity issues were being resolved. The company operates 19 casino hotels (with more than 40,000 rooms), including properties in Las Vegas, the casino capital of the world.
A study conducted by David Katz, a gaming industry analyst at Jefferies, indicated that MGM Resorts International was projected to experience a short-term decline in both revenue and cash flow, ranging from 10% to 20%, "as long as the existing conditions persist." Furthermore, Jefferies analysts disclosed that the corporation generates a daily revenue of $42 million and a daily cash flow of $8 million across its entire enterprise.
According to the Financial Times, initial reports stated threat actors tried to manipulate MGM’s slot machines but resorted to a ransomware attack when their initial plan failed. The attempt to manipulate MGM's slot machines likely failed due to the attackers' lack of familiarity with the underlying code, as noted by Lior Frenkel, CEO of Israel-based cybersecurity provider Waterfall. This difficulty arose because the threat actors employ a generic toolkit designed to target a broad range of companies, regardless of their specific industry.
When reports initially surfaced, the breach was attributed to Scattered Spider, which uses ransomware from ALPHV, also known as BlackCat, a ransomware-as-a-service (RaaS) operation. Scattered Spider excels in social engineering, a tactic involving the manipulation of victims by impersonating individuals or entities with whom the victim has a connection. Their expertise lies in "vishing," the art of accessing systems through persuasive phone calls.
Members of Scattered Spider, believed to be in their late teens and early 20s, are presumed to be located in Europe, with a possibility of some being in the US. They are fluent in English, which enhances the credibility of their vishing endeavors.
It was later revealed by BlackCat (ALPHV) that one of their affiliates was in fact responsible for the MGM attack, but they did not specifically name Scattered Spider. They did, however, report to Bleeping Computer that the affiliate responsible was not the same threat actor that attacked Western Digital in March 2023.
Following MGM’s internal infrastructure shutdown, the threat actors encrypted over 100 ESXi hypervisors. The group stated that they had exfiltrated data from MGM's network and still maintained access to parts of the company's infrastructure. Additionally, the threat actors encrypted MGM's data and demanded cryptocurrency for its release. They issued a threat of launching additional attacks unless an agreement to pay a ransom was reached.
According to sources familiar with the matter, online reports later identified the threat actor behind the MGM Resorts breach as Scattered Spider (CrowdStrike's name for the group), although various cybersecurity firms track the same threat actor under different names, such as "0ktapus" (Group-IB), "UNC3944" (Mandiant), and "Scatter Swine" (Okta).
The attribution of the MGM breach is somewhat complex, with BlackCat, a Ransomware-as-a-Service (RaaS) operation, making public claims of responsibility, while Scattered Spider, known to utilize BlackCat's malware, is also linked to the incident, leading to potential confusion in assigning blame. While the claims by Scattered Spider or BlackCat can't be independently verified, security researchers noted similarities with attacks by Scattered Spider on over 100 other victims in the past two years.
In MGM’s case, the threat actors discovered an employee's details on LinkedIn and then impersonated that individual when contacting MGM's IT help desk – the help desk call lasted 10 minutes. Their objective was to obtain the credentials needed to gain access to and infect the company’s systems. A follow-up report from Bloomberg noted that Okta, a service provider for MGM, had been actively supporting MGM in the aftermath of the incident.
Image 2: A Post (formerly known as a Tweet) from VX-Underground
Despite MGM's efforts to shut down the Okta servers for synchronization, the threat actors stayed within the network, as stated in BlackCat's announcement. They maintained that they still possessed super administrator privileges within MGM's Okta environment and held Global Administrator permissions for the company's Azure tenant.
Observing MGM's response, which showed no inclination to engage in negotiations through the provided chat, the threat actors proceeded to launch the ransomware attack. During this time, the threat actors admitted they were uncertain about the specific nature of the data they had acquired from MGM. However, they did threaten to extract sensitive information and make it public unless negotiations took place.
Image 3: BlackCat Releases Statement Regarding MGM Attack on Tor Site
Additionally, Bloomberg reporters disclosed that Scattered Spider also infiltrated Caesars Entertainment's network. Caesars Entertainment hinted at the possibility of paying the threat actor to prevent the release of customer data stolen during the attack, with the ransom demand reportedly set at $30 million. By September 19, 2023, Caesars ended up paying the threat actors $15 million in ransom.
In a recent statement, BlackCat noted that MGM Resorts had not responded through the provided communication channel, indicating a reluctance to negotiate a ransom payment. The hackers highlighted that MGM's only response to the breach had been to disconnect "each and every one of their Okta Sync servers" after discovering the intrusion; according to the attackers, they had been using those servers to capture any passwords not already obtained from the domain controller hash dumps.
Now, after more than 10 days, MGM’s systems are back online and hotel reservations are available through the company’s mobile app and website. However, gaming machines at some properties remain down. The attack is still under investigation by law enforcement, and there is no further information regarding when or if a ransom was paid by the company.
Image 4: MGM's Most Recent Update on X (formerly Twitter)
Scattered Spider, a threat group, was previously known to target the telecom and business process outsourcing sectors with a focus on infiltrating mobile carrier networks. Recently, their activities escalated significantly, primarily impacting the United States, the United Kingdom, Germany, France, Italy, Canada, Australia, and Japan.
Between June 2022 and the winter months, security researchers observed five intrusions by Scattered Spider. In December 2022, their campaign aimed to breach telecom systems, access subscriber data, and conduct SIM swapping. They exploited a vulnerability in the ForgeRock AM server to elevate their privileges on an AWS instance, often using compromised AWS tokens.
Scattered Spider often initiates access through social engineering, employing phone calls, SMS, or Telegram messages to impersonate IT staff. Victims are led to fake websites or prompted to download Remote Monitoring and Management tools, granting remote control to the threat actor. Even when Multi-Factor Authentication (MFA) is active, Scattered Spider uses various techniques to compromise victims.
The threat actors target a broad range of environments across industries, using tools such as AnyDesk, TeamViewer, and SSH RevShell. Scattered Spider downloads additional tools from various sources and accesses SharePoint and OneDrive for sensitive information. They have even exploited an old kernel vulnerability to escalate privileges and evade detection by security systems. Scattered Spider's tactics emphasize the evolving and persistent nature of cyber threats in today's digital landscape.
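The help-desk path described above leaves a recognizable trail in an identity provider's audit log: a password reset performed by help-desk staff, then a reset of the account's MFA factors, then an administrative privilege grant on that same account. The following Python detection pass is an added illustration (not code from the original report, MGM, or CrowdStrike) that hunts for that three-step sequence within a time window; the sample events are constructed, and the simplified field layout is an assumption about the Okta System Log format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample Okta System Log lines (not MGM telemetry; users and times are made up).
# The eventType values are standard Okta System Log names; the field layout is simplified.
SAMPLE_LOG = """
{"eventType":"user.account.reset_password","published":"2023-09-08T14:02:11Z","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"jdoe@example.com"}]}
{"eventType":"user.mfa.factor.reset_all","published":"2023-09-08T14:05:40Z","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"jdoe@example.com"}]}
{"eventType":"user.account.privilege.grant","published":"2023-09-08T14:31:07Z","actor":{"alternateId":"jdoe@example.com"},"target":[{"alternateId":"jdoe@example.com"}]}
{"eventType":"user.account.reset_password","published":"2023-09-08T09:15:00Z","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"asmith@example.com"}]}
{"eventType":"user.session.start","published":"2023-09-08T09:20:00Z","actor":{"alternateId":"asmith@example.com"},"target":[]}
"""

# The chain the report describes on one account: help-desk password reset, then MFA
# factors reset, then an admin privilege grant. A lone reset is routine; the sequence is not.
CHAIN = ["user.account.reset_password", "user.mfa.factor.reset_all", "user.account.privilege.grant"]


def parse_log(text):
    """Parse newline-delimited JSON events and sort them by publish time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["when"] = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["when"])


def target_of(event):
    """The account acted upon, or None for events without a target."""
    return event["target"][0]["alternateId"] if event.get("target") else None


def find_takeover_chains(log_text, window_minutes=60):
    """Return one finding per account on which CHAIN occurred in order within the window."""
    window = timedelta(minutes=window_minutes)
    per_user = {}
    for e in parse_log(log_text):
        user = target_of(e)
        if user and e["eventType"] in CHAIN:
            per_user.setdefault(user, []).append(e)
    findings = []
    for user, evs in per_user.items():
        step, start = 0, None
        for e in evs:
            if start is not None and e["when"] - start > window:
                step, start = 0, None  # chain went stale; look for a fresh reset
            if e["eventType"] == CHAIN[step]:
                if step == 0:
                    start = e["when"]
                step += 1
                if step == len(CHAIN):
                    findings.append({"user": user, "first": start, "last": e["when"]})
                    break
    return findings
```

On the sample data only jdoe@example.com trips the rule; asmith@example.com's routine reset does not, and shrinking the window below the 29 minutes the chain spans makes the jdoe finding disappear, which is the knob to tune against your own help-desk baseline.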
MGM Resorts and Caesars Entertainment have both submitted mandatory disclosures to the Securities and Exchange Commission (SEC) following ransomware attacks on their casino operations. In March of last year, the SEC enacted new regulations requiring publicly traded companies to report significant cybersecurity incidents to the regulatory body within a four-day window.
Caesars' SEC filing, dated September 14, acknowledges an unauthorized entity accessed and copied the company's loyalty program database on September 7. This database contained sensitive information, including Social Security and driver's license numbers, for a "significant" number of members.
MGM Resorts’ SEC report (dated September 13, 2023) is limited in detail. The hospitality company reiterates its earlier press release from September 12, 2023, indicating the presence of a "cybersecurity issue" and an ongoing investigation. Caesars informed the SEC that, "Our customer-facing operations, including our physical properties and our online and mobile gaming applications, have not been impacted by this incident and continue without disruption."
“We have incurred, and may continue to incur, certain expenses related to this attack, including expenses to respond to, remediate, and investigate this matter. The full extent of the costs and associated consequences of this incident, including potential coverage by our cybersecurity insurance or potential indemnification claims against third parties, remains undetermined." – Caesars
The SEC has chosen not to comment on the disclosure filings.
The breaches targeting MGM and Caesars Entertainment highlight the persistent nature of modern cyber threats. Scattered Spider appears to target vulnerabilities indiscriminately across industries rather than focusing on a specific sector, exploiting any weakness they come across.
Their adaptable tactics, including social engineering, demonstrate their ability to infiltrate high-profile organizations. Their fluency in English is what distinguishes them from other ransomware groups, enabling them to evade detection and execute successful social engineering attacks. Let these incidents serve as a reminder of the importance of remaining vigilant and adhering to robust cybersecurity best practices.
Please Note: The subsequent guidelines are based on CrowdStrike's comprehensive list of security controls for Scattered Spider, and we strongly advise their implementation.
AWS Token Pivoting
Enforce Azure Conditional Access Policies (CAP):
Other BlackCat IoCs
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.