Ransomware in the casinos.
Sep 15, 2023

Both MGM Resorts and Caesars Entertainment work to recover from ransom attacks.

Cyber criminals appear to have stolen six terabytes of data from MGM Resorts and Caesars Entertainment, Reuters reports. Scattered Spider, an anglophone affiliate of ALPHV, has been talking up its attack against MGM Resorts in particular. Members of the group have been boasting in their Telegram channels that their original plan was to rig slot machines and use money mules to drain them, but, when that didn't work out, they fell back on traditional social engineering to gain access to the company's systems in a ransomware operation. The Financial Times writes that the Spiders "evaded detection from the company’s security team by using common remote login software, and access to MGM’s corporate VPN to impersonate an employee’s digital footprint. They ran their malware remotely and claim to have penetrated the system within five hours of starting the attack, and evaded detection for eight days." A principal key to the gang's social engineering success is native proficiency in English and good idiomatic control, which rendered their approach more plausible than the usual "Hello Dear One" phishing emails so many non-native-speaking gangs use.

Some MGM Entertainment systems remain down.

The AP reports that some MGM Entertainment systems remain unavailable in the aftermath of the attack. According to BleepingComputer, there was more to the attack than data theft. The attackers claim they also encrypted more than 100 ESXi hypervisors. A statement by ALPHV (also known as BlackCat) said, “After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing. This was after they brought in external firms for assistance in containing the incident.” BleepingComputer also cites researchers at Mandiant who see a possible overlap between Scattered Spider and the Lapsus$ Group. In addition to overlapping tactics, there's an unusual demographic similarity that circumstantially suggests a connection: both groups are largely composed of English-speaking teenagers and young adults.

(Added, 5:30 PM ET, September 15th, 2023.) Ariel Parnes, co-founder and COO of Mitiga, points out that aspects of the incident remain unclear. “While MGM’s official statement provided a broad overview of the incident, there are still many questions unanswered. The specifics of the breach, the extent of the data accessed, and the potential ramifications remained unclear, which is to be expected given its ongoing nature. However, this lack of clarity inevitably paves the way for a plethora of rumors and speculations," Parnes wrote. In particular, there's little reason to take what those claiming the attack say at face value. "The veracity of the information released by MGM’s attacker remains uncertain. It is entirely possible that this disclosure is part of a calculated psychological campaign aimed at exerting added pressure on MGM. Such tactics can be employed to sow doubt, create internal discord and further the attacker’s agenda, making it imperative to approach such claims with caution and skepticism. Even if the statement does not describe the true story, it sheds some light on how attackers can leverage the inherent complexity of hybrid environments with on-premises data centers, Cloud and SaaS (Software as a Service).”

Caesars Entertainment files its 8-K.

As expected, Caesars Entertainment filed its 8-K with the SEC on Thursday, at roughly noon Eastern Time. The company said that its "customer-facing operations, including our physical properties and our online and mobile gaming applications," were unaffected. But "customer-facing operations" don't extend to all customer data. In particular, Caesars' loyalty program database was compromised. The information acquired by "an unauthorized actor" includes "driver’s license numbers and/or social security numbers for a significant number of members in the database." The company is continuing to investigate, but so far has found no signs that member credentials, bank account information, or paycard data were exposed. Despite that preliminary finding, Caesars, which says it determined the outlines of the attack on September 7th, is extending credit monitoring and identity theft protection to affected customers, whom it will be notifying over coming weeks.

Caesars said, "We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result." This has been widely interpreted as an acknowledgement that the company negotiated a ransom payment with the criminals who took its data. The Wall Street Journal put the amount of ransom paid at $15 million, half the $30 million the attackers demanded. In addition to hardening its own systems, the company said it had "taken steps to ensure that the specific outsourced IT support vendor involved in this matter has implemented corrective measures to protect against future attacks that could pose a threat to our systems." Caesars said it had incurred some expenses due to the attack, and might incur others as investigation and remediation proceed. It also acknowledged the difficulty of predicting the incident's effect on guest behavior. Nonetheless, "we currently do not expect that [the incident] will have a material effect on the Company’s financial condition and results of operations." So Caesars has made its assessment of materiality and decided that, for now, the incident is unlikely to have a material impact.

Social engineering and Willie-Suttonesque attraction of casinos.

It seems likely that both ALPHV and Scattered Spider were involved in the attacks, although Scattered Spider in a conversation with CyberScoop is claiming only the MGM Resorts attack, and not the Caesars ransomware operation. Most observers, however, think that Scattered Spider is an affiliate of ALPHV, and that it was involved in both incidents.

A number of experts have commented on the apparent ease with which the social engineering succeeded. Aviral Verma, Lead Security Analyst, Securin, wrote: “The attack vector used by the Scattered Spider aka UNC3944 group to infiltrate MGM was basic social engineering, a mere 10-minute conversation pretending to be an employee. And look at the havoc this small action caused. This is consistent with the group’s activity spanning across two years. In a previous incident, UNC3944 employed social engineering techniques to manipulate the IT help desk into resetting the MFA token. In their campaigns spanning late 2021 to mid-2022, they used a phishing kit called EIGHTBAIT to forward stolen credentials to a Telegram channel controlled by them. By mid 2023, they had started phishing campaigns with web pages copied from a targeted organization (often MFA vendors) to steal credentials. Post-initial compromise, the group has exploited CVE-2015-2291, a vulnerability in the Intel Ethernet diagnostics driver for Windows to evade defenses with what’s known as a Bring Your Own Vulnerable Driver (BYOVD) technique. The group was also behind the attack on Caesars, resulting in a reportedly $15 Million ransom payment, and the Twilio MFA passcodes breach last year. Their choice of weaponry in ransomware deployment was the BlackCat/ALPHV Ransomware.”

Emily Phelps, Director at Cyware, hopes that organizations learn lessons about the risk the human factor always presents. “If organizations take away anything from the Caesars ransomware attack, let it be a reminder that human behavior is one of the most common vulnerabilities threat actors exploit. Technologies change rapidly. Human behavior doesn't. Improving security awareness must be an ongoing effort, and it is only the beginning," she wrote. “To minimize social engineering risks, it's important to also ensure you require multifactor authentication, ideally using different types of authentication such as a passphrase and an authenticator app. Threat intelligence is critical to recognizing potential risks before they can cause harm. Organizations must not only have access to reliable intel; they must also be able to operationalize intelligence quickly. If you aren't taking action, you aren't reducing risk. This is why security collaboration and trusted intelligence sharing are critical to enabling enterprises to rapidly act on context-rich insights, moving from a reactive to a proactive security posture.”

Social engineering continues because it works. Dave Ratner, CEO of HYAS, commented, "Social engineering is one of the most successful ways bad actors breach an environment, and one of the hardest gaps to close. Continued user training is needed, but this must be complemented with defense-in-depth strategies that assume breaches will occur and detect the initial telltale signs of a breach, the digital exhaust indicating anomalous activity, so that the attack can be stopped before it expands and impacts operational resiliency."

The risk extends, as it did in at least one of these cases, to third-party providers. James McQuiggan, security awareness advocate at KnowBe4, commented, “Organizations work tirelessly to protect their infrastructure and data from cybercriminals. The challenge lies with the third-party service providers who can also access the network. If they have a different security culture and mindset, it can only be a matter of time before your organization succumbs to an attack. While cybersecurity occurs daily, a Third Party Risk Management program is crucial to assess vendors, security practices, controls, past breaches, and financial stability. Utilizing a least privilege and Zero Trust access program where organizations can limit vendor access permissions to only essential systems and data is crucial. Provide cybersecurity training for vendor management teams on risks, regulations, and contract best practices if needed. If a third-party organization does not have a strong security training program, it should be reviewed to consider if the risk is acceptable to work with them. Proactively managing third-party cyber risk is crucial for resilience. A robust TPRM program can pay significant dividends in the long run and will only lead to a data breach without one.”

Darren Williams, CEO and Founder at BlackFog, thinks these won't be the last attacks on casinos. (They're certainly not the first.) “The fact that this attack comes a year after MGM’s online sports betting company suffered a data breach shows that they have no control over data exfiltration within the organization. The gambling industry has become a firm favorite for cybergangs, with a 167% increase in attacks on the industry in 2022. Casinos are a lucrative target with high revenues and a plethora of sensitive data. Considering the size of MGM Resorts and its multibillion-dollar value, it’s a goldmine for cybercriminals. This won’t be the last threat MGM faces. This data-rich environment is an ideal target for cyber gangs and emphasizes the need for anti data exfiltration to prevent unauthorized data loss and ultimately prevent extortion by ransomware.”

Nick Tausek, Lead Security Automation Architect at Swimlane, focused on the reputational damage such attacks wreak. "These attacks are a stark reminder of how quickly a security breach can damage an organization's reputation," he wrote in emailed comments. "They also suggest that the Scattered Spider hacking group is targeting the gaming and hospitality industry. It is important to note that paying a ransom does not guarantee that the hackers will keep their word and delete the stolen data. Threat actors are not beholden to act in good faith after receiving a ransom payment, and it is common for hackers to extort victims further or sell their data on the dark web, even after being paid. Understanding the types of cyberattacks your organization is vulnerable to and finding an automation solution to mitigate them is paramount to preventing the exposure or breach of sensitive data. Casinos must put in place the right policies to identify and stop cyber threats if they want employees and consumers to feel confident that their sensitive and valuable data is safe and secure. Complete data protection can be made possible by all-encompassing cybersecurity systems that consolidate detection, response and investigation activities into a single platform."

(Added, 3:30 PM ET, September 15th, 2023.) Christopher Budd, Director of Sophos X-Ops, remembers Ocean's Eleven, which also had a social engineering plot. "This is the Ocean’s Eleven of the cyber age. The situation is unusual because there have been competing and contradictory claims as to who's responsible, with the Scattered Spider and ALPHV/BlackCat groups each staking their claim. There appears to be a turf war between these cybercriminal groups," he said. "This isn’t surprising – criminals and terrorists have made false claims of responsibility in other arenas in the past, and our research shows that criminals will scam and go after each other. Cybercriminals are now extending their game into the information warfare space, no longer just attacking companies but also attempting to control the overall narrative."

Budd also cautioned against too much focus on the attackers, which can be a futile distraction, as opposed to attention to their methods, which is always useful. "Attack attribution is difficult – and risky. Staying too focused on the 'who' rather than the 'how' of attackers can actually help the criminals, and can and will distract defenders' focus from what’s truly important, such as setting up detection and response operations and closely monitoring threat activity clusters. At this point, all casinos should be moving to the highest defensive posture possible and taking active measures to verify the integrity of their systems and environment, and reviewing – if not activating – their incident response processes. There’s been attacks against multiple casinos, and it’s possible we’ll see more. As the quote about why rob banks goes, ‘that's where the money is,’ applies here." (It was Willie Sutton who said that, by the way, and he knew something about bank robbery.)

Discerning a shift in ALPHV's approach.

(Added, 2:15 PM ET, September 15th, 2023.) Ferhat Dikbiyik, head of research at Black Kite, thinks that ALPHV's approach is unusual. "ALPHV's calculated approach to this entire affair raises some eye-opening questions. The group's detailed statement on the attack provides an almost surgical breakdown of MGM Resorts' security weaknesses. While social engineering was hinted at as the initial access point, the group itself pointed to a variety of technical vulnerabilities, specifically on ESXi servers. This isn't just a bunch of 'nerds doing things for fun;' ALPHV's statement exudes a sense of professionalism, almost as if they want to be perceived as a 'professional' ransomware group."

There's a curious concern for reputation among cyber gangs. "Ransomware groups...care deeply about how they are perceived. They are financially motivated actors who understand the power of narrative and public opinion. They're not just throwing out insider trading claims against MGM for the sake of hacktivism; they're doing it to paint themselves in a certain light and to potentially draw empathy towards their cause, thereby making their financial demands appear more reasonable. What's even more startling is their claim of continued access to some of MGM's systems, holding them hostage for a ransom payment. They're not just hackers; they're negotiators, waiting for the other side to 'grow a pair and reach out,' as they so eloquently put it." Thus this gang, and it's not alone, is also interested in counting coup. "This attack, and ALPHV's subsequent communication, is a reminder that modern ransomware groups are increasingly savvy, not just technically but also in terms of public relations. And that's something we all need to consider in our defense strategies."