MGM still responding to wide-ranging cyberattack as rumors run rampant
Update (8:10 pm): Ransomware hackers connected to the BlackCat/Alphv gang took credit for the cyberattack Thursday afternoon in a 1,000-word message posted to its website. The hackers claimed they had access to MGM Resorts' Okta and Azure environments starting on Friday and gained administrator privileges, allowing them widespread access to the company's systems. The group's statement could not immediately be verified, and MGM did not respond to a request for comment about the allegations.
MGM Resorts is still struggling to recover from a cyberattack that has hampered significant parts of its business.
The hospitality giant, which controls multiple hotels and casinos across Las Vegas as well as properties across the U.S., has not responded to requests for comment but said on Thursday that it continues to "work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly."
"We couldn't do this without the thousands of incredible employees who are committed to guest service and support from our loyal customers," the company said.
Since Monday — when the company confirmed that it shut down some systems after identifying a cybersecurity issue — its website has been down and customers have reported widespread issues with everything from slot machines to room keys.
Customers have shared photos and videos of temporary measures the casinos are taking to continue operations while systems are down, including providing visitors with radios to communicate with staff and tallying slot machine losses or wins by hand. Rumors have run rampant as customers and employees search for answers about the situation.
The company owns several high-profile Las Vegas properties, including Mandalay Bay, the Bellagio, the Cosmopolitan and the Aria.
Employees are now fearful that they will not be paid on Friday, and because of the company’s size, several ancillary businesses are warning their own employees to be wary of “emails, files and electronic communications.”
MGM Resorts reported the issue to the Securities and Exchange Commission (SEC) on Tuesday, noting that law enforcement agencies and cybersecurity experts are now involved in the response.
“Our investigation is ongoing, and we are working diligently to resolve the matter. The Company will continue to implement measures to secure its business operations and take additional steps as appropriate,” it said.
MGM Resorts reported that it brought in about $25 million per day in the third quarter of 2022, meaning the company is likely losing millions each day with the outages affecting dozens of slot machines and other resort functions.
Scattered Spider, 0ktapus and Caesars
While MGM has refused to specify the nature of the cyberattack, Bloomberg reported on Wednesday that it was a ransomware incident, backing up claims relayed to the malware research platform vx-underground that an affiliate of the Black Cat/AlphV ransomware gang was behind the attack.
A notable affiliate of the gang — known by researchers as Scattered Spider or 0ktapus — reportedly told vx-underground directly that they gained access to MGM’s systems by searching for employees on LinkedIn and spoofing the IT help desk. Reuters spoke to two sources that confirmed Scattered Spider was behind the incident.
Scattered Spider has made a name for itself with several high-profile attacks, including one on Coinbase in February. The group — which is allegedly made up of U.S. and U.K.-based hackers — has shown skill with social-engineering techniques.
A report from cybersecurity company Group-IB said a recent phishing campaign by the group resulted in 9,931 accounts from more than 136 organizations being compromised — including Riot Games, Reddit and Twilio. While Scattered Spider was initially identified as involved only in data theft, in recent months they allegedly have coordinated with the Black Cat/AlphV ransomware gang — with several recent victims showing up on the group’s leak site.
Group-IB calls the group “0ktapus” because it targets users of tech company Okta’s identity and access management services. Typically it sends victims to lookalike pages to steal Okta credentials.
“The methods used by this threat actor are not special, but the planning and how it pivoted from one company to another makes the campaign worth looking into,” said Rustam Mirkasymov, head of cyber threat research at Group-IB Europe.
“0ktapus shows how vulnerable modern organizations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their partners and customers.”
Members of the group spoke to the Financial Times and TechCrunch this week, claiming their original goal was to attack MGM’s slot machines only and use paid mules to slowly milk the devices. But when that failed, they turned to their tried-and-true methods of attack, eventually encrypting the company’s systems.
According to Telegram conversations with both outlets, the hackers were able to exploit remote login software and leaked VPN account information from MGM employees to move throughout the company’s system.
Four sources told Bloomberg that the same group used a similar method to attack another casino giant — Caesars Entertainment — just weeks ago. The hackers who spoke to Financial Times and TechCrunch denied being part of the attack on Caesars Entertainment.
Caesars Entertainment reported its attack to the SEC last week, explaining that the hackers gained copies of their loyalty program database, which includes driver’s license numbers and/or social security numbers for a significant number of members in the database.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result. We are monitoring the web and have not seen any evidence that the data has been further shared, published, or otherwise misused,” the company said, tacitly confirming reports that it paid a ransom to the hackers.
The casino reportedly paid a $15 million ransom after being asked for $30 million.
‘Impossible to prevent’
Kory Daniels, CISO of cybersecurity company Trustwave, said that in the gaming and casino industry, the magnitude of transactions and the wealth of personal data make it a prime target. A recent report from the company on the hospitality industry found at least 59 ransomware attacks and identified credential access as the top attack method.
A source from the cybersecurity industry told Recorded Future News that MGM Resorts’ Microsoft Exchange Servers are “highly outdated and vulnerable to probably every vulnerability since 2021.”
“I just got curious and checked their domain in a public scanner called http://LeakIX.net, which is where I found that their Exchange was last patched in 2021,” the source said, requesting anonymity to speak freely about the findings. “Means they had several critical vulns in there. The server is still up at time of writing.”
Other researchers confirmed that a database containing information linked to MGM Resorts was posted on a well-known hacking forum months before the attack was announced.
This is not the first time MGM has dealt with a hacking incident. The company’s online sports betting company BetMGM reported a breach in December that involved the names, Social Security numbers and financial information of an unknown number of customers.
In 2020, the personal information of 10.6 million users who stayed at MGM Resorts was leaked to a hacking forum.
Steve Hahn, executive vice president at cybersecurity firm BullWall, said casinos have some of the largest attack surfaces out there.
“Every IoT device presents the threat actors with another attack vector. I spoke to a casino that was hit recently that had the attack initiate on a temperature sensor in a large aquarium on their property,” he said.
“Ransomware is also nearly impossible to prevent from a focused and dedicated threat actor.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.