Ransomware Attack on MGM Resorts International by ALPHV/Blackcat/Scattered Spider

Morgan Phisher October 5, 2023

Hey, everyone in the healthcare and cybersecurity world! You folks remember the big news about the cyber attack on MGM Resorts International on September 10th, right? It was a major incident, dominated the tech news, and raised a ton of concern in our industry. To add to that, just three days earlier, another huge player in the resort industry, Caesars Entertainment, determined that it had been hit by a similar intrusion. Word on the street is that Caesars paid roughly $15 million, about half of the $30 million the attackers originally demanded. Pretty wild times, don't you think?

The attack on MGM, in particular, shook things up seriously. We're talking about a loss in the neighborhood of $80 million from operational disruption alone, a real wake-up call for businesses to prioritize cybersecurity. Besides the financial impact, the attack knocked core IT systems offline for over a day and a half and badly disrupted customer service: slot machines, room keys, reservations, and websites were all affected. What we've seen from the crises at MGM and Caesars, two of the world's largest casino companies, is a reality check on how sophisticated today's cybercriminals are and how current defenses aren't cutting it.

Fast forward to September 19th, just over a week after the MGM story broke. MGM Resorts finally announced on social media that its systems had been restored and business was up and running again.

Now, ever wondered how these attacks actually went down? The folks over at Morphisec have pieced together a hypothetical scenario based on their investigation and the publicly available data. The brains behind the operation were apparently Scattered Spider (the crew also tracked as UNC3944 and 0ktapus), working as an affiliate of the ALPHV/BlackCat ransomware operation, and ALPHV/BlackCat publicly took credit for the hit. In that statement they claimed super admin access to the network and said they had planted backdoors (imagine the audacity!). There's also chatter about data theft, with some suggestions that they were sifting through piles of data looking for personal information.

The suspected attack flow is an interesting read, but a bit technical. In Morphisec's scenario, the attackers smished (phished via text message) an admin and pulled off a SIM swap, which let them intercept the one-time codes sent to that phone and get into the network with the admin's identity. Keep in mind that this is a hypothesis; the widely reported version is that initial access came from a short phone call to MGM's IT help desk by someone impersonating an employee found on LinkedIn. Either way, the lesson is the same: SMS codes and phone-based identity checks are the weak link. Once inside, the attackers presumably moved laterally, established persistence, and harvested credentials from the domain controllers. All of this eventually led to them encrypting around 100 of MGM's ESXi hypervisors, which takes down every virtual machine on those hosts at once. Makes you want to double-check your network security right now, doesn't it?

When it comes to these attacks, the MGM folks seemed to be caught off guard, and the response looked confused and under-prepared. What was surprising was that the attack continued even after initial detection and the first response measures. For instance, after MGM isolated some of its critical assets, the attackers still managed to encrypt about 100 ESXi servers roughly a day later. Not great, since that knocked the whole IT environment offline for a solid 36 hours. Containment that leaves the attackers' footholds and stolen credentials in place just buys them time.

Seems like the healthcare and cybersecurity sphere can learn a thing or two from this whole fiasco. We could start by regularly rehearsing our contingency plans and making sure our backup and restoration procedures are air-tight, which means backups the attackers can't reach or quietly encrypt, and restores we have actually tested rather than assumed. A robust, layered defense strategy comes in handy, and segmenting the network so that one compromised admin account can't reach the hypervisors is crucial. This situation also highlights the need for incident response practices that match how our operations actually run and that our employees understand.
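To make the "air-tight backups" lesson concrete, here is a small backup integrity and restore drill in Python. It is an added example written for this post, not code from MGM, Morphisec, or the attackers, and it uses constructed sample files plus an assumed HMAC key that would be kept off the backup host. It signs a manifest of file hashes, re-verifies the backup later, flags files that have gone missing or been overwritten (the way ransomware would), detects a manifest that someone edited to cover that up, and performs a throwaway restore into a scratch directory to prove the copy can actually be brought back.

```python
"""Added example: a minimal backup integrity and restore drill.

Not from the original post. Demonstrates three checks a practitioner wants
before trusting a backup during ransomware recovery: per-file hashes, an HMAC
over the manifest so a tampered manifest is caught, and a real restore test.
"""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file, read in chunks so large dumps do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, key):
    """Hash every file under backup_dir and sign the listing with an HMAC key."""
    backup_dir = Path(backup_dir)
    entries = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file():
            entries[p.relative_to(backup_dir).as_posix()] = file_digest(p)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(backup_dir, manifest, key):
    """Return which files are missing or modified; refuse an unsigned or edited manifest."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return {"manifest_tampered": True, "missing": [], "modified": []}
    missing, modified = [], []
    for rel, digest in manifest["entries"].items():
        p = Path(backup_dir) / rel
        if not p.is_file():
            missing.append(rel)
        elif file_digest(p) != digest:
            modified.append(rel)
    return {"manifest_tampered": False, "missing": missing, "modified": modified}


def restore_drill(backup_dir, manifest, key):
    """Restore into a scratch directory and verify the result; True only if it is exact."""
    target = tempfile.mkdtemp(prefix="restore-drill-")
    try:
        for rel in manifest["entries"]:
            src, dst = Path(backup_dir) / rel, Path(target) / rel
            if src.is_file():  # a missing source is reported by verify_backup below
                dst.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(src, dst)
        r = verify_backup(target, manifest, key)
        return not (r["manifest_tampered"] or r["missing"] or r["modified"])
    finally:
        shutil.rmtree(target, ignore_errors=True)


def demo():
    """Constructed scenario: a clean backup, then a file overwritten in place."""
    key = b"drill-key-kept-off-the-backup-host"  # assumption: stored elsewhere, not with the backup
    work = Path(tempfile.mkdtemp(prefix="backup-"))
    try:
        (work / "config").mkdir()
        (work / "config" / "hosts.txt").write_bytes(b"esxi01\nesxi02\n")  # constructed sample
        (work / "db.dump").write_bytes(b"-- constructed sample dump --\n")
        manifest = build_manifest(work, key)
        clean = verify_backup(work, manifest, key)
        restored_ok = restore_drill(work, manifest, key)
        # Simulate ransomware overwriting one backup file with ciphertext.
        (work / "db.dump").write_bytes(os.urandom(32))
        after = verify_backup(work, manifest, key)
        # Simulate the attacker patching the manifest to hide the change: HMAC catches it.
        forged = {"entries": dict(manifest["entries"]), "hmac": manifest["hmac"]}
        forged["entries"]["db.dump"] = file_digest(work / "db.dump")
        forged_check = verify_backup(work, forged, key)
        return {
            "clean_ok": not clean["modified"] and not clean["missing"],
            "restored_ok": restored_ok,
            "modified_after": after["modified"],
            "forged_detected": forged_check["manifest_tampered"],
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The drill is only meaningful if the manifest key lives somewhere the attacker cannot reach from the backup host, and if the scratch restore is run on a schedule rather than once; a backup that has never been restored is a hope, not a plan.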

Remember, we’re all in this together. Let’s navigate these tech-storms with preparedness and the right strategy in place.

by Morgan Phisher