Ransomware Attack on MGM Resorts International by ALPHV/Blackcat/Scattered Spider

Morgan Phisher November 2, 2023

Hey there, have you heard about the wild ride MGM Resorts International and Caesars Entertainment went through recently? Remarkably, both were targeted by ransomware attacks within just a few short days of each other. MGM’s attack knocked them back a whopping $80 million in lost revenue thanks to operational disruptions and over 36 hours of IT downtime. Let me tell you, their customer service took a pretty big hit too.

Hear me out now: these attacks on MGM and Caesars aren’t some kid’s bedroom shenanigans. They underscore the sophistication of the threat landscape we’re dealing with right now and the glaring deficiencies in our defense strategies against cyber-attacks.

And when did MGM announce they were back in business? Nine days after the mess all started. I’m just saying, it’s high time we scrutinize this incident and possibly unravel some nasty chunks of truth about our cybersecurity protocols.

Now, here come the players: researchers have pinned the blame on several ransomware groups, notably ALPHV, also known as Blackcat. These guys were audacious enough to even claim responsibility publicly. And why not? They infiltrated the network, installed backdoors everywhere, and made off with a lot of data. They even warned that if they stumbled upon some personally identifiable information (PII), they would leak it!

Want to take a whack at guessing how the attack unfolded? It started with some good old-fashioned spearphishing, specifically targeting an MGM Resorts Administrator. The attacker would have gained access, dug in their heels, and proceeded to move laterally, all while strategically stealing credentials. It ended in a grand finale with the encryption of numerous servers. Pretty much a Hollywood plot, don’t you think?

So let’s dive a bit deeper: our naughty adversary, determined to take MGM down, chose their entry point carefully. They started off with a simple SMS phishing strategy followed by a clever stint of social engineering to gain access to the cloud environment. Once inside, they tinkered about, stealing important data and implanting backdoors, gaining very high-level access in no time.

But perhaps the most audacious thing they did was confirming their actions to the world. They offered a link to download all the data they had pilfered up to the day of the attack. Now, they’re lying low, waiting to see if any PII was among their loot. If so, they’ve threatened to go public.

What’s clear here is how unaware MGM was of the catastrophe unfolding in their networks. They tried to contain the attack and, honestly, it seems like they were caught off guard with their lack of incident preparedness and inadequate contingency procedures.

But here’s the silver lining. All of this can be a lesson for us to boost our defense strategies. We can start by improving our incident response framework to better align with our company’s operations. Let’s also verify our backup and restoration procedures and fine-tune them so we can recover swiftly in the aftermath of a similar debacle.

Another area we should focus on is strengthening our cybersecurity defenses and making sure our network architecture is intelligently segmented. And remember folks, staying connected and informed about our response practices can make all the difference in coordinated response efforts.

Alright, that’s enough from me today, stay safe, cyber warriors!

by Morgan Phisher