Executive Summary
In September 2023, MGM Resorts, a prominent entity in the global hospitality and gaming sector, fell victim to a sophisticated cyberattack orchestrated by the hacking group Scattered Spider, a subgroup of the notorious ALPHV ransomware gang. This attack led to significant operational disruptions across MGM's iconic properties, particularly those on the Las Vegas Strip. The attackers employed advanced social engineering techniques, specifically vishing, to infiltrate MGM's network, resulting in a substantial financial impact and the exposure of sensitive customer data. This report provides a detailed analysis of the attack, the threat actors involved, and the mitigation strategies employed by MGM Resorts.
Technical Information
The cyberattack on MGM Resorts was a meticulously planned operation executed by Scattered Spider, a subgroup of the ALPHV ransomware gang, known for its expertise in social engineering attacks. The group has been active since 2020, targeting large organizations with sophisticated ransomware attacks. In this instance, the attackers utilized vishing, a form of voice phishing, to deceive MGM employees into revealing their login credentials. By impersonating IT staff or trusted vendors, the attackers gained unauthorized access to MGM's network. Once inside, they deployed ransomware, encrypting critical data and demanding a ransom for its release.
The attack disrupted various operational systems, including slot machines, ATMs, digital key cards, electronic payment systems, and online reservations. The financial repercussions were significant, with MGM Resorts reporting a $100 million impact on its third-quarter results.
The attack also led to the exposure of personal information for some MGM customers, including names, contact information, gender, date of birth, and driver's license numbers. For a limited number of customers, Social Security numbers and passport numbers were also compromised. Despite the breach, MGM Resorts has stated that there is no evidence of identity theft or account fraud resulting from the incident.
Exploitation in the Wild
The exploitation of MGM Resorts' network was primarily achieved through vishing, where attackers posed as legitimate IT staff or partners to extract login credentials from unsuspecting employees. This method allowed Scattered Spider to bypass traditional security measures and gain access to sensitive systems. The attackers then deployed ransomware to encrypt critical data, holding it hostage pending payment of the ransom. The Indicators of Compromise (IOCs) available for this incident are behavioural rather than sample-specific: successful logins from external IP addresses the account had not used before, access to sensitive data outside an employee's normal activity, and the presence of ransomware signatures on hosts within the network.
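The login-based indicator above is detectable only when sign-in events are correlated with the help-desk activity that preceded them. The following is an added example, not code from the Rescana report or from MGM Resorts: it scans authentication logs for a help-desk credential reset followed, within a day, by a successful login from an address the account has never used and that lies outside the corporate range. The log format, field names, the corporate range (10.0.0.0/8) and every sample line are constructed for this demonstration.

```python
"""Added example, not code from the Rescana report or from MGM Resorts.

Correlates a help-desk credential reset with a later successful sign-in from
an IP address the account has never used before and that lies outside the
corporate range: the login pattern described in the IOC paragraph above.
The log format, field names, the corporate range and every sample line are
constructed for this demonstration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed assumption: the corporate address space is 10.0.0.0/8.
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")
RESET_EVENT = "helpdesk_credential_reset"
WINDOW = timedelta(hours=24)

# Constructed sample log: "<UTC timestamp> <event> key=value ..."
SAMPLE_LOG = """\
2023-09-08T09:02:11Z login_success user=jdoe ip=10.20.30.41
2023-09-08T09:15:43Z login_success user=asmith ip=10.20.30.77
2023-09-09T14:21:05Z helpdesk_credential_reset user=jdoe ip=10.20.1.5 agent=hd-ops
2023-09-09T14:29:30Z login_success user=jdoe ip=198.51.100.23
2023-09-09T15:00:00Z helpdesk_credential_reset user=asmith ip=10.20.1.5 agent=hd-ops
2023-09-09T15:03:17Z login_failure user=asmith ip=10.20.30.77
2023-09-09T15:05:12Z login_success user=asmith ip=10.20.30.77
2023-09-10T08:00:00Z login_success user=jdoe ip=10.20.30.41
"""


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp and key=value fields."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return {"ts": ts, "event": parts[1], **fields}


def is_corporate(ip):
    return ipaddress.ip_address(ip) in CORPORATE_NET


def find_reset_then_new_external_login(log_text, window=WINDOW):
    """Return one alert per successful login that (a) follows a help-desk reset
    for the same user within `window`, (b) comes from an IP the user has not
    used earlier in this log, and (c) is outside the corporate range."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    known_ips = defaultdict(set)  # per-user IPs observed so far
    last_reset = {}               # user -> timestamp of the latest reset
    alerts = []
    for e in events:
        user = e.get("user")
        if e["event"] == RESET_EVENT:
            last_reset[user] = e["ts"]
        elif e["event"] == "login_success":
            ip = e["ip"]
            reset_ts = last_reset.get(user)
            if (
                reset_ts is not None
                and e["ts"] - reset_ts <= window
                and ip not in known_ips[user]
                and not is_corporate(ip)
            ):
                alerts.append({"user": user, "ip": ip,
                               "reset_at": reset_ts, "login_at": e["ts"]})
            known_ips[user].add(ip)  # learn the address even when it alerts
    return alerts


if __name__ == "__main__":
    for a in find_reset_then_new_external_login(SAMPLE_LOG):
        print(f"ALERT {a['user']}: reset at {a['reset_at']:%H:%M}Z, "
              f"login from new external IP {a['ip']} at {a['login_at']:%H:%M}Z")
```

On the constructed sample the only alert is for jdoe, whose reset is followed eight minutes later by a login from 198.51.100.23; asmith's reset is followed by a login from the usual internal address and is not flagged. In production the "known IP" baseline would come from weeks of history rather than the same file, and the reset event from the ticketing or identity-provider audit log.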
APT Groups using this vulnerability
Scattered Spider, a subgroup of the ALPHV ransomware gang, is the primary threat actor responsible for the MGM Resorts cyberattack. This group has a history of targeting large organizations with sophisticated social engineering techniques, particularly vishing. They have also been linked to a recent attack on Caesars Entertainment, where they reportedly demanded a $30 million ransom. The group's activities highlight the growing threat of advanced persistent threats (APTs) in the cybersecurity landscape.
Affected Product Versions
The cyberattack affected various operational systems within MGM Resorts, including slot machines, ATMs, digital key cards, electronic payment systems, and online reservations. The specific product versions impacted by the attack have not been disclosed by MGM Resorts. However, the attack underscores the vulnerability of interconnected systems within large organizations and the need for robust security measures to protect against such threats.
Workaround and Mitigation
In response to the attack, MGM Resorts implemented several mitigation strategies to contain the breach and restore its systems. The company worked closely with law enforcement agencies, including the FBI, to investigate the incident. MGM Resorts has also committed to enhancing its cybersecurity measures, including strengthening its authentication processes, implementing advanced threat detection systems, and conducting regular security audits. Additionally, the company has provided support to affected customers, waiving change and cancellation fees for disrupted bookings and offering identity protection services to those impacted by the data breach.
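"Strengthening authentication processes" in this context means, above all, changing what a service desk will do for a caller it cannot verify. The following is an added example, not code from the Rescana report or from MGM Resorts: a policy check run before a phone or chat request to reset a password or re-enrol MFA is honoured. The privilege groups, proof names, channel names and the sample requests are all constructed assumptions for the demonstration.

```python
"""Added example, not code from the Rescana report or from MGM Resorts.

A policy check a service desk can run before honouring a request to reset a
password or re-enrol MFA, i.e. the request a vishing caller makes. Privilege
groups, proof names, channel names and the sample requests are constructed
assumptions for this demonstration.
"""
from dataclasses import dataclass, field

# Constructed assumption: membership in any of these groups marks a privileged account.
PRIVILEGED_GROUPS = {"domain-admins", "idp-super-admins", "helpdesk-operators"}

# Proof types the desk can record (constructed names).
CALLBACK = "callback_to_number_on_record"
MANAGER = "manager_approval"
ID_DOC = "id_document_checked"


@dataclass
class ResetRequest:
    username: str
    action: str                  # "password_reset" or "mfa_reenroll"
    channel: str                 # "phone", "chat", "video", "in_person"
    groups: set = field(default_factory=set)
    proofs: set = field(default_factory=set)


def required_proofs(req):
    """Proofs the policy demands for this request (constructed policy)."""
    needed = set()
    if req.channel in {"phone", "chat"}:
        needed.add(CALLBACK)      # never act on a number the caller supplies
    if req.action == "mfa_reenroll":
        needed.add(MANAGER)       # re-enrolling MFA replaces the strongest factor
    if req.groups & PRIVILEGED_GROUPS:
        needed.update({MANAGER, ID_DOC})
    return needed


def evaluate(req):
    """Return (allowed, missing_proofs, audit_record).

    Privileged accounts are never reset over phone or chat, whatever proofs
    the caller offers; the audit record is emitted for every decision."""
    missing = required_proofs(req) - req.proofs
    privileged = bool(req.groups & PRIVILEGED_GROUPS)
    remote = req.channel in {"phone", "chat"}
    allowed = not missing and not (privileged and remote)
    audit = {
        "user": req.username, "action": req.action, "channel": req.channel,
        "privileged": privileged, "allowed": allowed, "missing": sorted(missing),
    }
    return allowed, sorted(missing), audit


# Constructed sample requests.
SAMPLES = [
    ResetRequest("jdoe", "password_reset", "phone", proofs={CALLBACK}),
    ResetRequest("jdoe", "mfa_reenroll", "phone", proofs={CALLBACK}),
    ResetRequest("root-admin", "password_reset", "phone",
                 groups={"domain-admins"}, proofs={CALLBACK, MANAGER, ID_DOC}),
    ResetRequest("root-admin", "password_reset", "in_person",
                 groups={"domain-admins"}, proofs={MANAGER, ID_DOC}),
]

if __name__ == "__main__":
    for r in SAMPLES:
        allowed, missing, _audit = evaluate(r)
        print(f"{r.username:12} {r.action:15} via {r.channel:10} -> "
              f"{'ALLOW' if allowed else 'DENY'} missing={missing}")
```

The second sample is the one that matters for a vishing scenario: a caller who has passed the callback check still cannot have MFA re-enrolled over the phone without a manager's approval, and the third shows that a privileged account is refused on a remote channel even with every proof recorded.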
References
- TechCrunch - Hackers claim MGM cyberattack as outage drags into fourth day (https://techcrunch.com/2023/09/14/hackers-claim-mgm-cyberattack-as-outage-drags-into-fourth-day/)
- Ars Technica - A phone call to helpdesk was likely all it took to hack MGM (https://arstechnica.com/information-technology/2023/09/a-phone-call-to-helpdesk-was-likely-all-it-took-to-hack-mgm/)
- CNN - The MGM Resorts is operational after cybersecurity issue (https://www.cnn.com/2023/09/15/business/mgm-resorts-cybersecurity-issue/index.html)
- BBC News - MGM Resorts says data breach exposed personal information (https://www.bbc.com/news/technology-66812345)
- MGM Resorts Investor Relations - Press Release Details (https://investors.mgmresorts.com/press-releases/2023/09-18-2023-press-release-details/)
Rescana is here for you
At Rescana, we understand the complexities and challenges posed by sophisticated cyber threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help organizations like yours stay ahead of potential vulnerabilities and mitigate risks effectively. We are committed to providing you with the tools and insights needed to protect your assets and ensure business continuity. Should you have any questions about this report or any other cybersecurity concerns, please do not hesitate to reach out to us at ops@rescana.com. We are here to assist you in navigating the ever-evolving cybersecurity landscape.