Intrusion Unveiled MGM Resorts Ransomware Saga and the Low-Hanging Fruit Conundrum


On September 8, 2023, MGM Resorts International, a colossal casino and hospitality sector force, was trapped in a relentless ransomware assault orchestrated by the notorious hacking conglomerate Scattered Spider.

This audacious breach sent shockwaves through MGM’s intricate web of systems and operations, casting a shroud of disruption that persisted for several harrowing days. The fallout rippled across MGM’s digital domain, wreaking havoc upon its website, mobile application, reservation infrastructure, and even the venerable slot machines gracing its casinos sprawled nationwide.

Scattered Spider, a nefarious organization with an unsettling penchant for manipulating human psychology, employed crafty social engineering strategies to infiltrate MGM’s corporate infrastructure. In a sinister twist, the hackers homed in on an unsuspecting employee prowling the professional network terrain of LinkedIn. This seemingly innocuous low-hanging fruit served as the conduit for their entry.

With this foothold, they brazenly dialed MGM’s help desk, leveraging this employee’s identity to gain unauthorized entry into the company’s sacred digital systems. Once inside, the nefarious hackers traversed the digital labyrinth, securing access to MGM’s most critical systems.

What Does this MGM Breach Mean?

This breach begs a troubling question: What treasures did these cyber hackers obtain from MGM’s digital databases during their malevolent raid? Scattered Spider, renowned for its audacious ransom demands, could hold stolen data as collateral, threatening data leaks as a grim ultimatum should MGM refuse to meet their unreasonable demands.

As the world speculates on MGM’s response to this digital siege, the company remains tight-lipped regarding whether a ransom was paid to Scattered Spider. Instead, they affirm their cooperation with law enforcement agencies in a relentless pursuit of justice and vow to fortify their cybersecurity efforts to prevent such incidents in the future.

This MGM breach serves as a stark warning, highlighting the increasing menace of ransomware that casts its shadow indiscriminately upon businesses of all kinds. The evolving sophistication and frequency of ransomware incursions render it an ever more formidable adversary, necessitating vigilant safeguarding measures.

For businesses striving to armor themselves against this growing peril, consider the following strategies:

Educate employees

Illuminate your workforce on the dangerous art of social engineering and arm them with the knowledge to repel such tactics.

Fortify security controls

Implement robust defenses like multi-factor authentication and stringent access controls to ensure formidable digital security.

Data fortification

Regularly back up your data to secure repositories, erecting a protective defense against data loss.

Incident response

Prepare a meticulously detailed response plan should the dark threat of ransomware cast its shadow upon your enterprise.

The MGM breach also underscores the paramount importance of data privacy. Businesses must remain unwavering in their commitment to safeguarding their data, providing a resilient shield against the ever-looming specter of cyber attacks.

Now, let’s delve into the timeline of events that unfolded for MGM.


Friday 9/8 – Saturday 9/9

During this critical timeframe, the threat actor executed a series of audacious maneuvers that led to their initial breach of MGM Resorts. Through cunning social engineering, they manipulated the IT help desk into unwittingly resetting a user account, a classic example of exploiting low-hanging fruit for nefarious purposes.

Furthermore, the adversary escalated their intrusion by elevating their privileges and gaining domain controller access. They astutely exfiltrated credentials, subsequently employing their dark art to crack them. Adding to their arsenal, they claimed to have intercepted passwords during the synchronization process between Okta and, presumably, Active Directory.

In a disturbingly pivotal development, the threat actor acquired Okta super user access and Azure Global Admin privileges. This conquest provided them with near-complete control over the expansive digital terrain.

The precise extent of data obtained during these incursions remains uncertain, but the threat actor’s insidious presence was firmly established.

Regrettably, MGM Resorts’ initial attempts at containment proved futile during this phase.
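The sequence described for these two days, a help desk reset followed within hours by super user and Global Admin privileges, is exactly the kind of chain a defender can correlate in identity audit logs. The following is an added example, not code from the original post nor from MGM, Okta or WheelHouse IT; the pipe-delimited event format, the action and role names, the hypothetical user names and the sample log lines are all constructed for the demonstration, and a real identity-provider log would need a short normalisation step to map its fields onto this schema.

```python
"""Correlate help-desk account resets with later privilege grants.

Added example, not code from the original post or from MGM, Okta or
WheelHouse IT. The pipe-delimited event format, the action and role names
and the sample log lines are all constructed for this demonstration.
"""
from datetime import datetime, timedelta

# Assumed action names for a help-desk style credential or factor reset.
RESET_ACTIONS = {"password_reset", "mfa_factor_reset"}
# Assumed action name and role names for a high-privilege grant.
PRIVILEGE_ACTION = "role_assigned"
PRIVILEGED_ROLES = {"SUPER_ADMIN", "GLOBAL_ADMIN", "DOMAIN_ADMIN"}

# Constructed audit lines: ISO time|actor|action|target|detail
SAMPLE_LOG = """\
2023-09-07T09:00:00|helpdesk.agent2|password_reset|a.smith|ticket:HD-0990
2023-09-08T21:05:00|helpdesk.agent1|password_reset|j.doe|ticket:HD-0001
2023-09-08T21:07:00|helpdesk.agent1|mfa_factor_reset|j.doe|ticket:HD-0001
2023-09-08T23:40:00|j.doe|role_assigned|j.doe|SUPER_ADMIN
2023-09-09T02:15:00|j.doe|role_assigned|svc.backup|GLOBAL_ADMIN
2023-09-09T10:00:00|iam.admin|role_assigned|a.smith|SUPER_ADMIN
"""


def parse_event(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, actor, action, target, detail = line.split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "actor": actor,
        "action": action,
        "target": target,
        "detail": detail,
    }


def _minutes(later, earlier):
    """Whole minutes between two timestamps."""
    return int((later - earlier).total_seconds() // 60)


def correlate(events, window=timedelta(hours=24)):
    """Return alerts for two patterns, each judged against `window`:

    1. reset_then_privileged: an account is reset by the help desk and then
       receives a privileged role.
    2. reset_account_granting_privileges: a recently reset account is itself
       the actor that grants a privileged role to some other account.
    """
    recent_resets = {}  # account -> reset events seen so far, in time order
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] in RESET_ACTIONS:
            recent_resets.setdefault(ev["target"], []).append(ev)
            continue
        if ev["action"] != PRIVILEGE_ACTION or ev["detail"] not in PRIVILEGED_ROLES:
            continue
        # Pattern 1: the account receiving the role was reset within the window.
        for reset in recent_resets.get(ev["target"], []):
            if timedelta(0) <= ev["ts"] - reset["ts"] <= window:
                alerts.append({
                    "rule": "reset_then_privileged",
                    "account": ev["target"],
                    "target": ev["target"],
                    "role": ev["detail"],
                    "minutes_between": _minutes(ev["ts"], reset["ts"]),
                })
                break
        # Pattern 2: the actor granting the role was reset within the window
        # (self-grants are already covered by pattern 1).
        if ev["actor"] != ev["target"]:
            for reset in recent_resets.get(ev["actor"], []):
                if timedelta(0) <= ev["ts"] - reset["ts"] <= window:
                    alerts.append({
                        "rule": "reset_account_granting_privileges",
                        "account": ev["actor"],
                        "target": ev["target"],
                        "role": ev["detail"],
                        "minutes_between": _minutes(ev["ts"], reset["ts"]),
                    })
                    break
    return alerts


def run_demo(log=SAMPLE_LOG):
    """Parse the constructed log and return the alerts it produces."""
    events = [parse_event(line) for line in log.splitlines() if line.strip()]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed log, the reset of `a.smith` two days before the role grant falls outside the 24-hour window and produces nothing, while `j.doe` raises one alert for receiving SUPER_ADMIN shortly after the help desk reset and a second for then handing GLOBAL_ADMIN to another account. The window and the role list are the two knobs a team would tune; the point is that neither event is suspicious alone, and the correlation is what makes the help desk reset visible as the start of a chain rather than routine support work.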

Sunday 9/10

MGM Resorts initiated additional containment measures on this fateful day, desperately striving to expel the audacious adversary from their digital domain. However, these valiant efforts were met with stubborn resistance as the attacker tenaciously clung to their internal foothold.

Monday 9/11

The threat actor escalated their campaign of digital terror, purportedly encrypting over 100 ESXi hypervisors. It is crucial to note that these hypervisors are the bedrock upon which virtual machines are hosted, amplifying the impact across many servers. The attacker exploited vulnerabilities that often lurk in the periphery—a grim reminder of how the low-hanging fruit can serve as a conduit for a massive company attack.

In an ominous gesture, the threat actor provided a link, presumably giving access to a sample of the stolen data, heightening concerns about the gravity of the situation.

Tuesday 9/12 – Wednesday 9/13

In concert with external experts, MGM Resorts persisted in tireless efforts to contain and neutralize the threat. These pivotal days were marked by intensive incident response and recovery operations, aiming to reclaim control over their besieged digital infrastructure.

Simultaneously, the threat actor continued their vigilance, monitoring the negotiation portal for any signs of interaction. Their evident frustration at the lack of engagement hinted at their evil intentions.

Thursday 9/14

Undeterred and fearless, the threat actor seized the digital podium to present a staggering 1,101-word statement. In this message, they asserted their enduring control over the environment and made chilling threats of further attacks unless MGM Resorts initiated contact.

Aftermath of MGM Breach

Our collective hearts go out to the steadfast MGM team grappling with this relentless adversary throughout this complicated ordeal.

In the shadow of this evolving crisis, it becomes abundantly clear that managing an active attacker situation is a formidable challenge, defying simplistic solutions. Further, the threat actor’s sophistication far surpasses conventional ransomware groups, rendering the MGM team’s task extremely challenging.

For those of us observing and learning from this unfolding drama, it is paramount to recognize the underlying value of this information. Understanding the insidious techniques employed by such groups empowers us to fortify our security programs so that they keep pace with these evolving threats.

Acknowledging that an impervious security program remains an idealistic notion is imperative. In the face of a determined adversary, a breach remains a possibility regardless of the defenses in place.

In the aftermath of the MGM Resorts International cyber breach by Scattered Spider, a notorious hacking group, our cybersecurity-focused IT company offers assistance to businesses facing similar threats. WheelHouse IT can educate your workforce on cyber threats, fortify security controls, safeguard your data, create incident response plans, and ensure data privacy. The MGM breach serves as a stark reminder of the need for robust cybersecurity.

Contact us to tailor our services to your organization’s needs and strengthen your digital defenses against evolving cyber threats. Don’t wait; secure your digital assets now to prevent future breaches.