On Monday, MGM Resorts International (NYSE:MGM) disclosed a cyberattack that forced it to take many of its IT systems offline.
In a statement posted to its official X (Twitter) account, MGM Resorts said that it identified a “cybersecurity issue affecting some of the Company’s systems.” The statement indicated that it responded by shutting down certain systems to “protect [their] systems and data.” It also stated that the company “notified law enforcement” and “quickly began an investigation with assistance from leading external cybersecurity experts.”
Many X users posted photos and videos of various MGM properties in Las Vegas, Nev. claiming that various digital systems were not working. These systems include ATMs, slot machines, reward system, merchant processing (credit and debit cards), and digital room keys. Other pictures showed extremely long lines at the front desk and in parking structures.
As of Wednesday morning, the company’s website remained offline.
Cybersecurity Twitter (X) Provides Critical Details on MGM Resorts Cyberattack
According to a post from an account belonging to malware repository, vx-underground, the ransomware group, ALPHV, employed a vishing attack on the company’s help desk. Vishing is a form of phishing, or using social engineering to trick individuals into disclosing sensitive information, that utilizes voice communications, generally via a phone call.
“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A Company valued at $33,900,000,000 was defeated by a 10-minute conversation.”
Another user questioned vx-underground on the source of the allegation that ALPHV is behind the attack, to which vx-underground responded, “The Threat Actors themselves,” claiming to have direct communication with the ransomware group.
However, as of Wednesday, ALPHV/BlackCat had yet to mention the attack on its dark leak pages, according to Stefanie Schappert, a Senior Journalist at cybernews.
Another X user, @CyberSleuth1, said, “ALPHV has demonstrated a higher level of sophistication with the new capabilities of their Sphinx variant.” @CyberSleuth1, whose bio indicates that they previously worked at the National Security Agency (NSA), U.S. Cyber Command, Cyber National Mission Force, and U.S. Space Command, regularly posts information relating to other high profile cyberattacks
“They are very adept at social engineering for access so this isn’t a complete surprise,” the post continued.
Neither vx-underground nor @CyberSleuth1 responded to requests for comment.
Background on ALPHV/BlackCat
ALPHV aka BlackCat is a “ransomeware-as-a-service” (RaaS) provider that is likely comprised of other ‘big-game hunter’ ransomware groups that were dismantled or arrested, like the Russian group, REvil. The group built their ransomware with Rust which is known for its “fast performance and cross-platform capabilities, leading to both Linux and Windows variants being observed.” Cybersecurity rating company, SecurityScorecard, did a technical deep dive on the ALPHV/BlackCat ransomware.
In April 2022, the Federal Bureau of Investigation (FBI) released a FLASH report detailing indicators of compromise (IOC) associate with the RaaS. As of its publishing, the FBI indicated that the ALPHV ransomware had compromised at least 60 entities around the world.
ALPHV/BlackCat’s victims include aviation company, Swissport, and German oil companies, Oiltanking and Mabanaft, stated Lee Mathews in an April 2022 article for Forbes.
Casinos are Prime Targets for Ransomware Attacks
This is not the first time MGM Resorts was the victim of a cyberattack. In 2019, hackers allegedly stole personally identifiable infomation (PII) relating to 142 million customers. The company is currently the defendant in several lawsuits over the breach.
“MGM Resorts has a history of gambling with people’s data. For instance, in 2019 a security breach occurred which led them to disclose that the details of 10 million guests were taken. However, it wasn’t until the data was made public by the attacker that MGM Resorts revealed they were wrong about how much data was taken by over an order of great magnitude. As a result, 142 million users details were actually taken in the original breach,” Brad Freeman, director of technology at threat detection platform SenseOn, told Infosecurity Magazine.
Caesars Entertainment Likely Also Victim of Ransomware Attack
More recently, Caesars Entertainment Inc. (NASDAQ:CZR), is believed to have paid tens of millions of dollars in ransom after suffering their own ransomware attack. The company is the owner and/or operator of more than 50 hotels and casinos, most notably Caesar’s Palace and a dozen others on or near the Las Vegas Strip.
According to William Turton at Bloomberg, “people familiar with the matter” said that the company is “expected to disclose the cyberattack in a regulatory filing imminently,” presumably with the U.S. Securities and Exchange Commission (SEC). The group behind the Caesars ransomware attack is known as Scattered Spider or UNC 3944, and it is also skilled at employing social engineering to gain access to large networks.
In their own 8-K filing with the SEC late Wednesday, MGM Resorts disclosed that it had filed a press release on Tuesday regarding the “cybersecurity issue.” The press release contained the same message originally posted on the company’s X account.
The SEC adopted new rules for disclosure of cybersecurity risks, as well as material effects of cybersecurity events in July. These rules would have required MGM to disclose additional details; however, these new rules do not go into effect until later this year.
MGM Resorts Investigation Continues
The FBI discourages organizations from paying ransoms on cyberattacks, as there is no guarantee the data will not be sold on the dark web at a later date.
At this time, it is unclear what kind of data the ransomware gang stole or how much they have demanded for its safe return.