Editor’s Note: This is an evolving story about the MGM Resorts and Caesars Entertainment cyberattacks; it will change as new information is disclosed and discovered while the investigations into these events continue. This post will be updated as new information becomes available.
Las Vegas was rocked by twin disclosures of cyberattacks against MGM Resorts and Caesars Entertainment this week, two of the biggest casino and resort companies in the world. The news began with a major service disruption at multiple MGM properties and was followed by a Securities and Exchange Commission (SEC) filing in which Caesars disclosed that it had also suffered a breach. Let’s take a look at what we know about the situation so far.
MGM Resorts has a run of bad luck
On or about September 9, a threat actor gained unauthorized access to MGM Resorts systems, resulting in several key public-facing systems going offline and in the potential theft of sensitive data. Systems used to manage the customer loyalty platform, guest check-in, guest services such as room service, and even the door locks on many guest rooms were unusable as the organization raced to contain the intrusion and the resulting disruption. MGM Resorts has not yet said which systems were accessed or what data may have been taken, but the very public nature of the outage made it impossible for the organization to deny that an attack did, indeed, occur.
Within about 48 hours, vx-underground announced on X (formerly Twitter) that the ALPHV group and its affiliates (including Scattered Spider) were responsible for the attack, citing confidential sources within the threat actor group itself. According to the information obtained by vx-underground, the attackers used social engineering to trick employees into granting them access to systems that would otherwise be reachable only by internal teams. This information has not yet been corroborated by any official first-party source or by law enforcement, but vx-underground has a solid reputation in its reporting of threat activity, having correctly attributed many attacks over the last several years.
Caesars Entertainment may have rendered unto someone
Days later, Caesars Entertainment filed a Form 8-K with the SEC to declare that it had experienced a “material event” due to a cybersecurity incident. A material event is defined by Harvard Law School as “… those matters as to which an average prudent investor ought reasonably to be informed before purchasing the security registered.” In short, a publicly traded organization must notify the SEC if an event occurs that could affect the trading of its shares. The filing notes that a threat actor gained access to, and obtained a copy of, a sensitive data set: the customer loyalty program records. No specific details were revealed in the filing, but one statement suggests that Caesars may have paid a ransom to end the attack: “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.” This indicates that communication between Caesars and the threat actor occurred, and that some agreement was reached to convince the attackers to destroy their copy of the data. While it cannot be confirmed that Caesars paid the threat actors responsible, payment is the most common way such an agreement is reached.
Both Companies may have seen the same BlackCat
The suspected threat actor in both the MGM Resorts and Caesars attacks is ALPHV/BlackCat, a ransomware-as-a-service (RaaS) operation commonly described as an Advanced Persistent Threat (APT) group. This criminal organization has been in operation since at least 2021 and specializes in ransomware attacks against victims in many countries. While it appears to be Russian-speaking (most of its communications are in Russian), the identities and locations of its members have not been confirmed by threat intelligence groups. Compounding and confusing the overall picture is that ALPHV/BlackCat works through a network of affiliate threat actors in multiple locations around the world, with varying political, financial, and other end goals.
The tactics used in these two attacks do fit the overall pattern of the group and its affiliates, however. Initial access through some form of social engineering is common, followed by “double-extortion” ransomware: not only is the data encrypted on the victim’s systems, but an unencrypted copy is also exfiltrated to systems controlled by the threat actors. This stolen copy can be used to further coerce the victim into paying the ransom in order to avoid additional data exposure (and the regulatory consequences of that exposure) and/or to inflict reputational damage on the organization. If the ransom is paid, the attack is stopped and the data copy is, reportedly, destroyed by the threat actor. If not, the data is released via dark-web sites and becomes available to the general public as well as to other threat actors. Unfortunately, ALPHV/BlackCat and its affiliates have also been known to perform “triple-extortion” attacks, in which the data is used to extort money directly from customers of the victim company in return for not releasing sensitive information about that customer found in the stolen data set.
There is a betting strategy for defending against ALPHV
While ALPHV/BlackCat is considered a sophisticated group, there are methods that can be used to defend an organization against its attacks. First and foremost, training end users to recognize the signs of social engineering is important. If something feels “off” or just not right, it very well may be; confirming an odd request with a supervisor could be the difference between smooth sailing and having to recover from an attack.
Prevention at the user level may not always be an option, especially as threat actors continue to refine their social engineering to produce harder-to-recognize lures. This is why a multi-layer defensive strategy is absolutely critical. ALPHV/BlackCat employs multiple tactics that can be identified by EDR and XDR systems tuned to look for them. Most notably, many of its attacks use well-known credential-theft tools such as Mimikatz and LaZagne. Its attacks also frequently change security controls such as Group Policy Objects (GPOs) in Active Directory. These behaviors can be identified and blocked by endpoint controls, provided they are deployed on all devices, including Windows, Linux, and macOS desktops, servers, and cloud instances, and are properly tuned for the environments those assets run in. Because attackers routinely rename these tools, detections should key on behavior (for example, Mimikatz-style command-line modules or unexpected processes reading LSASS memory) rather than on file names alone. Unauthorized GPO changes can also be prevented by restricting which accounts are permitted to edit and link Group Policy Objects, and by monitoring the directory-service change events that domain controllers emit when a GPO is modified.
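The following is an added example (not code from the original post, nor a Cymulate product) of the kind of detection logic an EDR/XDR or SIEM rule would implement for the behaviors above: Mimikatz-style command lines, LaZagne execution, a non-allowlisted process opening LSASS memory, and a modification to a Group Policy object recorded by the domain controller. The sample events are constructed, with field names loosely modeled on Sysmon (EventID 1 process creation, EventID 10 process access) and Windows Security (EventID 5136 directory service object modified); the LSASS allowlist and the hostnames are assumptions and would be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Field names loosely follow Sysmon
# EventID 1 / 10 and Windows Security EventID 5136. Hostnames are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    # Renamed Mimikatz: the binary name is innocuous, the module syntax is not.
    {"EventID": 1, "Computer": "WS07", "User": "CORP\\helpdesk",
     "Image": "C:\\Users\\Public\\svc.exe",
     "CommandLine": 'svc.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 1, "Computer": "WS07", "User": "CORP\\helpdesk",
     "Image": "C:\\Users\\Public\\laZagne.exe", "CommandLine": "laZagne.exe all"},
    # Same renamed binary reading LSASS memory (Sysmon EventID 10).
    {"EventID": 10, "Computer": "WS07", "SourceImage": "C:\\Users\\Public\\svc.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    # A GPO container attribute changed on the DC (Security EventID 5136).
    {"EventID": 5136, "Computer": "DC01", "SubjectUserName": "helpdesk",
     "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCFileSysPath"},
    # Benign directory change: a user description edited.
    {"EventID": 5136, "Computer": "DC01", "SubjectUserName": "gpoadmin",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "description"},
]

# Mimikatz modules are invoked as module::command regardless of the binary name.
MIMIKATZ_CMD = re.compile(
    r"\b(sekurlsa|lsadump|privilege|kerberos|crypto|token|misc)::\w+", re.I)
LAZAGNE = re.compile(r"lazagne", re.I)
# Access masks commonly requested by credential dumpers against lsass.exe.
SUSPICIOUS_LSASS_ACCESS = {"0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff"}
# Hypothetical allowlist of processes expected to touch LSASS; tune per estate.
LSASS_ALLOWLIST = {"C:\\Windows\\System32\\csrss.exe",
                   "C:\\Windows\\System32\\wininit.exe"}
GPO_CLASSES = {"groupPolicyContainer"}
GPO_LINK_ATTRS = {"gPLink", "gPOptions"}   # GPO linking on OUs/domains/sites


def _alert(rule, event, detail):
    return {"rule": rule, "host": event.get("Computer", "?"),
            "actor": event.get("User") or event.get("SubjectUserName", "?"),
            "detail": detail}


def evaluate(event):
    """Return the list of alerts a single event raises (empty if benign)."""
    alerts = []
    eid = event.get("EventID")
    if eid == 1:
        cmd = event.get("CommandLine", "")
        image = event.get("Image", "").lower()
        if MIMIKATZ_CMD.search(cmd) or image.endswith("\\mimikatz.exe"):
            alerts.append(_alert("credential_dump_mimikatz", event, cmd))
        if LAZAGNE.search(cmd) or LAZAGNE.search(image):
            alerts.append(_alert("credential_dump_lazagne", event, cmd))
    elif eid == 10:
        target = event.get("TargetImage", "").lower()
        access = event.get("GrantedAccess", "").lower()
        source = event.get("SourceImage", "")
        if (target.endswith("\\lsass.exe") and access in SUSPICIOUS_LSASS_ACCESS
                and source not in LSASS_ALLOWLIST):
            alerts.append(_alert("lsass_memory_access", event,
                                 f"{source} -> lsass.exe ({access})"))
    elif eid in (5136, 5137):   # 5137 = directory object created
        obj_class = event.get("ObjectClass", "")
        attr = event.get("AttributeLDAPDisplayName", "")
        if obj_class in GPO_CLASSES or attr in GPO_LINK_ATTRS:
            alerts.append(_alert("gpo_modified", event, f"{obj_class}/{attr}"))
    return alerts


def scan(events):
    return [a for e in events for a in evaluate(e)]


def hosts_with_multiple_rules(alerts):
    """Hosts where two or more distinct rules fired: a sequence, not a one-off."""
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a["host"]].add(a["rule"])
    return {h for h, rules in rules_by_host.items() if len(rules) >= 2}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['rule']}] {a['host']} {a['actor']}: {a['detail']}")
    print("hosts with correlated activity:", hosts_with_multiple_rules(found))
```

Run against the constructed events, the notepad launch and the user-description edit raise nothing, while WS07 accumulates three distinct rules (Mimikatz command line, LaZagne, LSASS access), which is the kind of correlated sequence worth an immediate SOC escalation rather than three separate tickets.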
Additionally, unexpected encryption activity should be blocked and should trigger alerts within the Security Operations Center (SOC) for immediate investigation. SIEM solutions can be configured to alert on such activity, and many EDR and XDR platforms can also block it and raise an alert for immediate review. If the activity turns out to be legitimate, an exclusion can be configured and the process run again; but in situations like these attacks, that blocking action can save the organization millions in ransom payments, recovery efforts, and lost reputation. Expect some noise here: backup jobs, archivers, and already-compressed file formats produce output that looks statistically similar to encrypted data, so such detections need exclusions for known processes and file types and should weigh the rate of writes per process, not a single file. EDR and XDR solutions that can identify sequences of events across all operating systems (including attempts to elevate privileges, scanning of file systems, and attempts to encrypt data) are viable for limiting and/or stopping these attacks when used as one layer of controls. Since no single defensive tool will catch every form of ransomware attack on its own, configuring defenses in multiple, compensating layers is a necessity.
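As an added example (not from the original post or any Cymulate product) of what “detect unexpected encryption” looks like in practice, the block below measures the Shannon entropy of each file write and raises an alert only when one process produces a burst of high-entropy writes to non-archive file types inside a short window, which is the signature of a ransomware encryptor rewriting documents. The write events, process names, paths, thresholds, and the list of known high-entropy file formats are all constructed assumptions for the demonstration; in production the events would come from a file-system or EDR sensor and the thresholds would be tuned.

```python
import math
import random
from collections import defaultdict, deque

HIGH_ENTROPY = 7.0        # bits per byte; encrypted or random data approaches 8.0
WINDOW_SECONDS = 10.0     # sliding window for counting suspicious writes per process
BURST_THRESHOLD = 8       # suspicious writes by one process inside the window
# Formats that are legitimately high-entropy (compressed). Assumed list; extend
# with zip-based office formats (.docx/.xlsx) or media types as your estate needs.
KNOWN_HIGH_ENTROPY_EXT = {".zip", ".gz", ".7z", ".jpg", ".png", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_suspicious_write(path: str, data: bytes) -> bool:
    """High-entropy content going to a file type that should not be high-entropy."""
    ext = path[path.rfind("."):].lower() if "." in path else ""
    return shannon_entropy(data) >= HIGH_ENTROPY and ext not in KNOWN_HIGH_ENTROPY_EXT


class EncryptionBurstDetector:
    """Counts suspicious writes per process in a sliding window and alerts on bursts."""

    def __init__(self, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.recent = defaultdict(deque)   # process -> timestamps of suspicious writes
        self.alerts = []

    def observe(self, ts: float, process: str, path: str, data: bytes):
        """Feed one write event; returns an alert dict when a burst is detected."""
        if not is_suspicious_write(path, data):
            return None
        q = self.recent[process]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop writes that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            alert = {"process": process, "count": len(q), "window_s": self.window,
                     "last_path": path, "ts": ts, "action": "block_and_alert"}
            self.alerts.append(alert)
            q.clear()   # reset so one burst yields one alert, not one per extra write
            return alert
        return None


def constructed_events():
    """Constructed sample write events: (timestamp, process, path, bytes)."""
    rng = random.Random(1234)   # deterministic stand-in for ciphertext
    events = [
        # Legitimate: a word processor saving low-entropy text.
        (0.0, "winword.exe", "C:\\Users\\bob\\report.txt", b"quarterly numbers\n" * 300),
        # Legitimate: a backup tool writing one compressed archive (high entropy,
        # but a known archive format, so it is excluded).
        (1.0, "backup.exe", "D:\\backups\\nightly.zip", rng.randbytes(4096)),
    ]
    # Ransomware-like: one process rewriting many documents as random bytes
    # with a new extension, 200 ms apart.
    for i in range(12):
        events.append((2.0 + i * 0.2, "svc.exe",
                       f"C:\\Users\\bob\\Documents\\file{i}.docx.locked",
                       rng.randbytes(4096)))
    return events


def run(events):
    det = EncryptionBurstDetector()
    for ts, proc, path, data in events:
        det.observe(ts, proc, path, data)
    return det.alerts


if __name__ == "__main__":
    for a in run(constructed_events()):
        print(f"ALERT {a['process']}: {a['count']} high-entropy writes "
              f"in {a['window_s']}s, last {a['last_path']} -> {a['action']}")
```

The design choice that matters is the per-process burst count: a single high-entropy file is normal (archives, images, a legitimate encryption tool), but one process rewriting eight non-archive files as near-random bytes within ten seconds is not, and that is the point at which an EDR would suspend the process and page the SOC.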
Such defenses must also be regularly tested. Cymulate Breach and Attack Simulation (BAS) can put EDR and XDR tools through their paces to ensure they recognize and block known ransomware methodologies and scenarios. BAS can also simulate data exfiltration to help tune data control solutions and ensure they are not permitting sensitive information to leave the control of the organization. Continuous Automated Red-Teaming (CART) can allow an organization to play out an entire attack and determine if the layered defenses properly stop it from succeeding at compromising the organization. All these assessments can be automated to allow for ongoing testing with existing and newly discovered attack techniques over time to ensure that defenses are not drifting as changes occur within both the organization and the threat actor community.
Both companies and the attackers are keeping up a poker face
Neither Caesars Entertainment nor MGM Resorts is providing additional information at this time, citing both internal and law enforcement investigations. Cymulate will continue to monitor the situation and update this post as new information becomes available. As the investigations continue, new data will come to light to fill in the current gaps in the story. Additionally, both organizations are expected to report in much more detail in their annual SEC filings under the new cybersecurity disclosure rules, which take effect in December of this year.
Update: September 14, 2023
Even before we were able to post this to the Cymulate Blog, new information came to light. The Financial Times is reporting that someone identifying themselves as part of Scattered Spider, an affiliate of ALPHV and the suspected perpetrator of this series of attacks, had even more in store for these gaming companies. The original plan reportedly included altering the software of the casinos’ slot machines and then hiring independent contractors (known as “mules” in the cybersecurity world) to collect as much money as possible from the machines until the casinos identified and stopped the scheme. The alterations would reportedly have caused the machines to pay out more money than they would when operating normally. According to the anonymous source, this part of the plan failed. The Financial Times was unable to verify the identity of its source, or whether the source was in fact working as part of Scattered Spider or another ALPHV affiliate. More information will be posted here as it is discovered and/or disclosed.