Mitiga Appoints Charlie Thomas as CEO READ THE RELEASE

Mitiga Announces $30M Series B Led by SYN Ventures READ THE NEWS

On September 12, 2023, the world woke up to the news of another significant cyber-attack, this time on MGM Resorts International, a renowned name in the hotel and casino industry. The incident affected their operations across various locations, including iconic Las Vegas.

MGM was quick to assure its customers and stakeholders that the attack did not compromise any credit card information or other sensitive data. In a report to the SEC (Securities and Exchange Commission) on Tuesday, they emphasized their commitment to security and privacy, stating that they had engaged with law enforcement and cybersecurity experts to investigate the breach thoroughly. According to their disclosure, the impact on operations was a result of a decision to shut down some systems once the attack was detected.

While MGM’s official statement provided a broad overview of the incident there are still many questions unanswered. The specifics of the breach, the extent of the data accessed, and the potential ramifications remained unclear, which is to be expected given its ongoing nature. However, this lack of clarity inevitably paves the way for a plethora of rumors and speculations.

Among these rumors, a very interesting statement, published on September 15 allegedly by the attackers themselves, stands out. According to the statement, the cyber-attack on MGM resorts international was executed by the ALPHV ransomware gang. ALPHV, also known as BlackCat, is one of the most active and dangerous ransomware groups in the world, and it is known for its aggressive tactics and its willingness to target high-profile victims.

 In their public statement, ALPHV detail their actions, MGM’s responses and their perspective on the entire incident. Here are some highlights of the statement:

  1. The attacker gained access to MGM’s domain controller, looking for hash dumps to crack passwords
  2. The attacker also accessed Okta Agent servers, where they were sniffing passwords
  3. The attacker was eventually able to have MGM’s Okta super administrator privileges and global administrator privileges for MGM’s Azure tenant.
  4. ALPHV launched ransomware attacks against more than 100 ESXi hypervisors in MGM’s environment on September 11th.
  5. ALPHV claim to have acquired 6TB of data from MGM’s systems. While they haven’t released any data yet, they’ve threatened to do so unless a ransom is paid.

The veracity of the information released by the attacker remains uncertain. It is entirely possible that this disclosure is part of a calculated psychological campaign aimed at exerting added pressure on MGM. Such tactics can be employed to sow doubt, create internal discord and further the attacker’s agenda, making it imperative to approach such claims with caution and skepticism.

However, even if the statement does not describe the true story, it sheds some light on how attackers can leverage the inherent complexity of hybrid environments with on-premises data centers, Cloud and SaaS (Software as a Service). We at Mitiga see this approach expanding and are closely monitoring publications related to this attack and others, looking for new or updated Cloud Attack Scenarios and TTPs (tactics, techniques, and procedures). As we identify such TTPs, we use our expertise in Cloud and SaaS forensics to uncover the traces that these attacks leave in Cloud and SaaS forensic data. The insights are then codified and added to our library of indicators of attacks (IOAs). We use this Cloud Attack Scenario Library (CASL) to continuously scan the forensic data lakes we amass for our customers in order to uncover ongoing or past attacks. As attacks like the one that affected MGM become increasingly common, this is an approach more organizations will be turning to strengthen their investigation capabilities and build greater cyber resilience. 

We’ll keep updating.

LAST UPDATED:

April 23, 2024

Don't miss these stories:

Can vulnerabilities in on-prem resources reach my cloud environment?

What risk does this Zoho password manager vulnerability present, and could this on-prem vulnerability impact cloud environments as well?

Log4Shell - identify vulnerable external-facing workloads in AWS

Cloud-based systems should be thoroughly searched for the new Log4j vulnerability (CVE-2021-44228). But this is a daunting task, since you need to search each and every compute instance, from the biggest EC2 instance to the smallest Lambda function. This is where Mitiga can help.

How Transit Gateway VPC Flow Logs Help Incident & Response Readiness

In this blog, we will focus on the security and forensic aspects of Transit Gateway VPC flow logs and expand the way they can be used by organizations to respond to cloud incidents.

Uber Cybersecurity Incident: Which Logs Do IR Teams Need to Focus On?

On September the 16th, Uber announced they experienced a major breach in their organization in which malicious actor was able to log in and take over multiple services and internal tools used at Uber. What are some of the logs that IR teams should be focusing on in their investigation?

Viral Outbreaks: Thinking of Microsoft’s New Wormable Vulnerability in a Coronavirus Context

But today, in the midst of a pandemic outbreak of Coronavirus (COVID-19) and while governments and global organizations work to contain and eradicate the virus, we’re hearing of a new wormable vulnerability in Microsoft’s SMBv3 protocol.How can we learn from these unfortunate events to provide us with a different context and an opportunity to rethink our level of readiness for unexpected, viral cyber events?

Unlocking Cloud Security with Managed Detection and Response

See how Mitiga’s Cloud Managed Detection and Response tackles complex cyber threats with proactive threat management and advanced automation at scale.