September 18 Update
On September 14, the ALPHV group released a statement titled “Setting the Record Straight” to ensure they were not taken out of context by the media. It reveals their side of the story and some of the reasons they chose to target MGM Resorts. While it is written as though they are helping the community and justifying the attack, this organization has caused a tremendous amount of damage to its victims. Some of the key rumors they attempt to debunk are:
- They did not tamper with the slot machines to spit out money.
- The threat actors were not teenagers from the US and UK.
- The media shouldn’t point fingers without evidence.
Without a ransom note, letter, or tangible evidence, attributing an attack to a specific group is very difficult because many of their tactics, techniques, and procedures (TTPs) are publicly known and shared throughout the threat actor community.
While unconfirmed, multiple sources have said that “Scattered Spider,” a subsidiarity of the ALPHV/BlackCat ransomware group may be responsible for the Caesars Entertainment breach on September 7 that led to a $15 million payout.
As of September 13
In a shocking revelation, as disclosed in a tweet from VX-Underground, the ALPHV ransomware group successfully compromised the cybersecurity defenses of MGM Resorts, a company valued at a staggering $33.9 billion. This high-profile breach highlights the alarming ease with which cybercriminals are infiltrating even the most robust security systems.
The attackers employed a cunning method to gain access to MGM Resorts’ network. They initiated their attack by leveraging LinkedIn. After identifying an MGM Resorts employee, they proceeded to exploit a weakness in the company’s defenses by placing a simple phone call to the Help Desk. Incredibly, it took a mere 10-minute conversation for the attackers to infiltrate the network.
This cyberattack exhibits the characteristics of the ALPHV/BlackCat ransomware group, which has been actively monitored by cybersecurity experts for several years. Blackpoint Cyber previously released a blog post shedding light on the group’s tactics, techniques, and procedures (TTPs).
One alarming aspect of the attack is the threat actors’ use of legitimate software. Instead of relying on custom-made tools or leaked source code, the attackers exploit native software present on the target machines, such as powershell.exe and schtasks.exe. This approach allows them to remain undetected and unaltered, evading traditional cybersecurity measures.
The attackers’ ultimate goal was to deploy the BlackCat/ALPHV ransomware, a rapidly executing threat that, according to DarkFeed, is responsible for over 500 attacks worldwide, typically focusing on high profile victims. Written in Rust, this ransomware operates with high efficiency and minimal encryption or obfuscation, making it a potent weapon in the hands of cybercriminals.
Phishing remains a pervasive threat in the cybersecurity landscape, where malicious actors impersonate trusted entities to trick individuals into revealing sensitive information or clicking on malicious links. One of the most crucial aspects of defense against phishing is the rigorous validation of information. Individuals and organizations alike must:
- exercise skepticism when receiving unsolicited emails or messages,
- independently verify the authenticity of requests for sensitive data, and
- be cautious of unexpected attachments or links.
Cybersecurity professionals are urged to be aware of the TTPs associated with these attacks and to implement mitigation strategies accordingly.
MGM Resorts’ cybersecurity breach stands as a cautionary tale for organizations of all sizes, highlighting the critical importance of maintaining a robust security posture in the face of relentless cyberthreats.
Bytes & Insights: The Key Takeaways
In Summary: VX-Underground released a tweet which identified ALPHV (BlackCat) as being the ransomware group responsible for the MGM Resorts attack. It highlights the importance of being aware of threat groups’ TTPs and practicing caution and validation in potential phishing avenues of approach.
Why It Matters: For MSPs and their clients, this serves as a reminder of the evolving strategies employed by cybercriminals. Understanding the attackers’ tactics, such as exploiting common software, lateral movement, and phishing, is essential for MSPs to enhance their defenses and protect their clients’ networks. It emphasizes the need for MSPs to stay vigilant, implement effective mitigation strategies, and educate clients about the importance of cybersecurity hygiene in safeguarding their valuable data and operations.
To stay up to date on all APG intel, follow them on Twitter and Reddit.