Incident Name: MGM Resorts International September 2023 Ransomware Attack
Date of Incident: September 10th, 2023
Summary:
On September 11th, 2023, MGM Resorts International announced that they are currently dealing with a cyber attack that is impacting their company’s systems and all 31 of their resorts, many of which are located in Las Vegas. Numerous systems are currently offline, including the main website, casino floor machines and services, reservations, and the MGM Rewards app. Customers have been instructed to contact each hotel directly using their phone numbers to address MGM rewards-related issues. As a result of this attack, customers are experiencing long queues, difficulties accessing hotel rooms, and disruptions in the casinos across all the resort hotels in Las Vegas.
This incident is believed to be a ransomware attack. On September 12th, malware researchers from vx-underground revealed on X (previously Twitter) that the ALPHV ransomware group was responsible for this cyber attack. The threat actors allegedly obtained employee information from LinkedIn and then exploited helpdesk personnel through social engineering techniques to gain unauthorized access to MGM systems. It is worth noting that MGM has not confirmed these details or disclosed any plans regarding the ransom payment. Furthermore, as of now, MGM has not appeared on the ALPHV leak site.
There have been unverified reports on social media suggesting that Caesars Palace in Las Vegas experienced a ransomware attack the week before and paid the ransom. However, the hotel has not officially confirmed these claims. As of September 12th, 2023, MGM has announced partial restoration of some systems. Given that this situation is still evolving, further updates will be provided in due course.
It seems that targeting helpdesk employees, who typically possess elevated privileges, is becoming an increasingly popular approach for threat actors to infiltrate organizations through social engineering. Recently, Okta, a provider of identity and authentication services, issued a warning to its customers about an ongoing and sophisticated social engineering attack targeting IT service desk employees. Beginning in August 2023, multiple Okta customers reported falling victim to these attacks, which leveraged a technique known as vishing to deceive employees.
Key Social Engineering/OSINT Themes:
- Recon – MGM employee and organizational information was harvested via LinkedIn (allegedly). The threat actor leveraged exposed employee information to conduct a social engineering attack.
- Vishing – The threat actor targeted IT Help Desk personnel with high privileges with the purpose of gaining access.
Picnic’s Recommended Remediations:
For detailed remediations, see the HASP Framework.
High Risk Employees
- HASP Framework 1.1 — Identify high-value employee targets
- HASP Framework 1.3 — Conduct social engineering risk assessments for high-value employee targets
- HASP Framework 1.5 — Establish and implement procedures for high-value employee targets
- HASP Framework 1.7 — Increase detection and monitoring for high-value employee targets
Exposed Employee PII
- HASP Framework 2.1 — Identify exposed employee PII
- HASP Framework 2.2 — Reduce exposed employee PII
Exposed Credentials
- HASP Framework 3.1 — Identify exposed work credentials
- HASP Framework 3.7 — Restrict service account access
- HASP Framework 3.8 — Monitor for account takeover (including real-time alerts on exposed credentials)
- HASP Framework 3.9 — Monitor for MFA configuration changes
- HASP Framework 3.10 — Monitor for new MFA registrations
Exposed Remote Services
- HASP Framework 4.2 — Identify exposed shadow IT
- HASP Framework 4.4 — Manage shadow IT / remote access
Indicators of Attack
- HASP Framework 7.1 — Monitor for suspicious external accounts
- HASP Framework 7.2 — Request takedowns for suspicious external accounts
- HASP Framework 7.3 — Alert your organization about suspicious external accounts
- HASP Framework 7.4 — Monitor for suspicious domains
- HASP Framework 7.5 — Block suspicious domains
Cyber Awareness
- HASP Framework 8.1 — Train employees on social engineering attacks
- HASP Framework 8.2 — Provide employees with social engineering phishing simulation training
- HASP Framework 8.4 — Build and establish social engineering policies, processes, and procedures
Industry: Financial Services, Professional Services
Actor: Suspected to be ALPHV ransomware group
Motivations: Financial
Related Hacks: Marriott (2022) / IHG (2022), Luna Hotels & Resorts (2023)
Breach Notice/Company Notice:
Other Sources:
- vx-underground on Twitter
- MGM Resorts shuts down IT systems after cyberattack
- MGM Resorts Suspends IT Systems Following Cyber Incident
- Hotel giant Marriott confirms another data breach
- IHG attackers phished employee to deploy destructive wiper
- Luna Hotels & Resorts Cyber Attack Highlights Threat to Hospitality Industry
- Exclusive: Details of 10.6 million MGM hotel guests posted on a hacking forum