Rewterz Threat Alert – BlackCat/ALPHV Ransomware Group Allegedly Encrypted Over 100 MGM ESXi Servers

Severity

High

Analysis Summary

An affiliate of the BlackCat ransomware group, also known as APLHV, recently carried out a significant cyberattack on MGM Resorts, leading to the disruption of the company’s operations and the shutdown of its IT systems. The attack, which began on Friday, involved the infiltration of MGM’s infrastructure, during which more than 100 ESXi hypervisors were encrypted by the attackers after the company had taken down its internal infrastructure.

“MGM Resorts recently identified a cybersecurity issue affecting some of the Company’s systems,” the company mentioned

BlackCat claimed that they had exfiltrated data from MGM’s network and maintained access to some parts of the infrastructure and threatened to launch further attacks unless a ransom agreement was reached with the company. The threat actor behind the MGM breach was also tracked by various cybersecurity companies under different names, including Scattered Spider, 0ktapus, and UNC3944. 

The news of the alleged breach at MGM Resorts by threat actors associated with the ALPHV ransomware operation was initially reported by the cybersecurity researcher known as vx-underground. Some researchers reported that Scattered Spider had also breached Caesars Entertainment’s network, prompting concerns about the potential leakage of customer data stolen during the attack. 

Scattered Spider is considered to be a group of threat actors known for using a wide range of social engineering attacks, like impersonating help desk personnel to steal credentials, SIM swapping attacks, and phishing, in order to breach corporate networks. One of Scattered Spider campaigns called “oktapus” was used to target more than 130 organizations to steal Okta credentials and 2FA codes.

BlackCat claimed that MGM Resorts had not responded to their communication attempts and had only taken action to disconnect their Okta Sync servers after learning about the breach. Despite this, the hackers retained super administrator privileges on MGM’s Okta environment and Global Administrator permissions to the company’s Azure tenant. Frustrated by MGM’s lack of engagement, the threat actors eventually deployed the ransomware attack against the ESXi hypervisors on September 11th.

The attackers claim that they don’t know the exact details of the type of data they have stolen, but they threatens to leak it online if MGM doesn’t reach an agreement with them. To put more pressure on the company, BlackCat also threatened to carry out additional attacks using their current access to MGM’s infrastructure. These claims are unconfirmed though.

Once Scattered Spider breaches a network, they often employ Bring Your Own Vulnerable Driver attacks to gain elevated access on compromised devices. This access is then used to move laterally across the network, steal data, and gain access to admin credentials. While the use of ransomware is relatively new for this hacking group, their attacks consistently involve extortion, with demands for million-dollar ransoms to prevent data publication or to receive a decryption tool.

This is the second time MGM Resorts has experienced a cybersecurity incident since 2019. In the earlier breach, which occurred in 2019, hackers compromised one of the company’s cloud services, resulting in the theft of over 10 million customer records. The breach came to light in 2020 when an archive containing this stolen data, including guest names, dates of birth, email addresses, phone numbers, and physical addresses, was publicly shared on a hacker forum

Impact

• Data Exfiltration
• Operational Disruption
• Unauthorized Access

Indicators of Compromise

MD5

• 3815ca81d6f85aa652ca08b46bdaa508
• 007f0ca074070ec6eba0e8fa486e0c62

SHA-256

• dbdd12737909e4c02577efeb4442dc106915ad6129c287c7decf8782f7a6d214
• 9827104283189e5003db02682f286d8ebf4a955e4c2c39594e101fce36d96f20

SHA-1

• f669d3750c595934903e3549884eaf98b0e00cdd
• 943176da2a9ae059617def4774e148414a9fa11e

Remediation

• Immediately disconnect or isolate the compromised systems from the network to prevent the malware from spreading further. This may involve shutting down affected servers or segments of the network.
• Conduct a thorough investigation to determine the extent of the breach, including identifying which systems and data were compromised.
• Implement measures to contain the breach and prevent further unauthorized access. This may involve patching vulnerabilities, resetting compromised credentials, and deploying updated security policies.
• Implement multi-factor authentication (MFA) and strong password policies to enhance access control.
• Regularly update and patch software and systems to mitigate vulnerabilities.
• Conduct regular security audits and penetration testing to identify and address weaknesses.
• Encrypt sensitive customer and investor data both in transit and at rest to prevent unauthorized access in case of a breach.
• Ensure secure storage of backups and sensitive information with access restricted to authorized personnel only.
• Develop a robust incident response plan that outlines steps to take in the event of a breach. This should include procedures for containment, investigation, and notification of affected parties.
• Develop a long-term cybersecurity strategy to prevent future incidents, including investing in advanced threat detection and response capabilities