As the dust settles for MGM and systems are restored following a suspected cyber-attack, cybersecurity experts are now scrutinizing the hospitality behemoth’s security posture and firmly fingering the BlackCat Ransomware gang as the responsible party.
The cyber incident affected critical parts of its business for several hours, including its main website, the websites of all 31 MGM resorts, including a dozen in Las Vegas, the MGM mobile rewards app, online bookings and in-casino services such as ATMs, slot machines and card payment machines.
MGM confirmed on September 12 that its IT systems were back online.
However, at the time of writing, the main MGM website was still offline and concerns have been raised via a Las Vegas social media account, @LasVegasLocally, as to whether the company will be able to pay its employees on Friday.
It’s affecting everything. MGM is scrod. https://t.co/zqURIKkfC4 pic.twitter.com/jGqlVWxNHI
— Vital Vegas (@VitalVegas) September 11, 2023
MGM Has been In Cybersecurity Trouble Before
For many cybersecurity experts, this incident spotlighted how vulnerable the casino industry is.
Zane Bond, head of product at Keeper Security, explained to Infosecurity: “Casinos and hotels collect a wide range of sensitive information about their guests, from credit card information to PII, all while transacting enormous sums of money.”
Bond also highlighted that the intellectual property that underpins casino operations provides an additional unique and extremely valuable target for cyber-criminals.
“Think of all of the software that runs modern gaming systems, like slot machines. Casinos aren't just gaming companies anymore; they're software developers and these systems are some of the most advanced and connected in the world. The technology in gambling is astounding,” he said.
According to Brad Freeman, director of technology at SenseOn, the event also highlighted the security shortcomings of MGM, owner of some of the most prestigious Las Vegas hotels and casinos such as the Bellagio, the MGM Grand, the Luxor and the Mandalay Bay – where the latest edition of BlackHat USA was held.
"MGM Resorts has a history of gambling with people's data. For instance, in 2019 a security breach occurred which led them to disclose that the details of 10 million guests were taken. However, it wasn't until the data was made public by the attacker that MGM Resorts revealed they were wrong about how much data was taken by over an order of great magnitude. As a result, 142 million users details were actually taken in the original breach,” he told Infosecurity.
“When an intruder has access to systems inside a casino network the stakes are high. While MGM Resorts appear to have carried out a series of undisclosed preventative measures, after causing major disruptions to casino operations, information regarding their next steps remains scarce. If data has been taken we will know about it soon due to Nevada's data breach reporting laws."
Ransomware, the Most Probable Cause
Although MGM hasn’t disclosed the origins of the incident, many security researchers believe a ransomware attack hit the hospitality behemoth.
Speaking to Infosecurity, Fergal Lyons, cybersecurity evangelist at Centripetal, said: "While the event has not been officially disclosed, the early indications are that this is severe and widespread ransomware attack. If past performance in this industry is an indicator, then we could anticipate MGM paying the ransom if they see no other option.”
On September 13, the Vx-underground collective of malware researchers claimed that ALPHV/BlackCat reached out to them and confirmed responsibility for the attack.
“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation,” Vx-underground said on X, referring to a phone-based social engineering method that was supposedly used in the incident.
They also believe that the ransomware gang demanded a ransom from MGM Resorts International, but the company didn’t pay.
The ALPHV/BlackCat leak site does not mention the attack at the time of writing.
Who are BlackCat Hackers?
ALPHV/BlackCat is a ransomware gang that has operated a ransomware-as-a-service (RaaS) model since 2021.
It has compromised over 100 organizations, including Mazars Group, OilTanking GmbH, Swissport, Florida International University, University of North Carolina A&T and, more recently, Seiko.
According to IBM Security X-Force and Anozr Way, the group was one of the most active ransomware gangs in 2022.
It is known for using a sophisticated ransomware variant known as Sphinx and developed using the Rust programming language.
However, it has also been observed exploiting a known vulnerability in Fortra’s file transfer solution GoAnywhere MFT (CVE-2023-0669) in April 2023.
According to a Microsoft research profile, ALPHV/BlackCat is known to have worked closely with other ransomware groups such as Conti, LockBit, and REvil, as well as having links to the Darkside and Blackmatter cyber-criminal cartels.
Read previous story: MGM Resorts Hit By Cyber-Attack, Systems Down