MGM Las Vegas Cyber Attack leading to Computer system outage impacting operations
On September 11, 2023, MGM Resorts publicly disclosed a significant cybersecurity breach affecting its systems. The announcement came amid disruptions to various services, including hotel bookings and casino operations. The breach also exposed sensitive customer data, such as Social Security numbers and driver’s license information. The exact platform on which MGM Resorts posted the announcement is not specified in the information available; such announcements are typically made through official press releases, the company’s website, and social media channels to ensure wide dissemination. Notably, MGM Resorts was not the only victim; Caesars Entertainment also experienced a similar cyber attack, putting its customer loyalty program database at risk. MGM Resorts has shut down its operations for the moment. The website shows the following:
The MGM Resorts data breach was a significant cyber incident that came to light in September 2023. The MGM Resorts cyberattack occurred on September 10, 2023. The company has not yet disclosed the full extent of the breach, but it is believed that the personal information of millions of guests may have been exposed.
MGM Resorts has said that it is working with law enforcement and cybersecurity experts to investigate the incident. The company has also said that it is taking steps to secure its computer systems and to prevent future cyberattacks.
The MGM Resorts cyberattack is a reminder of the growing threat of cyberattacks. Businesses and individuals need to be vigilant about protecting their personal information.
How did the MGM Resorts breach happen?
How MGM Resorts Became the Latest Victim of a Ransomware Attack
MGM Resorts fell victim to a ransomware attack primarily due to a multi-layered social engineering scheme executed by the hacking group known as Scattered Spider. The group is believed to be a subgroup of the larger ALPHV ransomware group. The attackers used voice phishing (vishing) to trick employees and help desk staff into revealing login credentials. They also employed SIM swapping to acquire additional employee information, including passwords. Once they had the necessary credentials, they exploited vulnerabilities in Okta, a widely-used identity and access management service, to gain unauthorized access to MGM’s systems. After gaining this access, they deployed ransomware to encrypt the company’s data.
When did the MGM Resorts breach happen?
The MGM Resorts cyberattack happened on September 10, 2023, when MGM Resorts first started experiencing system outages. The ransomware was deployed sometime between September 11 and September 17, 2023.
How Hackers Broke Into MGM Resorts
The cyber attack on MGM Resorts was a multi-stage operation that involved several techniques, including social engineering, vishing, and exploiting vulnerabilities in the company’s identity infrastructure.
- Initial Reconnaissance: The attackers first identified an MGM Resorts employee on LinkedIn. This gave them the basic information needed to impersonate the employee convincingly.
- Vishing Attack: Using the information gathered, the attackers called MGM Resorts’ IT help desk, posing as the employee. They claimed to have lost their login credentials and successfully tricked the help desk into providing them.
- Network Access: Once they had the login credentials, the attackers gained initial access to MGM Resorts’ network.
- Lateral Movement: The attackers then moved laterally within the network, aiming to escalate their privileges. The exact techniques used for this lateral movement are not specified, but they eventually gained access to a domain controller and stole user passwords stored there.
- Ransomware Deployment: At this stage, the attackers deployed ALPHV (also known as BlackCat) ransomware on MGM’s network, encrypting data and causing system outages.
- Persistence and Further Exploitation: The attackers persisted in their lateral movement until they gained access to MGM’s Okta server. Okta is an identity and access management service that MGM used to manage access to various Software as a Service (SaaS) applications.
- Data Exfiltration: Once on the Okta server, the attackers were able to exfiltrate plaintext passwords, giving them the ability to log into any of the SaaS apps managed by Okta.
- Active Directory to Okta: Interestingly, while the attackers had access to Active Directory (AD) hashes, they did not have access to the passwords. They used AD as a stepping stone to pivot to Okta, exploiting a weakness in the connection between AD and Okta to steal plaintext passwords.
- Impact: The attack led to significant disruptions, including the shutdown of hotel room digital keys, slot machines, ATMs, paid parking, and online reservations. Guests experienced considerable inconvenience, including long wait times for check-in and even being locked out of their rooms.
The attack was sophisticated, exploiting both human and technological vulnerabilities to achieve its objectives. It serves as a stark reminder of the need for robust cybersecurity measures, including employee training and secure configurations of identity and access management systems.
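The chain described above (help desk resets a password for a caller, the attacker then enrolls an MFA factor and signs in from a new location) leaves a recognizable trace in identity logs. The following is an added example, not code from the article, MGM, or Okta: a Python correlation check over a constructed, Okta-style event sample that flags an admin-performed password reset followed within a short window by both an MFA factor activation and a sign-in from an IP the user had never used. The event type names are assumptions written in Okta's eventType style; map them to your own identity provider's schema.

```python
# Added example (not from the article, MGM or Okta): correlate constructed
# Okta-style events to flag a help-desk-assisted account takeover pattern.
from datetime import datetime, timedelta

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

# Constructed sample log: alice's password is reset by a help-desk admin, then a
# new MFA factor is activated and she "signs in" from a never-seen IP; bob's
# reset is followed only by a sign-in from his usual address (benign).
SAMPLE_EVENTS = [
    {"ts": "2023-09-10T08:00:00Z", "type": "user.session.start", "actor": "alice", "target": "alice", "ip": "203.0.113.10"},
    {"ts": "2023-09-10T08:30:00Z", "type": "user.session.start", "actor": "bob", "target": "bob", "ip": "203.0.113.22"},
    {"ts": "2023-09-10T09:02:00Z", "type": "user.account.reset_password", "actor": "helpdesk1", "target": "alice", "ip": "203.0.113.50"},
    {"ts": "2023-09-10T09:07:00Z", "type": "user.mfa.factor.activate", "actor": "alice", "target": "alice", "ip": "198.51.100.77"},
    {"ts": "2023-09-10T09:09:00Z", "type": "user.session.start", "actor": "alice", "target": "alice", "ip": "198.51.100.77"},
    {"ts": "2023-09-10T10:00:00Z", "type": "user.account.reset_password", "actor": "helpdesk1", "target": "bob", "ip": "203.0.113.50"},
    {"ts": "2023-09-10T10:30:00Z", "type": "user.session.start", "actor": "bob", "target": "bob", "ip": "203.0.113.22"},
]

def find_helpdesk_takeovers(events, window=timedelta(minutes=30)):
    """Return one alert per admin-performed password reset that is followed,
    within `window`, by both an MFA factor activation for the same user and a
    sign-in from an IP that user had never used before the reset."""
    events = sorted(events, key=lambda e: parse(e["ts"]))
    known_ips = {}  # user -> IPs seen in sign-ins before the current event
    alerts = []
    for i, e in enumerate(events):
        user = e["target"]
        if e["type"] == "user.session.start":
            known_ips.setdefault(user, set()).add(e["ip"])
            continue
        # Self-service resets (actor == target) are not the help-desk pattern.
        if e["type"] != "user.account.reset_password" or e["actor"] == user:
            continue
        baseline = set(known_ips.get(user, set()))  # IPs known before the reset
        t0 = parse(e["ts"])
        new_factor = new_ip_login = None
        for f in events[i + 1:]:
            if f["target"] != user:
                continue
            if parse(f["ts"]) - t0 > window:
                break
            if f["type"] == "user.mfa.factor.activate":
                new_factor = f
            elif f["type"] == "user.session.start" and f["ip"] not in baseline:
                new_ip_login = f
        if new_factor and new_ip_login:
            alerts.append({"user": user, "reset_by": e["actor"], "reset_at": e["ts"], "new_ip": new_ip_login["ip"]})
    return alerts
```

Run against the sample, only alice is flagged; tune the window and add a check on the help-desk actor's verification ticket before paging on-call.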
Who was behind the MGM Resorts cyber attack leading to the data breach?
The hacking group responsible for the attack is known as Scattered Spider, believed to be a subgroup of the larger ALPHV ransomware group. Scattered Spider, also tracked under the designation UNC3944, is particularly skilled in social engineering tactics, including voice phishing and SIM swapping, which it uses to gain unauthorized access to its targets. According to cybersecurity experts familiar with the group, its members are primarily located in the United States and the United Kingdom, and some are as young as 19 years old. Scattered Spider is also known to collaborate occasionally with the ALPHV ransomware group, which those experts believe is based in Russia.
What data was compromised and how many people were affected?
The hacking group claimed to have stolen data from the MGM loyalty program database, which includes sensitive information like driver’s license numbers and Social Security numbers. The exact number of people affected has not been publicly disclosed, but given the nature of the data and the scale of MGM Resorts’ operations, it could potentially be a significant number.
Who was responsible for the MGM Resorts data breach?
The responsibility for the data breach lies with the hacking group Scattered Spider. However, it’s crucial to note that MGM Resorts also bears some responsibility for not adequately protecting its systems and data from such social engineering attacks.
MGM Resorts data breach by the numbers
- Financial Impact: Shares fell 7.9%, from $43.74 to $40.29, between September 8 and 18.
- Revenue Loss: A reported minimum of $4 million daily.
- Data Compromised: Data from the MGM loyalty program, including driver’s license and Social Security numbers, was stolen. The exact number of affected individuals is not yet known.
- Customer Experience: Negative stories proliferated on social media.
- Brand Reputation: The system shutdown and unavailability led to a hit on the stock and credit rating.
- Consumer Trust: There is a fear of loss and misuse of personally identifiable information (PII).
- Administrative Costs: Systems shutdown led to additional costs.
- Investigation and Legal Costs: The cost of investigation efforts and legal/regulatory obligations.
- Data Recovery Costs: Expenses related to restoring encrypted or lost data.
- Insurance Gaps: Losses that may not be covered by existing cyber-insurance policies.
- Employee Morale: The incident led to uncertainty and stress among employees.
How did MGM Resorts handle the breach?
MGM Resorts initially reported the system outages as technical issues on September 11. By September 12, it issued a second statement indicating that all resorts were still operational despite customer-reported issues. It wasn’t until September 14 that Reuters reported that Scattered Spider was behind the attack, which MGM Resorts confirmed. On September 20, MGM announced that it had restored service to all of its systems. During this period, the company was also working to resolve the cybersecurity issue, although the details of these efforts have not been publicly disclosed.
Upon discovering the breach, MGM Resorts took several critical actions:
- Notification: The company acknowledged the incident and reported that they had notified all affected guests.
- Security Measures: MGM Resorts mentioned that they had bolstered their network security following the incident to prevent future breaches.
- Collaboration with Law Enforcement: They cooperated with law enforcement agencies to address and investigate the breach further.
What happened to MGM Resorts after the data breach?
Was I affected by the MGM Resorts data breach?
If you believe you were affected by the MGM Resorts data breach, consider the following steps:
- Stay Vigilant: Watch out for suspicious emails, messages, or calls. With personal information exposed, you might be a target for phishing attacks.
- Monitor Your Accounts: Regularly check bank accounts and credit reports for any unusual activities.
- Use Credit Monitoring Services: These services can alert you to changes in your credit report, ensuring you catch any potential identity theft early.
- Update Passwords: Consider updating passwords for online accounts, especially if you use similar passwords across different platforms.
What are the lessons learned from the MGM Resorts data breach?
The MGM Resorts cyber attack serves as a cautionary tale that emphasizes the need for a holistic approach to cybersecurity, encompassing technology, employee training, and robust policies and procedures.
The MGM Resorts cyber attack offers several key lessons for organizations aiming to bolster their cybersecurity posture:
1. Human Element Vulnerability
The attack underscores the vulnerability of the human element in cybersecurity. Even with advanced technological safeguards, social engineering tactics like vishing can be highly effective. Organizations need to invest in regular and comprehensive employee training to recognize and respond to such attacks.
2. Multi-Layered Attacks
The attackers used a combination of techniques, including social engineering, vishing, and exploiting technical vulnerabilities. This multi-layered approach highlights the need for a similarly multi-faceted defense strategy that includes both technological and human-focused measures.
3. Importance of Identity and Access Management
The attackers exploited weaknesses in MGM’s identity and access management systems, specifically between Active Directory and Okta. Organizations need to ensure that these systems are securely configured and regularly audited for vulnerabilities.
4. Rapid Lateral Movement
Once inside the network, the attackers quickly moved laterally to escalate their privileges. Network segmentation and strict access controls can mitigate the impact of such movements.
5. Data Exfiltration Risks
The attack led to the theft of sensitive customer data, including Social Security numbers and driver’s license information. Organizations need to encrypt sensitive data and monitor for unauthorized data access and exfiltration.
6. Geopolitical Considerations
The involvement of groups from different countries (U.S., U.K., and Russia) highlights the global nature of cyber threats and the need for international cooperation in cybersecurity.
7. Age is Not a Barrier
The young age of some of the attackers (as young as 19) indicates that cyber threats can come from individuals who may not have extensive experience but are nonetheless highly skilled.
8. Financial Impact
The immediate financial impact, including the drop in stock prices and daily revenue losses, underscores the need for cyber insurance and a well-defined cyber risk assessment and mitigation strategy.