As it’s been all over the news cycle the last few days, I thought I’d add some thoughts on the recent MGM hack.
(cover image credit to wikipedia)
Some basic facts:
- Sometime Sunday into Monday, threat actors used compromised access to MGM’s systems to launch a cyber attack. (I say “used” instead of “acquired” because the exact timing of the initial access and the duration of their presence, often called dwell time, remain ambiguous. A long dwell time is a possibility.)
- The impact of that attack was broad – affecting hotel check-ins, electronic door locks, billing, and other functions across many MGM properties.
- MGM announced late yesterday that their systems were back online, but their website is still inaccessible at the time of this publication.
- Intriguingly, malware experts VX-Underground, as reported in CyberNews and TheStack, suggest that the ALPHV/BlackCat group orchestrated this ransomware attack, gaining access within minutes via phishing/vishing techniques. There hasn’t been an “official” confirmation from the group yet, but VX-Underground often has a finger on the pulse of such matters.
What the facts tell us
- A widespread outage followed by a swift and “clean” recovery (see below) has the classic indicators of a ransomware event.
- A speedy response suggests two possibilities: MGM and its security allies had a robust internal incident management procedure (which might include business continuity and disaster recovery planning), or they met the attackers’ demands and paid out.
- The claim that this was accomplished via phishing is unconfirmed, but very plausible. Phishing remains a primary tactic for gaining initial access, and companies without a strong security focus often neglect it in their security training.
- MGM has had past incidents that hint at potential security gaps, notably the 2020 breach affecting over 10.5 million guests/users. If memory serves me (although I couldn’t locate a specific article), phishing was speculated as a probable point of entry then as well.
- The discrepancy between MGM’s announcement of being back online and their website’s downtime suggests a risk/cost-based emergency recovery strategy. Prioritizing check-ins and payments (immediate revenue streams) makes sense, with the company webpage (affecting future business and reputation) being addressed later. While this strategy is prudent, it signals that there’s more to come on this issue.
- Although unconfirmed, ALPHV/BlackCat involvement would make sense here – they are known ransomware actors and also offer “Ransomware as a Service”.
Hypothesis / Commentary
- This is 99% likely ransomware. My guess is they acquiesced and paid out. Given MGM’s other security indicators and past history, which are not good, I’m skeptical they had a recovery strategy that would restore even baseline functionality this fast.
- Given the impact of this incident and the past history, I’m guessing the overall security posture has not markedly improved and that easy lateral (and likely vertical) movement is possible in their environment.
- Though MGM touts adherence to various industry and other voluntary standards in their statements to the media, I wouldn’t place much stock in this. Standards are a minimum bar, and meeting them does not make you secure by definition (especially given there are multiple ways to meet standards, some of which are more or less secure than others).
- Any company taking the security of its data seriously should strive to exceed them in all areas that are pertinent to their business. MGM’s statements about meeting standards, plus the past few breaches, make me think this is more a box-checking exercise for them.
Follow-up resources / information
- Phishing and Vishing Explained – a nice article from CSO Online detailing different types of phishing attacks
- Who are ALPHV/BlackCat?