On September 11, news reports began emerging stating that MGM Resorts International had suffered a cyber incident and had shut down several critical IT systems. This was soon followed by MGM posting to their Twitter account acknowledging they had suffered a cyber incident.
Still, the statement was light on details despite the company's main website, online reservations, and in-casino services, like ATMs, slot machines, and credit card machines being taken offline.
The outage is believed to have happened the previous night. Rumors of possible ransomware attack were soon to follow. On September 14, Bleeping Computer reported that a BlackCat ransomware affiliate, ALPHV, was responsible for the attack.
The BlackCat ransomware gang released a statement noting that they had infiltrated MGM's infrastructure since Friday and encrypted more than 100 ESXi hypervisors after the company took down the internal infrastructure.
Data was allegedly exfiltrated from the network, and threat actors still maintain access to some of MGM's infrastructure. The network access would be used to deploy new attacks unless an agreement to pay a ransom is reached.
The news that ALPHV was behind the attack was initially broken by vx-underground on Twitter, who stated,
All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation.
BlackCat admins further stated,
After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing. This was after they brought in external firms for assistance in containing the incident,
While Bleeping Computer could not confirm ALPHV's involvement beyond a shadow of a doubt, BlackCat admins did confirm that one of their affiliates was responsible.
It can also be inferred with a high confidence level that ALPHV is the threat actor tracked by CrowdStrike as a Scattered Spider. The actor also attacked Ceasars Entertainment Group, who may have paid millions in ransom to assist recovery efforts.
On Thursday, after Bloomberg News reported that Caesars had been hit by a cyberattack, the company disclosed the hack in a regulatory filing. The company’s shares were relatively unchanged Thursday at 9:49 a.m. in New York after dropping 2.7% Wednesday to $52.35.
The group behind the attack is known as Scattered Spider or UNC 3944, according to the people. Its members are skilled in social engineering to gain access to large corporate networks, according to cybersecurity experts. In the case of Caesars, the hackers first breached an outside IT vendor before gaining access to the company’s network, according to the people.
Scattered Spider is interesting for several reasons. It is believed that the hacking group consists of English-speaking teenagers and young adults ranging from 16-22 years of age rather than individuals from the old Soviet sphere of influence.
Often, attacks are initiated by individuals pretending to be help desk staff to trick users into supplying credentials. The group uses several supplementary tactics to achieve this goal, including SIM, MFA fatigue, and phishing attacks to gain access to multi-factor authentication codes.
The group is also well-known for employing Bring-Your-Own-Vulnerable-Driver attacks to compromise networks. These attacks involve a threat actor deploying a driver with a known vulnerability onto a targeted network to compromise the network using the vulnerability inherent in the driver.
Other than MGM and Ceasars, high-profile victims include T-Mobile, MetroPCS, Verizon Wireless, AT&T, Slack, Twitter, Binance, KuCoin, CoinBase, Microsoft, Epic Games, Riot Games, Evernote, AT&T, HubSpot, TTEC, and Best Buy.
BlackCat Now Targets Azure Storage
Threat actors behind and affiliated with BlackCat have certainly been busy. We recently published an article detailing improvement to the malware's encryptor, dubbed Sphinx, and how recent attacks were seen dropping the Impacket networking framework and the Remcom hacking tool during the infection process.
Like with bad daytime television trying to sell you something, the line "but wait, there's more" definitely applies here.
The Sophos X-Ops team announced that during investigations into a recent breach, it was discovered that the threat actor could target Azure Storage accounts via ransomware executable with the extension .zk09cvt.
The extension was later tracked to known BlackCat activity. The initial compromise of the target infrastructure was achieved by using a stolen One-Time Password (OTP). It is believed the OTP was stolen from the victim's LastPass vault using the LastPass Chrome extension.
As for the targeting of Azure Storage, researchers stated,
The threat actors were able to gain access to the customer's Azure portal, where they obtained the Azure key required to access the storage account programmatically. The adversary encoded the keys using base-64 and inserted them into the ransomware binary with execution command lines as shown. The “-o” argument targets an Azure Storage account name and access key, and the same binary was executed multiple times to target 39 unique Azure Storage Accounts, resulting in successful encryption.
The ability to encrypt data in Azure Storage containers is a developing story. Still, it does show the skill BlackCat developers and affiliates like ALPHV have, as well as an extensive toolset that can exploit the human side of operations to grant access to IT infrastructure.