The ALPHV group, which used social engineering, was behind the hacking of MGM Resorts

Carding

Hack group BlackCat (ALPHV) claimed responsibility for the recent hack of MGM Resorts, which owns hotel, resort and casino chains around the world. Hackers claim to have encrypted more than 100 ESXi hypervisors, forcing the company to almost completely disable its internal infrastructure. At the same time, the attackers allegedly still retain access to the MGM network.

The attack on MGM Resorts occurred last weekend, and the incident led to the shutdown of many of the company's computer systems, including the websites of major hotels in Las Vegas and New York, booking systems and some casino services.

In particular, it was reported that slot machines in the casinos were not working, hotel guests' room key cards were not working, electronic payouts of casino winnings had slowed down, the MGM Rewards app was down, and customers were asked to contact the company by phone with booking questions.

Vx-underground researchers were the first to report BlackCat's (ALPHV's) connection to this attack, writing that a 10-minute phone call was enough to hack a $34 billion company. According to them, the hackers simply "went to LinkedIn, found an employee of [MGM Resorts] and arranged a call with technical support."

The hackers have now confirmed their involvement in the breach themselves, both by publishing a message on their darknet site and by talking to journalists. The attackers told Bleeping Computer that one of the group's "affiliates" was behind the attack on MGM.

According to media reports, this is the hack group that Crowdstrike specialists track under the name Scattered Spider, and which other companies designate as 0ktapus (Group-IB), UNC3944 (Mandiant) and Scatter Swine (Okta).

According to researchers, this group mainly uses social engineering to break into corporate networks: the attackers impersonate technical support staff (to obtain user credentials), use SIM swapping attacks (to take control of a targeted phone number), and use phishing and other methods (to bypass multi-factor authentication).

At the same time, the core membership of Scattered Spider is believed to consist of English-speaking teenagers and young adults aged 16 to 22, and overall the group closely resembles Lapsus$, whose members used similar attack methods and were about the same age. Mandiant experts suggest there may even be a connection between the two groups.

Representatives of BlackCat (ALPHV) said that MGM Resorts has so far remained silent, meaning the company apparently does not intend to negotiate a ransom payment with the attackers. At the same time, the hackers emphasize that the only action MGM took was to shut down "every single Okta Sync server after they found out that we were hiding on their Okta Agent servers."

Despite the shutdown of the Okta Sync servers, the hackers claim that they still have access to the company's network. According to them, they still hold super administrator rights in MGM's Okta environment, as well as Global Administrator rights in the company's Azure tenant.

"After waiting one day, on September 11, we conducted a successful ransomware attack on more than 100 ESXi hypervisors in their environment. This happened after they engaged third-party companies to help contain the incident," the hack group states.

The attackers say they do not yet know exactly what data they stole from MGM, but promise to make the information publicly available if they do not reach an agreement with the company. To pressure the company into paying, the group threatens to use its existing access to MGM's infrastructure to "conduct additional attacks."

It is also worth noting that last week the Financial Times and TechCrunch reported, citing their own sources, that the hackers' original plan was to attack only MGM's slot machines. Allegedly, the attackers intended to slowly siphon funds from the devices by sending their own "mules" to the casino. When this plan failed, the group turned to proven methods and encrypted MGM's systems.

After these statements of journalists, representatives of BlackCat (ALPHV) updated the message on their website, saying that they did not intend to hack slot machines at all, as this would not bring any benefit, but would interfere with possible ransom negotiations. The attackers also note that information about teenage hackers is just rumors and nothing more.