A financially motivated cybercrime group known as Scattered Spider has reportedly been behind the recent cyberattack on the casino and hotel chain MGM Resorts International.
The breach impacted some of the hotel chain’s IT systems, including the main website, online reservations, and in-casino services, like ATMs, slot machines, and credit card machines. The company said that all of MGM’s Grand Hotels & Casinos properties have been impacted by outages, including MGM Grand, Bellagio, Cosmopolitan, Aria, New York-New York, Park MGM, Excalibur, Luxor, Mandalay Bay and Delano.
Citing people familiar with the matter, Reuters reported that the Scattered Spider gang was identified as a culprit behind the hack.
Scattered Spider (aka 0ktapus, UNC3944, and Storm-0875), is a relatively new player on the cybercrime scene known for their use of a variety of social engineering tactics for gaining initial access, including calling employees and impersonating IT staff, using Telegram and SMS messages that redirect to phishing sites, and employing MFA fatigue.
A multi-factor authentication fatigue attack (also known as MFA Bombing or MFA Spamming) is a social engineering technique where attackers repeatedly push second-factor authentication requests to the target victim’s email, phone, or registered devices. The goal is to coerce the victim into confirming their identity via notification, thus authenticating the attackers’ attempt at entering their account or device.
Interestingly, the group’s members are likely based in the UK or Europe, researchers believe. Until recently, Scattered Spider has been known primarily for data theft extortion without ransomware deployment, but new evidence suggests that the gang has gone for the ALPHV/BlackCat ransomware-as-a-service operation.
This may be not far from the truth as the ALPHV/BlackCat ransomware group has claimed responsibility for the MGM Resorts cyber outage.
According to a post by malware library vx-underground, the attackers’ tactic involved gaining an employee’s trust via a phone call, which reportedly took only 10 minutes to execute.
“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation,” the post reads.
It should be noted that the gang’s claims have not been verified by security researchers.
A recent Bloomberg report said that another casino operator, Caesars Entertainment, had been hacked and paid tens of millions of dollars to hackers who threatened to leak its data in recent weeks. The report claims that Caesars Entertainment and MGM Resorts were breached by the same group.