
MGM Resorts Says Hotels 'Operating Normally' After Attack

But Digital Room Keys Still Unavailable; Slot Machines Have 'Intermittent Issues'
The MGM National Harbor Hotel and Casino in Oxon Hill, Maryland (Image: Shutterstock)

MGM Resorts International is declaring a return to normalcy at its hotels and casinos following a midmonth hit by ransomware-wielding attackers. Even so, numerous systems remain offline as the company seeks to rebuild its IT infrastructure.


"All of our hotels and casinos are operating normally," the Las Vegas-based company said in a Wednesday statement apparently meant to calm investors, who have sent the company's stock falling since the attack (see: Big MGM Resorts Outage Traces to Ransomware, Researchers Say).

The company confirmed that "intermittent issues" remain, including with some slot machines, and that it is unable to accept online hotel bookings or to issue digital key cards, leading it to issue physical room keys instead.

"Our slot machine ticket-in/ticket-out systems are back up and running, and our casino cashiers and slot guest service representatives are happy to help guests who may experience intermittent issues," it said. "We continue to work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly."

MGM Resorts is one of the world's biggest casino operators, running 31 casino hotels globally. The company's hotels in Las Vegas include the Aria, Bellagio, Excalibur, Luxor, Mandalay Bay, MGM Grand, Mirage and New York-New York. The company also operates casino hotels in Maryland, Michigan, Mississippi, New Jersey, New York and Ohio, as well as China.

On Thursday, the Las Vegas Review-Journal detailed reports from employees of MGM Resorts, who said that multiple "systems still aren't functioning properly," including systems for preparing work schedules, and that "there is no way to take vacation of any kind."

MGM Resorts first warned on Sept. 11 that multiple hotel and casino systems were offline due to an unspecified "cybersecurity issue" that began the prior day, leading it to proactively take some systems offline as it responded, backed by external cybersecurity experts.

The company's stock closed at $37.88 on Thursday, down 12.5% since Sept. 11.

Alphv Claims Credit

The Russian-speaking Alphv ransomware group, also known as BlackCat, quickly claimed credit for attacking MGM Resorts. The group said it tricked a help desk employee using a social engineering attack that took about 10 minutes to execute, after which on Sept. 8 it gained administrator-level access to MGM Resorts' Okta identity servers and "Azure tenant." That intrusion led MGM Resorts to proactively deactivate parts of its network, the attackers claimed.

Alphv said it had demanded a ransom from MGM Resorts but that the company didn't respond. Subsequently, "we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment," the ransomware group said.

The attackers have continued to attempt to extort MGM Resorts, which reported 2022 annual revenue of $13.1 billion, including by attempting to name and shame the company via Alphv's Tor-based data leak site. The attackers have yet to leak any supposedly stolen data.

MGM Resorts didn't respond to multiple requests for comment.

Alphv also recently attacked Caesars Entertainment. While the casino and hotel giant hasn't said when that attack occurred, it said that on Sept. 7 it discovered its attackers had stolen data. Caesars received a ransom demand of $30 million from its attackers and paid them approximately half of that, The Wall Street Journal reported. Caesars said the payment was for a promise that the extortionists would delete the data they stole (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).

Brian Krolicki, a member of the Nevada Gaming Commission, which regulates casinos based in the state, has called for details of the ransomware attacks against Caesars and MGM Resorts to be released publicly. "It would behoove all of us to really get a good handle on just what happened," including reviewing how these types of attackers could be better avoided, how the details of the attack were reported to the commission, and how its policies might need to be refined, he said at a Tuesday meeting of the Gaming Commission.

"Right now, the priority is to just recover and make sure that patrons are made whole, the systems are secure," he said, adding that once that has been done, he would like to get a briefing - preferably on the public record - "on what's transpired."

Okta Flags Repeat Attacks

Earlier this week, David Bradbury, CSO of identity management company Okta, told Reuters that five of Okta's customers have fallen victim to Scattered Spider - aka UNC3944 or Muddled Libra - which is a security industry codename for a group suspected of being an Alphv affiliate. In the incidents, attackers tricked a help desk employee into giving them duplicate access to an employee account, enabling them to bypass Okta multifactor authentication controls.

"We've seen consistently over the past six to 12 months a ramp-up in these types of attacks," Bradbury told Reuters, saying Okta is assisting with investigations into the five attacks. While he didn't name the victims, he said three are in the manufacturing, retail and technology space. The other two appear to be Caesars and MGM Resorts.

The surge in these attacks led Okta on Sept. 1 to issue a security alert to customers, warning that "in recent weeks, multiple U.S.-based Okta customers have reported a consistent pattern of social engineering attacks against their IT service desk personnel, in which the caller's strategy was to convince service desk personnel to reset all multifactor authentication factors enrolled by highly privileged users."

Okta said the tactics being used by attackers "are preventable and present several detection opportunities for defenders," and it released detailed defensive recommendations for customers. These include strengthening "help desk identity verification processes," as well as "enforcing phishing-resistant authentication" and limiting the use of super administrator roles, among other steps.

"Muddled Libra's tactics can be fluid, adapting quickly to a target environment," the Unit 42 threat intelligence team at Palo Alto Networks recently reported. "They continue to use social engineering as their primary modus operandi, targeting a company's IT help support desk."

In one successful attack the firm investigated, it found that the attackers had moved quickly and "successfully changed an account password and later reset the victim's MFA to gain access to their networks" in just a few minutes, researchers said.

MGM Seeks Linux Admin

Unlike Caesars, MGM Resorts appears to have paid no ransom to its attackers but instead chose to rebuild its affected IT infrastructure.

Texas-based software development firm Arganteal on Thursday posted a job listing for an immediate hire as on-site Red Hat Linux system administrator, working on a contract basis for $100 per hour, based in Las Vegas. "This role will be helping the MGM Grand Casino to build its net new IT environment after the recent ransomware hack," the job listing reads.

"Candidates must be willing to work every day until the new IT environment is fully stood up," the job listing states, clarifying that this means contractors are expected to be present "10 hours per day, seven days a week" - no remote work allowed. The project is scheduled to last until Oct. 15.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



