Caesars says cyber-crooks stole customer data as MGM casino outage drags on
Zero-days are so 2022. Why not just social engineer the help desk?
Casino giant Caesars Entertainment has confirmed miscreants stole a database containing customer info, including driver license and Social Security numbers for a "significant number" of its loyalty program members, in a social engineering attack earlier this month.
The admission comes as MGM Resorts enters its fourth day of inoperable IT systems and casinos following a "cybersecurity issue." Internet crime gang Scattered Spider, understood to be responsible for that intrusion, reportedly bragged that all it took to break into the corporation's networks was a ten-minute call with the help desk.
It's also reported the arachnid crew hit both Caesars and MGM Resorts, though some reps for Scattered Spider, also known as 0ktapus, claimed they only hit MGM and had nothing to do with the Caesars raid.
Then fall Caesars
In an 8-K form submitted late last week to the SEC, America's financial watchdog, Caesars – which owns more than 50 resorts and casinos in Las Vegas and 18 other US states – disclosed the theft of its customer database, which it blamed on "a social engineering attack on an outsourced IT support vendor."
Caesars declined to answer The Register's questions. The digital break-in was discovered on September 7, according to its SEC filing. The crooks stole Caesars' loyalty program database, which was stuffed with people's sensitive personal information.
"We are still investigating the extent of any additional personal or otherwise sensitive information contained in the files acquired by the unauthorized actor," Caesars told the SEC. "We have no evidence to date that any member passwords/PINs, bank account information, or payment card information (PCI) were acquired by the unauthorized actor."
Upon noticing suspicious activity on its IT network, the entertainment goliath said it immediately launched a probe, hired "leading cybersecurity firms" to help with its incident response and remediation efforts, and notified law enforcement and state gaming regulators.
All of this sounds pretty routine, though there is another line in the SEC filing that seems to indicate extortion — and a payment made by Caesars to potentially stop the pain:
We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.
That to us sounds like whoever broke into the IT systems made off with the data and wanted some kind of bung to keep the information private. The Register asked Caesars to clarify what specific steps were taken, among other questions about the fiasco: who is the unnamed IT outsourcer? Who was behind the break-in? Did those crooks demand a ransom and if so, how much, and was it paid?
We have yet to hear back from the corporation, though we will update this story as soon as we do.
Extortion seems like a safe bet
Other media outlets are reporting that it was, in fact, an extortion attack and that Caesars coughed up a ransom.
Vital Vegas earlier this week whispered about hearing "rumblings" that Caesars was trying to play down word of a cyberattack. Bloomberg on Wednesday reported the casino giant had paid "tens of millions of dollars to hackers" who broke in and stole company data.
Vital Vegas updated its coverage of the affair later that day to report Caesars paid $15 million to the extortionists, down from a $30 million demand, citing unnamed sources: "We are not making this up. Caesars talked them down like an episode of 'Pawn Stars.'"
Meanwhile, as the mass outage across MGM Resorts enters its fourth day, that Las Vegas casino and hotel behemoth issued a second statement about its ongoing "cybersecurity issue."
"We continue to work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly," it xeeted. In response, hotel guests shared videos of empty casinos and disconnected slot machines, and questioned how to cancel reservations and get a refund with the resorts' websites, email, and apps still not working.
There is one benefit: free parking at MGM Resorts properties.
Scattered Spider catches MGM in its web
Scattered Spider – a US-UK-based Lapsus$-like gang that specializes in social engineering attacks and is affiliated with the ALPHV ransomware operators – is said to be behind the MGM Resorts debacle. It's claimed all it took for the miscreants to infiltrate MGM Resorts was finding an employee on LinkedIn, then calling the help desk, presumably impersonating that staffer, and talking their way into access; the exact details remain unconfirmed.
"A company valued at $33,900,000,000 was defeated by a ten-minute conversation," as malware analysis nerve center VX-Underground put it.
In an interesting twist, and according to a Financial Times report, a spokesperson for the spider-themed crew claimed it had hoped to infect slot machine software at MGM Resort properties to rig the equipment, and then "recruit mules to gamble and milk the machines" of payouts.
When that wasn't possible, the gang returned to its tried and true method — a simple phone call to hoodwink some hapless employee — that worked in the past to compromise Okta and other high-profile victims.
That said, members of the ALPHV-Spider nexus denied going after the slot machines, saying: "Doing so would not be to our benefit and would decrease the chances of any sort of deal."
MGM Resorts declined to answer The Register's questions about the security breach. ®
Updated to add
On Thursday the miscreants behind the MGM Resorts cyber-attack decided to “set the record straight” with a statement on their dark-web blog. This missive sets out, in their mind, what really happened in the MGM Resorts intrusion and subsequent IT shutdown.
Technically speaking, the missive was issued by the notorious ransomware-as-a-service gang AlphaV, also known as ALPHV and BlackCat, of which Scattered Spider is an affiliate or sub-group. In any case, the crew today said it's made “multiple attempts” to contact resort execs to no avail.
We’d suggest taking this statement with a heavy dose of salt — these are criminals, after all. “MGM shut down computers inside their network as a response to us,” the statement went. “No ransomware was deployed prior to the initial take down of their infrastructure by their internal teams.”
The gang said it broke into MGM Resorts' IT environment on Friday, September 8, and "had been lurking on [MGM Resorts'] Okta Agent servers sniffing passwords of people whose passwords couldn't be cracked from their domain controller hash dumps." The gang said MGM realized something was up and switched off the company's Okta Sync servers, though the intruders were able to gain and maintain super administrator level in Okta, "along with global administrator privileges to their Azure tenant."
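The Okta super administrator grant the gang describes is the kind of event a defender can alert on from the Okta System Log. The Python below is an added example written for this article, not code from MGM, Okta or the attackers: it scans a constructed batch of System Log entries for successful `user.account.privilege.grant` events whose `debugContext.debugData.privilegeGranted` names the Super Administrator role, and raises the severity when the actor granted the role to their own account or acted from an address outside a trusted-admin set. The event type and field names are Okta's; the tenant, users, IP addresses and timestamps are invented, and the trusted-IP list is a hypothetical policy input.

```python
"""Spot Super Administrator grants in Okta System Log events.

Added example for this article; not code from MGM, Okta or the attackers.
Event type and field names follow Okta's System Log schema; every value
in SAMPLE_LOG is constructed.
"""
import json
from dataclasses import dataclass, field

GRANT_EVENT = "user.account.privilege.grant"
SUPER_ADMIN = "super administrator"  # matched case-insensitively inside privilegeGranted

# Constructed NDJSON export: one login, two Super Administrator grants, one lesser grant.
SAMPLE_LOG = "\n".join(json.dumps(ev) for ev in [
    {"published": "2023-09-08T21:02:11.000Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"},
     "actor": {"type": "User", "alternateId": "alice@example.test"},
     "client": {"ipAddress": "203.0.113.10"}, "target": [],
     "debugContext": {"debugData": {}}},
    {"published": "2023-09-08T21:05:40.000Z", "eventType": GRANT_EVENT,
     "outcome": {"result": "SUCCESS"},
     "actor": {"type": "User", "alternateId": "it-admin@example.test"},
     "client": {"ipAddress": "198.51.100.5"},
     "target": [{"type": "User", "alternateId": "newadmin@example.test"}],
     "debugContext": {"debugData": {"privilegeGranted": "Super administrator"}}},
    {"published": "2023-09-09T02:17:03.000Z", "eventType": GRANT_EVENT,
     "outcome": {"result": "SUCCESS"},
     "actor": {"type": "User", "alternateId": "helpdesk-svc@example.test"},
     "client": {"ipAddress": "203.0.113.77"},
     "target": [{"type": "User", "alternateId": "helpdesk-svc@example.test"}],
     "debugContext": {"debugData": {"privilegeGranted": "Super administrator"}}},
    {"published": "2023-09-09T09:00:00.000Z", "eventType": GRANT_EVENT,
     "outcome": {"result": "SUCCESS"},
     "actor": {"type": "User", "alternateId": "it-admin@example.test"},
     "client": {"ipAddress": "198.51.100.5"},
     "target": [{"type": "User", "alternateId": "bob@example.test"}],
     "debugContext": {"debugData": {"privilegeGranted": "Help Desk administrator"}}},
])


@dataclass
class Finding:
    when: str
    actor: str
    targets: list
    source_ip: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_ndjson(text):
    """Yield one event dict per non-blank line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def find_super_admin_grants(text, trusted_admin_ips=frozenset()):
    """Return a Finding for every successful Super Administrator grant.

    Every such grant is at least medium severity: the role owns the tenant.
    Severity rises to high when the actor granted the role to their own
    account, or when trusted_admin_ips is set and the grant came from outside it.
    """
    findings = []
    for ev in parse_ndjson(text):
        if ev.get("eventType") != GRANT_EVENT:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        granted = ev.get("debugContext", {}).get("debugData", {}).get("privilegeGranted", "")
        if SUPER_ADMIN not in granted.lower():
            continue
        actor = ev.get("actor", {}).get("alternateId", "?")
        targets = [t.get("alternateId", "?") for t in ev.get("target", [])
                   if t.get("type") == "User"]
        ip = ev.get("client", {}).get("ipAddress", "?")
        reasons = ["Super Administrator granted to " + ", ".join(targets)]
        severity = "medium"
        if actor in targets:
            reasons.append("actor granted the role to their own account")
            severity = "high"
        if trusted_admin_ips and ip not in trusted_admin_ips:
            reasons.append(f"grant issued from {ip}, outside the trusted admin set")
            severity = "high"
        findings.append(Finding(ev.get("published", "?"), actor, targets, ip, severity, reasons))
    return findings


if __name__ == "__main__":
    # Hypothetical policy input: the only address admins should grant roles from.
    for f in find_super_admin_grants(SAMPLE_LOG, trusted_admin_ips=frozenset({"198.51.100.5"})):
        print(f"[{f.severity}] {f.when} {f.actor} -> {f.targets} from {f.source_ip}")
        for r in f.reasons:
            print("    -", r)
```

On real data the same function runs over a System Log export or the JSON returned by Okta's logs API, with the trusted-IP set replaced by whatever the tenant's admin access policy actually allows. The gang's other claim, global administrator on the Azure tenant, calls for the analogous check on that tenant's directory audit log; it is not covered by this block.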
When MGM network admins found they couldn’t evict the pests, staff shut down various parts of their infrastructure in an attempt to hold off the intruders, we're told.
“After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11 after trying to get in touch but failing,” the crime gang boasted, adding that MGM Resorts appeared unwilling to negotiate with the extortionists to end the attack. And if a deal isn't reached, AlphaV may leak data, including personal information, stolen from the corporation.
“We still continue to have access to some of MGM's infrastructure. If a deal is not reached, we shall carry out additional attacks,” the statement read.
“We continue to wait for MGM to grow a pair and reach out as they have clearly demonstrated that they know where to contact us,” the gang added, referring to its observation of someone quietly popping in and out of a chat room AlphaV set up to broker a settlement with its victim.