Goliath has fallen

Goliath has fallen.

MGM Properties got hit and they got hit hard. Yes, I’m talking about the company that owns 31 unique gambling and hotel properties. Their casino and hospitality operations were brought to their knees causing them to shutter MGM Grand and other Las Vegas properties. Gambling was shut down and patrons were left unable to enter their hotel rooms.

Who’s responsible? A group identified as “Scattered Spider” or UNC3944, an affiliate of a ransomware-as-a-service “BlackCat.”

Once they compromise a company and steal its data, Scattered Spider attacks virtual machines through virtual serial and administrative consoles and purposely inject vulnerable signed drivers to escalate privileges or move laterally within a network. They use BlackCat ransomware to strike a final blow.

The BlackCat ransomware, developed by UNC3507, or ALPHV, has been widely used by threat actors in many cybersecurity incidents in the last year. Did you know that nearly 12% of all cybersecurity attacks in 2022 involved the BlackCat ransomware, including the attacks on semiconductor manufacturer, Seiko, and the international auditing and accounting company, Mazars Group?

Scattered Spider is known for its reliance on social engineering to establish a point of entry into an organization, which means they psychologically manipulate their victims to get what they want. Then they use advanced techniques to capture critical business and personal information. As if they weren’t deadly enough, being based in the United States, Scattered Spider has an advantage over foreign adversaries. This helps them in doing scams that involve things like calling a victim and convincing them to click links, accept MFA requests, or run executables, for example.

Once into a system, Scattered Spider steals data from the organization, including business documents, personal information such as social security numbers, and client and customer data for use in double extortion. Ransomware is deployed—in this case BlackCat, developed by ALPHV—which allows Scattered Spider to extort the business for ransom. Not willing to pay a ransom? Scattered Spider then goes to work through their affiliate network to post the stolen information for the second extortion attempt.

Here is the kicker, this cybersecurity event all started with a phone call to the MGM helpdesk where hackers convinced them to allow access.

While the MGM situation is still transpiring and many elements are still unknown, this attack highlights several areas of focus for all businesses and employees:

• Defense In Depth is essential to ensure that a small breach doesn’t turn into a major business catastrophe
• All employees must be continuously educated on how to resist social engineering exploits executed on them via email, text, or phone
• Organizations must proactively run tests to ensure that their employees are in fact resisting social engineering tactics—and re-train any under-performing employees
• Wise executives will press their suppliers, contractors, and other business partners to also take appropriate steps to assess and enhance their own security posture in order to further reduce their exposure to risk

But this doesn’t just stop with businesses and employees. Anyone who visited MGM properties is at additional risk, including those who have stayed at one of the hospitality properties or signed up for lines of credit. What should you do if this is you? Well, at the moment it’s still unclear what data was stolen, but it’s always a good idea to monitor bank accounts, credit/debit cards, and social security information.