MGM Resorts’ ransomware attack started with a single phone call

Social engineering allegedly led to MGM attack: $13 billion firm's cybersecurity "defeated by a 10-minute conversation"?

A severe cybersecurity incident at MGM Resorts was facilitated by a social engineering attack on an employee identified on LinkedIn.

That’s according to malware repository and source code site vx-underground, which has established relationships with threat actors.

The incident has taken slot machines out of action at some of Las Vegas’s biggest casinos and forced the websites of the Aria, Bellagio, Mandalay Bay, and MGM Grand offline with likely extensive impact on bookings.

vx-underground said September 13 on X, previously Twitter: “All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”

The group suggested in a subsequent post that the attack had been conducted by a suspected English-speaking, big-game-hunting cybercriminal group associated with ALPHV (aka BlackCat) and known as Scattered Spider by prominent cybersecurity company CrowdStrike.

The Stack could not immediately independently confirm the claims.

ALPHV, aka BlackCat, has previously hit companies including Constellation Software, Estée Lauder, Sun Pharmaceuticals, and Western Digital.

Its reported affiliate Scattered Spider has been described as being known for attacks “which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access.”

The group also uses MFA fatigue and SIM swapping techniques.

MGM ransomware attack: Social engineering?

Probably not IT support. 

vx-underground did not detail the precise approach the alleged social engineering attack took. One approach that has worked for many penetration testers is simply pretending to be IT support: saying that malicious software has been identified on the victim’s machine and that remote access is needed, which requires the targeted user to download a particular legitimate tool.

Sometimes that approach is boosted by access to a mail server that lets an attacker send and receive emails from either a typo-squatted domain or an expired sub-domain, e.g. to send convincing phishing emails or even to receive emails with details that can be used in the attack (such as an emailed request for IT support that can then be answered convincingly, with minimal proactive social engineering needed by the attacker).

Just this week one security researcher told The Stack that they had gained access to thousands of emails for a Fortune 500 company because “basically, the company uses a second domain to send/receive email and SendGrid to process everything. They emailed me a delivery confirmation email which failed DMARC/SPF tests, which prompted me to check ownership of the domain. It expired eight months ago, so I picked it up and set up a catch all. Well over a thousand emails so far, all with names, company names, phone numbers, order numbers, delivery addresses, customer queries,” they said via DM on X.
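The failure in that account is a mail domain that stayed in use after its registration lapsed. As an added example (not from the researcher or The Stack), here is a defender-side audit of an organisation's own mail domains for lapsed registration, missing SPF and non-enforcing DMARC; the inventory, domain names, dates and the 60-day warning window are constructed assumptions, and in practice the expiry dates and TXT records would come from the registrar and DNS.

```python
from datetime import date

# Constructed inventory: every domain the organisation sends or receives mail
# with, its registry expiry date and published TXT records (all values made up).
INVENTORY = [
    {"domain": "corp.example", "expires": date(2025, 3, 1),
     "spf": "v=spf1 include:_spf.mailer.example -all",
     "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@corp.example"},
    {"domain": "orders-mail.example", "expires": date(2023, 1, 10),
     "spf": None, "dmarc": None},
    {"domain": "news.example", "expires": date(2023, 10, 1),
     "spf": "v=spf1 include:_spf.mailer.example ~all",
     "dmarc": "v=DMARC1; p=none"},
]

def dmarc_policy(record):
    """Return the p= tag of a DMARC TXT record, or None if absent or invalid."""
    if not record:
        return None
    tags = dict(
        (k.strip().lower(), v.strip())
        for k, _, v in (part.partition("=") for part in record.split(";"))
        if k.strip()
    )
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None

def audit(inventory, today, warn_days=60):
    """Map each problem domain to the list of issues found for it."""
    findings = {}
    for entry in inventory:
        issues = []
        days_left = (entry["expires"] - today).days
        if days_left < 0:
            issues.append("registration expired")
        elif days_left <= warn_days:
            issues.append("registration expiring")
        if not (entry["spf"] or "").lower().startswith("v=spf1"):
            issues.append("no SPF record")
        if dmarc_policy(entry["dmarc"]) not in ("quarantine", "reject"):
            issues.append("DMARC not enforcing")
        if issues:
            findings[entry["domain"]] = issues
    return findings

if __name__ == "__main__":
    for domain, issues in audit(INVENTORY, date(2023, 9, 13)).items():
        print(domain, "->", ", ".join(issues))
```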

"Richly resourced" firms beaten by "juveniles"

Possibly an APT.

A July 24 report by the US “Cyber Safety Review Board” in the wake of extensive successful social engineering and MFA-bypass attacks by the Lapsus$ threat group noted that “Lapsus$ exploited, to great and wide effect, a playbook of effective techniques” adding pointedly that “if richly resourced cybersecurity programs were so easily breached by a loosely organized threat actor group, which included several juveniles, how can organizations expect their programs to perform against well-resourced cybercrime syndicates and nation-state actors?”

The CSRB added: "As organizations integrate more robust authentication capabilities within their environments, they have an opportunity to reduce the efficacy of social engineering attacks. This will require prioritizing culture alongside more effective technology capabilities.

"Organizations should begin to require an explicit authentication event using a form of phishing-resistant MFA, such as FIDO2-backed tokens, for each sensitive transaction executed on their systems. The definition of a sensitive transaction will be dependent on the nature of the organization’s business but may include accessing a sensitive customer record; using privileged access in the infrastructure, for example to raise privileges to Administrator; or performing a Subscriber Identity Module (SIM) swap.

"Organizations should educate employees on a frequent and regular basis, possibly monthly, and in a relatable and easily digestible manner, on the latest threat landscape trends and how to prevent them. Organizations should foster a security culture where employees are incentivized to report potential intrusions while training employees on how to identify and respond to creative social engineering attacks."
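The CSRB's recommendation of an explicit phishing-resistant authentication event for each sensitive transaction can be expressed as a step-up check. The sketch below is an added example, not code from the report or from any vendor; the transaction identifiers, the five-minute freshness window and the `AuthEvent` record are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumptions (local policy, not from the CSRB report): which methods count as
# phishing-resistant, the freshness window, and the transaction identifiers.
PHISHING_RESISTANT = {"fido2"}
MAX_AGE = timedelta(minutes=5)
SENSITIVE = {"view_customer_record", "elevate_to_admin", "sim_swap"}

@dataclass
class AuthEvent:
    method: str                        # "fido2", "push", "sms_otp", ...
    at: datetime                       # when the user completed it
    transaction: Optional[str] = None  # transaction it was requested for
    used: bool = False                 # already spent on a transaction

def authorize(transaction, events, now):
    """Return (allowed, reason) for one transaction in a logged-in session."""
    if transaction not in SENSITIVE:
        return True, "not sensitive"
    reason = "no authentication event for this transaction"
    for ev in sorted(events, key=lambda e: e.at, reverse=True):
        if ev.transaction != transaction:
            continue                   # login-time MFA does not carry over
        if ev.method not in PHISHING_RESISTANT:
            reason = f"{ev.method} is not phishing-resistant"
        elif ev.used:
            reason = "authentication event already used"
        elif not timedelta(0) <= now - ev.at <= MAX_AGE:
            reason = "authentication event too old"
        else:
            ev.used = True             # one event authorises one transaction
            return True, "explicit fido2 event"
    return False, reason

if __name__ == "__main__":
    now = datetime(2023, 9, 13, 12, 0, tzinfo=timezone.utc)  # constructed sample
    session = [
        AuthEvent("fido2", now - timedelta(hours=2)),              # login
        AuthEvent("push", now - timedelta(minutes=1), "sim_swap"),
    ]
    print(authorize("sim_swap", session, now))   # refused: push approval only
    session.append(AuthEvent("fido2", now - timedelta(seconds=20), "sim_swap"))
    print(authorize("sim_swap", session, now))   # allowed once
    print(authorize("sim_swap", session, now))   # refused: event already spent
```

A push approval or an earlier login, even a FIDO2 one, does not satisfy the check; only a fresh FIDO2 event requested for that specific transaction does, and it is consumed on use.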

MGM Resorts’ websites for venues like the MGM Grand, Aria and others remain offline with a redirect for restaurant reservations.

The MGM rewards application is also still reportedly working. The company said in its most recent update on X that “our resorts including dining, entertainment, and gaming are currently operational and continue to deliver the experiences for which MGM is known. Our guests remain able to access their hotel rooms and our front desk staff is ready to assist our guests as needed. We appreciate your patience,” it added.