💥 Breach Breakdown 💥 - MGM
How did the ransomware gang do it, and who's to blame?
Hey! Welcome to Attack Vector, the email that gives you your 5-minute dose of offensive cyber info.
In Today’s Email:
💥 MGM Breach Breakdown
📃 TTPs Used In The Attack
⚠️ Who’s to blame for the attack?
💥 MGM Breach Breakdown 💥
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/e385f62c-459a-4ae5-93e0-dcf2bcb8d2d8/Screenshot_2023-10-01_195852.png)
MGM Grand - Las Vegas
MGM Resorts (the casino and hotel operator headquartered in Las Vegas) suffered a massive breach in September. If you haven’t heard about it yet, you might live under a rock. The attackers, “Scattered Spider”, used ransomware from the “ALPHV” (BlackCat) ransomware gang to encrypt MGM systems. The attack forced MGM to shut down a large portion of its operations in order to recover. But why and how did this happen?
As it turns out, the source of the attack was a well-planned social engineering attack. Scattered Spider found an MGM employee’s information on LinkedIn and impersonated that employee in a phone call to the MGM help desk. The attackers appear to have already held credentials for this employee, from a previous breach or some other source, and used the call to get the user’s multi-factor authentication (MFA) reset. That MFA factor was the only thing still standing between the attackers and the MGM network.
Once inside the network they compromised MGM’s Okta admin console and created identities of their own. They used these accounts to move laterally and exfiltrate sensitive MGM data. They then attempted to contact MGM to negotiate a price for the stolen data, but MGM wouldn’t respond. This eventually pushed Scattered Spider to deploy ransomware into MGM’s infrastructure, costing MGM millions and bringing its systems down for several days.
Who do you think is at fault for the attack? What could MGM have done to prevent this from happening?
📃 Key TTPs Used In The Attack 📃
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/b744798b-1eae-4cc5-b67a-469fa51ca7d5/ATT_CK_red.png)
MITRE ATT&CK Framework: https://attack.mitre.org/
Phishing - T1566 (the help-desk phone call is the voice sub-technique, Spearphishing Voice, T1566.004; the older ID T1192 is retired)
The phishing call initiated the compromise. By impersonating the employee, the attackers got the help desk to reset MFA for a user whose credentials they already held.
Credential Dumping - T1003
The credentials used by the attackers were acquired beforehand. This could have been from a number of sources, but it is thought to be from a previous data breach. Strictly speaking, logging in with credentials obtained elsewhere is Valid Accounts (T1078); T1003 covers dumping them from a compromised host.
Account Manipulation - T1098
The attackers used the admin account they compromised to create their own accounts in their identity management platform (Okta).
Data Encrypted for Impact - T1486
Once the attackers realized that MGM wasn’t going to pay for the stolen data, they deployed ransomware across a large portion of MGM’s infrastructure.
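The first two TTPs above leave a tell-tale sequence in the identity provider’s log: an MFA factor is reset on an account, and shortly afterwards that same account creates new users or adds users to an admin group. The hunt below is an added example written for this post, not MGM’s or Okta’s code. It runs over a handful of constructed events shaped like Okta System Log entries; the event type names (`user.mfa.factor.reset_all`, `user.mfa.factor.deactivate`, `user.lifecycle.create`, `group.user_membership.add`) are assumed to match your tenant’s log and should be verified there, and every login and timestamp is made up.

```python
"""Hunt for an MFA reset followed by privileged account changes.

Added example (not from the original post). Looks for the MGM-style
pattern in Okta-shaped System Log events: an MFA factor on account X is
reset or deactivated, and within a time window account X (now the actor)
creates a user or adds someone to a group.
"""
from datetime import datetime, timedelta

# Okta eventType values assumed here; verify against your own tenant's log.
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
PRIV_EVENTS = {"user.lifecycle.create", "group.user_membership.add"}


def _ev(published, event_type, actor, targets, result="SUCCESS"):
    """Build a minimal Okta-System-Log-shaped event (constructed sample data)."""
    return {
        "published": published,
        "eventType": event_type,
        "actor": {"type": "User", "alternateId": actor},
        "target": targets,
        "outcome": {"result": result},
    }


# Constructed sample log: helpdesk resets MFA for ops.admin, who then
# creates a user and adds it to an admin group. A second reset for a
# different user has no privileged follow-up and should not fire.
SAMPLE_EVENTS = [
    _ev("2023-09-08T10:00:00.000Z", "user.mfa.factor.reset_all",
        "helpdesk.tier1@example.com",
        [{"type": "User", "alternateId": "ops.admin@example.com"}]),
    _ev("2023-09-08T10:05:00.000Z", "user.mfa.factor.reset_all",
        "helpdesk.tier1@example.com",
        [{"type": "User", "alternateId": "sales.rep@example.com"}]),
    _ev("2023-09-08T10:40:00.000Z", "user.lifecycle.create",
        "ops.admin@example.com",
        [{"type": "User", "alternateId": "svc-backup2@example.com"}]),
    _ev("2023-09-08T10:45:00.000Z", "group.user_membership.add",
        "ops.admin@example.com",
        [{"type": "User", "alternateId": "svc-backup2@example.com"},
         {"type": "UserGroup", "displayName": "Super Administrators"}]),
    # Benign: an unrelated admin creates a user with no prior MFA reset.
    _ev("2023-09-08T11:00:00.000Z", "user.lifecycle.create",
        "it.admin@example.com",
        [{"type": "User", "alternateId": "new.hire@example.com"}]),
]


def _parse_ts(s):
    # Okta publishes ISO-8601 UTC timestamps ending in "Z".
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_suspicious_sequences(events, window=timedelta(hours=24)):
    """Return (reset_login, reset_event, followup_event) triples where an
    account whose MFA was reset performs a privileged change within `window`."""
    events = sorted(events, key=lambda e: _parse_ts(e["published"]))
    resets = []   # (login whose MFA was reset, time of reset, event)
    hits = []
    for e in events:
        if e.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed attempts are interesting too, but out of scope here
        t = _parse_ts(e["published"])
        et = e["eventType"]
        if et in MFA_RESET_EVENTS:
            for tgt in e.get("target", []):
                if tgt.get("type") == "User":
                    resets.append((tgt["alternateId"], t, e))
        elif et in PRIV_EVENTS:
            actor = e.get("actor", {}).get("alternateId")
            for login, rt, reset_ev in resets:
                if login == actor and rt <= t <= rt + window:
                    hits.append((login, reset_ev, e))
    return hits


def describe(hits):
    """Render hits as one line each for a ticket or alert body."""
    return [
        f"{login}: MFA reset at {r['published']} by {r['actor']['alternateId']}, "
        f"then {f['eventType']} at {f['published']}"
        for login, r, f in hits
    ]


if __name__ == "__main__":
    for line in describe(find_suspicious_sequences(SAMPLE_EVENTS)):
        print(line)
```

The window defaults to 24 hours because the reset and the follow-on activity in a help-desk attack are usually minutes to hours apart; tune it to your environment. A stricter variant would also weight the hit by whether the target group is an admin group, and would treat the reset itself as noteworthy when it is performed outside business hours or for an account that holds Okta admin roles.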
Reference:
MITRE ATT&CK: https://attack.mitre.org/