We're an RSA Conference 2024 Innovation Sandbox Finalist!


On September 12, 2023, the world woke up to the news of another significant cyber-attack, this time on MGM Resorts International, a renowned name in the hotel and casino industry. The incident affected their operations across various locations, including iconic Las Vegas.

MGM was quick to assure its customers and stakeholders that the attack did not compromise any credit card information or other sensitive data. In a report to the SEC (Securities and Exchange Commission) on Tuesday, they emphasized their commitment to security and privacy, stating that they had engaged with law enforcement and cybersecurity experts to investigate the breach thoroughly. According to their disclosure, the impact on operations was a result of a decision to shut down some systems once the attack was detected.

While MGM’s official statement provided a broad overview of the incident there are still many questions unanswered. The specifics of the breach, the extent of the data accessed, and the potential ramifications remained unclear, which is to be expected given its ongoing nature. However, this lack of clarity inevitably paves the way for a plethora of rumors and speculations.

Among these rumors, a very interesting statement, published on September 15 allegedly by the attackers themselves, stands out. According to the statement, the cyber-attack on MGM resorts international was executed by the ALPHV ransomware gang. ALPHV, also known as BlackCat, is one of the most active and dangerous ransomware groups in the world, and it is known for its aggressive tactics and its willingness to target high-profile victims.

 In their public statement, ALPHV detail their actions, MGM’s responses and their perspective on the entire incident. Here are some highlights of the statement:

  1. The attacker gained access to MGM’s domain controller, looking for hash dumps to crack passwords
  2. The attacker also accessed Okta Agent servers, where they were sniffing passwords
  3. The attacker was eventually able to have MGM’s Okta super administrator privileges and global administrator privileges for MGM’s Azure tenant.
  4. ALPHV launched ransomware attacks against more than 100 ESXi hypervisors in MGM’s environment on September 11th.
  5. ALPHV claim to have acquired 6TB of data from MGM’s systems. While they haven’t released any data yet, they’ve threatened to do so unless a ransom is paid.

The veracity of the information released by the attacker remains uncertain. It is entirely possible that this disclosure is part of a calculated psychological campaign aimed at exerting added pressure on MGM. Such tactics can be employed to sow doubt, create internal discord and further the attacker’s agenda, making it imperative to approach such claims with caution and skepticism.

However, even if the statement does not describe the true story, it sheds some light on how attackers can leverage the inherent complexity of hybrid environments with on-premises data centers, Cloud and SaaS (Software as a Service). We at Mitiga see this approach expanding and are closely monitoring publications related to this attack and others, looking for new or updated Cloud Attack Scenarios and TTPs (tactics, techniques, and procedures). As we identify such TTPs, we use our expertise in Cloud and SaaS forensics to uncover the traces that these attacks leave in Cloud and SaaS forensic data. The insights are then codified and added to our library of indicators of attacks (IOAs). We use this Cloud Attack Scenario Library (CASL) to continuously scan the forensic data lakes we amass for our customers in order to uncover ongoing or past attacks. As attacks like the one that affected MGM become increasingly common, this is an approach more organizations will be turning to strengthen their investigation capabilities and build greater cyber resilience. 

We’ll keep updating.


April 17, 2024

Don't miss these stories:

Mitiga Security Advisory: Abusing the SSM Agent as a Remote Access Trojan

Mitiga's research discovered a significant new post-exploitation security concept: involving the use of Systems Manager (SSM) agent as a Remote Access Trojan (RAT) on Linux and Windows machines, controlling them using another AWS account. We shared our research with the AWS security team and included some of their feedback to this advisory.

Ransomware Strikes Azure Storage: Are You Ready?

There’s been a recent surge in cloud ransomware attacks. Examples of such attacks were observed by Sophos X-Ops, which detected the ransomware group BlackCat/ALPHV using a new Sphinx encryptor variant to encrypt Azure storage accounts by employing stolen Azure Storage account keys. The BlackCat/ALPHV ransomware group is the same entity that claimed responsibility for infiltrating MGM’s infrastructure and encrypting more than 100 ESXi hypervisors.

How AWS EKS Pod Identity Feature Enhances Credential Management

This past week at re:Invent, AWS announced a very cool new product feature: EKS Pod Identity. As an AWS user, and specifically an EKS (Elastic Kubernetes Service) user, I spend a great deal of time connecting my pods and workloads to other AWS services and clusters in other regions and accounts, so for me, this feature arrives just in time.