MGM, Caesars cyberattacks send warning signal to banks

Photo caption: MGM Resorts, which operates Bellagio, Mandalay Bay, MGM Grand and Park MGM, continued to experience disruptions to its online booking system on Monday. The casino group had recovered many of its other systems Friday after days-long outages caused by ransomware. (Bridget Bennett/Bloomberg)

A cybercriminal group specializing in social engineering campaigns compromised both MGM Resorts and Caesars Entertainment this month, and the disruption continues for MGM.

The attacks highlight the complexity of the cybercriminal ecosystem, composed of multiple threat actors with various methods and specializations, and the perverse outcomes of paying ransomware demands.

The methods used by the group behind the MGM and Caesars attacks may serve as a preview of what banks may face as the group expands from targeting business process outsourcers, as it did against Caesars, to banks and other types of companies. (In an SEC filing, Caesars said it was affected by a social engineering attack on an outsourced IT support vendor.)

Scattered Spider, the threat actor reportedly behind both the Caesars and MGM hacks, is a financially motivated group that uses social engineering tactics to compromise its victims. Cybersecurity firms track the threat actor with various names, including UNC3944, Scatter Swine and Muddled Libra.

Google-owned cybersecurity firm Mandiant said Scattered Spider began changing its tactics this year by deploying ransomware and targeting a broader swath of companies, including those in hospitality, retail, media and entertainment and financial services.

As part of this shift in tactics, Scattered Spider has started working with the Alphv threat group, which deploys BlackCat ransomware, according to Charles Carmakal, the chief technology officer at Mandiant. Alphv acts as a kind of software vendor to Scattered Spider and others.

"Alphv is a ransomware-as-a-service operation that works with many different discrete affiliates. One of those affiliates is UNC3944," Carmakal said in a post on LinkedIn.

Over the past few months, the group has started to deploy BlackCat ransomware, which is a growing concern for financial services companies, and to advertise victims' data on the ransomware group's dark web blog (also known as an onion site), according to Carmakal.

Alphv has had its hand in other recent intrusions, including briefly claiming responsibility for a disruption of NCR point-of-sale terminals in April.

According to cybersecurity firm Trellix, Scattered Spider uses social engineering tactics to compromise victims. These tactics include SIM swapping, which enables criminals to send and receive texts and phone calls from a target phone number, and phishing, which involves impersonating a brand or person to steal passwords.

MGM has not said what data, if any, the Scattered Spider and Alphv groups stole from it. The hacking groups told Reuters and Bleeping Computer that they had stolen data from the casino chain but did not specify what kind. MGM did not respond to American Banker's request for comment.

Most MGM systems returned to normal on Friday, but as of Monday morning, online hotel reservations remained disabled.

Caesars Entertainment, which operates properties including Caesars Palace on the Las Vegas Strip, told the Securities and Exchange Commission on Friday that it had suffered a data breach and discovered it the week prior.

The breach did not disrupt any of the company's systems but did compromise drivers' license numbers and Social Security numbers for "a significant number" of Caesars loyalty program members.

Caesars Entertainment did not respond to American Banker's request for comment.

Caesars paid a ransom to the hackers, according to reports from Bloomberg and the Wall Street Journal. In its filing with the SEC, Caesars said it had "taken steps" to ensure that the stolen data had been deleted by the hackers, "although we cannot guarantee this result."

In other words, Caesars paid despite having no guarantees that paying would do anything, according to Allan Liska, a threat intelligence analyst at cyber intelligence firm Recorded Future.

"That is an EXTREMELY artful way of saying, oh yea we paid even though we know ransomware groups are lying bastards who won't actually delete the data," Liska said in a post on X, formerly known as Twitter.

The FBI advises against paying ransoms.

"The FBI does not support paying a ransom in response to a ransomware attack," the FBI said on its website. "Paying a ransom doesn't guarantee you or your organization will get any data back."

The FBI also notes that paying ransoms to cybercriminals "encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity."
