MGM rushed through its response owing to incompetent staff, had multiple system vulnerabilities, and did not care about customer safety, alleged ransomware group ALPHV, which also blamed VX Underground for spreading misinformation.

In an interesting turn of events, ransomware group ALPHV (aka BlackCat) released a statement on its leak site, thrashing both MGM Resorts International and the cybersecurity firm VX Underground for mishandling the ongoing cyberattack on MGM.

In a long message intended "to set the record straight," ALPHV detailed what has happened in the ransomware seizure of MGM's critical assets so far, noting that MGM hastily locked out key services, which ALPHV took as a sign of a poor response team.

"MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking in their Okta Agent servers sniffing passwords of people whose passwords couldn't be cracked from their domain controller hash dumps," ALPHV said in the message. "This resulted in their Okta being completely out."

The message also criticized VX Underground for "falsely reporting events that never happened" with regard to the tactics, techniques, and procedures (TTPs) used.

ALPHV calls MGM response hasty

ALPHV claimed to have initially infiltrated MGM's network by exploiting vulnerabilities in the global casino owner's Okta Agent without deploying any ransomware. They gained super administrator privileges to MGM's Okta and Global Administrator privileges to their Azure tenant.

In response to the network infiltration on Friday, September 8, MGM implemented conditional restrictions on September 10 that barred all access to their Okta environment owing to what ALPHV called "inadequate administrative capabilities and weak incident response playbooks."

"Due to their network engineers' lack of understanding of how the network functions, network access was problematic on Saturday," ALPHV said. "They then made the decision to 'take offline' seemingly important components of their infrastructure on Sunday."

Despite having been inside the network since Friday, ALPHV only launched its ransomware attack a day after MGM's shutdown on Sunday (September 11), wherein it seized access to more than 100 ESXi hypervisors in MGM's environment, according to the message. They did so "after trying to get in touch with MGM but failing."

However, experts like Bobby Cornwell, vice president of strategic partner enablement & integration at SonicWall, believe MGM's move to shut down was indeed justified. "Out of an abundance of caution, MGM made the right call to lock down all the systems it did, even if it meant inconveniencing its guests as a result of their actions," Cornwell said.

VX Underground schooled for misinformation

ALPHV called out VX Underground, the cybersecurity research firm that first linked the attack to ALPHV, for misinforming and oversimplifying the TTPs deployed in the attack.

"At this point, we have no choice but to criticize VX Underground for falsely reporting events that never happened," ALPHV said. "They chose to make false attribution claims then leak them to the press when they are still unable to confirm attribution with high degrees of certainty after doing this. The TTPs used by the people they blame for the attacks are known to the public and are relatively easy for anyone to imitate."

In an X (formerly Twitter) post, VX Underground had said, "All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation."

Uncertainty looms amid insider trading rumors

ALPHV said that an unknown user surfaced in the MGM victim chat a few hours after the ransomware was deployed and that they couldn't link him to MGM as their email inquiries went unanswered. ALPHV posted a link to download exfiltrated materials up until September 12 in the discussion with the user, yet neither the user nor MGM has reacted to deadlines threatening a leak.

ALPHV also alleged dubious activities within MGM, questioning the company's interest in customer safety. "We believe MGM will not agree to a deal with us," ALPHV said. "Simply observe their insider trading behavior. No insider has purchased any stock in the past 12 months, while insiders have sold shares for a combined 33 million dollars."

Uncertainty looms as several of MGM's key systems remain shut even days after the attack, which came to light on September 10 when the company announced it was forced to shut down many systems due to a cybersecurity issue.

"The fact that the website is still down suggests this was the real prize for the attackers," Cornwell said. "While gaming systems do have an abundance of elements that a hacker would look for in a ransomware attack, the resort's website, which allows for bookings of rooms and entertainment, does have a far-reaching and very public effect that could lead to a large payday for ransomware actors."
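The chain the article describes, a help-desk-driven account reset followed by an Okta super administrator grant to the same account, is the kind of sequence an identity team can watch for in the Okta System Log. The script below is an added example written for this page, not MGM's or Okta's own tooling: it runs over a handful of constructed log events in Okta System Log shape, flags every grant of an administrator role, and then correlates those grants with a password reset on the same target within a configurable window. The event type names (user.account.reset_password, user.account.privilege.grant) follow Okta's public System Log naming, while the debugContext.debugData.privilegeGranted field is assumed here and should be checked against a real export before use.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in Okta System Log shape. None of this is real
# MGM data; the names and timestamps are invented for the example.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"published": "2023-09-01T09:00:00Z", "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "itadmin@example.test"},
     "target": [{"alternateId": "carol@example.test"}],
     "debugContext": {"debugData": {"privilegeGranted": "Read-only administrator"}}},
    {"published": "2023-09-08T10:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.test"},
     "target": [{"alternateId": "alice@example.test"}], "debugContext": {}},
    {"published": "2023-09-08T10:15:00Z", "eventType": "user.account.reset_password",
     "actor": {"alternateId": "helpdesk.bob@example.test"},
     "target": [{"alternateId": "alice@example.test"}], "debugContext": {}},
    {"published": "2023-09-08T11:05:00Z", "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "alice@example.test"},
     "target": [{"alternateId": "alice@example.test"}],
     "debugContext": {"debugData": {"privilegeGranted": "Super administrator"}}},
])

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(raw):
    """Parse newline-delimited JSON events as exported from the System Log."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def _targets(event):
    return [t.get("alternateId") for t in event.get("target", [])]


def flag_admin_grants(events):
    """Return one finding per target that received any administrator role.

    The privilegeGranted field location is an assumption for this example.
    """
    findings = []
    for e in events:
        if e.get("eventType") != "user.account.privilege.grant":
            continue
        priv = e.get("debugContext", {}).get("debugData", {}).get("privilegeGranted", "")
        if "administrator" not in priv.lower():
            continue
        for target in _targets(e):
            findings.append({
                "time": e["published"],
                "actor": e.get("actor", {}).get("alternateId"),
                "target": target,
                "privilege": priv,
            })
    return findings


def flag_reset_then_grant(events, window_hours=24):
    """Admin grants preceded by a password reset on the same account.

    A reset followed shortly by an administrator grant matches the help-desk
    social engineering path described in the article and deserves review.
    """
    resets = {}
    for e in events:
        if e.get("eventType") == "user.account.reset_password":
            for target in _targets(e):
                resets.setdefault(target, []).append(datetime.strptime(e["published"], TS_FMT))
    hits = []
    for grant in flag_admin_grants(events):
        granted_at = datetime.strptime(grant["time"], TS_FMT)
        for reset_at in resets.get(grant["target"], []):
            if timedelta(0) <= granted_at - reset_at <= timedelta(hours=window_hours):
                hits.append({**grant, "reset_at": reset_at.strftime(TS_FMT)})
                break
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for f in flag_admin_grants(evts):
        print("admin grant:", f)
    for h in flag_reset_then_grant(evts):
        print("reset then admin grant:", h)
```

The first check on its own is noisy in a large tenant, since legitimate role changes happen daily; the correlation with a reset on the same account narrows it to the sequence worth paging on. Pairing it with a rule that any Super administrator grant requires a change ticket, and alerting when no ticket exists, is the usual next step.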