MGM hacked / all computer systems down.

[Sanlmar]

speaking of mood, moodys just fired a shot over the bow; continued disruption = negatively impact MGM credit.


https://robinhood.com/news/article/6...e-8f23acc0d4bb

You just got my juices flowing. I’m smiling irl.

Institutions are the dumb money in my world.

[sonatine]

yeah but you know.. is there dumb liquidity / smart liquidity?

[sonatine]

eta on getting this unfucked is 2 weeks minimum apparently

[lol wow]

hey tine two fingers MORE LIKE COMJEWTER SYSTEMS AMIRITE

[lol wow]

todd i apologize on behalf of ur race

[TheXFactor]

Apparently, the physical key card they give you is some sort of master key.

People's rooms are being broken into to and a lot of stuff is being stolen.

Unauthorized charges are showing up on customers credit cards.

Conventions that are suppose to be taken place soon will be cancelling.

MGM Resorts stock ia going to take a major hit. SELL, SELL, SELL!!!

Hotel phones may be inoperative. Druff is going to be pissed.

[sonatine]

https://techcrunch.com/2023/09/14/mg...ttered-spider/


good summary / sitch report.


btw although a lot of the downtime may be directly attributable to the actions of hackers, more than likely they are being forced to rebuild every element of their infrastructure from the ground up using tapes / trusted media basically.

[Sanlmar]

Forum Wars: Makes sense. MGM will probably have the best Hack/Ransomware infrastructure within 1 year: get ready for 25% more fees...

You believe MGM will get high draft choices because they finished last?

Worst to first rarely happens in business

Casinos pay terrible

[TheXFactor]

LOL.

Comedy of failures by MGM.

They should have paid the ransom.

Embedded Tweet

https://twitter.com/twt/status/1702442972501917827

[sonatine]

mgm website back online.

[FRANKRIZZO]

Yes, saw they paid 30 milli plus

[sonatine]

Yes, saw they paid 30 milli plus

this was actually Caesars, and i believe they only paid 15m despite the 30m figure being tossed around. unless you saw something specific about MGM paying 30m?


the standard practice these days is to hire a 3rd party to negotiate payment and most of these companies are insured for those payments regardless.


whats been fun has been combing through the blockchain trying to find how/where those payments were prepped/tendered.

[TheXFactor]

LOL.

Everything is fine.


Russian hackers claim MGM Resorts breach, irritating visitors

https://www.reviewjournal.com/busine...itors-2903998/

Embedded Tweet

https://twitter.com/twt/status/1702444589909414312

Okay but will they get paid two weeks from then?

Embedded Tweet

https://twitter.com/twt/status/1702411375652610534

[sonatine]

fwiw ALPHV arent russian. there may have been russians involved but they are likely teenagers who happened to be tapped in for lulz after ALPHV did the lions share of the breach. ALPHV, like Lapsus$, tend to work with teens to limit their legal exposure if things go sideways. from what i read of their attack narrative there wasnt a lot going on there that they would need outside help with.

[Ryback_feed_me_more]

https://techcrunch.com/2023/09/14/mg...ttered-spider/


good summary / sitch report.


btw although a lot of the downtime may be directly attributable to the actions of hackers, more than likely they are being forced to rebuild every element of their infrastructure from the ground up using tapes / trusted media basically.

Holy fuck somebody's getting fired in IT for sure after this.

News finally reported on the older Ceasers' attack. While I get their rivals, why Ceasers didn't shared the info on their attack with MGM is rather shitty, but this is about for once doing what's right instead of sitting on intel. Did Ceasers even report their attack to IC3 or just bury it due to concerns over stock prices? If not, they deserve a karmic bitchslap. Some night argue, they could be at least from an ethical standpoint, are a little to blame for MGMs intrusion. Good example. Your neighbor gets robbed but ya'll hate each other so he doesn't call the cops to report the break in. Same dudes break into your house, Same MO and everything I'd be pissed for sure.

[gut]

https://techcrunch.com/2023/09/14/mg...ttered-spider/


good summary / sitch report.


btw although a lot of the downtime may be directly attributable to the actions of hackers, more than likely they are being forced to rebuild every element of their infrastructure from the ground up using tapes / trusted media basically.

Holy fuck somebody's getting fired in IT for sure after this.

News finally reported on the older Ceasers' attack. While I get their rivals, why Ceasers didn't shared the info on their attack with MGM is rather shitty, but this is about for once doing what's right instead of sitting on intel. Did Ceasers even report their attack to IC3 or just bury it due to concerns over stock prices? If not, they deserve a karmic bitchslap. Some night argue, they could be at least from an ethical standpoint, are a little to blame for MGMs intrusion. Good example. Your neighbor gets robbed but ya'll hate each other so he doesn't call the cops to report the break in. Same dudes break into your house, Same MO and everything I'd be pissed for sure.

I would call Ceasers and MGM more "partners in crime" than "rivals"

[sonatine]

Embedded Tweet

https://twitter.com/myraccoonhands/status/1702351038529798391

[sonatine]

https://techcrunch.com/2023/09/14/mg...ttered-spider/


good summary / sitch report.


btw although a lot of the downtime may be directly attributable to the actions of hackers, more than likely they are being forced to rebuild every element of their infrastructure from the ground up using tapes / trusted media basically.

Holy fuck somebody's getting fired in IT for sure after this.

its not necessarily that cut and dried. if they follow a runbook and the runbook isnt appropriate for this contingency, you cant really hold the person who did their job as they were trained accountable.

plus the people who wrote those guidelines might be long gone. a lot of these types of corporations are still working off policy/procedure written decades ago.

an ex poster here used to have a lot of insight into casino IT and from what i gathered, its so heavily regulated that its basically like working for a state government. so nothing ever changes fast, if at all, to meet shifting external conditions.

honestly this is one of the reasons why its such a big deal when white house regimes start pushing these new improved standards and start mandating disclosures etc; if they didnt the death spiral would look a lot like the florida housing market, where none of these companies could find insurance and eventually they would all just get torn apart like a dead whale in sharky waters.

[sonatine]

Statement on MGM Resorts International: Setting the record straight
9/14/2023, 7:46:49 PM

We have made multiple attempts to reach out to MGM Resorts International, "MGM". As reported, MGM shutdown computers inside their network as a response to us. We intend to set the record straight.

No ransomware was deployed prior to the initial take down of their infrastructure by their internal teams.

MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking on their Okta Agent servers sniffing passwords of people whose passwords couldn't be cracked from their domain controller hash dumps. Resulting in their Okta being completely locked out. Meanwhile we continued having super administrator privileges to their Okta, along with Global Administrator privileges to their Azure tenant. They made an attempt to evict us after discovering that we had access to their Okta environment, but things did not go according to plan.

On Sunday night, MGM implemented conditional restrictions that barred all access to their Okta (MGMResorts.okta.com) environment due to inadequate administrative capabilities and weak incident response playbooks. Their network has been infiltrated since Friday. Due to their network engineers' lack of understanding of how the network functions, network access was problematic on Saturday. They then made the decision to "take offline" seemingly important components of their infrastructure on Sunday.

After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing. This was after they brought in external firms for assistance in containing the incident.

In our MGM victim chat, a user suddenly surfaced a few hours after the ransomware was deployed. As they were not responding to our emails with the special link provided (In order to prevent other IT Personnel from reading the chats) we could not actively identify if the user in the victim chat was authorized by MGM Leadership to be present.

We posted a link to download any and all exfiltrated materials up until September 12th, on September 13th in the same discussion. Since the individual in the conversation did not originate from the email but rather from the hypervisor note, as was already indicated, we were unable to confirm whether they had permission to be there.

To guard against any unneeded data leaking, we added a password to the data link we provided them. Two passwords belonging to senior executives were combined to create the password. Which was clearly hinted to them with asterisks on the bulk of the password characters so that the authorized individuals would be able to view the files. The employee ids were also provided for the two users for identification purposes.

The user has consistently been coming into the chat room every several hours, remaining for a few hours, and then leaving. About seven hours ago, we informed the chat user that if they do not respond by 11:59 PM Eastern Standard Time, we will post a statement. Even after the deadline passed, they continued to visit without responding. We are unsure if this activity is automated but would likely assume it is a human checking it.

We are unable to reveal if PII information has been exfiltrated at this time. If we are unable to reach an agreement with MGM and we are able to establish that there is PII information contained in the exfiltrated data, we will take the first steps of notifying Troy Hunt from HaveIBeenPwned.com. He is free to disclose it in a responsible manner if he so chooses.

We believe MGM will not agree to a deal with us. Simply observe their insider trading behavior. You believe that this company is concerned for your privacy and well-being while visiting one of their resorts?

We are not sure about anyone else, but it is evident from this that no insiders have purchased any stock in the past 12 months, while 7 insiders have sold shares for a combined 33 MILLION dollars. (https://www.marketbeat.com/stocks/NY...nsider-trades/). This corporation is riddled with greed, incompetence, and corruption.

We recognize that MGM is mistreating the hotel's customers and really regret that it has taken them five years to get their act together. Other lodging options, including casinos, are undoubtedly open and happy to assist you.

At this point, we have no choice but to criticize VX Underground for falsely reporting events that never happened. We typically consider their information to be highly reliable and timely, but we did not attempt to tamper with MGM's slot machines to spit out money because doing so would not be to our benefit and would decrease the chances of any sort of deal.

The rumors about teenagers from the US and UK breaking into this organization are still just that—rumors. We are waiting for these ostensibly respected cybersecurity firms who continue to make this claim to start providing solid evidence to support it. Starting to the actors' identities as they are so well-versed in them.

The truth is that these specialists find it difficult to delineate between the actions of various threat groupings, therefore they have grouped them together. Two wrongs do not make a right, thus they chose to make false attribution claims and then leak them to the press when they are still unable to confirm attribution with high degrees of certainty after doing this. The tactics, procedures, and indicators of compromise (TTPs) used by the people they blame for the attacks are known to the public and are relatively easy for anyone to imitate.

The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets made the decision to falsely claim that we had claimed responsibility for the attack before we had.

We still continue to have access to some of MGM's infrastructure. If a deal is not reached, we shall carry out additional attacks. We continue to wait for MGM to grow a pair and reach out as they have clearly demonstrated that they know where to contact us.
https://mgmresorts.com

[sonatine]