The ALPHV ransomware group, suspected to be behind the MGM Resorts cyber attack, has finally spoken out regarding the security incident.
Contrary to initial assumptions, the renowned global powerhouse in the casino and resort industry, MGM Resorts, initially did not fall prey to ransomware during the cyber attack. However, they later did.
ALPHV has provided clarification on its dark web platform, stating that ransomware was not deployed until a specific period had passed, during which the hackers attempted to establish communication with the MGM group.
The MGM Resorts Cyber Attack: ALPHV Ransomware Group’s Account
The much talked about MGM Resorts cyberattack has been officially confirmed as an incident involving unauthorized access and the acquisition of administrator privileges for their Okta Sync servers, by the ransomware group.
Okta, a California-based IT service management company, plays a central role in this breach. The company provides cloud-based software for ensuring secure user access, authentication, and the management of applications and websites.
ALPHV, also known as the BlackCat ransomware group, stated, “We have made multiple attempts to reach out to MGM Resorts International.”
However, their efforts to engage with MGM Resorts officials were not reciprocated. Instead, the company opted to safeguard its networks by shutting down their systems.
ALPHV also revealed that they observed MGM Resorts taking swift action to shut down all their Okta Sync servers. It became evident to ALPHV that MGM Resorts’ IT team had detected external entities present on their Okta Agents servers.
ALPHV was looking for passwords to gain access and remain unnoticed for logging in through an employee’s account credentials as part of the MGM Resorts ransomware attack.
In their post, ALPHV acknowledged encountering challenges when attempting to crack passwords from the domain controller hash dumps. This eventually resulted in the complete lockdown of Okta.
During this process, ALPHV emphasized that they successfully obtained full access to super administrator privileges within the Okta system, ultimately paving the way for the MGM Resorts cyber attack.
The hackers boasted of gaining Global Administrator privileges to their Azure tenant as well, which helped continue with the MGM ransomware attack.
MGM IT Team’s Struggle to Remove ALPHV Ransomware Group
ALPHV also elaborated on the situation where the MGM Resorts cybersecurity team attempted to evict them. “They made an attempt to evict us after discovering that we had access to their Okta environment, but things did not go according to plan.”
“On Sunday night (September 10, 2023) MGM implemented conditional restrictions that bared all access to their Okta (MGMResorts.okta.com) environment due to inadequate administrative capabilities and weak incident response playbooks,” ALPHV wrote.
At each step of the MGM Resorts cyber attack, ALPHV met with hurdles, however, they managed to gain access to the systems and noted in the dark web post where the global casino giant lagged in implementing security protocols.
ALPHV claimed that the MGM Resorts networks were infiltrated not from Sunday but from Friday, 8 September, 2023 making it the seventh day of the MGM Resorts hacking.
On September 11, 2023, MGM Resorts posted the above alert on its Twitter/X account, notifying the public that they had recently detected a cybersecurity issue.
MGM Resorts Could Have Handled it Better, Says ALPHV
The ransomware group stated that MGM Resorts’ network engineers could have managed the cyberattack more effectively on Saturday.
On Sunday, one day after the initial incident, ALPHV executed a ransomware attack on MGM Resorts.
They targeted over 100 ESXi hypervisors in their environment on September 11. Meanwhile, they made several unsuccessful attempts to communicate with the MGM authorities who stirred clear and remained mum.
Unknown User on MGM Resorts Network
ALPHV noted the appearance of a user on the ‘MGM victim chat’ just a few hours after deploying the ransomware, as stated in their post on their leak site concerning the MGM Resorts hack.
This user, however, remained unresponsive to ALPHV and refrained from clicking on any links sent by the cybercriminal group.
The hackers sent emails with special links to the user. At this point, ALPHV was left unsure if the user was from the company or was someone with unauthorized access.
ALPHV wanted to prevent other IT Personnel from MGM Resorts from reading the chats.
This shows that someone who was accessing or monitoring the systems of MGM Resorts learned about negotiations but did not click on any links to maintain caution and not increase the attack.
The link to download all the exfiltrated data from the MGM Resorts systems was left accessible on the same chat, to the company for perusal for two days on September 12 and 13.
Speculating about the background and identity of the unknown user, ALPHV concluded, “Since the individual in the conversation did not originate from the email but rather from the hypervisor note, as was already indicated, we were unable to confirm whether they had permission to be there.”
The uncertainty surrounding this situation explains the time taken by ALPHV to claim the MGM Resorts cyber attack if they started with their heist a week ago.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
