Threat Research | September 28, 2023

BlackCat (ALPHV): What we know about the MGM hack

Ransomware-as-a-service gang ALPHV (a.k.a. BlackCat) carried out a sophisticated attack on the hotel and casino company MGM. Here’s what the ReversingLabs threat team understands.

Ashlee Benge, Director of Threat Intelligence, ReversingLabs

More than a week after it suffered a crippling ransomware attack, the hotel giant MGM is struggling to recover. The attack, linked to the ransomware-as-a-service (RaaS) group known as ALPHV, or BlackCat, caused slot machines and ATMs in MGM’s Las Vegas hotels to go dark and forced hotel staff to revert to pencil and paper while guests queued for hours in lines to check in and out of their rooms.

Additional compromises occurred in the last week, including of MGM competitor Caesar’s Entertainment, and clues emerged as to the how, why, and when of the attack.

Reporting, along with a detailed statement by individuals claiming to represent ALPHV that fills in pieces of the picture, is providing insights into the MGM attack. Here's what we know so far about it and the group behind it.


BlackCat Targeting Layer 8

Published accounts of the incident and a statement by a group claiming responsibility for the hack of MGM indicate that the ALPHV group used social engineering to penetrate the defenses of MGM, Caesar’s, and other firms. Specifically, the attackers identified one or more highly privileged (super administrator) MGM employees and then fooled IT service desk personnel at MGM into resetting the multifactor authentication used by those privileged users.

That fits with the modus operandi of other recent attacks. The access management provider Okta issued a statement in August warning about a pattern of such attacks affecting “multiple US-based Okta customers,” though those customers were not named. The timing of that warning coincides with the reported attack on Caesar’s Entertainment.

Okta’s post about the attacks said threat actors obtained passwords for privileged user accounts or were able to “manipulate the delegated authentication flow via Active Directory” before they called the IT service desk. The threat actors would access the compromised account via anonymizing proxy services and an IP address that hadn’t previously been associated with the targeted account, Okta said.

Once in control of the super admin accounts, the attackers assigned higher privileges to other accounts they controlled or removed second-factor requirements altogether to facilitate lateral movement.

In the case of MGM, that left the threat actors with “super administrator privileges to (MGM’s) Okta” environment (mgmresorts.okta.com), along with “Global Administrator privileges to their Azure tenant,” according to a statement attributed to the threat group. “They made an attempt to evict us after discovering that we had access to their Okta environment, but things did not go according to plan,” the attackers wrote.
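The sequence described above (help-desk MFA reset, login from an unfamiliar proxy IP, then privilege changes by the compromised account) is something an Okta tenant's System Log can surface. The following is an added detection example, not code from the article or from ReversingLabs; the event-type names (`user.mfa.factor.reset_all`, `user.session.start`, `user.account.privilege.grant`, `user.mfa.factor.deactivate`), the `securityContext.isProxy` field, the sample events, and the known-IP table are assumptions to verify against your own tenant.

```python
# Added detection example (not from the article or ReversingLabs). Event-type and
# field names follow the Okta System Log schema as I know it; verify on your tenant.
from datetime import datetime, timedelta

# Constructed sample: help desk resets MFA for a super admin, a session then starts
# for that user from a never-seen proxy IP, and a privilege grant follows.
SAMPLE_EVENTS = [
    {"published": "2023-09-08T14:02:11Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk@example.com"},
     "target": [{"alternateId": "superadmin@example.com"}],
     "client": {"ipAddress": "10.1.1.5"}, "securityContext": {"isProxy": False}},
    {"published": "2023-09-08T14:31:40Z", "eventType": "user.session.start",
     "actor": {"alternateId": "superadmin@example.com"}, "target": [],
     "client": {"ipAddress": "203.0.113.77"}, "securityContext": {"isProxy": True}},
    {"published": "2023-09-08T14:40:05Z", "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "superadmin@example.com"},
     "target": [{"alternateId": "new-operator@example.com"}],
     "client": {"ipAddress": "203.0.113.77"}, "securityContext": {"isProxy": True}},
]
# Known-good source IPs per account (constructed; build from real login history).
KNOWN_IPS = {"superadmin@example.com": {"10.1.1.5", "10.1.1.9"}}
# Post-login actions the article describes: granting privileges, removing MFA.
FOLLOW_UP_TYPES = {"user.account.privilege.grant", "user.mfa.factor.deactivate"}

def _ts(ev):
    return datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%SZ")

def find_mfa_reset_takeovers(events, window_hours=24):
    """One alert per MFA reset followed, within the window, by a login from an
    unknown or proxy IP and then a privilege/MFA change performed by that user."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, reset in enumerate(events):
        if reset["eventType"] != "user.mfa.factor.reset_all" or not reset["target"]:
            continue
        user = reset["target"][0]["alternateId"]
        deadline = _ts(reset) + timedelta(hours=window_hours)
        login_ip = None
        for ev in events[i + 1:]:
            if _ts(ev) > deadline:
                break
            if ev["actor"]["alternateId"] != user:
                continue
            ip = ev["client"]["ipAddress"]
            unknown = ip not in KNOWN_IPS.get(user, set()) or ev["securityContext"]["isProxy"]
            if ev["eventType"] == "user.session.start" and unknown:
                login_ip = ip
            elif login_ip and ev["eventType"] in FOLLOW_UP_TYPES:
                alerts.append({"user": user, "reset_by": reset["actor"]["alternateId"],
                               "login_ip": login_ip, "action": ev["eventType"]})
                break  # one alert per reset is enough to open an investigation
    return alerts
```

On the constructed sample this returns a single alert tying the help-desk reset, the proxy login, and the privilege grant together; the same logic can be fed a real System Log export once the field names are confirmed.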

Are ALPHV cybercrooks without a cause?

As ReversingLabs has observed, ALPHV/BlackCat is a RaaS group, believed to be based in Russia, that leases its software and services to cybercriminal groups. In other words, those responsible for carrying out the attacks on MGM, Caesar’s, and others are likely affiliates of the more established ALPHV/BlackCat group.

So how was the MGM attack carried out? In recent days, reporting regarding the attacks on MGM, Caesar’s Entertainment, and other targets has provided good insights, with leading cybersecurity firms pointing at an unidentified group of North American and U.K. hackers — believed to be in their teens or early 20s — as the likely culprits.

Allison Nixon, the chief research officer at the firm Unit221B, told Politico’s Morning Cybersecurity newsletter that the attackers were not Russian hackers. "They live in Five Eyes countries, and some of them are underage.” (Five Eyes is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States.) That account was corroborated by other leading threat intelligence firms, which said that three to four individuals between the ages of 17 and 24 were behind as many as 50 intrusions in the last 18 months.

The actors communicate via an “English-language Telegram channel known as the Com, where mostly high-school-aged individuals bond over a range of illicit activity, from sextortion schemes and fraud to blackmail,” Politico reported. However, none of the individuals behind the attacks has been identified yet.

The group uses its fluency in English to facilitate schemes such as smishing (SMS phishing), SIM swapping, and other social engineering methods. The group has proved adept at exploiting third-party vulnerabilities: leapfrogging from a compromised IT provider to its customers, the experts told Politico.

The group’s use of the BlackCat ransomware in recent attacks may indicate that its activities have attracted the attention of larger Russian cybercriminal gangs looking for a way into Western firms and drawn to affiliates whose status as juveniles lowers the stakes in the United Kingdom and the United States.

BlackCat’s long tail

BlackCat/ALPHV is a group with a long record of activity. ReversingLabs first identified BlackCat’s Rust-based malware in 2021 and traces the group’s emergence to preceding ransomware gangs such as Carbanak, REvil, DarkSide, and BlackMatter. RL researchers have linked the group to attacks in the United States, Europe, and the Philippines against industry verticals including retail, transportation, pharmaceuticals, and telecommunications. (You can now add hospitality.)

The BlackCat RaaS gang gives its affiliates an 80% or 90% cut of the proceeds of a successful attack, according to our observations. That makes it an attractive offering for cybercriminals looking to make a quick buck.

As was seen with MGM, the initial stages of an attack that uses the BlackCat ransomware often involve spearphishing attacks to establish initial access, and exploitation of lax security practices that leave widely known vulnerabilities unpatched, including CVE-2016-0099, a seven-year-old privilege-escalation vulnerability affecting older versions of Microsoft Windows, or the two-year-old ProxyShell vulnerabilities (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523) affecting Microsoft Exchange.

Once inside an environment, standard tooling such as Mimikatz, Cobalt Strike, and Rsync is usually deployed to facilitate lateral movement and the compromise of additional assets.

The BlackCat ransomware itself is human-operated but flexible and powerful. It can employ a variety of encryption routines, including intermittent encryption of files, in which only parts of a file’s contents are encrypted. BlackCat can also spread between infected devices and offers criminals the ability to kill hypervisors and wipe their snapshots to prevent recovery, ReversingLabs has observed. Additional features facilitate data exfiltration and anti-forensics measures to prevent file recovery.

Slow down: Children ahead

The lesson, say experts, is that organizations need to take the threat of attacks seriously and make a study of attackers’ methods. That’s true, even in cases where the perpetrators aren’t old enough to buy themselves a celebratory beer.

For MGM, the attacks linked to ALPHV/BlackCat brought activity at its hotels and casinos in Las Vegas and elsewhere to a halt — costing the company tens of millions of dollars in lost revenue. FTC Commissioner Lina Khan was among those who found themselves stuck in a long line and scribbling credit card information on slips of paper to check out of a ransomware-crippled MGM Grand in Las Vegas.

As for preventing such attacks, a good place to start is with training staff to be mindful of sophisticated spearphishing, vishing (voice phishing), and other attacks that attempt to undermine two-factor authentication schemes. But organizations also need to keep eyes open for the many indicators of compromise that suggest something is amiss.

In the case of MGM, the malicious actors spent hours, if not days, within MGM’s environment before launching their attack. That was a critical window of opportunity for MGM to derail the operation or limit its scope. Given the impossibility of ruling out human errors of judgment, early detection is the best chance organizations have to keep from going bust at the hands of a ransomware group such as BlackCat.

