BlackCat/ALPHV reportedly encrypted more than 100 MGM ESXi hypervisors


Two major pieces of news broke Thursday evening regarding the MGM-Caesars breach that has plagued the two Las Vegas hotels all week.

BleepingComputer reported that the BlackCat/ALPHV ransomware group responsible for the attacks claimed to have infiltrated MGM’s infrastructure since last Friday and encrypted more than 100 ESXi hypervisors.

BlackCat reportedly said it exfiltrated network data and maintained access to some MGM infrastructure, threatening to deploy further attacks unless MGM ultimately agreed to pay a ransom.

Reports earlier this week indicated that negotiations between MGM and BlackCat/ALPHV were ongoing. It was also reported by Bloomberg that Caesars paid millions of dollars as a ransom.

The hackers said the only action they saw from MGM in response to the breach was MGM taking its Okta Sync servers offline after learning that BlackCat/ALPHV was hiding on its Okta Agent servers. Despite MGM shutting down Okta servers, the hackers said in their statement that they remained present on the MGM network.

Nick Hyatt, cyber practice lead at Optiv, explained that as large organizations have moved toward virtualization over the past decade, more and more of their technology has moved from bare-metal machines to virtualized servers. Hyatt said that by encrypting ESXi hosts, bad actors can cripple functionality: encrypting the hypervisor effectively disables every virtual machine running on it at once.

“It’s not a new tactic, but it’s effective,” Hyatt said. “As we see bad actor groups like this focus more on efficiency and payments rather than causing carnage, organizations must rely on defense in depth and ensure critical applications are protected by multiple layers of defense and redundancy. This is a costly problem, but in the long run results in a more secure environment.”

Callie Guenther, senior director of cyber threat research at Critical Start, added that the group’s evolving modus operandi, particularly its reliance on social engineering attacks and Bring Your Own Vulnerable Driver (BYOVD) techniques, which grant it elevated Windows privileges, highlights the multifaceted nature of the cyber threat environment.

“This combination of data encryption and the threat of its disclosure is a stark reminder of the multidimensional challenges businesses face when dealing with ransom attacks,” Guenther said. “The alleged continued access that the attackers claim to have, even after their initial breach, highlights the importance of thorough post-incident investigations. The assumed demographic profile of these threat actors – primarily young, English-speaking people – serves as a poignant reminder that cyber adversaries can emerge from virtually any location.”

Guenther said that when her team analyzed information about the Okta breaches, particularly as it related to MGM and Caesars, they saw a different but connected phase of the attack chain. Guenther said the Okta compromise appears to center on social engineering attacks against IT service desk staff to get MFA factors reset for highly privileged users.

“Once attackers gain super admin rights in Okta, they can potentially exploit these rights to further penetrate the organization’s network,” Guenther said. “This may include gaining elevated privileges on Windows systems. The ‘new methods of lateral movement and defensive evasion’ mentioned in the Okta report likely relate to this. With the proper permissions, they could access critical systems, including those managing virtual environments such as ESXi hypervisors.”

Guenther added that taking control of ESXi hypervisors gives attackers immense power over virtual machines. She said they could encrypt these virtual machines for ransom, as evidenced by the BlackCat/ALPHV ransomware attack on MGM.

“Most organizations run a significant number of their applications and databases on Windows virtual machines under ESXi hypervisors,” Guenther said. “If attackers leverage ESXi, and therefore VMs, they essentially control those Windows systems. This may lead to further data theft, system disruptions and other malicious activities. Essentially, Okta breaches can be considered an entry point or pivot point. Once attackers gain high privileges through tools like Okta, they can move laterally, escalating their privileges on critical systems like Windows servers, and then exploiting high-value targets like ESXi hypervisors.”
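As a defender's view of the Okta phase of the chain Guenther describes, here is an added example (not from the article, Critical Start or Okta) that scans Okta System Log style events for an MFA factor reset on a privileged account followed by admin-console access from an IP not previously seen for that user. The event type names are Okta's own; the record layout, account names and IP addresses are constructed for the example.

```python
"""Flag the help-desk MFA-reset pattern in Okta System Log events: an MFA reset on a
privileged user followed, within WINDOW, by that user opening the Okta admin console
from an IP never seen for them. Sample records below are constructed, not real telemetry."""
from datetime import datetime, timedelta

# Okta System Log event type names (assumption: the tenant emits them unchanged).
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
ADMIN_ACCESS = "user.session.access_admin_app"
WINDOW = timedelta(hours=2)


def find_suspicious_resets(events, privileged_users, known_ips):
    """Return (user, reset_time, admin_ip) for each privileged user whose MFA was
    reset and who then reached the admin console from an unknown IP within WINDOW."""
    reset_at = {}  # user -> time of the most recent MFA reset on that user
    hits = []
    for e in sorted(events, key=lambda ev: ev["published"]):
        when = datetime.fromisoformat(e["published"])
        if e["eventType"] in RESET_EVENTS:
            # target[] names the user whose factors were reset; actor is the help-desk admin
            for t in e.get("target", []):
                if t.get("type") == "User" and t["alternateId"] in privileged_users:
                    reset_at[t["alternateId"]] = when
        elif e["eventType"] == ADMIN_ACCESS:
            user = e["actor"]["alternateId"]
            ip = e["client"]["ipAddress"]
            if (user in reset_at and when - reset_at[user] <= WINDOW
                    and ip not in known_ips.get(user, set())):
                hits.append((user, reset_at[user].isoformat(), ip))
    return hits


# Constructed sample, not real MGM or Caesars telemetry.
SAMPLE_EVENTS = [
    {"eventType": "user.mfa.factor.reset_all", "published": "2023-09-08T14:02:00",
     "actor": {"alternateId": "helpdesk@example.test"},
     "target": [{"type": "User", "alternateId": "superadmin@example.test"}],
     "client": {"ipAddress": "10.0.0.5"}},
    {"eventType": "user.session.access_admin_app", "published": "2023-09-08T14:20:00",
     "actor": {"alternateId": "superadmin@example.test"}, "target": [],
     "client": {"ipAddress": "203.0.113.77"}},   # unknown IP shortly after the reset
    {"eventType": "user.mfa.factor.reset_all", "published": "2023-09-08T15:00:00",
     "actor": {"alternateId": "helpdesk@example.test"},
     "target": [{"type": "User", "alternateId": "analyst@example.test"}],
     "client": {"ipAddress": "10.0.0.5"}},       # non-privileged user: ignored
    {"eventType": "user.session.access_admin_app", "published": "2023-09-08T16:00:00",
     "actor": {"alternateId": "itadmin@example.test"}, "target": [],
     "client": {"ipAddress": "198.51.100.10"}},  # known IP, no prior reset: benign
]
PRIVILEGED = {"superadmin@example.test", "itadmin@example.test"}
KNOWN_IPS = {"superadmin@example.test": {"198.51.100.10"}, "itadmin@example.test": {"198.51.100.10"}}
```

In practice the privileged set would come from the super-admin group membership and the known-IP baseline from historical sign-in events, so a hit is a trigger for post-incident review rather than proof of compromise.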

BlackCat/ALPHV affiliate responsible for MGM attack?

For those who don’t know which groups are responsible for the MGM and Caesars attacks, SC Media covered it in Thursday’s report, in which Michael Sikorski, vice president of engineering and CTO of Palo Alto Networks’ Unit 42, explained that BlackCat/ALPHV made the group Unit 42 calls “Muddled Libra” (aka Scattered Spider/UNC3944) an affiliate.

To make things even murkier, in today’s BleepingComputer story BlackCat/ALPHV did not directly confirm that Scattered Spider carried out the MGM attack, but they did confirm that it was one of their affiliates.

“BlackCat gives affiliates access to their ‘kit’ which includes ransomware, support, negotiations and access to their leak site,” Sikorski told SC Media. “It also allows Muddled Libra to put additional pressure on its targets and continue to find new revenue streams.”

In other news surrounding this story, Mandiant Google Cloud released a detailed blog post that explains the genesis of Scattered Spider, which Mandiant tracks as UNC3944. In the post, Mandiant explains that UNC3944 is a financially motivated threat group that has consistently used phone-based social engineering and SMS phishing campaigns to obtain credentials in order to gain and escalate access to victim organizations.

Although comprehensive and informative, the Mandiant Google Cloud post does not directly link UNC3944 and the MGM-Caesars incidents.