Caesars says cyber-crooks stole customer data as MGM casino outage drags on


Updated: Casino giant Caesars Entertainment has confirmed miscreants stole a database containing customer info, including driver licence and social security numbers for a "significant number" of its loyalty programme members, in a social engineering attack earlier this month.

The admission comes as MGM Resorts enters its 4th day of inoperable IT systems and casinos following a "cybersecurity issue." Internet crime gang Scattered Spider, understood to be responsible for that intrusion, reportedly bragged that all it took to break into the corporation's networks was a ten-minute call with the help desk.

It's also reported the arachnid crew hit both Caesars and MGM Resorts, though some reps for Scattered Spider, also known as 0ktapus, claimed they only hit MGM and had nothing to do with the Caesars raid.

Then fall Caesars

In an 8-K form submitted late last week to the SEC, America's financial watchdog, Caesars – which owns more than 50 resorts and casinos in Las Vegas and 18 other US states – disclosed the theft of its customer database, which it blamed on "a social engineering attack on an outsourced IT support vendor."

Caesars declined to answer The Register's questions. The digital break-in was discovered on September 7, according to its SEC filing. The crooks stole Caesars' loyalty programme database, which was stuffed with people's sensitive personal information.

"We are still investigating the extent of any additional personal or otherwise sensitive information contained in the files acquired by the unauthorized actor," Caesars told the SEC. "We have no evidence to date that any member passwords/PINs, bank account information, or payment card information (PCI) were acquired by the unauthorized actor."

Upon noticing suspicious IT network activity, the entertainment goliath said it not only immediately launched a probe, it also hired "leading cybersecurity firms" to help with its incident response and remediation efforts, and notified law enforcement and state gaming regulators.

All of this sounds pretty routine, though there is another line in the SEC filing that seems to indicate extortion — and a payment made by Caesars to potentially end the pain:

That to us sounds like whoever broke into the IT systems made off with the data and wanted some kind of bung to keep the information private. The Register asked Caesars to explain what specific steps were taken, among other questions about the fiasco: who is the unnamed IT outsourcer? Who was behind the break-in? Did those crooks demand a ransom and if so, how much, and was it paid?

We have yet to hear back from the corporation, though we will update this story as soon as we do.

Extortion seems like a safe bet

Other media outlets are reporting that it was, in fact, an extortion attack and that Caesars coughed up a ransom.

Vital Vegas earlier this week whispered about hearing "rumblings" that Caesars was trying to play down word of a cyberattack. Bloomberg on Wednesday reported the casino giant had paid "tens of millions of dollars to hackers" who broke in and stole company data.

Vital Vegas updated its coverage of the matter later that day to report Caesars paid $15 million to the extortionists, down from a $30 million demand, citing unnamed sources: "We are not making this up. Caesars talked them down like an episode of 'Pawn Stars.'"

Meanwhile, as the widespread outage across MGM Resorts enters its 4th day, that Las Vegas casino and hotel behemoth issued a second statement about its ongoing "cybersecurity issue."

"We continue to work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly," it xeeted. In response, hotel guests shared videos of quiet casinos and disconnected slot machines, and questioned how to cancel reservations and get a refund with the resorts' websites, email, and apps still not working.

There is one benefit: free parking at MGM Resorts properties.

Scattered Spider catches MGM in its web

Scattered Spider – a US-UK-based Lapsus$-like gang that specializes in social engineering attacks and is affiliated with the ALPHV ransomware operators – is said to be behind the MGM Resorts debacle. It's claimed all it took for the miscreants to infiltrate MGM Resorts was finding an employee on LinkedIn, then calling a help desk presumably to impersonate that staffer and gain access, or something like that.

"A company valued at $33,900,000,000 was defeated by a ten-minute conversation," as malware research nerve center VX-Underground put it.

In an interesting twist, and according to a Financial Times report, a spokesperson for the spider-themed crew claimed it had hoped to infect slot machine software at MGM Resort properties to rig the equipment, and then "recruit mules to gamble and milk the machines" of payouts.

When that wasn't possible, the gang returned to its tried and true method — a simple phone call to hoodwink some hapless employee — that worked in the past to compromise Okta and other high-profile victims.

That said, members of the ALPHV-Spider nexus denied going after the slot machines, saying: "Doing so would not be to our benefit and would decrease the chances of any sort of deal."

MGM Resorts declined to answer The Register's questions about the data breach. ®

Updated to add

On Thursday the miscreants behind the MGM Resorts cyber-attack decided to “set the record straight” with a statement on their dark-web blog. This missive sets out, in their mind, what really happened in the MGM Resorts intrusion and subsequent IT shutdown.

Technically speaking, the missive was issued by the notorious ransomware-as-a-service gang AlphaV, also known as ALPHV and BlackCat, of which Scattered Spider is an affiliate or sub-group. In any case, the crew today said it's made “multiple attempts” to contact hotel execs to no avail.

We’d suggest taking this statement with a heavy dose of salt — these are criminals, after all. “MGM shut down computers inside their network as a response to us,” the statement went. “No ransomware was deployed prior to the initial take down of their infrastructure by their internal teams.”

The gang said it broke into MGM Resorts IT environment on Friday, September 8, and "had been lurking on [MGM Resorts'] Okta Agent servers sniffing passwords of people whose passwords couldn't be cracked from their domain controller hash dumps." The gang said MGM realized something was up and switched off the company's Okta Sync servers, though the intruders were able to gain and keep super administrator level in Okta, “along with global administrator privileges to their Azure tenant.”

When MGM network admins found they couldn’t evict the pests, staff shut down various parts of their infrastructure in an effort to hold off the intruders, we're told.

“After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11 after trying to get in touch but failing,” the crime gang boasted, adding that MGM Resorts appeared unwilling to negotiate with the extortionists to end the attack. And if a deal isn't reached, AlphaV may leak data, including personal information, stolen from the corporation.

“We still continue to have access to some of MGM's infrastructure. If a deal is not reached, we shall carry out additional attacks,” the statement read.

“We continue to wait for MGM to grow a pair and reach out as they have clearly demonstrated that they know where to contact us,” the gang added, referring to its observation of someone quietly popping in and out of a chat room AlphaV set up to broker a settlement with its victim.