BlackCat/ALPHV reportedly encrypted more than 100 MGM ESXi hypervisors
Ransomware, Phishing, Cloud Security

Two important pieces of news broke late Thursday on the MGM-Caesars breach that has plagued the two Las Vegas hotels all week.

BleepingComputer reported that the BlackCat/ALPHV ransomware group responsible for the attacks claimed to have been inside MGM's infrastructure since last Friday and to have encrypted more than 100 ESXi hypervisors. BlackCat reportedly said that it exfiltrated data from the network and maintains access to some of MGM's infrastructure, threatening to launch new attacks unless MGM finally agrees to pay a ransom.

Reports earlier this week indicated that negotiations between MGM and BlackCat/ALPHV have been ongoing. Bloomberg also reported that Caesars paid millions of dollars in ransom.

The hackers said the only action they saw from MGM in response to the breach was that MGM disconnected its Okta Sync servers after learning that BlackCat/ALPHV had been lurking on its Okta Agent servers. Despite MGM shutting down the Okta servers, the hackers said in their statement that they remain present on the MGM network.

Nick Hyatt, cyber practice leader at Optiv, explained that as major organizations have moved to virtualization over the past decade, more and more of their technology has moved from bare metal machines to virtualized servers. By encrypting ESXi servers, Hyatt said, threat actors can cripple functionality — encrypting the host server essentially disables all the virtualized servers in one fell swoop.

“This is not a new tactic, but it’s efficient,” said Hyatt. “As we see threat actor groups like this focus more on efficiency and payouts rather than causing carnage, organizations must rely on defense-in-depth and ensuring mission-critical applications are protected by multiple layers of defense and redundancy. It’s an expensive problem, but in the long run results in a more secure environment.”

Callie Guenther, senior manager, cyber threat research at Critical Start, added that the evolving modus operandi of this group, particularly its use of social engineering attacks and the Bring Your Own Vulnerable Driver (BYOVD) strategy that gives it elevated Windows privileges, underlines the multifaceted nature of the cyber threat environment.

“This combination of data encryption and the threat of its release is a stark reminder of the multi-dimensional challenges businesses face when dealing with ransom attacks,” said Guenther. “The alleged continuous access the attackers claim to have, even after their initial breach, underscores the importance of thorough post-incident investigations. The supposed demographic profile of these threat actors — primarily young English-speakers — serves as a poignant reminder that cyber adversaries can emerge from virtually any quarter.”

Guenther said that when her team analyzed the information about the Okta breaches, especially as it relates to MGM and Caesars, they saw a different, but connected, phase of the attack chain. Guenther said Okta's compromise appears centered on social engineering attacks against IT service desk personnel to reset MFA factors for highly privileged users.

“Once attackers gain Super Administrator rights in Okta, they can potentially leverage these rights to further penetrate the organization's network,” explained Guenther. “This can include gaining escalated privileges on Windows systems. The ‘novel methods of lateral movement and defense evasion’ mentioned in the Okta report likely pertain to this. With the right permissions, they could gain access to critical systems, including those managing virtual environments like ESXi hypervisors.”

Guenther added that gaining control over ESXi hypervisors gives attackers immense power over VMs. She said they could encrypt these VMs for ransom, as evidenced by the BlackCat/ALPHV ransomware attack on MGM.

“Most organizations run a significant number of their applications and databases on Windows-based VMs under ESXi hypervisors,” said Guenther. “If attackers exploit ESXi, and consequently the VMs, they essentially have control over these Windows systems. This can lead to further data theft, system disruptions, and other malicious activities. In essence, the Okta breaches can be viewed as an entry or pivot point. Once attackers gain significant privileges via tools like Okta, they can move laterally, escalate their privileges on critical systems like Windows servers, and then exploit high-value targets like ESXi hypervisors.”
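A defender-side check for the help desk MFA reset step Guenther describes, as an added example (not code from the article, Optiv, Critical Start or Okta): it scans Okta System Log records for successful MFA factor resets on privileged accounts performed by someone other than the account owner, and records the source of any factor re-enrolled shortly afterwards. The event type names follow Okta's System Log naming; the sample records, the privileged-user list and the one-hour window are constructed assumptions.

```python
"""Flag help-desk MFA factor resets on privileged Okta accounts (added example,
not code from the article or Okta; event names follow Okta System Log naming;
sample records, privileged-user list and time window are constructed)."""
import json
from datetime import datetime, timedelta

# Event types that wipe or remove a user's MFA enrollment.
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
# Assumption: users holding Super Administrator or other admin roles.
PRIVILEGED_USERS = {"admin.alice@example.com", "svc.okta-admin@example.com"}

# Constructed newline-delimited System Log records.
SAMPLE_LOG = """\
{"published": "2023-09-08T14:02:11Z", "eventType": "user.mfa.factor.reset_all", "actor": {"alternateId": "helpdesk.bob@example.com", "type": "User"}, "target": [{"alternateId": "admin.alice@example.com", "type": "User"}], "outcome": {"result": "SUCCESS"}}
{"published": "2023-09-08T14:03:40Z", "eventType": "user.mfa.factor.activate", "actor": {"alternateId": "admin.alice@example.com", "type": "User"}, "target": [{"alternateId": "admin.alice@example.com", "type": "User"}], "client": {"ipAddress": "203.0.113.7"}, "outcome": {"result": "SUCCESS"}}
{"published": "2023-09-08T14:10:05Z", "eventType": "user.mfa.factor.reset_all", "actor": {"alternateId": "helpdesk.bob@example.com", "type": "User"}, "target": [{"alternateId": "dave@example.com", "type": "User"}], "outcome": {"result": "SUCCESS"}}
{"published": "2023-09-08T15:00:00Z", "eventType": "user.mfa.factor.reset_all", "actor": {"alternateId": "admin.alice@example.com", "type": "User"}, "target": [{"alternateId": "admin.alice@example.com", "type": "User"}], "outcome": {"result": "SUCCESS"}}
"""

def _ts(s):
    """Parse an Okta ISO-8601 timestamp such as 2023-09-08T14:02:11Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_events(raw):
    """Parse newline-delimited JSON records and sort them oldest first."""
    events = [json.loads(line) for line in raw.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["published"])

def find_privileged_mfa_resets(raw, window=timedelta(hours=1)):
    """Return one alert per successful MFA reset on a privileged user performed by
    someone other than that user (e.g. a help desk account), recording the source
    IP of any factor re-enrolled within `window` so a responder can triage it."""
    events = parse_events(raw)
    alerts = []
    for i, ev in enumerate(events):
        if ev["eventType"] not in MFA_RESET_EVENTS or ev["outcome"]["result"] != "SUCCESS":
            continue
        actor, target = ev["actor"]["alternateId"], ev["target"][0]["alternateId"]
        if target not in PRIVILEGED_USERS or actor == target:
            continue
        alert = {"target": target, "reset_by": actor, "at": ev["published"], "re_enrolled_from": None}
        # The first factor enrolled after the reset is the new foothold; note where it came from.
        for later in events[i + 1:]:
            if later["eventType"] == "user.mfa.factor.activate" and later["target"][0]["alternateId"] == target:
                if _ts(later["published"]) - _ts(ev["published"]) <= window:
                    alert["re_enrolled_from"] = later.get("client", {}).get("ipAddress")
                break
        alerts.append(alert)
    return alerts
```

Self-service resets by the account owner and resets on non-privileged users are deliberately left out so the alert stays specific to the help desk path described above.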

Guests walk in front of MGM Grand Hotel and Casino on the Las Vegas Strip amid the spread of coronavirus on Aug. 28, 2020. (Photo by Ethan Miller/Getty Images)