The American casino Caesars Entertainment paid extortionists a huge ransom

Carding

Professional
Messages
2,830
Reputation
17
Reaction score
2,042
Points
113
Everything that happened in Vegas suddenly became public knowledge.

Caesars Entertainment paid "tens of millions of dollars" to hackers who broke into the company's systems and threatened to publish confidential customer data.

Caesars Entertainment is reportedly planning to disclose more details about the cyberattack in upcoming regulatory filings. It is noteworthy that the events unfolded against the background of a similar attack on another giant of the entertainment industry in Las Vegas, MGM Resorts International.

Behind the attack, according to sources, is a hacker group known as Scattered Spider or UNC3944. Cybersecurity experts note that members of this group are proficient in social engineering techniques for accessing corporate networks. In the case of Caesars Entertainment, hackers allegedly first hacked into an external IT provider to gain access to the company's network.

Information that hackers had attacked Caesars Entertainment appeared on August 27. According to the researchers, the members of the hacker group responsible for the hack are young people aged 19 and over, living in the United States and the United Kingdom.

Ransomware groups often demand a cash ransom in cryptocurrency. But whereas earlier they simply blocked files on victims' computers and provided a key to decrypt them after payment, now they are increasingly simply stealing data and demanding a ransom, threatening to publish it.

It is unlikely that an institution with large daily revenues and serious customers who are likely to want to remain anonymous needs such reputational risks, so the logic of the casino's actions can be understood.

Usually, cybersecurity experts do not recommend that companies pay ransoms to hackers, as the latter may simply not keep their word, still leaking valuable data to third parties. Or a publicly reported case may attract other cybercriminals, who may also try to attack this organization, knowing that it is willing to pay ransoms of any size.
 

Carding

Who to believe, even if the versions of gang representatives differ greatly.

Two criminal hacker groups were recently linked to attacks on two well-known Las Vegas hotel and casino operators, which resulted in one of them having to significantly tinker with restoring access to their systems, and the other even paying a multimillion-dollar ransom.

Who exactly is behind the attacks on MGM Resorts and Caesars Entertainment remains unclear for sure, but two hacking groups are definitely involved: ALPHV (aka BlackCat) and Scattered Spider (aka UNC3944).

A person claiming to be a member of Scattered Spider contacted the foreign publication CyberScoop and reported that their group was responsible for the attack on MGM, but denied responsibility for hacking Caesars.

In turn, the ALPHV group later also claimed responsibility for the attack on MGM, publishing a corresponding statement on its leak site.

A representative of Scattered Spider told CyberScoop that their group is actually a subgroup of ALPHV. Whether this information is reliable is difficult to judge, because ALPHV did not mention any child groups in its statement published by an independent security researcher on GitHub.

If the attack on MGM Resorts has now become more or less clear, then who attacked Caesars Entertainment is still unclear. Previously, sources close to the incident claimed that this was also the work of Scattered Spider, but why then did the representative of this group in communication with CyberScoop disown the incident?

In a report filed Thursday with regulators, Caesars confirmed that it had identified "suspicious activity on its network resulting from a social engineering attack on an outsourced IT support provider."

According to the company, the attackers obtained a copy of the loyalty program database, which includes "driver's license numbers and/or social security numbers for a significant number of participants in the database."

Caesars said that it did everything possible to ensure that the stolen data was deleted by an unauthorized person, although the company cannot guarantee this. Most likely, we are talking about paying a ransom.

Neither Caesars nor MGM responded to multiple requests for comment. The FBI acknowledged that it is investigating both incidents, but also declined to comment further.

As of September 15, the MGM website is still down, suggesting that the company is still recovering its systems. And it is unlikely that MGM transferred the ransom to intruders, as Caesars did.

Meanwhile, MGM may yet change its mind, as a member of Scattered Spider who spoke with CyberScoop said that negotiations with MGM are still ongoing. The man claimed that the stolen data included customer information, sexual assault reports, and other corporate records. Again, if this information is true.

Whoever was actually responsible for both incidents, it is silly to deny that both groups are experienced associations with a rich history of ransomware attacks.

According to an analysis by cybersecurity firm Trellix, the Scattered Spider group has been active since May 2022 and until recently mainly attacked organizations involved in outsourcing telecommunications and business processes, and later began to attack other sectors, including critical infrastructure. ALPHV also became known even earlier and constantly flashes in numerous attacks.

Charles Carmakal, CTO of Mandiant, called Scattered Spider "one of the most widespread and aggressive cybercriminal gangs affecting organizations in the United States today."

Members of the group, Carmakal said, may be "less experienced and younger" than more established criminal hacking groups, but they are "native English speakers" and "are incredibly effective social engineers," the Mandiant director added, referring to the practice of deceiving or persuading a person with access to a particular company or network to grant access to someone who is not authorized to receive it.

The exact relationship between Scattered Spider and ALPHV is difficult to determine for sure, especially given the differences in what groups report publicly.
 

Carding

Hacked Las Vegas: what is the uniqueness of Scattered Spider and BlackCat

Everyone already knows about the attacks on MGM and Caesars, but how did the criminals manage it?

Two of the leading entertainment corporations in Las Vegas, MGM and Caesars, faced large-scale hacker attacks. MGM systems were disabled in all 31 resort complexes, while Caesars paid the attackers a multimillion-dollar sum to avoid a similar fate.

According to sources, the attacks were organized by the hacker group Scattered Spider (in partnership with ALPHV, also known as BlackCat). This group, which includes citizens of the United States and Great Britain, began its activity in May 2022.

"The social engineering methods they use are highly sophisticated. These hackers specialize in voice phishing, targeting support services, call centers, and even operational security centers," said Stephen Erwin, senior consultant at TrustedSec.

Various methods of social engineering are another feature of Scattered Spider. Phishing campaigns are mainly conducted through Telegram, SMS, and SIM swapping.

Two-factor authentication (MFA) is used for initial penetration into the system. The victim is sent a lot of requests for confirmation of identity. Hackers expect that intrusive notifications will be annoying and the user will eventually agree to enter their data.

In addition, attackers exploit known vulnerabilities associated with Intel Ethernet card drivers to conduct DoS (denial of service) attacks. One of these vulnerabilities is CVE-2015-2291.

After successfully entering the system, hackers are able to quickly move across the network, using stolen credentials or tokens to attack cloud resources.

"Once they are highly effective in their penetration techniques, they quickly move on to installing ransomware or compromising data," says Juan Perez, another researcher at TrustedSec.

The alliance of Scattered Spider and ALPHV/BlackCat allows them to expand their capabilities. There is information that Scattered Spider is a division of BlackCat, but experts have not yet been able to verify its authenticity.

The BlackCat ransomware was first detected in 2021. This group develops and sells malware in the extortion-as-a-service (RaaS) format. The Rust programming language is used to create it.

Some of the hackers are believed to be only 19 years old, but their activity and professionalism are causing serious concern among cybersecurity experts.
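A defender-side illustration of the MFA push-fatigue pattern the post above describes: a burst of denied or unanswered push prompts to one account followed by an approval. This is an added example, not code from the articles or the forum poster; the log format, field names and thresholds are constructed assumptions, not any real identity provider's schema.

```python
"""Flag MFA push-fatigue (prompt bombing) in authentication logs.

Assumed (constructed) log format, one event per line:
    <ISO-8601 timestamp> <username> <mfa_event>
where mfa_event is push_sent, push_denied, push_timeout or push_approved.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: j.doe is prompted repeatedly at night, denies or
# ignores the prompts, and finally approves one; a.lee is a normal login.
SAMPLE_LOG = """\
2023-09-10T02:14:05 j.doe push_sent
2023-09-10T02:14:06 j.doe push_denied
2023-09-10T02:14:40 j.doe push_sent
2023-09-10T02:14:41 j.doe push_timeout
2023-09-10T02:15:10 j.doe push_sent
2023-09-10T02:15:12 j.doe push_timeout
2023-09-10T02:15:50 j.doe push_sent
2023-09-10T02:15:55 j.doe push_timeout
2023-09-10T02:16:30 j.doe push_sent
2023-09-10T02:16:44 j.doe push_approved
2023-09-10T09:00:00 a.lee push_sent
2023-09-10T09:00:05 a.lee push_approved
"""


def parse(log_text):
    """Yield (timestamp, user, event) tuples from the constructed log format."""
    for line in log_text.splitlines():
        ts, user, event = line.split()
        yield datetime.fromisoformat(ts), user, event


def detect_push_fatigue(log_text, window=timedelta(minutes=10), min_failed=4):
    """Return {user: failed_prompt_count} for every approval that was preceded,
    within `window`, by at least `min_failed` denied or timed-out prompts.
    An approval after a string of rejections is the signature worth reviewing."""
    per_user = defaultdict(list)
    for ts, user, event in parse(log_text):
        per_user[user].append((ts, event))
    flagged = {}
    for user, seq in per_user.items():
        seq.sort()
        for i, (ts, event) in enumerate(seq):
            if event != "push_approved":
                continue
            failed = [e for t, e in seq[:i]
                      if t >= ts - window and e in ("push_denied", "push_timeout")]
            if len(failed) >= min_failed:
                flagged[user] = len(failed)
    return flagged
```

Tune `window` and `min_failed` to the baseline prompt volume of the environment; number-matching or FIDO2 authenticators remove the pattern entirely rather than just detecting it.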
 

Carding

Final Giveaway: Caesars Entertainment faces legal action as a result of the leak

It seems that the company has finally lost in cybersecurity roulette.

Hotel and entertainment chain Caesars Entertainment is facing a class-action lawsuit the day after claiming a massive leak. Clients demand that management be held accountable for disclosing confidential information.

Miguel Rodriguez, the lead plaintiff, represents Caesars' loyalty program participants. According to the statement, attackers can use data in the amount of 6 terabytes to apply for loans, file false tax returns and obtain forged documents. Victims will have to continuously monitor their financial accounts for a long time to come. Rodriguez is represented by Las Vegas attorney Miles Clark.

The statement reads: "The plaintiff wants to ensure that the defendant is responsible for creating risks caused by insufficiently effective security measures."

Rodriguez claims that Caesars Entertainment, which owns and operates many casinos and hotels under the Caesars, Eldorado and Harrah's brands, did not pay due attention to the security of its networks and software, as well as did not provide proper protection in interaction with technology partners, which made internal systems “easy prey” for cybercriminals.

He also notes that the company did not notify customers about the incident in a timely manner and did not report the actual scale of the incident: "The defendant deprived the plaintiff and other participants of the opportunity to quickly take measures to protect themselves and minimize damage."

The plaintiffs demand compensation for damages, fines for the organization in a tripled amount and the introduction of penalties. In addition, they insist on reimbursement of the funds they spent. Other requirements include taking legal action to improve protection systems, as well as conducting regular audits.

Caesars Entertainment itself has announced that it has taken all possible measures (including paying the ransom), but cannot guarantee a positive outcome.
 

Carding

404 comfort not found: How Vegas Guests Survived Cyberattacks on MGM and Caesars

The story tells itself on platform X.

Last week, we watched ransomware attacks on two well-known Las Vegas hotel and entertainment chains, MGM and Caesars. Foreign media continuously covered both incidents.

Two groups are probably involved in the case: Scattered Spider and hackers from ALPHV (also known as BlackCat), who attacked the Caesars network.

Thanks to insider information from social media influencers, the story literally told itself on the X platform (formerly known as Twitter).

For example, user @NessieCakes (250 followers in total) decided to document her 6-day stay at the Bellagio Hotel after MGM systems were turned off, because, according to her, there was not enough information from official sources.

The girl told about the chaos that reigned in the hotel: how visitors were left to themselves, about the lack of hot water, about the long queues at the reception and how she was given the key to the room in which a man was already sleeping.

At one point, staff began handing out glasses of wine instead of free water bottles to calm down irritated guests. Videos of non-functioning slot machines and ATMs seem insignificant against this background.

The main difficulty for journalists was to keep up with the flow of news from eyewitnesses. Some major media outlets, including the Financial Times, have unfortunately learned that not everything on the Internet can be trusted.

Meanwhile, the ALPHV group posted a statement on its website titled "Setting the record straight". In it, hackers expressed dissatisfaction with misinformation from major media outlets.

They, in particular, criticized the Reuters news agency for publishing material based on an interview with the fake ALPHV account in Telegram:

"You were just fooled by a random user on Telegram. Idiots. But for the sake of sensational material, you're willing to believe anything, right?"

Some influencers tried to put forward the theory that the cyber attacks were somehow connected with the major cybersecurity conferences held in Vegas — Black Hat and DEF CON.

However, this assumption looks shaky, given that events have been held in the city every year since the 1990s, and gather thousands of experts in this field.

Over the course of a week, various messages appeared on social networks. For example, one user writes: "The best plot twist in the MGM cyberattack story: a man is said to have demanded $40 million from a Mandalay Bay clerk to stop a ransomware attack. He was detained."

Now the work of entertainment venues in Las Vegas is gradually returning to its usual course.
 