MGM Resorts International publicly acknowledged a “cybersecurity issue,” which allegedly disrupted slot machines, ATMs, credit card machines, online reservations, and the company’s official website. More than 24 hours after the incident began, the website remained unavailable, with customers directed to make reservations over the phone. Cybersixgill detected threat actors leveraging MGM Resorts customer data on the underground, in addition to ads on forums for stolen MGM data.
THE HEADLINE
On September 11, 2023, global hospitality and entertainment conglomerate MGM Resorts International[1] (MGM) announced on X (formerly Twitter) that a “cybersecurity issue” was “affecting some of the company's systems.” While MGM did not specify its disrupted assets, open source (OSINT) reports identified affected systems as casino slot machines, ATMs, credit card readers, online reservations, and MGM’s main website. As of the morning of September 12, 2023 (EST), the website remained offline, with a notice directing customers to make reservations at listed phone numbers.
MGM did not identify the attackers and Cybersixgill observed no underground chatter identifying potential perpetrators of the incident. OSINT reports indicated that MGM used manual operations to mitigate the attack’s effects, with local news reporting that certain guests’ room keys were disabled. While the MGM Rewards app was knocked offline, other MGM apps (MGM+, sportsbook BetMGM, etc.) remained operational.
A Nevada-based site called Vital Vegas said it broke news of the incident, reporting on X that a system-wide outage meant MGM’s Bellagio resort couldn’t accept room charges or credit card payments, requiring cash payments at restaurants. Vital Vegas also reported that MGM employees couldn’t access email accounts, with slot machines at MGM Grand Las Vegas displaying “temporarily unavailable” messages.
Without citing specific evidence, Vital Vegas claimed that MGM may have taken systems offline as a precautionary measure to prevent compromise after discovering initial signs of the attack. Vital Vegas also opined that in scenarios like the MGM attack, loyalty club databases are typically threat actors’ targets. In the past, Cybersixgill has observed threat actors targeting such databases, including a recent attack on the rewards[2] platform of U.S. retail chain Hot Topic[3]. Threat actors use stolen rewards/loyalty account credentials for such platforms in credential stuffing attacks,[4] which leverage the tendency to recycle passwords across multiple platforms and services.
The hospitality industry remains an attractive target for threat actors,[5] with casino-owning conglomerates like MGM perceived as well-capitalized entities concerned with their image and reputation. To that end, Vital Vegas claimed that MGM competitors Caesars Palace and Harrah's Las Vegas had also potentially been hit with undisclosed cyber attacks recently. Neither Caesars nor Harrah's publicly acknowledged any recent cyber incident as of September 12, 2023.
Prior to the cyber attack this week, MGM suffered multiple major data breaches, which resulted in the disclosure of personal information related to millions of customers. These incidents include a December 2022 data breach affecting BetMGM, with attackers reportedly acquiring customers’ names, social security numbers, and financial data. MGM also suffered an attack in 2019 that resulted in a massive leak of customers’ personal information, which continues to circulate on the underground, a topic discussed at greater length later in this report. Taken as a whole, these attacks suggest less than optimal security hygiene on the part of MGM.
DIVING DEEPER
Cybersixgill detected threat actors targeting MGM Resorts on popular cybercrime forums, including the post below advertising “MGM Resorts config,” a reference to configuration files for a malicious tool based on OpenBullet[6], a legitimate penetration testing and data scraping tool. Threat actors exploit OpenBullet for credential stuffing attacks and other illegal activities.
Traditionally, threat actors have used the aforementioned malicious tool to automate the entry of large volumes of stolen credentials into websites and services, with the goal of gaining unauthorized access to user accounts for data theft, financial fraud, and other malicious operations. The tool is frequently marketed as a more powerful, modified version of OpenBullet, and is sold on underground forums, marketplaces, and instant messaging platforms.
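The credential stuffing described above (and in the discussion of recycled passwords earlier in this report) leaves a characteristic trace in a login endpoint's logs: one source address trying many different usernames in a short time, with a low success rate, rather than one user retrying one account. The detector below is an added example for defenders, not Cybersixgill's or MGM's code; the log format, the field names, the sample addresses and the thresholds are all assumptions constructed for illustration.

```python
"""
Credential-stuffing detector run over constructed authentication log lines.
Added example, not Cybersixgill's or MGM's code; log format, field names
and thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one line per login attempt at a web login endpoint.
# 203.0.113.7 walks a list of leaked e-mail/password pairs (stuffing pattern);
# 198.51.100.4 is one user mistyping a password; 192.0.2.9 is an office NAT
# gateway where several people log in correctly within a few minutes.
SAMPLE_LOG = """\
2023-09-11T02:00:01Z src=203.0.113.7 user=alice@example.net result=FAIL
2023-09-11T02:00:01Z src=203.0.113.7 user=bob@example.net result=FAIL
2023-09-11T02:00:02Z src=203.0.113.7 user=carol@example.net result=FAIL
2023-09-11T02:00:02Z src=203.0.113.7 user=dave@example.net result=OK
2023-09-11T02:00:03Z src=203.0.113.7 user=erin@example.net result=FAIL
2023-09-11T02:00:03Z src=203.0.113.7 user=frank@example.net result=FAIL
2023-09-11T02:00:04Z src=203.0.113.7 user=grace@example.net result=FAIL
2023-09-11T02:00:04Z src=203.0.113.7 user=heidi@example.net result=OK
2023-09-11T02:05:00Z src=198.51.100.4 user=ivan@example.net result=FAIL
2023-09-11T02:05:09Z src=198.51.100.4 user=ivan@example.net result=FAIL
2023-09-11T02:05:20Z src=198.51.100.4 user=ivan@example.net result=OK
2023-09-11T02:30:00Z src=192.0.2.9 user=judy@example.net result=OK
2023-09-11T02:30:40Z src=192.0.2.9 user=mallory@example.net result=OK
2023-09-11T02:31:10Z src=192.0.2.9 user=niaj@example.net result=OK
2023-09-11T02:32:05Z src=192.0.2.9 user=olivia@example.net result=OK
2023-09-11T02:33:30Z src=192.0.2.9 user=peggy@example.net result=OK
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


@dataclass
class Attempt:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed format above; malformed lines are skipped, not fatal."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        attempts.append(Attempt(ts, m["src"], m["user"], m["result"] == "OK"))
    return attempts


def detect_credential_stuffing(attempts, window=timedelta(minutes=5),
                               min_users=5, max_success_rate=0.5):
    """Return {source_ip: finding} for sources that behave like a stuffing tool.

    The discriminating signal is the number of *distinct* usernames one source
    tries inside `window`: a person who forgot a password retries one account,
    a stuffing tool walks a leaked list. The success-rate gate keeps shared
    egress addresses (NAT, VPN) that log many users in correctly off the list.
    Successful logins from a flagged source are accounts whose owners recycled
    a leaked password and need a forced reset.
    """
    by_src = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)

    findings = {}
    for src, evts in by_src.items():
        evts.sort(key=lambda a: a.ts)
        best, start = [], 0
        # Sliding window: keep the span with the most distinct users per source.
        for end in range(len(evts)):
            while evts[end].ts - evts[start].ts > window:
                start += 1
            span = evts[start:end + 1]
            if len({a.user for a in span}) > len({a.user for a in best}):
                best = span
        users = {a.user for a in best}
        if len(users) < min_users:
            continue
        hits = sorted({a.user for a in best if a.ok})
        if len(hits) / len(users) > max_success_rate:
            continue
        findings[src] = {"distinct_users": len(users),
                         "attempts": len(best), "compromised": hits}
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_users']} users in {info['attempts']} attempts; "
              f"force reset: {', '.join(info['compromised']) or 'none'}")
```

On the constructed sample only 203.0.113.7 is flagged: eight accounts tried in three seconds with two successes, which are the two customers whose recycled passwords need a forced reset and a notification. The single user who fumbled a password and the NAT gateway with five correct logins both pass the gates. Thresholds should be tuned against a site's own baseline, and the same logic is usually applied per user-agent string and per /24 as well, since tools rotate source addresses.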
The post below offers the MGM Resorts config for free, with more gratis configs provided to those who follow the threat actor’s channel on a separate platform. The threat actor’s choice of MGM Resorts as the target of the config offered to attract subscribers suggests that threat actors may be highly interested in data related to the company’s customers. Such individuals patronized a leading vacation destination (an MGM Resort) and may thus be viewed as individuals worth targeting for financial fraud, identity theft, or other forms of cybercrime.
Cybersixgill observed other threat actors targeting MGM Resorts, including a member of a popular online black market who advertised allegedly stolen data from MGM. Two factors indicate that the advertised content is the same data stolen in 2019: (1) the volume of data (142,479,938 lines) matches descriptions of the previous leak, and (2) a link in the post leads to a February 2020 BBC report about the MGM breach.
The poster requested an asking price of $550, payable in cryptocurrency, and included in the post multiple lines of data as proof. Based on the description and sample, the data appears to include customers’ names, postal addresses (~4,000 from Russia), email addresses (24,839,708 unique), phone numbers (30,486,113 unique), and dates of birth. The ad for MGM data illustrates the lasting value of stolen information, even years after it was initially leaked.
TAKEAWAYS
The recent attack on MGM Resorts caused major disruptions and likely significant financial costs, preventing credit card payments and shutting down certain gambling operations. In view of the demand for sensitive information on underground markets and forums, and the threat that similar attacks pose, all organizations should instruct employees not to click on links or attachments in suspicious emails and double-check email senders’ identities before opening attachments or clicking links. They should also remain vigilant with regard to misspelled URLs to avoid entering credentials into fraudulent websites.
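The advice above to watch for misspelled URLs can be partly automated on the mail gateway or in a browser extension: compare the registrable domain of every link against an allowlist of domains the organization actually uses, after folding common look-alike characters, and flag near misses. The checker below is an added example, not Cybersixgill's or MGM's code; the allowlist (`.example` and `.test` names rather than any real domain), the substitution table, the "last two labels" rule and the sample links are constructed assumptions for illustration.

```python
"""
Lookalike-domain check for links found in e-mail.
Added example, not Cybersixgill's or MGM's code; the allowlist, substitution
table, registrable-domain rule and sample URLs are constructed assumptions.
"""
from urllib.parse import urlparse

# Constructed allowlist of domains the organization legitimately uses.
LEGIT_DOMAINS = {"mgmresorts.example", "rewards-portal.example"}

# Visually confusable substitutions folded back to the plain letter before comparing.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def normalize(name):
    name = name.lower()
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def registrable_domain(host):
    """Naive 'last two labels' rule; a production checker should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typos of a legitimate name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url, legit=LEGIT_DOMAINS, max_distance=2):
    """Return (verdict, matched_legit_domain): verdict is 'legit', 'lookalike' or 'unknown'."""
    if "://" not in url:
        url = "//" + url  # let urlparse treat a bare host as the netloc
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ("unknown", None)
    reg = registrable_domain(host)
    if reg in legit:
        return ("legit", reg)
    for good in legit:
        # Legitimate name used as a subdomain of an unrelated registrable domain.
        if host.startswith(good + "."):
            return ("lookalike", good)
        # Same name once confusable characters are folded (rn -> m, 0 -> o, ...).
        if normalize(reg) == normalize(good):
            return ("lookalike", good)
        # A near miss by one or two edits (dropped or swapped letters).
        if 0 < levenshtein(normalize(reg), normalize(good)) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)


# Constructed sample links, as they might appear in a suspicious message.
SAMPLE_URLS = [
    "https://www.mgmresorts.example/reservations",
    "http://mgrnresorts.example/login",
    "https://mgmresort.example/account",
    "https://mgmresorts.example.account-verify.test/",
    "https://docs.python.org/3/",
]


def triage(urls):
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for url, (verdict, ref) in triage(SAMPLE_URLS).items():
        print(f"{verdict:9} {url}" + (f"  (resembles {ref})" if ref else ""))
```

The edit-distance rule is deliberately loose and will produce false positives on very short allowlisted names, so in practice a "lookalike" verdict should route the message to a quarantine or a warning banner rather than block it outright; "unknown" means only that the link is not on the allowlist and needs the usual reputation checks.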
[1] MGM Resorts International (MGM) operates casinos, hotels, resorts, and entertainment complexes around the world, including its flagship location the MGM Grand Las Vegas. MGM posted profits of over $13 billion in 2022.
[2] Rewards/loyalty customer databases can include full names, email addresses, order histories, phone numbers, dates of birth, shipping addresses, and the last four digits of credit card numbers. Threat actors use this type of data for financial fraud, identity theft, and other criminal activities.
[3] Hot Topic stores sell band T-shirts and other music-related clothing and accessories in 675 retail locations throughout the U.S. Hot Topic also maintains an online outlet with close to 10 million monthly visitors.
[4] The reuse of passwords leaves individuals’ accounts vulnerable to infiltration when data breaches or leaks occur, after which threat actors check to see whether credentials grant access to other online platforms. When threat actors find a match, they can steal additional data for further malicious activity.
[5] In June 2022, for example, the Marriott International hotel chain reported a data breach during which 20 GB of internal files were stolen, including credit card details and confidential customer information.
[6] Threat actors exploit OpenBullet to automate delivery of large volumes of stolen credentials to websites for fraudulent activities.