A tantalizing piece of information has surfaced on a dark web marketplace for the purchase and sale of stolen credentials as MGM Resorts International and the FBI look into a crippling hack at one of the largest casino operators in the world.
According to London-based Dynarisk, a cyber security firm, operators of the Spider Logs Telegram channel, which is manned by cybercriminals who harvest and resell logins, passwords, and other information from compromised computers, sold a data set on September 1 that contained the credentials of a mid-level IT engineer at MGM.
A further 95 MGM employees had their login information stolen and sold in the same data dump, as did some employees of Caesars Entertainment, an MGM rival that reported on Thursday that it had also been hacked recently.
Unlike those of, say, a front-desk hotel employee, the credentials of someone working in the IT division at MGM or Caesars would be more likely to grant access to the internal workings of the casino operator's networks.
It was not possible to ascertain whether the hackers used the stolen credentials to access MGM’s systems. But the prevalence of employee information on dark web forums highlights the danger that major businesses like MGM face from the varied, ever-evolving techniques that hackers employ to get into networks.
According to Andrew Martin, CEO of Dynarisk, “for such large and profitable companies like MGM and Caesars, they would have had the resources available to protect their data and customers.” “They could have taken steps to stop this breach that were relatively simple, including if they had been watching for the theft of these credentials and acted [promptly],” he added.
According to Dynarisk, the logins and passwords in the data set were probably taken from a machine infected with Redline malware, which conceals itself inside pirated versions of video games or other applications. The password used by an MGM IT employee to log in to the organization was “K@sper99!”, while the password used by a Caesars IT employee was “W@lmart1”.
Redline also harvests and packages browser cookies, which websites set and browsers return on repeat visits so that users do not need to enter their login information again.
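Martin's point is that the stolen logins were on sale for days before the intrusion, and that a company watching for its own domain in such dumps could have reset passwords, killed live sessions (the stolen cookies) and re-enrolled MFA for the exposed IT accounts in time. The triage below is an added example, not code from the article, Dynarisk or MGM; the `url|username|password` line format, the Okta tenant hostname, the corporate domain, the role directory and every credential in the sample dump are constructed for illustration.

```python
"""Triage a resold stealer-log dump against a company's own accounts.
Added example (not from the article, Dynarisk or MGM). Constructed assumptions:
lines are 'url|username|password'; SSO is an Okta-hosted host; roles from a dict."""
from dataclasses import dataclass
from urllib.parse import urlparse

CORP_DOMAIN = "example-casino.com"      # constructed
SSO_HOST = "example-casino.okta.com"    # constructed Okta tenant hostname
PRIVILEGED_ROLES = {"it", "security"}
# Constructed sample in the shape of a credential log resold on Telegram.
SAMPLE_DUMP = """\
https://example-casino.okta.com/login|IT.Engineer@example-casino.com|Pa55w0rd!
https://mail.example-casino.com/|frontdesk@example-casino.com|Summer2023
https://shop.unrelated.example/|someone@gmail.com|hunter2
https://vpn.example-casino.com/|svc.admin@example-casino.com|Pa55w0rd!
garbage line without separators
"""
DIRECTORY = {"it.engineer@example-casino.com": "it",      # constructed roles
             "frontdesk@example-casino.com": "hospitality",
             "svc.admin@example-casino.com": "it"}

@dataclass(frozen=True)
class Exposure:
    account: str
    sso: bool         # leaked login is for the identity provider itself
    privileged: bool  # role grants broad access to internal systems
    reused: bool      # same password appears on another corporate account

def triage(dump: str, directory: dict) -> list:
    """Keep only corporate accounts and rank them by blast radius."""
    rows = []
    for line in dump.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            continue  # messy dumps have junk lines; skip rather than crash
        url, user, pw = parts
        if user.lower().endswith("@" + CORP_DOMAIN):
            rows.append((urlparse(url).hostname, user.lower(), pw))
    users_by_pw = {}
    for _, user, pw in rows:
        users_by_pw.setdefault(pw, set()).add(user)
    found = {Exposure(u, h == SSO_HOST, directory.get(u) in PRIVILEGED_ROLES,
                      len(users_by_pw[p]) > 1) for h, u, p in rows}
    return sorted(found, key=lambda e: (e.sso, e.privileged, e.reused), reverse=True)

def response_actions(e: Exposure) -> list:
    """Containment: reset, kill live sessions (stolen cookies), re-enrol MFA."""
    acts = ["force_password_reset", "revoke_sessions"]
    if e.sso or e.privileged:
        acts.append("reset_mfa_factors")   # help-desk MFA resets are the attack path
    if e.reused:
        acts.append("reset_all_accounts_sharing_password")
    return acts
```

Feeding the output into the identity provider's session-revocation and factor-reset workflows, rather than only a password reset, is what neutralises the stolen cookies and the one-time-code interception the article goes on to describe.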
In a statement to the Financial Times on Thursday, a person claiming to speak for the hacker collective known as Scattered Spider claimed responsibility for the MGM hack, which included an attempt to tamper with the casino resort’s slot machines.
The organization is thought to be responsible for at least 100 attacks on significant US corporations and represents a serious danger to western businesses.
Its members, who are primarily English-speaking hackers from the US and Europe, are known to call company help desks posing as a worker they have researched online, in an effort to have passwords reset.
In this case, the person purporting to speak for Scattered Spider said that the group had also hijacked one of MGM's employees’ phone numbers, so that the hackers, rather than the employee, received the texts carrying one-time passwords.
The compromised logins and passwords were for the Okta identity management system, made by a San Francisco-based company whose software is used by thousands of businesses to confirm their employees’ identities before granting access to private company websites.
When MGM learned that Scattered Spider had been lurking on its Okta servers, it “made the hasty decision to shut down each and every one of their Okta servers,” according to a dark web site affiliated with an organization that Scattered Spider has occasionally collaborated with.
“Although we are unable to comment on the MGM event, we have seen social engineering attacks involving threat actors calling an organization’s help desk, posing as an employee, and convincing the help desk to reset multi-factor authentication for a highly privileged account,” said an Okta spokesperson, referring to the accounts of either senior employees at companies or people working in the IT departments whose accounts would have greater access to the rest of the company.
More businesses, according to Dynarisk’s Martin, are at risk. Other data sets he had recently seen exchanged contained employee credentials for more than 500 additional businesses, including those at Wells Fargo, WPP, Experian, Diageo, Wayfair, Epic Games, and Adobe.
“More of these hacks are coming,” he declared.