Crime Caesars Entertainment Paid Millions to Hackers in Attack

https://archive.md/8BCDb
S to spit on casinos.
Good riddance, the spirit of John Birges lives on.

  • Hackers stole data, extorted company, people familiar said
  • Caesars breach came in weeks before MGM announced cyberattack
Caesars Palace in Las Vegas, Nevada.
Photographer: Bridget Bennett/Bloomberg

By William Turton
14 September 2023 at 04:52 GMT+10
Updated on
14 September 2023 at 23:55 GMT+10

Caesars Entertainment Inc. paid tens of millions of dollars to hackers who broke into the company’s systems in recent weeks and threatened to release the company’s data, according to two people familiar with the matter.
The disclosure of the alleged Caesars breach comes as another Las Vegas entertainment giant, MGM Resorts International, announced that it was hacked earlier this week.
Read More: Useless Slots, Cash Bars Annoy Casino Goers After MGM Hack
Caesars didn’t respond to requests for comment. On Thursday, after Bloomberg News reported that Caesars had been hit by a cyberattack, the company disclosed the hack in a regulatory filing. The company’s shares were relatively unchanged Thursday at 9:49 a.m. in New York after dropping 2.7% Wednesday to $52.35.
The group behind the attack is known as Scattered Spider or UNC 3944, according to the people. Its members are skilled at social engineering in order to gain access to large corporate networks, according to cybersecurity experts. In the case of Caesars, the hackers first breached an outside IT vendor before gaining access to the company’s network, according to the people.
Read More: MGM, Caesars Hacked by ‘Scattered Spider’ in Span of Weeks
The hackers began targeting Caesars as early as Aug. 27, according to one of the people.
Members of the hacking group are believed to be young adults, some as young as 19 years old, residing in the US and the UK, according to a person who has investigated multiple hacks by the group.
The attackers stole data including driver’s license and social security numbers from Caesars loyalty members, the company said in the filing Thursday.
Hacking gangs typically ask to be paid in cryptocurrency if they demand a ransom. Some attacks deploy ransomware that locks up computer files, and the hackers then provide a decryption key if the victim pays. More recently, however, hacking gangs have stolen data from companies and then demanded payment, threatening to publish the information unless they are paid.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars said in the filing.

(Updates with information from Caesars regulatory filing in third, seventh and ninth paragraphs)
 
Is this a TOTAL RALPHAMALE VICTORY or does he gamble elsewhere?
 
Some attacks deploy ransomware that locks up computer files, and the hackers then provide a decryption key if the victim pays
To add to this, AlphvVM/Alphv/Blackcat actually ransomed them as well. I believe they were the ones behind the attack. They released a statement on their onion website. (archive) [it's on the Community Driven Happenings but I am adding it here]
In this statement, they state that they did not deploy any ransomware in there, and they had super administrator privileges to their Okta platform. They made an attempt to evict them out, but it did not go according to plan. "After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing. This was after they brought in external firms for assistance in containing the incident."

"The user has consistently been coming into the chat room every several hours, remaining for a few hours, and then leaving. About seven hours ago, we informed the chat user that if they do not respond by 11:59 PM Eastern Standard Time, we will post a statement. Even after the deadline passed, they continued to visit without responding. We are unsure if this activity is automated but would likely assume it is a human checking it.

We are unable to reveal if PII information has been exfiltrated at this time. If we are unable to reach an agreement with MGM and we are able to establish that there is PII information contained in the exfiltrated data, we will take the first steps of notifying Troy Hunt from HaveIBeenPwned.com. He is free to disclose it in a responsible manner if he so chooses."

Then they said "We still continue to have access to some of MGM's infrastructure. If a deal is not reached, we shall carry out additional attacks. We continue to wait for MGM to grow a pair and reach out as they have clearly demonstrated that they know where to contact us." They are still in MGM right now, which is very hilarious. So basically, they have some access to MGM right now, MGM did not respond but still viewed the chats.
We have made multiple attempts to reach out to MGM Resorts International, "MGM". As reported, MGM shutdown computers inside their network as a response to us. We intend to set the record straight.

No ransomware was deployed prior to the initial take down of their infrastructure by their internal teams.

MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking on their Okta Agent servers sniffing passwords of people whose passwords couldn't be cracked from their domain controller hash dumps. Resulting in their Okta being completely locked out. Meanwhile we continued having super administrator privileges to their Okta, along with Global Administrator privileges to their Azure tenant. They made an attempt to evict us after discovering that we had access to their Okta environment, but things did not go according to plan.

On Sunday night, MGM implemented conditional restrictions that barred all access to their Okta (MGMResorts.okta.com) environment due to inadequate administrative capabilities and weak incident response playbooks. Their network has been infiltrated since Friday. Due to their network engineers' lack of understanding of how the network functions, network access was problematic on Saturday. They then made the decision to "take offline" seemingly important components of their infrastructure on Sunday.

After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing. This was after they brought in external firms for assistance in containing the incident.

In our MGM victim chat, a user suddenly surfaced a few hours after the ransomware was deployed. As they were not responding to our emails with the special link provided (In order to prevent other IT Personnel from reading the chats) we could not actively identify if the user in the victim chat was authorized by MGM Leadership to be present.

We posted a link to download any and all exfiltrated materials up until September 12th, on September 13th in the same discussion. Since the individual in the conversation did not originate from the email but rather from the hypervisor note, as was already indicated, we were unable to confirm whether they had permission to be there.

To guard against any unneeded data leaking, we added a password to the data link we provided them. Two passwords belonging to senior executives were combined to create the password. Which was clearly hinted to them with asterisks on the bulk of the password characters so that the authorized individuals would be able to view the files. The employee ids were also provided for the two users for identification purposes.

The user has consistently been coming into the chat room every several hours, remaining for a few hours, and then leaving. About seven hours ago, we informed the chat user that if they do not respond by 11:59 PM Eastern Standard Time, we will post a statement. Even after the deadline passed, they continued to visit without responding. We are unsure if this activity is automated but would likely assume it is a human checking it.

We are unable to reveal if PII information has been exfiltrated at this time. If we are unable to reach an agreement with MGM and we are able to establish that there is PII information contained in the exfiltrated data, we will take the first steps of notifying Troy Hunt from HaveIBeenPwned.com. He is free to disclose it in a responsible manner if he so chooses.

We believe MGM will not agree to a deal with us. Simply observe their insider trading behavior. You believe that this company is concerned for your privacy and well-being while visiting one of their resorts?

We are not sure about anyone else, but it is evident from this that no insiders have purchased any stock in the past 12 months, while 7 insiders have sold shares for a combined 33 MILLION dollars. (https://www.marketbeat.com/stocks/NYSE/MGM/insider-trades/). This corporation is riddled with greed, incompetence, and corruption.

We recognize that MGM is mistreating the hotel's customers and really regret that it has taken them five years to get their act together. Other lodging options, including casinos, are undoubtedly open and happy to assist you.

At this point, we have no choice but to criticize outlets such as The Financial Times for falsely reporting events that never happened. We did not attempt to tamper with MGM's slot machines to spit out money because doing so would not be to our benefit and would decrease the chances of any sort of deal.

The rumors about teenagers from the US and UK breaking into this organization are still just that—rumors. We are waiting for these ostensibly respected cybersecurity firms who continue to make this claim to start providing solid evidence to support it. Starting to the actors' identities as they are so well-versed in them.

The truth is that these specialists find it difficult to delineate between the actions of various threat groupings, therefore they have grouped them together. Two wrongs do not make a right, thus they chose to make false attribution claims and then leak them to the press when they are still unable to confirm attribution with high degrees of certainty after doing this. The Tactics, Techniques, and Procedures (TTPs) used by the people they blame for the attacks are known to the public and are relatively easy for anyone to imitate.

The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets made the decision to falsely claim that we had claimed responsibility for the attack before we had.

We still continue to have access to some of MGM's infrastructure. If a deal is not reached, we shall carry out additional attacks. We continue to wait for MGM to grow a pair and reach out as they have clearly demonstrated that they know where to contact us.

-------------------------------------------------
Updates:

Tech Crunch & others: neither you nor anybody else was contacted by the hacker who took control of MGM. Next time, verify your sources more thoroughly, or at the very least, give some hint that you do.

Additional Edits:

Previously incorrect attribution for slot machine report has been changed to correctly identify The Financial Times as the source of the utterly false information.
Mehul Srivastava is the "journalist" who publishes false material without first verifying the accuracy of the content. Clickbait junk. There are so many respected journalists out in the world you think we would pick trash like you?


More Updates on Fake News:

Zeba Siddiqui (Reuters) fails to confirm the credibility of sources before publishing items on Reuters that contain fake news, funnily enough naive individuals like this are the direct targets of social engineering schemes because they are so gullible. Find a new profession. You were actually made fun of by a random Telegram user. You idiot. But hey, anything for a story, right?

https://www.reuters.com/business/casino-giant-caesars-confirms-data-breach-2023-09-14/

------------------------------------------------------------------
Morons:

The reason we write this way is because of reactions like this one:
"you need to accept that good organizations don’t want to deal with you."
everybody he just called MGM a "good organization". Keep in mind we wrote that we don't think they will pay us. Somehow we are supposed to accept that in a different way. You seem to take this very personally!
This man here thinks we don't know that we are the criminals and actually sits there and reacts to us so now we will react to him!

Sit there and type while you're breathing heavy fat fuck.
https://www.youtube.com/watch?v=VLPTJetLGuc
---------------------------------------------

As of September 16, 2023, we have not spoken with any journalists, news organizations, Twitter/X users, or anyone else. Any official updates are only available on this blog. You would think that after the tweet below, people would know better than to believe anything unreliable they would hear about this incident. If we talk to a reporter, we will share it here. We did not and most likely won't.

 
The attackers stole data including driver’s license and social security numbers from Caesars loyalty members, the company said in the filing Thursday.
There must be some seriously high tier Bossmans gambling away their fortunes at that Casino for it to have been worth paying 10 Million to protect their data.
 
Anthony Cumia was at the MGM when this happened (and couldn't get money out to gamble). Coincidence? Yes, he's notoriously tech-retarded.
 
Or when they slight a Jewish electrical engineer, they get delivered a total enigma which the FBI can't even do shit about, and turns their casino into a pile of rubble.
Give the guy some credit. He was a Hungarian who fought for the Nazis. Dude led a real life.
 
There must be some seriously high tier Bossmans gambling away their fortunes at that Casino for it to have been worth paying 10 Million to protect their data.
There's definitely more. They're not just casinos, they're also one of the biggest and most powerful apolitical political interest groups.

Apolitical means they will donate to both parties to do their bidding.

These hackers likely found far worse information. Maybe insider trading, evidence of political corruption, protecting nonces, running paedophile rings, human trafficking, you name the crime, casinos who like to call themselves resorts are guilty.
 