Over the past week, two major Las Vegas casinos, MGM and Caesars Entertainment, were hit with ransomware attacks and data exfiltration attacks, because of course any hacker that manages to penetrate your systems these days and deploy some ransomware is also going to try to steal your most sensitive data and then hold it hostage, get you to pay a ransom for it so that they won't publish it on the dark web for more nefarious people to use. But what's even crazier than these casinos getting hit in the first place? Cause I mean, you gotta think, casinos, they tend to have really top-notch security. What's crazier than this incident happening is how it happened: good old social engineering, done via a phone call that was made to the casino's help desk to get access to an employee's account.
Whoopsie, it looks like we did a password reset for the wrong person a little bit too quickly. Or perhaps the person that these hackers were impersonating in social engineering this help desk employee to get a reset for, maybe that person had their security questions, or answers to the security questions, just written on their LinkedIn page or some other public social media profile. But one thing that is for sure is these casinos have a really messed up system in place for employees to recover their accounts. I mean, the fact that an outsider can impersonate you and just make a quick 10-minute phone call to get access to your account, then ultimately compromise the entire system of these multi-billion-dollar companies, is crazy.
So let's actually get into what happened and the security response by these casinos slash hotels. So the hacking group that claims responsibility is going by the name of Scattered Spider, but they have some other aliases such as UNC3944, Scattered Swine and Muddled Libra. But they are actually a subgroup of another hacking group that goes by the name of ALPHV or BlackCat. They're a pretty well-known and pretty well-established ransomware group at this point.
They've been doing it for several years and they actually have a post on their dark web blog about MGM, which reads:
"We have made multiple attempts to reach out to MGM International, MGM. As reported, MGM shut down computers inside their network as a response to us. We intend to set the record straight. No ransomware was deployed prior to the initial take down of their infrastructure by their internal teams. MGM made the hasty decision to shut down each and every one of their Okta sync servers after learning that we have been lurking on their Okta agent servers sniffing passwords of people whose passwords couldn't be cracked from their domain controller hash dumps, resulting in their Okta being completely locked out. Meanwhile, we continued having super administrator privileges to their Okta, along with global administrator privileges to their Azure tenant. They made an attempt to evict us after discovering that we had access to their Okta environment, but things did not go according to plan. On Sunday night, MGM implemented conditional restrictions that barred all access to their Okta environment due to inadequate administrative capabilities and weak incident response playbooks. Their network has been infiltrated since Friday due to their network engineer's lack of understanding of how the network functions. Network access was problematic on Saturday and they then made the decision to take offline seemingly important components of their infrastructure on Sunday."
So they've been battling this all last weekend.
"After waiting a day, we successfully launched a ransomware attack against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch, but failing. This was after they brought in external firms for assistance in containing the incident."
So it had already gotten out of hand at this point and they were looking for help elsewhere.
"In our MGM victim chat, a user suddenly surfaced a few hours after the ransomware was deployed. As they were not responding to our emails with the special link provided in order to prevent other IT personnel from reading the chats, we could not actively identify if the user in the victim chat was authorized by MGM leadership to be present. We posted a link to download any and all exfiltrated materials up until September 12th on September 13th in the same discussion. Since the individual in the conversation did not originate from the email, but rather from the hypervisor note, as was already indicated, we were unable to confirm whether they had permission to be there. To guard against any unneeded data leaking, we added a password to the data link we provided them. Two passwords belonging to senior executives were combined to create the password."
So they had plain text passwords of their senior executives, to just give you an idea of how badly they pwned their entire cloud infrastructure.
"Which was clearly hinted to them with asterisks on the bulk of the password characters so that the authorized individuals will be able to view the files. The employee IDs were also provided for the two users for identification purposes. The user has consistently been coming into the chat room every several hours, remaining for a few hours, then leaving."
And yeah, this just goes on to talk about how whatever person from MGM or whatever person had this link was basically not compliant with them and they didn't actually end up paying the ransom, or at least MGM didn't end up paying the ransom. So yeah, these hackers basically managed to get admin access to the resort's most important cloud infrastructure. Like, with the Okta access alone, that would let them control basically every employee's accounts for all of their apps on all of their devices, at least all the ones that are being managed through Okta.
So the SEC had to come bail these guys out, the FBI got involved, all the King's horses and all the King's men come out whenever it's a major casino slash resort that gets hacked. Now MGM actually issued a statement on their website on September 12th, saying that they were conducting an investigation and that they had to take down some systems to try and protect data. That's probably the ineffective action that the hackers were talking about on their blog post.
Now the end result for the customers, right? Because people are going to these hotels, people are going to these casinos, and the end result of all these system takedowns was that MGM and Caesars had to take their slot machines down, they had to take their video poker machines and their ATMs offline, and the hotel staff had to fall back to using pen and paper. I mean, imagine the huge pay loss that these casinos were feeling. I mean, obviously the hotels, they had long lines out the door, people are getting frustrated because they have to wait longer to check into their rooms, and so the hotels are gonna have to comp people on rooms or on room service and things like that to take care of the customers.
But the real money makers were offline. The real money makers are the slots and the video poker machines, because those are completely rigged to just pay out whenever the casinos want them to. But people still get hypnotized by these machines, right? They sit down and they go and play them. They'll spend their whole paycheck, or more likely their retirement checks or their disability checks, at these slot machines all day. I mean, if you think about it, the casinos in Nevada, they're probably one of the biggest beneficiaries or one of the companies that's ultimately receiving the most welfare in the state, because people go and gamble it away.
And of course the ATMs being taken down, that just cuts off the entire money supply, and this is probably why Caesars actually ended up paying half of the $30 million ransom that the hackers were asking for in order to prevent disclosure of the customer data that was stolen. Now in Caesars' SEC 8-K form filing, they mentioned that their loyalty program database was stolen along with other files that contain a lot of private customer information, like driver's license numbers and/or social security numbers for a significant number of members in that loyalty database. So if you or a loved one are a Caesars Entertainment loyalty member, you better start taking some actions to lock down and safeguard your accounts and your information, because hackers probably have your data.
You see, the thing about these ransomware attacks, and when it comes to your files getting locked down, they always tell you not to pay the ransom, okay? Or if your data is stolen, they tell you not to pay that ransom because you can't be 100% sure that the hackers are gonna be honest, especially when the data is stolen, okay? With ransomware, it's one thing, there's kind of a, it's a bit more time sensitive. So you know, if the hackers are gonna screw you over, they have to do it within a day or within whatever the countdown is. But if they just steal your data, they could say, oh yeah, sure, I pinky promise, I'm not gonna sell your data, but then they could just have it on a hard drive somewhere. I mean, data, or hard drive space rather, is so cheap these days. I wouldn't be surprised if these hacker groups like this that are able to get $15 million payouts from Caesars are not investing some of that in hard drive space.
Like, I wouldn't be surprised if these guys don't have hundreds or even thousands of terabytes of hard drive space for when they steal companies' data, and when they say they delete it, they're probably just hoarding it for, you know, when times get hard and they need to make some quick cash and they just go ahead and sell a, not necessarily new database, but it would still be a fresh database on the dark web, which they can get a whole lot of money for.
Now, MGM does not appear to have paid any ransom, which is probably why there's a post about them and not Caesars Entertainment on ALPHV's site. And based on what the hackers wrote about them and the rest of their blog posts, they seem pretty upset about not getting that ransom.
"We believe MGM will not agree to a deal with us. Simply observe their insider trading behavior. You believe that this company is concerned for your privacy and wellbeing while visiting one of their resorts? We are not sure about anyone else, but it is evident from this that no insiders have purchased any stock in the past 12 months while seven insiders have sold shares for a combined $33 million. This corporation is riddled with greed, incompetence, and corruption. We recognize that MGM is mistreating the hotel's customers and really regret that it has taken them five years to get their act together. Other lodging options, including casinos, are undoubtedly open and happy to assist you. At this point, we have no choice but to criticize outlets such as the Financial Times for falsely reporting events that never happened. We did not attempt to tamper with MGM slot machines to spit out money because doing so would not be to our benefit and would decrease the chances of any sort of deal."
So we've got some pretty salty dark web hackers here who are in possession of MGM's private company data as well as personal information, customer records, and things like that.
So I'm pretty sure we're gonna see a database of all of that information for sale on a dark web forum near you very soon. And good on the hackers for calling out that nonsense that some of these journalists at news publications are saying, where they say they're hacking the slot machines and getting them to spit out money onto the ground. I mean, that's like some Mr. Robot shit, okay? That doesn't happen in real life.
And I hope that these casino resorts will learn better security practices as a result of this incident, because it's baffling how the game floor in a casino, the security there is like Fort Knox, but apparently their cloud infrastructure security has been a complete joke this whole time. And they probably will learn their lesson because this incident has finally affected their bottom line. They had to take the slot machines offline. They had to take the video poker machines offline. The ATMs were offline. And it wasn't just affecting the gamblers, the people at the hotels were affected. They couldn't check in without going through a pen and paper system because their point of sale systems were down. Last weekend, apparently MGM had gotten downgraded to something like an Amish bed and breakfast because they didn't practice good OpSec. Don't let the same thing happen to you.
And if by some miracle your credit card isn't stolen by dark web hackers in this database breach, use it to buy yourself a come and find it shirt on base.win. And I also accept your favorite cryptocurrency if you don't want to use fiat. In fact, I give a discount store-wide to Monero users. So go ahead and check out my website, base.win, today. Like and share to hack the algorithm. Follow me on Odysee. Have a great rest of your day.