MGM Resorts Hackers Claim That They Pwned The Company In Ten Minutes

This is one of those cases that proves that the weakest part of your cybersecurity efforts is the humans. I say that because the MGM Resorts hack that I reported on was carried out via a simple 10-minute phone call:

The ALPHV/BlackCat ransomware group claimed responsibility for the MGM Resorts cyber outage on Tuesday, according to a post by malware archive vx-underground. The group claims to have used common social engineering tactics, or gaining trust from employees to get inside information, to try and get a ransom out of MGM Resorts, but the company reportedly refuses to pay. The conversation that granted initial access took just 10 minutes, according to the group.

“All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk,” the organization wrote in a post on X. Those details came from ALPHV, but have not been independently confirmed by security researchers.

If that’s true, then that’s very bad. And it highlights the need to train help desks and the like to be vigilant against social engineering like this. Because now that this is out there, it’s a safe bet that other threat actors will try the same thing to carry out similar attacks.

UPDATE: John Gunn, CEO of Token, provided me with this comment:

It is beyond ridiculous that we continue to rely on humans as the core of our cyber-defense strategy and expect every employee in the entire organization to be able to identify and fend off sophisticated attacks from hackers using the most advanced tools and techniques. Humans, meaning everyday users, are simply not capable and we have to take this vulnerability out of the process by changing the way they log in.

People are the weakest link in cyber security and their abilities to defend have improved extremely little in the past twenty years while attack methods and tools have raced forward in effectiveness and frequency. When cyber criminals fully implement AI, it will be a bloodbath as breaches and the losses accelerate seemingly unimpeded. We must stop relying on humans to defend our organizations against today’s cyber attacks.
