Changelog: MGM outages mark new chapter of ransomware chaos

Krzysztof Hepner / Unsplash

Welcome to Changelog, published by Synack! README senior editor Nathaniel Mott here with the week's top infosec news.

The payload

You know a “cybersecurity issue” is serious when slot machines stop working—or at least that’s when I realized the MGM Resorts hack wasn’t being overhyped.

Let’s back up a bit. MGM is a hospitality juggernaut with a nearly $15 billion market cap that operates casinos, hotels and resorts throughout the U.S. and internationally. The company announced on Sept. 11 that it had “recently identified a cybersecurity issue” that required it to shut down “certain systems.” It also said that its resorts were “currently operational… and continue to deliver the experiences for which MGM is known,” despite the ongoing incident.

But the BBC reported on Sept. 12 that all was not well at some of MGM’s properties. “Customers have reported problems with slot machines and online room booking systems,” the BBC said, adding that “other people have taken to social media to complain about cancelled reservations, not being able to check in, make card payments or log in to their MGM accounts.” The attack was also said to have disrupted the electronic room key system at one property.

So how was this highly disruptive cyberattack pulled off? According to vx-underground, attackers claimed they only needed to have a 10-minute phone call with a member of MGM’s support team to sow chaos. vx-underground said it received this information about the hack directly from ALPHV/BlackCat, a ransomware gang that’s been active since at least November 2021. Other news outlets have tied the attackers to a Western ALPHV affiliate tracked as “Scattered Spider,” which is known for its devious social engineering prowess in part owing to its perfect English.

“We continue to work diligently to resolve our cybersecurity issue while addressing individual guest needs promptly,” MGM said this morning. “We couldn’t do this without the thousands of incredible employees who are committed to guest service and support from our loyal customers. Thank you for your continued patience.”

No word on when people will be able to play their favorite slots again, though.

The week, compiled

Apple wasn’t the only company responding to a zero-day vulnerability exploited by NSO Group this month. Google also released an update to its Chrome browser to address a heap buffer overflow in WebP, a web-optimized lossless image format the company introduced in 2010.

Google said the vulnerability was reported by Apple’s Security Engineering and Architecture team and Citizen Lab on Sept. 6. That’s one day before Citizen Lab revealed that it had “found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware” that “involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.” (Apple patched iOS and iPadOS that same day.)

Citizen Lab said at the time that it “expect[ed] to publish a more detailed discussion of the exploit chain in the future.” It seems likely that the group was waiting for Google to update Chrome before revealing more information about a vulnerability in the world’s most popular browser involving a common image format that most people couldn’t avoid if they tried. Maybe we’ll learn more after the update rolls out across Windows, macOS and Linux.


Growtika / Unsplash

Google previously published two reports into the FORCEDENTRY exploit chain NSO Group used to compromise target iPhones and iPads. That chain took advantage of the way iOS handled GIFs received via iMessage, so it’s clear the Israeli spyware company has a thing for breaking image processing tools. (And that Apple and Google should probably be giving every aspect of their operating systems that involves such processing a thorough review.)

Maybe this time we’ll get a few blog posts from Apple returning the favor.

Here are some of the other top stories of the week:

WaPo: Speaking of NSO Group, Citizen Lab and Access Now revealed this week that the infamous Pegasus spyware was found on the phone of Galina Timchenko, founder of independent Russian news site Meduza, which according to The Washington Post marks the first time the spyware has been discovered on the device of a Russian citizen.

BleepingComputer: Microsoft released fixes for “59 flaws, including two actively exploited zero-day vulnerabilities,” as part of its monthly Patch Tuesday release on Sept. 12. BleepingComputer’s coverage also includes information about patches released by Asus, Cisco and other companies in response to vulnerabilities within their offerings.

Ars Technica: How long can a website serve malware before someone notices? Well, it seems the answer is “at least three years,” because that’s exactly what happened over at freedownloadmanager[.]org. Ars Technica reported that the site started to redirect some users to a malicious domain that served infostealer malware some time in 2020.

A message from Synack

Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.

Flash memory

It’s hard to believe it’s been a year since Lapsus$ hacked Uber. (Personal note: That was the first story I wrote for README after coming on as senior editor. Oh, time flies.)

The most novel aspect of the Uber hack was that it demonstrated the ease with which a persistent—no “advanced” required—threat could bypass multi-factor authentication. I doubt many people had heard the phrase “MFA fatigue attack” before the Uber hack; I’m pretty sure at least some are tired of hearing or saying the phrase just 52 weeks later. (Incidentally, the “Scattered Spider” threat actor reportedly behind the attack on MGM this week is known for using MFA fatigue tactics.)

But I hope the peril of push-based MFA wasn’t the only takeaway from the Uber hack. The company had other problems, such as a script containing hard-coded credentials reportedly sitting on a shared drive, which allowed Lapsus$ to turn access to one employee’s account into access to places on the company’s network that should have been unreachable.
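The push-fatigue pattern described above leaves a recognizable trace in identity-provider logs: a burst of push prompts to one user, often a string of denials followed by an approval. The following detector is an added example written for this newsletter, not code from Uber, MGM or Synack; the log format, field names, thresholds and sample lines are all assumptions constructed for illustration.

```python
"""Flag MFA push-fatigue patterns in (constructed) IdP push-notification logs.

Added example, not the page's or any vendor's code. Log format, thresholds
and field names are assumptions; map them onto your own IdP's events.
Lines are assumed to be in chronological order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, push result (one event per line).
SAMPLE_LOG = """\
2023-09-14T02:10:05Z alice push_denied
2023-09-14T02:10:41Z alice push_denied
2023-09-14T02:11:20Z alice push_denied
2023-09-14T02:12:03Z alice push_denied
2023-09-14T02:13:30Z alice push_approved
2023-09-14T09:00:00Z bob push_approved
2023-09-14T17:30:00Z bob push_denied
2023-09-14T17:45:00Z bob push_approved
"""

WINDOW = timedelta(minutes=10)   # assumed: prompts within 10 min are one burst
MAX_PROMPTS = 3                  # assumed: more prompts than this is a burst
MIN_DENIALS_BEFORE_APPROVE = 2   # assumed: approval after this many denials


def parse_line(line):
    """Split one log line into (timestamp, user, result)."""
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_push_fatigue(log_text):
    """Return alerts as (user, timestamp, reason) tuples, in log order."""
    alerts = []
    recent = defaultdict(deque)  # user -> events (ts, result) inside WINDOW
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result = parse_line(line)
        q = recent[user]
        q.append((ts, result))
        while q and ts - q[0][0] > WINDOW:   # drop events older than WINDOW
            q.popleft()
        denials = sum(1 for _, r in q if r == "push_denied")
        if len(q) > MAX_PROMPTS:
            alerts.append((user, ts, f"{len(q)} push prompts within {WINDOW}"))
        if result == "push_approved" and denials >= MIN_DENIALS_BEFORE_APPROVE:
            alerts.append((user, ts, f"approval after {denials} denials"))
    return alerts
```

On the sample above, alice's four denials and eventual approval produce three alerts while bob's spread-out prompts produce none.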

Of course, odds are that many companies still use push-based MFA, so it’s probably too much to expect that other lessons were learned from the Uber hack as well. It took years to convince most companies to use any form of MFA in the first place; now they’re supposed to start using even more complicated and costly implementations of these security measures within a year?

So it goes.

Local files

NSA: The NSA, FBI and Cybersecurity and Infrastructure Security Agency (CISA) published a joint report on deepfakes, which the agencies said “could present a cybersecurity challenge for National Security Systems (NSS), the Department of Defense (DoD), and DIB organizations.” The report (PDF) outlines the security implications of deepfake technology as well as guidance for organizations that need to identify and mitigate the risks associated with them.

Bloomberg: MGM Resorts isn’t the only hospitality company targeted by ransomware gangs recently. Bloomberg reported that Caesars Entertainment “paid tens of millions of dollars to hackers who broke into the company’s systems in recent weeks and threatened to release the company’s data.” It seems ransomware operators’ gamble is – unfortunately for law-abiding gamblers – paying off.

CISA: CISA published its Open Source Software Security Roadmap on Sept. 12 to “[articulate] how the agency will enable the secure usage of open source software within the federal government and support a healthy, secure, and sustainable global open source software ecosystem” throughout 2024-2026. The full roadmap can be found on CISA’s website.

Off-script

I don’t think I’ve ever seen a company so thoroughly enrage all of its customers—as well as their downstream customers—as I did when Unity announced changes to its licensing model.

The company announced on Sept. 12 that on Jan. 1, 2024 it would be “introducing a Unity Runtime Fee that is based upon each time a qualifying game is downloaded by an end user.” This would require developers whose games pass a certain threshold (which varies based on which Unity subscription tier they have) to pay an additional fee for additional downloads.

Note that this fee doesn’t apply to purchases of a particular title—it applies to downloads. Unity originally said that someone buying a game made with Unity, uninstalling it to free up storage on their systems, then reinstalling it when they get the hankering to play the game later on would count as two separate downloads. The game devs wouldn’t be paid twice, but Unity would be! (The company has since said that reinstallations wouldn’t count as separate downloads.)


Daniel Herron / Unsplash

Everything about this is terrible. From the telemetry Unity has to collect about every player of every game made with its engine so it can enforce these fees to the punishment of game devs for making games people want to install on multiple devices, there isn’t a single aspect of this change that benefits anyone who doesn’t work for Unity. I’m as mad as I am impressed.

At least the company is living up to its name—I’m pretty sure every gamer and game dev who’s heard of this change is united in hating it. So that’s something!