Clorox breach group behind casino
The same cybercrime group behind the Clorox incident now targets the casino industry. An analysis of the attack TTPs connecting the breaches and the risks for operators.
Hackers Behind Clorox Breach Now Targeting Major Casino Operators
Organizations must immediately re-evaluate their identity and access management (IAM) protocols, with a specific focus on social engineering vulnerabilities targeting IT help desks. This is the primary attack vector the Scattered Spider syndicate exploited in both the infiltration of the major consumer products corporation and the subsequent, high-profile incident at a Las Vegas hospitality conglomerate.
The cybercriminal operation's methodology relies on obtaining employee credentials through manipulative phone calls and SMS phishing (smishing). After gaining an initial foothold, the perpetrators leverage legitimate remote administration tools like ScreenConnect and AnyDesk to move laterally. Analysis of the entertainment enterprise's security failure reveals a strikingly similar pattern to the September 2023 intrusion at the publicly-traded cleaning supply company, indicating a consistent and repeatable playbook.
Forensic evidence shows the threat actor's success hinges on exploiting human trust, not complex software vulnerabilities. Security programs should prioritize continuous employee training that simulates these specific manipulation tactics. Implementing multi-factor authentication (MFA) resistant to prompt-bombing and SIM-swapping is a direct countermeasure to the techniques used by this prolific hacking entity to compromise major hospitality and consumer goods enterprises.
Scattered Spider: Connecting the Clorox Breach and the Casino Cyberattacks
The operational playbook of the threat actor known as Scattered Spider, or UNC3944, directly links the system compromise at the consumer goods corporation to the widespread disruption of major hospitality and entertainment corporations. The common thread is a refined social engineering methodology targeting IT help desks and employees, coupled with aggressive multi-factor authentication (MFA) fatigue tactics. The operators use these techniques to trick support staff into resetting credentials or adding new devices to an employee's MFA profile, granting initial network access.
Following initial entry, these operatives deploy legitimate remote management and monitoring (RMM) tools, such as AnyDesk and ScreenConnect, to establish persistence. They then perform lateral movement using native Windows utilities to avoid detection. The critical connection in these intrusions is the syndicate's affiliate relationship with the ALPHV (BlackCat) ransomware-as-a-service operation. Scattered Spider secures the initial foothold and escalates privileges; the ALPHV ransomware payload is then deployed for data exfiltration and encryption, maximizing financial extortion.
To counter this specific threat actor, organizations must enforce phishing-resistant MFA using FIDO2 or WebAuthn hardware keys, which are not susceptible to push-notification fatigue or adversary-in-the-middle attacks. IT help desk verification procedures must include stringent, non-public validation steps before any password or MFA device reset. Implement strict application controls to block the execution of unauthorized RMM software. Monitoring for unusual Active Directory modifications, such as the creation of new administrator accounts or changes to domain federation trusts, provides an opportunity for early detection of their post-compromise activities.
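The detection opportunity described in the last sentence, written out as an added example that is not code from the original article or from any vendor: it scans directory audit events for two of the post-compromise signals named above, a newly created account being placed into a privileged group minutes after creation, and a change to federation trust settings. The log lines are constructed for this example (one JSON object per line, loosely modelled on Windows Security event fields), the privileged group list and the federation operation names are assumptions to be mapped onto your own tier-0 groups and your directory's audit vocabulary, and the 30-minute correlation window is an arbitrary tuning value.

```python
"""Flag new-admin-account and federation-trust changes in directory audit events.

All sample data below is constructed for this example; the event IDs 4720/4728/4732/4756
are the Windows Security IDs for user creation and group-membership additions, while the
federation operation names and the group list are assumptions to adapt to your environment.
"""
import json
from datetime import datetime, timedelta

# Assumption: extend with every group that confers domain or tenant admin rights in your estate.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}   # member added to global / local / universal security group
USER_CREATED_EVENT_ID = 4720
# Assumption: operation names as your directory's audit log labels federation-trust edits.
FEDERATION_OPS = {"Set federation settings on domain", "Add federation trust"}

# Constructed sample: an actor creates an account at 02:14, makes it a domain admin within
# a minute, then edits federation settings; a routine daytime add to a non-privileged group follows.
SAMPLE_LOG = """\
{"ts": "2024-05-01T02:11:05Z", "event_id": 4624, "actor": "jdoe", "target": "ws-22", "group": null, "op": "logon"}
{"ts": "2024-05-01T02:14:40Z", "event_id": 4720, "actor": "jdoe", "target": "svc-backup2", "group": null, "op": "user_created"}
{"ts": "2024-05-01T02:15:02Z", "event_id": 4728, "actor": "jdoe", "target": "svc-backup2", "group": "Domain Admins", "op": "group_add"}
{"ts": "2024-05-01T02:17:30Z", "event_id": 4756, "actor": "jdoe", "target": "svc-backup2", "group": "Enterprise Admins", "op": "group_add"}
{"ts": "2024-05-01T02:40:12Z", "event_id": null, "actor": "jdoe", "target": "corp.example", "group": null, "op": "Set federation settings on domain"}
{"ts": "2024-05-01T09:02:00Z", "event_id": 4728, "actor": "it-admin", "target": "intern42", "group": "Sales Staff", "op": "group_add"}
"""


def parse_events(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, window=timedelta(minutes=30)):
    """Return (kind, actor, target, detail) tuples for suspicious directory changes.

    kind is 'privileged_group_add' for any add to a privileged group, upgraded to
    'new_admin_account' when the target account was created within `window` beforehand,
    and 'federation_change' for edits to federation trust settings.
    """
    findings = []
    created_at = {}  # account name -> creation timestamp, for the create-then-elevate pattern
    for e in events:
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        if e["event_id"] == USER_CREATED_EVENT_ID:
            created_at[e["target"]] = ts
        if e["event_id"] in GROUP_ADD_EVENT_IDS and e["group"] in PRIVILEGED_GROUPS:
            kind = "privileged_group_add"
            if e["target"] in created_at and ts - created_at[e["target"]] <= window:
                kind = "new_admin_account"
            findings.append((kind, e["actor"], e["target"], e["group"]))
        if e["op"] in FEDERATION_OPS:
            findings.append(("federation_change", e["actor"], e["target"], e["op"]))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(finding)
```

The create-then-elevate correlation is the piece worth keeping even if the rest is replaced by a SIEM rule: a lone 4728 to Domain Admins is routine noise during onboarding, but an account that did not exist thirty minutes ago and is already a domain admin is rarely legitimate.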
Analyzing the Group's Tactics: Social Engineering, SIM Swapping, and MFA Fatigue
Organizations must immediately enforce number matching for all Multi-Factor Authentication (MFA) push notifications to counter the attack sequences favored by this syndicate. The operators demonstrate a methodical approach, chaining together multiple techniques to dismantle security layers, beginning with human-focused deception.
Social Engineering as the Entry Point
The threat actors' initial access relies heavily on sophisticated impersonation. Their primary methods include:
- Help Desk Pretexting: The adversaries conduct reconnaissance to identify employees, often in non-technical roles. They then initiate contact, typically via a phone call, posing as corporate IT support personnel. They create a plausible scenario, such as a pending system update or a security alert, to persuade the employee to divulge their credentials.
- Targeted Phishing: Instead of mass-mailing generic lures, the operators craft specific messages aimed at select individuals. These messages often direct targets to a credential harvesting page that perfectly mimics the organization's legitimate single sign-on (SSO) portal.
- Information Gathering: The syndicate leverages professional networking sites and public data to build a convincing profile before making contact. They collect details like job titles, department names, and even recent corporate news to enhance their credibility during pretexting calls.
Circumventing Authentication with SIM Swapping
Once initial credentials are stolen, the operators move to neutralize SMS-based two-factor authentication. The process is direct:
- Carrier Manipulation: An adversary contacts the target employee's mobile service provider. Using personal information acquired through social engineering or other data leaks, they convince the carrier's agent to transfer the victim's phone number to a SIM card under their control.
- Intercepting Codes: With the phone number ported, all incoming calls and SMS messages, including one-time passcodes (OTPs) for account access, are rerouted to the attacker's device. This grants them the token needed to complete the login process.
- Defense Measures: The defense against this is twofold. First, employees should request “port-out protection” or enhanced security PINs from their mobile carriers. Second, IT departments should phase out SMS and voice-call MFA in favor of more secure alternatives like TOTP-generating authenticator applications or FIDO2 hardware security keys.
Exploiting Human Behavior with MFA Fatigue
For systems protected by push-based MFA, the syndicate employs a brute-force psychological attack:
- Notification Spam: After obtaining a valid username and password, the operators trigger a continuous flood of MFA push notifications to the target's legitimate mobile device.
- Friction and Frustration: The attack, sometimes sustained for over an hour and often conducted outside of business hours, is designed to annoy or confuse the employee. The objective is for the target to eventually accept a prompt by mistake or out of a desire to stop the alerts.
- Countermeasures: Implementing number matching in MFA prompts forces the user to correlate a number on their screen with the number in the app, preventing accidental approvals. Additionally, configuring authentication systems to rate-limit or temporarily lock an account after a small number of failed or ignored MFA requests can stop these barrages before they succeed. The infiltrations at hospitality giants demonstrated this exact pattern.
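The two countermeasures in the last bullet, number matching and locking after a small burst of unanswered prompts, as an added example that is not code from the original article or from any identity provider. `PushMfaGuard` is a hypothetical server-side component that sits between a correct password and the push prompt: it counts unanswered prompts per user inside a sliding window, locks the account when the count is exceeded, and refuses any approval that does not carry the number shown on the login screen. The thresholds (three prompts per ten minutes, one-hour lock) are assumptions to tune against your IdP's own settings.

```python
"""Push-MFA guard: sliding-window prompt limit plus number matching.

Added example with constructed thresholds; not a vendor implementation.
"""
import secrets
from collections import deque
from datetime import datetime, timedelta, timezone


class PushMfaGuard:
    def __init__(self, max_prompts=3, window=timedelta(minutes=10), lock_for=timedelta(hours=1)):
        self.max_prompts = max_prompts      # unanswered prompts tolerated inside `window`
        self.window = window
        self.lock_for = lock_for
        self._unanswered = {}               # user -> deque of prompt timestamps not yet approved
        self._pending = {}                  # user -> number currently shown on the login screen
        self._locked_until = {}             # user -> time the lock expires
        self.alerts = []                    # (user, time, reason) records for the SOC

    def request_push(self, user, now):
        """Called after a correct password. Returns ('sent', number) or ('locked', None)."""
        if now < self._locked_until.get(user, now):
            return ("locked", None)
        queue = self._unanswered.setdefault(user, deque())
        while queue and now - queue[0] > self.window:   # drop prompts older than the window
            queue.popleft()
        if len(queue) >= self.max_prompts:
            # A flood of unanswered prompts is the fatigue pattern: stop prompting and alert.
            self._locked_until[user] = now + self.lock_for
            self._pending.pop(user, None)
            self.alerts.append((user, now, "push_flood_lock"))
            return ("locked", None)
        queue.append(now)
        number = secrets.randbelow(100)      # two-digit challenge displayed on the login screen
        self._pending[user] = number
        return ("sent", number)

    def approve(self, user, entered_number, now):
        """The authenticator app asks the user to type the number from the login screen."""
        if now < self._locked_until.get(user, now):
            return "locked"
        expected = self._pending.get(user)
        if expected is None:
            return "no_pending_prompt"
        if entered_number != expected:
            return "number_mismatch"         # a blind tap cannot supply the number
        self._pending.pop(user)
        self._unanswered[user].clear()       # a genuine approval resets the counter
        return "approved"


def fatigue_scenario():
    """Five prompts thirty seconds apart at 02:00: the fourth locks the account."""
    guard = PushMfaGuard()
    t0 = datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc)
    outcomes = [guard.request_push("jdoe", t0 + timedelta(seconds=30 * i))[0] for i in range(5)]
    return outcomes, guard.alerts


def number_match_scenario():
    """An approval with the wrong number is rejected; the right number is accepted."""
    guard = PushMfaGuard()
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    _, shown = guard.request_push("jdoe", t0)
    wrong = (shown + 1) % 100
    return guard.approve("jdoe", wrong, t0), guard.approve("jdoe", shown, t0)


if __name__ == "__main__":
    print(fatigue_scenario())
    print(number_match_scenario())
```

The lock event in `alerts` is the useful detection artefact: a burst of unanswered prompts for one user at 02:00 means the password is already in someone else's hands, so the response is a credential reset, not just waiting for the lock to expire.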
Deconstructing the Attack Timeline: From Initial Access at Clorox to Ransomware Deployment at MGM Resorts
Implement stringent identity verification protocols for all help desk interactions, especially those requesting password resets or multi-factor authentication (MFA) changes. The attackers' path demonstrates that a single successful social engineering call can initiate a catastrophic chain of events.
The campaign commenced with a vishing (voice phishing) attack targeting an employee at the cleaning products manufacturer. Posing as IT support, the operators convinced the target to visit a malicious portal, capturing their credentials and a one-time password token. This provided the initial foothold.
Once inside the consumer goods corporation's network, the adversaries spent weeks conducting reconnaissance and lateral movement. Their objective was not immediate disruption but the acquisition of high-privilege credentials. They successfully located and exfiltrated credentials for the company's Okta identity management platform, a pivotal access point to other federated services.
This compromised Okta access served as the bridge to the next set of targets. The syndicate, identified as Scattered Spider with ties to the ALPHV/BlackCat operation, used this knowledge to refine their tactics. They directed their social engineering efforts at the IT service desks of major Las Vegas resort operators, including MGM Resorts and Caesars Entertainment.
The infiltration of the hospitality giants followed a nearly identical pattern. The attackers, armed with specific employee names and internal knowledge potentially gleaned from the prior intrusion, successfully impersonated employees to IT staff. They persuaded help desk personnel to reset MFA for high-value accounts, including those with Okta Super Administrator privileges. This gave them control over the identity and access management system.
With administrative control of Okta, the attackers systematically locked out legitimate users at MGM Resorts. They then deployed the ALPHV/BlackCat ransomware across the network, encrypting ESXi hypervisors and causing widespread operational shutdowns. In a contrasting outcome, Caesars Entertainment detected the intrusion and opted to pay a multi-million dollar ransom to prevent data exfiltration and ransomware deployment.
Implementing Specific Security Controls to Mitigate Social Engineering-Centric Threats
Mandate the use of phishing-resistant Multi-Factor Authentication (MFA), such as FIDO2 hardware security keys, for all employees and contractors. This method binds credentials to a physical device, neutralizing credential theft from phishing pages. For privileged accounts, combine this with Just-in-Time (JIT) access methodologies, granting elevated permissions for a limited duration, for example a 30-minute window, after which they automatically expire. Log all JIT activation and deactivation events for review.
Establish a rigid, non-bypassable verification protocol for IT help desk operations, especially for password resets or MFA device changes. This protocol must involve multi-channel confirmation. For instance, any request must be verified via a callback to a static, pre-registered human resources phone number and a separate challenge sent to a secondary, pre-approved email address. Forbid support agents from overriding security settings without an auditable, time-stamped approval from at least two separate managers.
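The help desk protocol above, modelled as an added example that is not code from the original article or from any ticketing product. `HelpDeskResetRequest` is a hypothetical ticket object in which each verification step only records evidence, and `execute()` is the single gate that refuses the reset until the callback to the pre-registered number, the challenge to the pre-approved email address, and approvals from two distinct managers are all present. Every step appends a timestamped audit entry. Phone numbers, codes and identifiers in the scenario are constructed.

```python
"""Non-bypassable verification gate for password/MFA resets, with an audit trail.

Added example; names and sample values are constructed.
"""
import secrets
from datetime import datetime, timezone


class ResetDenied(Exception):
    """Raised by execute() with the list of checks that have not passed."""


class HelpDeskResetRequest:
    def __init__(self, ticket_id, employee_id):
        self.ticket_id = ticket_id
        self.employee_id = employee_id
        self.callback_verified = False
        self.email_challenge_verified = False
        self.approvers = set()          # distinct manager IDs; the same manager twice counts once
        self.audit = []                 # (utc timestamp, ticket, event, detail)

    def _log(self, event, detail):
        self.audit.append((datetime.now(timezone.utc).isoformat(), self.ticket_id, event, detail))

    def record_callback(self, dialed_number, registered_number):
        """The agent must dial the number on file, never one supplied by the caller."""
        ok = dialed_number == registered_number
        self.callback_verified = ok
        self._log("callback", "verified" if ok else "number_not_on_file")
        return ok

    def record_email_challenge(self, submitted_code, issued_code):
        """Code was sent to the pre-approved secondary address; compare in constant time."""
        ok = secrets.compare_digest(submitted_code, issued_code)
        self.email_challenge_verified = ok
        self._log("email_challenge", "verified" if ok else "code_mismatch")
        return ok

    def record_manager_approval(self, manager_id):
        self.approvers.add(manager_id)
        self._log("approval", manager_id)

    def execute(self, agent_id):
        """The only path to an actual reset; raises ResetDenied listing missing checks."""
        missing = []
        if not self.callback_verified:
            missing.append("callback")
        if not self.email_challenge_verified:
            missing.append("email_challenge")
        if len(self.approvers) < 2:
            missing.append("two_manager_approvals")
        if missing:
            self._log("denied", ",".join(missing))
            raise ResetDenied(missing)
        self._log("executed", agent_id)
        return True


def scenario():
    """Returns (first attempt denied?, missing checks, second attempt result, audit length)."""
    req = HelpDeskResetRequest("INC-0001", "emp-4471")
    req.record_callback("+1-555-0100", "+1-555-0100")        # constructed HR number on file
    issued = "7Q4N-92XK"                                     # constructed challenge code
    req.record_email_challenge("7Q4N-92XK", issued)
    req.record_manager_approval("mgr-alice")
    req.record_manager_approval("mgr-alice")                 # duplicate approver does not count
    try:
        req.execute("agent-07")
        first_denied, missing = False, []
    except ResetDenied as exc:
        first_denied, missing = True, exc.args[0]
    req.record_manager_approval("mgr-bob")
    return first_denied, missing, req.execute("agent-07"), len(req.audit)


if __name__ == "__main__":
    print(scenario())
```

The point of keeping all state on the ticket and gating only in `execute()` is that an agent under pressure from a convincing caller has no "override" to reach for: the worst they can do is record a failed check, which itself lands in the audit log.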
Secure communication channels against impersonation. Configure Domain-based Message Authentication, Reporting & Conformance (DMARC) to a p=reject policy to block unauthorized email servers from sending messages using your domain. For internal collaboration tools like Microsoft Teams or Slack, configure rules to visually flag all communication from external or guest accounts and automatically scan all shared links with a remote browser isolation (RBI) service before a user can access them.
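To make the DMARC recommendation concrete, here is an added example (not from the original article) that parses a DMARC TXT record and reports why it would fail to stop spoofed mail: a `p=none` or `p=quarantine` policy, a subdomain policy weaker than the domain policy, a `pct` below 100, or no aggregate-report address. Run it against the record you publish at `_dmarc.<your-domain>`; the records in the block are constructed, and `example.com` is a placeholder.

```python
"""Evaluate a DMARC TXT record for the weaknesses that let spoofed mail through.

Added example; tag semantics follow the DMARC specification (RFC 7489), sample records are constructed.
"""

# Constructed records: a monitoring-only record and a fully enforced one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com"


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return a list of human-readable issues; an empty list means the record enforces rejection."""
    tags = parse_dmarc(record)
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("missing or wrong v= tag: receivers ignore the record entirely")
    policy = tags.get("p")
    if policy == "none":
        issues.append("p=none: spoofed mail is delivered; the record only produces reports")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail lands in spam folders instead of being rejected")
    elif policy != "reject":
        issues.append(f"p={policy}: unrecognised or missing policy")
    # Without sp=, subdomains inherit p=; with it, they may be weaker than the main domain.
    subdomain_policy = tags.get("sp", policy)
    if subdomain_policy != "reject":
        issues.append(f"sp={subdomain_policy}: mail from subdomains is not rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: the policy is applied to only {pct}% of failing messages")
    if "rua" not in tags:
        issues.append("no rua= address: you receive no aggregate reports of spoofing attempts")
    return issues


if __name__ == "__main__":
    for record in (WEAK_RECORD, STRONG_RECORD):
        print(record)
        for issue in evaluate_dmarc(record) or ["ok: enforced"]:
            print("  -", issue)
```

Note that `p=reject` only has teeth if your legitimate senders (marketing platforms, ticketing systems, cloud mail) are aligned through SPF or DKIM first; the usual path is to run at `p=none` with `rua` reporting until the reports show alignment, then move to `pct=100; p=reject`.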
Conduct advanced, targeted attack simulations that replicate real-world adversary tactics. Go beyond simple email phishing tests. Execute periodic vishing (voice phishing) campaigns that mimic urgent requests from executives and smishing (SMS phishing) attempts targeting employee mobile devices. Use failure metrics from these simulations to assign targeted, role-specific training modules that directly address the tactics used in the failed test.
Deploy endpoint security rules that specifically target the tools used after a successful social engineering deception. Configure Endpoint Detection and Response (EDR) agents to block Office applications from launching command-line interpreters like PowerShell or `cmd.exe`. Implement network micro-segmentation to restrict lateral movement. A workstation in the marketing department, for example, should be technically prevented from initiating a connection to a database server in the production environment, even with valid credentials.