Full Report
For the latest discoveries in cyber research for the week of 2nd March, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Wynn Resorts, a United States-based casino and hotel operator, has confirmed that employee data was accessed following an extortion threat linked to ShinyHunters. The company said operations were not disrupted. Reports indicate […]

The post 2nd March – Threat Intelligence Report appeared first on Check Point Research.
Analysis Summary
# Incident Report: Wynn Resorts Employee Data Breach
## Executive Summary
Wynn Resorts, a major casino and hotel operator, confirmed a data breach resulting from an extortion threat linked to the threat actor ShinyHunters. The compromise specifically targeted and accessed sensitive employee data, including HR records and contact details. Despite the data exfiltration, the company reported that its primary business operations remained undisrupted.
## Incident Details
- Discovery Date: Not explicitly disclosed, but reported during the week of March 2nd.
- Incident Date: Not explicitly disclosed, but confirmed in early March reporting.
- Affected Organization: Wynn Resorts
- Sector: Hospitality / Casino & Hotel Operator
- Geography: United States
## Timeline of Events
### Initial Access
- Date/Time: Unknown
- Vector: Not disclosed. The extortion threat linked to ShinyHunters suggests an initial network intrusion or unauthorized access facilitated by this threat actor.
- Details: The mechanism of initial access is not explicitly detailed in the summary, but it preceded the confirmed data access.
### Lateral Movement
- Details: Not detailed in the provided context.
### Data Exfiltration/Impact
- Details: Employee data was accessed and subsequently compromised. The stolen dataset includes HR-related information such as contact details and employment records for both current and former staff.
### Detection & Response
- Details: While the company has confirmed the breach following the demand, specific details on internal detection methods or notification timelines are not provided.
- Response Actions: Confirmation of the breach and communication regarding the scope (employee data access).
## Attack Methodology
- Initial Access: Implied successful intrusion leading to access to employee data stores.
- Persistence: Unknown.
- Privilege Escalation: Unknown.
- Defense Evasion: Unknown; success suggests evasion of standard security controls related to data access.
- Credential Access: Unknown.
- Discovery: Unknown, but was required to locate HR/employee data.
- Lateral Movement: Unknown.
- Collection: Focused on HR-related information for current and former staff.
- Exfiltration: Data was exfiltrated, leading to the extortion threat.
- Impact: Data theft/exposure, leading to an extortion attempt.
## Impact Assessment
- Financial: Not disclosed, though costs associated with remediation, customer notification, and potential regulatory fines may be incurred.
- Data Breach: HR-related information, including contact details and employment records for current and former staff.
- Operational: Operations were **not disrupted**.
- Reputational: Potential negative impact due to a publicized data breach associated with a known threat actor.
## Indicators of Compromise
- Network indicators: None provided (ShinyHunters affiliation only).
- File indicators: None provided.
- Behavioral indicators: Successful data access and exfiltration targeting employee records.
## Response Actions
- Containment measures: Not specified.
- Eradication steps: Not specified.
- Recovery actions: Not specified beyond operational continuity being maintained.
## Lessons Learned
- Robust access controls and segmentation are important around human resources and employee PII/employment record databases, as these were a target regardless of operational status.
- Need for proactive monitoring to detect unauthorized access to sensitive employee data stores.
## Recommendations
- Immediately scope and conduct a forensic investigation to understand the full attack chain used by ShinyHunters.
- Review and harden infrastructure related to HR data storage and access.
- Enhance threat hunting capabilities to look specifically for patterns associated with known extortion actors like ShinyHunters.