The Fivequel:  Ocean’s 15 – MGM Casino Disruption & Takeover

MGM cyber attack 2023

IDMWORKS breaks down the recent high-stakes casino digital heist: navigating the MGM cyber attack – a pathway to enhanced cyber resilience.

The ALPHV/BlackCat ransomware attack on MGM Resorts targeted the computer systems of the casino-hotel chain, causing extensive disruption to both its digital and physical operations. The breach, initiated via LinkedIn, affected electronic payments, digital key cards, and the MGM Resorts website, among other things, leading to significant inconvenience for guests and staff. The attack highlights the vulnerability of even large-scale organizations and underscores the importance of robust cybersecurity measures.

Security has always been about mitigating risk and protecting data. As this past week has reminded us, data breaches happen, exposing vulnerabilities in technology, people, and processes, or in some cases, revealing a lack thereof. Unfortunately, the MGM ransomware attack is another case of our world’s “new normal,” showing how simple mistakes let big attacks unfold.

One thing is true: Casinos know security, mostly physical security – it’s kind of their thing. However, when it comes to the digital side of the casino, the cybersecurity needs are very different from physical security, yet no different from those of any other modern-day enterprise. It only takes one small mistake to set off a cascade of events that can lead to a full-fledged ransomware attack. Combine that with a mix of modern environments, legacy systems, and disparate security technologies, and a single user’s account becomes the way across the moat and into the castle. The saying is becoming all too familiar: “Attackers don’t break in: They log in.”

The Plot Unfolds


MGM owns more than two dozen hotels and casinos with locations around the world, as well as online sports betting. Looking at the sequence of events, it was reported on X (formerly Twitter) that on September 11th a ‘cybersecurity issue’ was affecting some of MGM’s systems. Naturally, the company decided to shut down its systems to protect its data. To calm the noise, an additional statement was released saying that the firm was diligently working to determine the nature, scope, and severity of the issue.

On the 12th and 13th, customers reported several issues linked to this attack.  Slot machines and online booking systems of several Las Vegas properties were impacted.  Guests staying at hotels with their digital room keys were also affected as many were not able to access rooms.  Check-ins were disrupted as credit card payments used to book rooms were canceled.

By the end of the 13th, MGM’s main websites for all 31 resorts were reportedly down: the sites displayed error messages and urged customers to contact the resort in question via a third party or to call the resort directly. The malicious actors behind the attack were identified as a ransomware gang known as ALPHV (also known as BlackCat). According to VX Underground, who reported the threat, the attack started with a successful vishing (voice phishing) attempt: the attackers gained access to networks and personal information via a phone call to the Help Desk, in which ALPHV, allegedly assisted by Scattered Spider (aka Roasted 0ktapus, UNC3944 or Storm-0875), posed as a trusted source.

The compelling result: a company valued at $13B was defeated by a 10-minute conversation.

How could this have happened?

While this is headline news with multiple reports of ‘how’ this breach occurred, the cast of actors involved is consistent across them; namely, “the casino” itself, Okta’s software, Microsoft Azure, 100 ESXi hypervisors, a sub-group of the ALPHV/BlackCat ransomware gang called Scattered Spider, and a “Help Desk Agent.”

ALPHV claims they gained access through social engineering, while “the casino” was quick to shift blame to the “Help Desk Agent” as the entry point. For those of us who live in the IT/ Architecture/ Infrastructure/ Security/ Operations world, simply placing blame on the “Help Desk Agent,” when some basic social engineering by ALPHV could bring MGM to its knees, is a bit obtuse.

ALPHV provided a lengthy statement, and below is an estimated timeline of how the alleged 10-minute phone conversation brought a Fortune 500 company to its knees:

  • Friday 9/8 and into Saturday 9/9
    • Threat actors profiled MGM SysAdmins on LinkedIn. The threat actor then impersonated a SysAdmin over the phone, pretending to be locked out. Through social engineering, the Help Desk reset the password, and possibly the MFA factor, allowing the ‘user’ to access MGM resources.
    • The threat actor gained privileges and potentially remote access to the network. Next, the attacker could attempt to escalate privileges or access basic company resources.  Access to domain controllers was eventually reached and credentials were dumped.  This level of access would allow the attacker to map the network and move laterally throughout the environment undetected.  Utilizing AI, attackers cracked hashed passwords.  They also claim to have intercepted passwords syncing between Okta and presumably Azure Active Directory.
    • Threat actors obtained Okta super user access and Azure Global Admin access. This access would have given them the keys to the kingdom and complete control.
    • MGM Resorts appears to have taken initial containment steps, though they were not effective.

Note:  If the threat actors only compromised one user account, then how did they obtain subsequent access to an Okta Super User account and an Azure Global Admin account? Hopefully, this single user account wasn’t itself an Okta Super User and Azure Global Admin. Threat actors stole data at some point, though the details of the theft are unclear. Attackers likely encrypted critical systems and endpoints throughout the environment.

  • Sunday 9/10
    • MGM Resorts implemented additional containment measures and attempted to kick the attacker out of the environment. This tactic was not successful.
  • Monday 9/11
    • The threat actors purportedly encrypted over 100 ESXi hypervisors (these run virtual machines, so the impacted number of servers is much higher).
    • The threat actors provided a link to download (presumably) a sample of stolen data.
  • Tuesday 9/12 and into Wednesday 9/13
    • MGM continued its incident response, forensics, and recovery efforts with the help of outside experts.
    • Threat actors monitored MGM’s responders by lurking in the negotiation portal. Presumably, said hackers were upset that no one from MGM wanted to engage.
  • Thursday 9/14
    • The threat actor posted a 1,000+ word statement to “set the record straight.”
    • The threat actor claims to still have access to the environment and is threatening to carry out additional attacks if MGM does not make contact.

Common sense, best practices, and logic would lead most security professionals down the path of the basics, where some checks & balances are required. In this case, and given the number of employees at the Casino (i.e., last reported at 74,500),
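One of the basic checks the timeline above calls for is correlating help-desk credential resets with what the account does next. The script below is an added example, not IDMWORKS or MGM code: it runs over constructed, simplified audit lines (real Okta and Azure AD events use different field names) and flags an account that was reset by the help desk and then granted an admin role within a 24-hour window.

```python
"""Correlate help-desk credential resets with later admin-role grants.

Added example, not IDMWORKS or MGM code. The event format is a constructed,
simplified one; real Okta / Azure AD audit logs use different field names."""
from datetime import datetime, timedelta

# Constructed sample audit lines modelled on the timeline above: the help desk
# resets a SysAdmin's password and MFA, the "user" logs in, and that account then
# grants SUPER_ADMIN to another account. clerk_b is a benign reset for contrast.
SAMPLE_LOG = """\
2023-09-08T09:00:00Z helpdesk.password_reset actor=hd_agent02 target=clerk_b
2023-09-08T09:15:00Z user.session.start actor=clerk_b target=clerk_b
2023-09-08T14:02:11Z helpdesk.password_reset actor=hd_agent07 target=sysadmin_a
2023-09-08T14:03:40Z helpdesk.mfa_factor_reset actor=hd_agent07 target=sysadmin_a
2023-09-08T14:10:05Z user.session.start actor=sysadmin_a target=sysadmin_a
2023-09-09T02:45:19Z admin.role.grant actor=sysadmin_a target=svc_sync role=SUPER_ADMIN
"""

HELPDESK_RESETS = {"helpdesk.password_reset", "helpdesk.mfa_factor_reset"}
PRIVILEGE_GRANTS = {"admin.role.grant"}

def parse_events(text):
    """Parse 'timestamp event key=value ...' lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        ts, name, *kvs = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": name}
        ev.update(kv.split("=", 1) for kv in kvs)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_reset_to_privilege(events, window=timedelta(hours=24)):
    """Flag accounts that were reset by the help desk and, within `window`,
    went on to grant an admin role. The reset alone is routine; the reset
    followed by privilege escalation is the signal worth paging on."""
    first_reset = {}  # target user -> time of the earliest help-desk reset
    for e in events:
        if e["event"] in HELPDESK_RESETS:
            first_reset.setdefault(e["target"], e["ts"])
    hits = []
    for e in events:
        if e["event"] not in PRIVILEGE_GRANTS:
            continue
        reset_ts = first_reset.get(e["actor"])
        if reset_ts is not None and reset_ts <= e["ts"] <= reset_ts + window:
            hits.append({"user": e["actor"], "reset": reset_ts, "grant": e["ts"],
                         "role": e.get("role"), "grantee": e.get("target")})
    return hits
```

Running `find_reset_to_privilege(parse_events(SAMPLE_LOG))` returns a single hit for sysadmin_a; the routine clerk_b reset is not flagged because no privilege grant follows it.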

Land and expand:

Next, ALPHV moved its way through the organization’s infrastructure and found the Okta Agent Sync servers, which are, in essence, the integration that pushes information between Okta and Microsoft Azure. They compromised those servers. Controls like Network Segmentation, Network Monitoring, Analysis Tools, and Intrusion Detection and Intrusion Prevention Systems should all be in place to catch this type of unsanctioned behavior. MGM’s NOC/SOC integrator appears to have missed this, as ALPHV was able to move laterally undetected.

Additional business ramifications were reported on September 13th, as Moody’s (the financial services firm) stated that MGM’s cyber-attack may negatively impact its credit rating, citing “key risks” in overall cyber resilience and technology.

What did we learn & what can we do?

It is being reported that the MGM cyber-attack is costing them about $8.4 MILLION daily. For those of us keeping track of the math: $8.4M losses x Day 10 (Sept 20th) = ~$84M+. As this story continues to unfold, it’s my interpretation that the loss of revenue, damage to image and brand, and loss of shareholder value will surpass this daily number by at least 10-20x when this is all said and done.

The multi-million-dollar question to ask: What would happen if a group targeted the Identity and Access Management manufacturers themselves? What best practices and thought leadership should be applied to mitigate this type of threat?

This example lends a sense of urgency to every firm on the planet. It’s critical that all organizations start spending time with security and identity experts to evaluate the current state of their people, processes, and technology. Organizations NEED to operate ahead of the game, working with those who understand industry trends and the full spectrum of identity tools, and to act as if they have already been compromised and don’t know it.

Ask yourself:  Do we know who has access to what?  Do we have the best practices in place for if this happens to us?  Are our identities, access, and authentication processes secure enough? How would you know?  Well, from what we’ve learned, organizations need more than “an implementation.”  They need a firm that can provide the following:

  1. Analyze the current-state people, processes, & technology
  2. Identify and prioritize risk, functional, and business impact
  3. Provide a detailed roadmap and strategy aligned to business outcomes – this is a journey!
  4. Align ongoing strategy to provide Board-Level planning to demonstrate TCO and ROI
  5. Finally, align with an implementation partner or a trusted integrator who can provide operational excellence, deep domain expertise, and years of industry experience.

IDMWORKS: How to Stay Steps Ahead of Cyber Threats & Hackers

My firm has deep domain expertise that can help mitigate all these risks. IDMWORKS has been in the identity services business for 20+ years, and our approach is to provide a simple, yet sophisticated foundation to strengthen one’s identity program, covering the core IAM value propositions of user lifecycle management, governance, CIAM, privileged access management (PAM), access and authentication to applications and services, and highly skilled resources.

IDMWORKS helps companies understand their IAM programs along their individual journeys. Let’s face it: the pandemic changed the way we do things and the way we look at cyber security. Beyond the burden rate of employees, some Executives may see their integrator expense as too large a contract and question the value of the spending. Is the juice worth the squeeze? There is no one-size-fits-all answer; it’s a game of risk. What can you put in place to lower your risk of an attack? What can you do to increase your chance of finding a breach at the earliest possible moment? A NOC/SOC alone simply doesn’t work in today’s world.

Today’s companies need a strategic partner that possesses know-how, knowledge, and deep domain expertise to help guide them. That’s where IDMWORKS comes in. Face it, we have all seen how these narratives end… it is not a matter of “if,” but “when,” and this most recent MGM example has reminded us that data breaches happen. We need to invest (and re-invest) to keep up with our responsibilities as a society, as our organizations need to keep our people, systems, and data safe and secure.

In retrospect, the famous casino in this example is losing millions per day, whereas the cost to implement an identity strategy and access management framework may have been a small fraction of the damage caused.  It is easier (and cheaper) to prevent a problem than it is to try and fix one.

We here at IDMWORKS wish MGM and their security structure all the best during this trying time.  Most security professionals have been in the war room, lived in the war room, and have had to provide updates to the C-suite hourly.  We get it.  The most important takeaway from this entire situation is to be prepared.  In this day and age, it’s imperative to have a fully mature, multi-layered, identity strategy in place.  This overview isn’t meant to criticize; the industry as a whole should use this incident as an example to revisit their organization’s responses to improve Identity Security Processes across the board.

Author: Paul Bedi, IDMWORKS, CEO