Parallel Lines

MGM - Gambling with Cybersecurity

rptarsecurikiwi
Gambling is a timeless activity that involves taking chances and relying on probability to win big or lose everything. Similarly, cybersecurity is like gambling because it's highly probable that you will eventually fall victim to cybercrime. However, unlike gambling, you can take proactive measures to increase your chances of defending against and responding effectively to potential attacks.

The recent September 11th cyber-attack on MGM Resorts International exemplifies this point. The attack caused multiple establishments owned by the hospitality giant to shut down for 10 days due to the ransomware deployed in the environment and the incident response actions taken by the organization. In this blog post, we will discuss this cyber-attack in detail and share the lessons that can be learned by all organizations, regardless of their size, to improve their cybersecurity posture in today's ever-changing digital landscape.
MGM Grand Resort Entrance Las Vegas

Source: https://www.travelpulse.com/news/hotels-and-resorts/up-close-with-bruno-mars-at-mgm-resorts


Who is MGM?

To give you a better idea about the organization we'll be discussing in this post, let's take a quick look at MGM Resorts International. MGM Resorts International is a leading American global hospitality and entertainment company that operates destination resorts in Las Vegas, Massachusetts, Michigan, Mississippi, Maryland, Ohio, and New Jersey. They employ 74,500 people to provide various services related to entertainment, accommodation, gambling, dining, spas, and salons, among others.

MGM Resorts International Official Logo

Source: https://www.travelpulse.com/find-a-supplier/hotels-and-resorts/mgm-resorts-international


From the information available about the cyber-attack suffered by MGM Resorts International, it has been determined that the relevant attack surface consisted of Okta as their Identity Provider (IdP) together with cloud-based infrastructure built on VMware ESXi environments and Microsoft Azure. In this post, we will discuss how the cyber threat actors attacked and maintained persistence within this attack surface.

What happened in the MGM Cyber Attack?

Timeline of attack:

September 10: Initial breach detected by MGM Resorts International’s cybersecurity team.

September 11: MGM Resorts International announces via an official statement on X (formerly known as Twitter) that a “cybersecurity incident” was discovered and affecting some of its systems. They assured customers that the relevant authorities had been contacted and that they were launching an investigation.

September 12: MGM Resorts International makes a second statement reporting that all “resorts including dining, entertainment and gaming are still operational” and that its guests “continue to be able to access their hotel room and [its] Front Desk is ready to assist our guests as needed”.

However, from this day forward, numerous customers reported problems with MGM Resorts' online booking system at several of MGM's Las Vegas properties: guests could not check in, make card payments or cancel their reservations, and digital keys reportedly stopped working, so guests were issued physical keys instead. Additionally, many of the slot machines, ATMs and other digitally reliant services were unavailable to guests and customers. Many of MGM's properties resorted to pen-and-paper IOU notes for guests' gambling wins, and manual Excel spreadsheets were used for tracking room occupancy and allocations.

September 13: MGM Resorts International’s main website (www.mgmresorts.com), used by customers to book at all MGM properties, goes down. The site displayed an error message and urged customers to contact the resort either via third-party sites or a phone call.
MGM Resorts International Website Error Message

Source: https://www.bleepingcomputer.com/news/security/mgm-resorts-shuts-down-it-systems-after-cyberattack/


On the same day, VX Underground, a website that hosts one of the largest collections of malware source code, samples, and papers on the internet, announced on X (formerly known as Twitter) that the MGM cyber attack was the result of a vishing attack. The threat actors allegedly utilized LinkedIn to gather information, contacted the helpdesk and successfully compromised a company with a valuation of $33 billion through a 10-minute conversation. According to VX Underground, the ransomware group ALPHV was identified as the perpetrator, although sources close to the incident suggest that the hacking group Scattered Spider may have been involved.



September 14: The ransomware group ALPHV (also known as BlackCat) released a public statement claiming responsibility for the cyber-attack. They also detailed how they had established persistence on MGM's Okta Sync servers after gaining access to a privileged Okta user account, using social engineering and vishing to obtain a new OTP (One-Time Password), and were using that access to sniff the passwords of other users on the network. They also boasted that they held Global Administrator privileges in MGM's Azure tenant, while openly admitting that they had deployed ransomware on more than 100 ESXi hypervisors in MGM's cloud environment.
ALPHV Ransomware Group Statement MGM

Source: https://www.malwarebytes.com/blog/personal/2023/09/ransomware-group-steps-up-issues-statement-over-mgm-resorts-compromise


September 18: Cybersecurity experts suggest that ALPHV and Scattered Spider worked together to launch the attack, and IT service management company Okta confirms that five of its clients, including MGM and Caesars Entertainment, have been victims of the hacking groups ALPHV and Scattered Spider since August of this year. The remaining affected companies have not been named, but they are allegedly within the manufacturing, retail, and technology sectors.

September 20: MGM Resorts International restores all systems from backup to effective working order.


How did the cyber attack happen?

Cyberark MGM Attack Flow Diagram

Source: https://www.cyberark.com/resources/blog/the-mgm-resorts-attack-initial-analysis


Scattered Spider, also known as Octo Tempest, 0ktapus and UNC3944, is a group of threat actors that acted as an affiliate of the ransomware group ALPHV, also known as BlackCat. The group used Open-Source Intelligence (OSINT) to research and build profiles on employees of MGM Resorts International through publicly available resources such as Facebook, Instagram, and LinkedIn.

According to Microsoft’s Incident Response and Threat Intelligence team, Scattered Spider targeted technical administrators at the company with social engineering attacks, hoping to gain access to accounts. The group impersonated victims by mimicking speech and writing patterns, using personally identifiable information obtained through OSINT and data from previous data breaches and leaks to deceive technical administrators into performing password resets and resetting multifactor authentication (MFA) methods.

During their attack on MGM Resorts International, Scattered Spider built a profile on a network administrator employed by the company and targeted them with SMS phishing, which enabled a SIM swap. The group then contacted Okta's Level 1 helpdesk, impersonating this privileged administrator, and successfully requested a password and MFA reset, thereby gaining access to MGM's cloud environment.

Once they gained initial access to the environment, the group quickly created an additional Identity Provider (IdP) in the Okta tenant to increase their control of the network and maintain elevated privileges. Additionally, they gained control of a superuser account in MGM's Microsoft Azure cloud environment, through which they moved laterally to dump and exfiltrate multiple terabytes of Domain Controller hashes and PII, in an attempt to gain access to even more user accounts.

After gaining control, ALPHV's ransomware was deployed, encrypting hundreds of MGM's VMware ESXi servers, which hosted thousands of virtual machines supporting hundreds of the systems MGM relies on for its hospitality operations. This caused the chaos that employees and customers experienced for the next 10 days.

This demonstrates the potential impact that an organised and skilled threat actor can have on an organisation as large as MGM Resorts International, traversing from Identity and Access Management (IAM) and cloud infrastructure to the final destination of the company's brick-and-mortar operations.


How did MGM Respond and Recover?
MGM Resorts International Official Cyber Attack Statement

Source: https://www.bleepingcomputer.com/news/security/mgm-resorts-shuts-down-it-systems-after-cyberattack/


After the initial detection of a cybersecurity incident on September 10th, MGM Resorts International promptly notified the authorities and launched an investigation into their network. Although not much is known about the actions taken by MGM’s incident response team after the breach, we do know that they shut down all Okta Sync servers in response to the threat actor's control of a privileged Okta account. The aim of this move was to restrict the access of the attackers. However, it caused disruptions to essential services across the network.

MGM attempted to restore services from backups while the servers were offline, but faced a new challenge: hundreds of encrypted VMware hypervisors in their cloud environment. The shutdown of essential services forced employees at their establishments to resort to handwritten IOU notes for gambling transactions, manually managed Excel spreadsheets for room occupancy management, and the distribution of physical keys.

MGM Resorts International Website Error Message Compensation

Source: https://www.thrillist.com.au/news/nation/mgm-resorts-cyber-attack-explained-what-to-do


During this time, MGM communicated with the public mainly through their X (formerly known as Twitter) profile. They provided few official communications to affected customers. MGM did offer to waive change and cancellation fees for tickets to shows and other events for guests arriving between September 13th and 17th, and stated that they would reach out to impacted consumers via email to offer free identity protection and credit monitoring services. MGM Resorts International was able to restore full operability to its services after ten days and is currently reportedly reviewing and improving its cybersecurity procedures, but no further information has been publicly disclosed.

What did MGM lose?
Frustrated and Sad Investor

Source: https://www.thebalancemoney.com/how-to-deal-with-losses-in-the-stock-market-3141314


This cyber-attack resulted in an estimated $8 million loss of revenue every day the systems were affected. The total cost of recovery and cybersecurity consulting is estimated to be $10 million, and the company could face a total loss of $110 million due to the attack. The organization may also face several class action lawsuits for their handling of the incident, which could further increase the monetary penalty they face. However, MGM reportedly has a $200 million cybersecurity insurance policy that could help absorb much of the financial cost.

The reputational damage incurred by MGM could be more significant than the financial loss. Many customers and public relations advisors criticized the company's handling of the incident, noting that the threat actors were more communicative and transparent about the attack than MGM itself. This could fuel class action lawsuits and have lasting repercussions on the brand’s strength in the future.

Most importantly, MGM potentially lost the trust of millions of customers. The breach compromised the Personally Identifiable Information (PII) of customers who conducted business with MGM before March 2019. The stolen information includes contact details, gender, date of birth, and driver’s license numbers. An undisclosed number of customers also had their Social Security or passport numbers affected by the breach.

What can we learn from MGM’s Misfortune?

Cybesafe phishing hook credentials

Source: https://www.cybsafe.com/blog/7-reasons-why-security-awareness-training-is-important/


1. Prioritise Employee Training and Awareness

A recent study conducted in January 2023 by Hornetsecurity, a leading cybersecurity provider, found that 33% of companies are not offering any cybersecurity awareness training to their remote workers; in other words, one in three organizations provides no cybersecurity training to those employees. It's often thought that cybersecurity is all about technology and networks, but the biggest risk factor is always people.

Regardless of the size of your organization, it's essential to prioritize employee cybersecurity training and awareness. The MGM cyber attack is a perfect example of how a Level 1 helpdesk exploitation led to a significant breach. Therefore, it's crucial to train employees, across all departments, to recognize suspicious behavior and familiarize themselves with various threat vectors, such as vishing, to identify potential threat actors early. This proactive step can add significant value to your layered cybersecurity defences.

2. Review and Improve Identity Verification Processes

A significant lesson we can learn from this cyber attack is how the attackers bypassed multi-factor authentication (MFA) through social engineering. They tricked a Level 1 Helpdesk team member into granting them initial access with escalated privileges. Unfortunately, we don't know how MGM authenticates users when they request access changes. Therefore, it is crucial to refine the internal identity verification processes and ensure rigorous testing and a clear understanding of service level agreements when seeking help from third-party IT vendors such as Okta.

To improve security, multi-factor authentication should have better visibility into any device changes and provide access to logging for keeping records of account usage. In addition, it is recommended to limit help desks to only reset passwords once, and preferably only after a user has verified their identity through a pre-existing enrollment factor. This helps prevent malicious parties from creating and validating their own means of authentication.
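The persistence step described earlier (a new Identity Provider added to the Okta tenant after a helpdesk-driven MFA and password reset) and the logging recommendation in this lesson can be turned into a concrete detection. The following Python example is added here and is not code from the original post or from Okta: it runs two rules over constructed Okta System Log lines (JSON, one event per line) using Okta's documented eventType names; the user names, timestamps and IdP name are invented for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Okta System Log eventType values used by the rules (Okta's documented names).
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.account.reset_password"}
PASSWORD_RESET = "user.account.reset_password"
IDP_CREATE = "system.idp.lifecycle.create"
WINDOW = timedelta(hours=24)

# Constructed sample System Log lines; accounts, times and IdP name are invented.
SAMPLE_LOG = """
{"published":"2023-09-10T08:02:11Z","eventType":"user.session.start","actor":{"alternateId":"helpdesk.agent@example.test"},"target":[]}
{"published":"2023-09-10T08:05:40Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk.agent@example.test"},"target":[{"type":"User","alternateId":"net.admin@example.test"}]}
{"published":"2023-09-10T08:06:02Z","eventType":"user.account.reset_password","actor":{"alternateId":"helpdesk.agent@example.test"},"target":[{"type":"User","alternateId":"net.admin@example.test"}]}
{"published":"2023-09-10T09:41:19Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"net.admin@example.test"},"target":[{"type":"IdentityProvider","displayName":"backup-idp"}]}
{"published":"2023-09-10T10:00:00Z","eventType":"user.account.reset_password","actor":{"alternateId":"helpdesk.agent@example.test"},"target":[{"type":"User","alternateId":"front.desk@example.test"}]}
{"published":"2023-09-10T15:30:00Z","eventType":"user.account.reset_password","actor":{"alternateId":"helpdesk.agent@example.test"},"target":[{"type":"User","alternateId":"front.desk@example.test"}]}
"""

def parse_events(text):
    """Parse one JSON event per line and sort by publish time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def target_users(ev):
    return [t["alternateId"] for t in ev.get("target", []) if t.get("type") == "User"]

def detect(events):
    """Rule 1: a user whose MFA/password was reset by someone else creates a
    new IdP within WINDOW. Rule 2: more than one helpdesk password reset for
    the same user within WINDOW (the post recommends allowing only one)."""
    alerts = []
    resets = defaultdict(list)  # target user -> [(ts, actor, eventType)]
    for ev in events:
        actor = ev["actor"]["alternateId"]
        if ev["eventType"] in RESET_EVENTS:
            for user in target_users(ev):
                resets[user].append((ev["ts"], actor, ev["eventType"]))
        elif ev["eventType"] == IDP_CREATE:
            recent = [r for r in resets.get(actor, [])
                      if r[1] != actor and ev["ts"] - r[0] <= WINDOW]
            if recent:
                alerts.append(("IDP_AFTER_RESET", actor, ev["target"][0]["displayName"]))
    for user, rs in resets.items():
        pw = [r for r in rs if r[2] == PASSWORD_RESET]
        if len(pw) > 1 and pw[-1][0] - pw[0][0] <= WINDOW:
            alerts.append(("MULTIPLE_RESETS", user, len(pw)))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

In a real deployment the same rules would run over the Okta System Log export in a SIEM, and the IdP-creation rule is worth alerting on regardless of any prior reset, since adding an IdP is rare in most tenants.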

3. Build an Incident Response Plan

It is important to learn from MGM's experience of shutting down its Okta sync servers and other cloud infrastructure in response to a cyber attack. This action alone would cause much of the chaos and frustration experienced by customers, guests and employees over the ten days of the incident. Yet reportedly, according to the threat actors (taken with a grain of salt), this shutdown did not remove their access and foothold in the environment.

Consider how your organization would respond to a similar incident. Which key infrastructure would you remove from the network, if any? How would you handle a ransomware incident? Do you have regular backups to restore all data in case of total encryption? As a decision-maker, at what point would you decide to pay or not pay a ransom?

Considering these points and many more is crucial for planning an appropriate response plan, with your key business objectives in mind, to get through a cybersecurity incident.

4. Build a Business Continuity Plan

Having a Business Continuity Plan is an additional level of planning that is vital for any business. The cyber attack faced by MGM showed how employees of multiple establishments were left struggling to manage services manually which were usually completely digital. It seems that MGM did not consider how they could continue to run their business and maintain revenue when their digital options were removed or inhibited.

To avoid such a situation, it is essential to consider the potential risks and scenarios that could prevent your business from running. Plan how you can continue to operate under these scenarios, whether it is something as complex as a system-wide ransomware incident or as simple as a faulty breaker at the office. Moreover, consider when you will stop any business for the safety of your employees and yourself like in the case of natural disasters, for example. Don't be like MGM--take proactive steps to prepare for unexpected events!

5. Practice Those Plans: Tabletop Exercises

Once you have created your Incident Response and Business Continuity plans, it's essential to schedule a time with all the key members of those plans and practice them. Tabletop exercises are an excellent way to visualize and understand your workflow and processes. They will also help you identify any flaws or oversights and clarify each team member's role in case of an incident. Just like any other drill, practising incident response and business continuity plans is crucial to achieving perfection (or as close as you can get).

People reaching for tabletop game

6. Ensure Regular Backups

Finally, it is crucial to regularly back up your critical information and assets, especially if you have limited resources. Make sure to schedule, maintain and review your backups regularly, and ensure that you can restore your files within a timeframe that guarantees optimal business continuity. There's no use in backing up your data if you find out at the worst possible time that the files won't restore!

Carefully consider what systems and data are business critical and must be backed up more regularly and then prioritise the frequency and type of backups for the rest of your systems and data. Apply, review and improve your procedures and processes in an iterative manner with re-assessment as often as is practical. Be sure to consider on-site as well as off-site backup options to diversify your redundancy.


Conclusion

In the world of cyber threats, it's clear that cybersecurity is akin to a high-stakes game, much like gambling. The 2023 MGM cyber attacks vividly illustrate this comparison. This incident, involving the renowned MGM Resorts International, highlights the significant impact that cybercrime can have on even the most established organizations.

The MGM cyber attacks, initiated by the threat actors Scattered Spider and the affiliated ransomware group ALPHV, demonstrated the critical need for proactive cybersecurity measures. The attackers used a combination of social engineering, vishing, and OSINT to infiltrate MGM's systems. Their actions resulted in the exfiltration of customer PII and internal user data and the deployment of ransomware, encrypting hundreds of VMware ESXi servers and wreaking havoc on MGM's operations for ten days.

MGM's response, while swift, caused significant disruptions, revealing the importance of having a well-defined incident response plan and business continuity strategies in place. The attack also highlighted the necessity of thorough employee training in recognizing suspicious behaviour, improving identity verification processes and testing the procedures of external IT vendors. Furthermore, it emphasized the significance of regular backups and tabletop exercises to practice response plans for effective response and recovery in the face of an attack.

In conclusion, the MGM cyber attacks serve as a stark reminder of the ever-present cyber threats in today's digital landscape. Organizations of all sizes should take heed of the lessons learned from this incident to bolster their cybersecurity posture and protect themselves from potential cyber risks. Following the key lessons presented in this analysis will prepare your organisation/business to better defend against the ever-shifting cyber risks faced by all in today's high-stakes game of cybersecurity.

Remember that experiencing a cyber attack is not a matter of "if" but rather "when".


Thank You Keycaps

Source: https://www.gettyimages.com.au/photos/thank-you


Thank you for taking the time to read this case study analysis of the 2023 MGM Cyber Attack! This is a sample of the detailed case studies and analysis that will be provided with the upcoming SecuriKiwi subscription services, which will be available soon. Please keep an eye out for more free articles that will provide you with insight into the technical analysis and coverage of the latest cybersecurity trends.
