The cyberattack on MGM Resorts in September 2023 provides a vivid example of the effects these types of attacks can have in today’s complex and interconnected IT environments. MGM estimates the incident-related costs at upwards of $100 million, after the attack left guests locked out of rooms, reservation systems crippled, and gamblers handed paper IOUs.
The casinos and hotels giant experienced a prior high-profile cyberattack back in 2019, when it suffered a data breach involving the personal information of millions of guests. However, the latest incident was different. It incorporated an old trick in which attackers target access to privileged accounts with the unwitting assistance of company help desks.
One key difference now is that the attackers are targeting the core of identity access and management systems to gain full control over all the user accounts in an organization. Identity management company Okta, which counts MGM as one of its customers, confirmed this trend. In a late August blog it reported that social engineering attacks against IT help desk personnel had become a “consistent pattern” among multiple customers.
Group in Casino Hacks Skilled at Duping Workers for Access
Identity access management (IAM) solutions are designed to manage user accounts and the applications they have access to. A big part of these solutions is to incorporate security controls to protect against unauthorized access. While more convenient for organizations to manage access, these accounts are the new “front door” into a corporation’s IT environment, as attackers need only gain access to one privileged account to then gain access to the rest of an organization’s systems and data.
For example, the use of single-sign-on (SSO) technologies, which allow users access to key company resources across multiple applications with a single login, are more convenient. However, SSOs also allow a single point of failure that attackers can target. If hackers compromise one account and can get access to an untold number of critical applications and data.
Where once a perpetrator’s typical tactics may have involved exploiting external vulnerabilities or sending a phishing email followed by the installation of malware, now entry via this one access point has become a popular modus operandi. In the era of remote working and cloud technology, identity is the key to the front door. As the saying goes, attackers don’t hack in, they log in.
The social engineering attack on MGM was striking in its simplicity. As criminals have done since the dawn of time, this attack form involves tricking a human into taking action that will be beneficial to the perpetrator.
Using Public Information
In MGM’s case, canny use of public information – in this case from LinkedIn, according to security research group vx-underground – combined with a convincing “vishing” call to the IT help desk got the attackers through the door. It is believed that they impersonated an MGM employee and look likely to have tricked the help desk into resetting the password and the multi-factor authentication (MFA) on the account. From here, they ultimately gained control of MGM IT environment. LinkedIn can be used to identify employees of the target company who may have administrative privileges. This can be as basic as doing a search for all employees at the company and searching titles for people in specific roles who are most likely to have the desired level of access.
A group known as Scattered Spider was reported to be responsible for the MGM attack, in which they used the ALPHV/BlackCat ransomware to encrypt systems. MGM responded by shutting down certain systems. That’s a logical move from a tried-and-tested incident response playbook that could make the difference between an outage lasting a few hours and one paralyzing a business for days on end.
However, with third-party systems in the mix and increasingly complex technology environments, it’s hard to know which systems to take down first and extremely difficult to determine when you’ve actually contained the incident and kicked the attacker out of the environment.
MGM’s actions didn’t prevent, and may have contributed to, widespread operational issues for over a week. As with many ransomware attacks today, the attackers also gained access to customer names, contact details, gender, dates of birth, driver’s license numbers, and, in some cases, social security and passport numbers, according to an October SEC filing.
In all, MGM has said in the SEC filing that the attack will shave $100 million off EBITDAR and generate $10 million in one-time fees. The company said hotel occupancy rates fell as website and mobile booking systems came down and stood at 88% in September, compared with 93% in the prior-year period. It’s noteworthy that MGM did not pay any ransom. However, attack victims who opt to pay won’t necessarily save on response costs as a result.
Rival Caesars Entertainment had fallen victim to a social engineering attack on its help desk a month earlier, also by Scattered Spider. Similarly to the MGM attack, a hacker posing as an employee contacted the IT help desk to change a password, according to the Wall Street Journal, which said it paid a $15 million ransom. Caesars said in a September SEC filing that the attackers targeted an “outsourced IT support vendor” used by the company and acquired data including its loyalty programme database, involving driver’s license and/or social security numbers for a “significant” number of members. It didn’t comment on the ransom figure the Wall Street Journal reported.
The rise in help desk attacks is in part because of the efficacy of MFA in protecting account takeovers, especially phishing-resistant solutions. Unfortunately, human beings are significantly more porous, so attackers are turning to social engineering to have existing MFAs removed from existing accounts or get their own MFA device added to the account they are targeting. A simple call to a help desk from someone claiming to be locked out of their account doesn’t even require the planning or infrastructure needed for phishing attacks. It has repeatedly proven to be an extremely fast, highly effective way to breach a company’s defenses.
Heightened Security Needed
While it is unclear how long the current vogue for help desk attacks will endure, organizations should act now to shore up their security.
Firstly, IT departments should implement phishing-resistant MFA to all users in their organization. This will help mitigate the theft of credentials and prevent certain MFA bypass attacks. Second, IT teams should reduce session timeouts to the lowest possible level for the individual business to narrow the window of opportunity for attackers. This helps mitigate the threat of session cookies being stolen that an attacker could use to impersonate a user.
Lastly, IT teams should update their help desk protocols to verify the identity of a user requesting password or MFA changes. This should be thorough enough to prevent an attacker from impersonating the targeted user.
While cyberattackers’ techniques are constantly evolving and adapting to targets’ changing vulnerabilities, a roll-out of these simple measures will make your organization significantly less likely to fall prey to a help desk attack.
Was this article valuable?
Here are more articles you may enjoy.