MGM Resorts hackers deceived IT service desk with just a phone call
Okta issued a warning about hackers employing similar tactics
An online attack, which disrupted resorts and casinos operated by MGM Resorts International across the United States last week, is believed to have been orchestrated by a cybercrime group skilled in impersonation and malware deployment.
According to a cybersecurity executive familiar with the investigation, the attack commenced with a social engineering breach of the company's IT help desk.
The cybercriminal group "Scattered Spider" - which is thought to be behind the attack - uses deceptive phone calls against both employees and help desks as part of its phishing operations to obtain login credentials.
The group has reportedly targeted MGM and numerous other companies in recent months, aiming to extort ransom payments from them.
David Bradbury, the Chief Security Officer at the identity and access management firm Okta, said his company had issued a threat advisory in August regarding similar attacks targeting some of its customers.
In the advisory, Okta noted that it had observed attacks in which a threat actor used social engineering tactics to acquire a highly privileged role within an Okta customer organisation.
After initial infiltration, the threat actor exhibited innovative techniques for lateral movement and evading defensive measures.
According to Okta, several US-based customers reported a recurring pattern of attacks targeting their IT service desk staff.
In these incidents, the caller's approach involved persuading the service desk personnel to reset all Multi-factor Authentication (MFA) factors associated with highly privileged users.
Subsequently, the attackers used the compromised Okta Super Administrator accounts to abuse legitimate identity federation features, enabling them to impersonate users within the compromised organisation.
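The pattern Okta describes above leaves a recognisable trail in an identity provider's audit log: a help-desk operator resets every MFA factor on a highly privileged account, and shortly afterwards that same account changes identity federation settings. The following detection script is an added example written for this article; it is not code from Okta or from the article. The event-type names and log fields are modelled on Okta System Log conventions but should be treated as assumptions to be mapped onto your own identity provider's schema, and the log lines are constructed for the demonstration.

```python
"""Correlate identity-provider audit events to flag the help-desk MFA-reset pattern.

Alert when a successful MFA reset is performed on a privileged account and that
account then performs a federation or privilege change within a time window.
Event-type names below are assumptions modelled on Okta System Log conventions.
"""
from datetime import datetime, timedelta

# Assumed event-type names; adjust to your identity provider's audit schema.
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
FEDERATION_EVENTS = {
    "system.idp.lifecycle.create",
    "system.idp.lifecycle.update",
    "user.account.privilege.grant",
}
PRIVILEGED_ROLES = {"SUPER_ADMIN", "ORG_ADMIN"}

# Constructed sample log: a service-desk operator resets all MFA factors on a
# Super Admin, and about 40 minutes later that admin registers a new identity
# provider. The reset on bob (an ordinary user) is benign noise.
SAMPLE_EVENTS = [
    {"published": "2023-09-10T14:02:11Z", "eventType": "user.session.start",
     "actor": "alice@example.test", "target": "alice@example.test", "outcome": "SUCCESS"},
    {"published": "2023-09-10T14:05:30Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk1@example.test", "target": "superadmin@example.test", "outcome": "SUCCESS"},
    {"published": "2023-09-10T14:45:02Z", "eventType": "system.idp.lifecycle.create",
     "actor": "superadmin@example.test", "target": "idp-new-federation", "outcome": "SUCCESS"},
    {"published": "2023-09-11T09:00:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk1@example.test", "target": "bob@example.test", "outcome": "SUCCESS"},
]

# Constructed role directory; in practice this comes from the IdP's admin-role API.
ROLE_OF = {
    "superadmin@example.test": "SUPER_ADMIN",
    "bob@example.test": "USER",
    "alice@example.test": "USER",
}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_resets(events, roles, window_hours=24):
    """Return one alert per MFA reset on a privileged account that is followed,
    within `window_hours`, by a federation or privilege change made by that account.

    Help-desk MFA resets are routine, so the reset alone is not alerted on; the
    correlation with privilege and a follow-on federation change is what matters.
    """
    window = timedelta(hours=window_hours)
    ordered = sorted(events, key=lambda e: parse_ts(e["published"]))
    alerts = []
    for index, event in enumerate(ordered):
        if event["eventType"] not in MFA_RESET_EVENTS or event["outcome"] != "SUCCESS":
            continue
        account = event["target"]
        if roles.get(account) not in PRIVILEGED_ROLES:
            continue
        reset_at = parse_ts(event["published"])
        followups = [
            later for later in ordered[index + 1:]
            if later["actor"] == account
            and later["eventType"] in FEDERATION_EVENTS
            and parse_ts(later["published"]) - reset_at <= window
        ]
        if followups:
            alerts.append({
                "account": account,
                "reset_by": event["actor"],
                "reset_at": event["published"],
                "followups": [(f["eventType"], f["target"], f["published"]) for f in followups],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_EVENTS, ROLE_OF):
        print(f"ALERT: {alert['account']} had MFA reset by {alert['reset_by']} "
              f"at {alert['reset_at']}; follow-on changes: {alert['followups']}")
```

The benign reset on an ordinary user produces no alert, while the reset on the Super Admin followed by a new identity-provider registration does. Tightening `window_hours` trades sensitivity for noise; a separate, lower-severity review queue for every MFA reset on any account in `PRIVILEGED_ROLES`, regardless of follow-on activity, is the natural complement.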
Bradbury said that Okta has been actively supporting MGM, one of its customers, in its efforts to address and respond to the cyberattack.
A representative for the cybercrime gang Scattered Spider (or UNC3944) told TechCrunch that they were responsible for the cyberattack on MGM.
The group reportedly employed ransomware developed by ALPHV, also known as BlackCat, which is a ransomware-as-a-service operation.
MGM, the owner of over two dozen hotel and casino establishments worldwide, as well as an online sports betting division, disclosed on Monday that it had encountered a "cybersecurity issue" that had impacted certain systems.
As a precautionary measure, the company temporarily shut down these systems to safeguard its infrastructure and data.
During the subsequent days, reports said various services, ranging from hotel room digital keys to slot machines, were rendered inoperable.
Additionally, the websites for numerous MGM properties experienced downtime for a period.
Brian Ahern, a spokesperson for MGM Resorts, told Bloomberg that the company has been collaborating with the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) since the breach occurred.
Members of the Scattered Spider group are believed to be in their late teens and early 20s, located in Europe and possibly the United States.
They are proficient in English, which enhances the credibility of their voice phishing attempts compared to calls from individuals with Russian accents and limited English proficiency.
Scattered Spider is also suspected of hacking Caesars Entertainment Inc. in recent weeks.
According to The Wall Street Journal, Caesars paid approximately half of the $30 million ransom demanded by the hackers to prevent the exposure of stolen data.
Caesars acknowledged the breach in an 8-K filing with federal regulators last week, disclosing that the hackers had targeted and obtained its loyalty programme database.
Bradbury stressed the importance of raising awareness about these hackers and their tactics so that customers can strengthen their cybersecurity measures.
He characterised the hackers as highly proficient in identity technology, suggesting that we should anticipate more frequent and sophisticated attacks from them in the future.