MGM Resorts (one of the largest casino and hospitality operators in the world) was hit by a cyberattack in September 2023, which the company estimated cost it approximately $100 Mn. We interviewed Arun Mamgai, a cybersecurity and data science specialist working with a large open-source enterprise organization, on this topic. Arun's experience in cybersecurity, along with his ISACA articles "Generative AI with Cybersecurity: Friend or Foe of Digital Transformation" and "How CISOs Can Take Advantage of the Balanced Scorecard Method", provided extremely valuable input.
According to him, Scattered Spider (also tracked as UNC3944), believed to be an affiliate of the ALPHV/BlackCat ransomware group, claimed responsibility for this attack. It is an English-speaking group with a history of social engineering attacks. He analyzed the primary causes and key events as follows:
- Vishing (voice phishing) call to the service desk:
  - Password reuse likely meant the targeted user's password was already available from earlier data breaches.
  - The attackers called MGM's IT service desk posing as an employee, using details from that employee's public LinkedIn profile.
  - They asked the service desk to reset the employee's 2FA (two-factor authentication). The identity-verification question the desk asked was answered with information taken from the same public LinkedIn page.
  - The call lasted roughly 10 minutes, after which the attackers held administrator privileges in MGM's Okta and Azure Kubernetes environments.
- After access was granted:
  - The attackers searched for credentials on Okta's identity and access management infrastructure (the Okta agent servers). After obtaining super administrator privileges, they deployed their own identity provider (IdP) and user database into the Okta system.
  - The situation worsened when MGM management hastily shut down its identity and access management controls (the Okta Sync servers).
  - With those controls offline, the attackers were no longer held back by identity-based access restrictions and attacked 1,000+ ESXi hypervisors, the backbone of the slot machines, digital room keys, reservation systems and more.
  - Initial negotiations with the attackers went nowhere, and large parts of MGM's operations were shut down.
- Impact:
  - The attackers claimed to have stolen data from MGM's loyalty database, including driver's license numbers, addresses, first and last names, ages and Social Security numbers of customers, employees and vendors.
  - Hotel facilities were disrupted, including digital room keys and online booking; slot machines stopped working and the main MGM website was down for several days.
  - MGM Resorts estimated the incident's cost at approximately $100 Mn in a regulatory filing; the company reportedly did not pay a ransom.
  - Multiple class action suits have been filed against MGM Resorts.
Recommendations
Security can never be 100% achieved, because bad actors keep trying new approaches. Based on the expert opinion of Arun Mamgai, the following recommendations are identified to better address such issues in future:
- Training and enablement: no technology can secure an organization's assets unless employees are trained to follow secure processes. A continuous training and enablement framework is important. Some organizations run security drills with simulated phishing emails or calls; employees who fall for them are put through a more stringent training program.
- Weak caller verification at the service desk, which allowed multi-factor authentication to be reset on request, is what let the attackers in. The process must ensure that exceptions such as MFA resets for privileged accounts are not granted without additional approvals (for example, a call-back to a number on record or a manager's sign-off).
- Okta warned of social engineering attacks of exactly this type (calls to IT service desks to reset MFA for highly privileged users) on August 31st, but MGM did not act on it. It is critical to act on vendor notifications promptly: apply patches and upgrades immediately, because attackers exploit a weakness as soon as it is public, and adopt the mitigations vendors recommend for attacker tradecraft that no patch fixes. Organizations can automate the upgrade process and build a seamless pipeline to shorten the upgrade timeline.
- Leverage AI tools to verify callers and to assess activity patterns so that attacks are blocked before they spread across the data center. Automated workflows, alerts and real-time responses are required to defend in real time, including immediately suspending a system or user account when anomalous activity is detected.
- Prepare a balanced scorecard, as proposed by Arun Mamgai earlier. This provides a comprehensive assessment of the current state and helps identify threats proactively.
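As an added example (not from the original article or from Arun Mamgai), the following Python sketch shows what the automated detection and response in the recommendations above could look like for the attack chain described earlier: a service-desk MFA reset, followed within a short window by the compromised account granting super administrator rights and registering a new identity provider. It correlates Okta System Log events and returns an alert with recommended containment steps. The event type names are assumed to match Okta's documented System Log event types, the `debugData.privilegeGranted` field is an assumption, and the events themselves are constructed sample data, not MGM telemetry.

```python
from datetime import datetime, timedelta

# Constructed sample Okta System Log events (simplified field layout, not real
# MGM telemetry). The help desk resets jdoe's MFA; jdoe's account then grants
# super admin to a second account and creates a rogue identity provider.
SAMPLE_EVENTS = [
    {"published": "2023-09-08T14:05:30Z",
     "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk@example.com"},
     "target": [{"type": "User", "alternateId": "jdoe@example.com"}],
     "outcome": {"result": "SUCCESS"}},
    {"published": "2023-09-08T14:11:02Z",
     "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "jdoe@example.com"},
     "target": [{"type": "User", "alternateId": "svc-backup@example.com"}],
     "outcome": {"result": "SUCCESS"},
     # Field name assumed; check the debugContext of your own tenant's events.
     "debugContext": {"debugData": {"privilegeGranted": "Super administrator"}}},
    {"published": "2023-09-08T14:25:47Z",
     "eventType": "system.idp.lifecycle.create",
     "actor": {"alternateId": "jdoe@example.com"},
     "target": [{"type": "IdentityProvider", "displayName": "External SAML IdP"}],
     "outcome": {"result": "SUCCESS"}},
    # Benign help-desk reset with no privileged follow-up: must not alert.
    {"published": "2023-09-08T16:00:00Z",
     "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk@example.com"},
     "target": [{"type": "User", "alternateId": "asmith@example.com"}],
     "outcome": {"result": "SUCCESS"}},
]

# Privileged actions that turn an MFA reset into a takeover chain.
FOLLOWUP_TYPES = {"user.account.privilege.grant", "system.idp.lifecycle.create"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def target_user(event):
    """Return the login of the User target of an event, if any."""
    for t in event.get("target", []):
        if t.get("type") == "User":
            return t.get("alternateId")
    return None


def correlate_mfa_reset_chain(events, window=timedelta(hours=1)):
    """Alert when an MFA reset performed by someone other than the user is
    followed within `window` by that user granting privileges or creating an
    IdP. Returns a list of alert dicts, one per suspicious reset."""
    events = sorted(events, key=lambda e: parse_ts(e["published"]))
    alerts = []
    for i, ev in enumerate(events):
        if ev["eventType"] != "user.mfa.factor.reset_all":
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        user = target_user(ev)
        reset_by = ev["actor"]["alternateId"]
        if user is None or reset_by == user:
            continue  # self-service reset: not the help-desk pattern
        t0 = parse_ts(ev["published"])
        followups = []
        for later in events[i + 1:]:
            if parse_ts(later["published"]) - t0 > window:
                break  # events are sorted, so nothing later can match
            if later["actor"]["alternateId"] == user and later["eventType"] in FOLLOWUP_TYPES:
                followups.append(later["eventType"])
        if followups:
            # A new IdP is a persistence mechanism, so rate it higher.
            severity = "critical" if "system.idp.lifecycle.create" in followups else "high"
            alerts.append({"user": user, "reset_by": reset_by,
                           "reset_at": ev["published"],
                           "followups": followups, "severity": severity})
    return alerts


def recommended_actions(alert):
    """Map an alert to the containment steps an automated playbook would run."""
    actions = [f"suspend account {alert['user']} and revoke its sessions",
               f"review the help-desk ticket behind the reset by {alert['reset_by']}"]
    if "user.account.privilege.grant" in alert["followups"]:
        actions.append("revoke admin roles granted by the account since the reset")
    if "system.idp.lifecycle.create" in alert["followups"]:
        actions.append("deactivate identity providers created since the reset")
    return actions


if __name__ == "__main__":
    for alert in correlate_mfa_reset_chain(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert)
        for step in recommended_actions(alert):
            print("  ->", step)
```

The rule keys on the help desk being the actor of the reset rather than the user, which is exactly the step the attackers needed; a self-service reset with the same follow-ups is left to other rules. The one-hour window is a starting point, not a tuned value, and the benign reset for asmith shows why the correlation matters: a reset alone is routine, a reset followed by privilege or IdP changes from the same account is not.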