In a world where digital threats are more prevalent than ever, the recent International cyber attack at MGM Resorts serves as a glaring illustration of the potential pitfalls organizations face if they don’t prioritize cybersecurity. What started as a basic act of spoofing became a masterclass of social engineering. Compromising the entire digital infrastructure of over 29 hotels and casinos in Las Vegas, this attack forced essential operations to shut down, switch to manual processing, placing the customers’ personal information at risk.
This cyberattack resulted in consumer frustration due to 10 days of no answers, lack of room access, random charges, and casino shutdowns.
A group of US and UK-based cybersecurity experts known as Scattered Spider used social engineering to trick MGM help desk employees into resetting the passwords and multi-factor authentication (MFA) codes of high-value MGM employees. This gave Scattered Spider access to the social media accounts of these employees. Using this sensitive information, these malicious users were able to obtain access to MGM’s Managed IT Service, Okta, to install an identity provider to create SSOs (Single Sign On) for themselves. This technology is available for Okta users to expedite user access during mergers of companies. Alongside the compromise of Okta, the Microsoft Azure cloud environment became compromised, jeopardizing not only the managed applications, but all assets stored on the digital cloud. This resulted in multiple system vulnerabilities, exposure of customer data, and more access to MGM’s critical assets.
MGM’s immediate response was to terminate the servers that sync with Okta, eventually doing away with the platform altogether as well as the threat actor’s accounts that had initial access. But, by this time, the threat actors had already copied over terabytes of data with a key to the cloud platform for entry anytime they saw fit.
The social engineering attack method employed in this incident is termed “spoofing.” It’s executed by impersonating someone and leveraging their credentials to gain unauthorized access. Organizations’ susceptibility to such attacks intensifies when they permit contractors to utilize their own devices, known as the Bring Your Own Device (BYOD) approach, where contract employees can access internal servers and information through their own devices. This strategy gained traction during the COVID era, primarily due to the cost savings it presents to companies. However, the trade-off often leads to heightened risks of data access breaches and potential compromises.
ThriveDX Cybersecurity Instructor Asal Gibson, former IT Strategist and Program Manager for the United States Department of Defense, opines, “The Bring Your Own Device (BYOD) model isn’t the gold standard for security. Yet, numerous companies adopt this model primarily for its economic benefits rather than provisioning dedicated devices for every contractor.”
The potential ramifications are profound, especially when services like Microsoft Azure and Okta are accessible via Single Sign-On (SSO). This ease of access can be highly detrimental in a breach. Organizations should invest in robust IT management and cybersecurity measures to fortify security. Such measures include blacklisting suspicious websites, mandating the use of a VPN or whitelisted IP addresses, and deploying defenses against man-in-the-middle attacks to prevent sensitive data interception. Moreover, IT managers might consider implementing a zero-trust policy, ensuring that only assets and resources within the network are trusted while maintaining skepticism for external entities.
While incorporating these security practices might increase operational costs in the short term, Gibson argues that the expense is inconsequential. “When you compare it to the potential legal ramifications, the initial investment seems minuscule,” Gibson remarked, referencing the announcement of five new lawsuits against MGM Resorts.
Defining the vulnerabilities
Throughout the cyberattack, MGM Resorts International lost an estimated $100 Million. The hotel and casino operator, with a portfolio of 29 locations alongside one of the largest online betting sports books, took to social channels to address a “cybersecurity issue.” The explanation, though vague, promised their guests that they were staying open and making progress on resolving the issue. For several days, devices ranging from hotel room key cards to slot machines were not functional. Some of the brightest spots on the strip had their guests waiting hours longer than average to check into their rooms and casino winners receiving handwritten receipts as many of their facilities switched to manual processes to “protect our systems and data,” as MGM wrote in another now-deleted post.
When bad actors become the narrative
Outside of technology, this proved to be a point of failure for MGM’s credibility. Not only was their vulnerable infrastructure exposed, so was their consumer trust. With the actors sending out more information to the public than MGM to their guests, trust and transparency with management data for MGM is in great doubt, with more lawsuits and greater liabilities on the horizon for the hospitality empire. With a lack of protocol for disaster management and recovery of this degree, actions from this attack can help to seed future breaches and attacks.
ThriveDX Cybersecurity Instructor, Oliver Tran, is a former Endpoint Security Operations Engineer at TikTok who discussed the dangers of enterprise security without controls, saying, “The worst part of a credit card is that they have your first and last name. Now with the resources hackers have at their disposal, quicker data processing and AI, bad actors can create new data as they see fit.”
Alongside the lack of public transparency, damage can be better contained if help desk and organizational contractors had the least privilege to do job function. “Level 1 support should not be able to compromise every system.” Explains Tran. Without privilege management and continuous monitoring, you’re setting the stage for negligence—a catalyst for cyber attacks to grow in scale.
Is “Spoofing” a new form of Cyberattack? Absolutely not. The inspiration for social engineering dates back to the deception of the Trojan Horse from The Odyssey. The term “social engineering” came millennia later when a famous hacker from the 1990s, Kevin Mitnick manipulated early cellular phone providers into giving away sensitive information, including the source code for devices. Three decades later, the legacy of social engineering lives on, nearly costing MGM Resorts 8 million dollars a day for one and a half weeks.
Social engineering can be successful without technical sophistication. All it takes is a lack of training and resources for the employees to recognize and respond to these bad actors. Social engineering attacks the most critical piece– the human element. When bad actors gain an avenue towards resetting MFA devices, the limitations as to what they can and cannot do are significantly lifted, allowing for less mitigated access to internal systems and data. If the human element is not adequately trained with cybersecurity awareness, a falling domino slowly casts its shadow over a soon-to-collapse infrastructure.
What Could’ve Been Done Differently?
Social engineering attacks from a service desk are heightened when the service desk is outsourced to a third party. This increases the need for monitoring and compliance. ThriveDX Cybersecurity Instructor Kenneth Bradberry, former CTO of Xerox and current CISO of SecureBOT explained, “My biggest challenge as a CISO is third-party management, maintaining compliance, having managed services you depend on to make sure the policies and procedures are upheld.”
It’s critical for those who manage or oversee a service desk to do testing. Bradberry emphasized that even if there is a response plan and quality standards as outlined within a statement of work, a lack of brand awareness, education, and compliance awareness can make it difficult to maintain integrity. Service desk managers must understand service-level agreements and ensure they align with an organization’s requirements. The next step is for providers to apply immediate and accurate remediation, creating a Multi-Factor Authentication process that is more authentic and takes into account geographical and other factors to identify and deny bad actors.
Creating Discussion, Proactive Recommendations
- Regardless of your business’s industry, these incidents should warrant a conversation within the workplace. In the wake of a cyberattack, creating a conversation about protecting your data and growing a positive security culture is imperative. When it comes to cybersecurity, an ounce of prevention is exponentially worth more than a pound of cure. It is best to be proactive in the way of these events. Professionals and business owners must discuss the safety of their information and infrastructure.
- To best minimize the damage and prevent data from being further compromised, having a strategy to automatically contain the impact of leaked information can prove critical. Using privileged access management or zero standing privilege will contain fires should malicious actors gain visibility.
- Multi-factor authentication must have greater visibility into the device changes as well as access to logging to keep records of account usage. Taking it one step further, employ measures such as limiting help desks to only reset a password once and preferably when a user has verified their identity through a pre-existing enrollment factor–this prevents malicious parties from creating and validating their own means of authentication.
- Create protocols to ensure compliance with the devices of employees and contractors. Demand great due diligence and awareness from your videos, ensuring the right actions can be taken across multiple parties.
- Create a response plan. Not just with technology, but communications as well. Own the matter; don’t let the bad actors control the narrative due to unclear and unprepared responses from affected parties. Create the proper means of action to ensure confidence amongst guests and staff.
- Implement social engineering training. Your employees must understand the human factor of cybersecurity and how delicate this element can be. Add cybersecurity awareness to all stages of help desk training. You and all employees must be vigilant in recognizing where attacks may be coming from and what information is being targeted.
The MGM Cyberattack illustrates how even the most routine of social engineering efforts can cause catastrophic effects, ranging from a company losing $4-$8 million a day for over a week to hotel guests waiting hours for manual access to their rooms, while their personal data and credit card information is sold to bidders on the black market. From the infrastructure to the public response, varying points of failure put countless guests at risk. By only requiring basic information to gain privileged access, the full extent of all devices affected by this attack beyond slot machines and restaurant ordering systems is unknown. With attackers becoming more empowered and sophisticated, without proper training and integrity across all channels, it doesn’t take much for the next disaster to snowball and impact a more significant population sample of data.
ThriveDX is a trusted partner for academic institutions as well as enterprises in reskilling talent pools and upskilling in cybersecurity and digital skills.
For more information, visit https://thrivedx.com/