What Everyone Got Wrong About the MGM Hack
It was a scene straight out of a casino heist movie, but without George Clooneyâs suavity to soften the chaos. Various systems at MGM Casinosâranging from slot machines, to hotel key cards, to escalatorsâhad been shut down. Guests were locked out of their rooms, while hotel staff scrambled to compensate, taking food orders with pen and paper and cashing out gambling winnings from a fanny pack. One customer said, âI asked them how long this was gonna be, and they said it could be one day, it could be three weeks.â
MGM Resorts, proprietors of some of the most famous hotels and casinos on the Vegas strip, had been hacked. And what happens in Vegas certainly didnât stay there this time; all of MGM Grandâs Hotels and Casino properties saw outages. Systems as far-flung as New York, Ohio, and Michigan were affected by one breach.
An attack that hinged on a simple vishing call (thatâs phishing over the phone) to MGMâs IT desk had snowballed into one of the most notorious ransomware attacks of 2023. Cybersecurity journalists immediately started predicting that the MGM hack would be spoken of in the same breath as the disastrous Uber and Marriott data breaches before it.
In a story this bombastic, in which both the hackers and victims pulled some headline-worthy shenanigans, it can be genuinely hard to know where to focus our attention. But when we look past the sequins and neon, we see that the MGM hack isnât unique; in fact, it sits at the nexus of several emerging trends.
For one thing, hackers are increasingly gaining access to corporate networks through calls to the help desk, and theyâre getting better at it all the time. But we shouldnât be too quick to blame IT workers. Instead, we need to look at the security gaps that set them up to fail. (And when it comes to MGMâs security, weâre about to find a lot of gaps.)
How The MGM Hack Happened
As with almost every hack, the full details of what happened to MGM will likely never be knownâthe company has a vested interest in ahem keeping its cards close to the chest.
Even the reporting we do have contains conflicting reports on the incident and the groups and methods involved. Adding to the confusion is the fact that Caesars, another famous casino, suffered a very similar attack at almost the same time, though not necessarily by the same hackers.
As such, weâll explore both the knowns and unknowns of the MGM attack in order to piece together what seems like a likelyâalbeit uncertainâtimeline of events.
Weâll begin with a behind-the-scenes look at the hack itself. Much of this is drawn from a statement published by alleged members of notorious ransomware group ALPHV (also known as BlackCat), in which they take credit for the hack, explain their actions, and take several potshots at MGMâs security team and corporate leadership.
Of course, we have to take any report claiming to be from a group of cybercriminals with several grains of salt. For one thing, thereâs no confirmation that this statement is actually from ALPHVâthis was a high profile crime, and more than one statement has tried to take credit. For another thing, these groups are, you know, criminals who lie for a living, and who likely want to protect their trade secrets. (Itâs worth saying that weâll also be treating statements from MGM with a healthy dose of skepticism).
However, the statement is at least realistic in terms of how it describes the process of hacking MGM. Regardless of veracity, then, it can still provide some useful insight into one version of events.
This is a surprisingly difficult question to answer, partly because thereâs no standardized naming system for hacking groups. The MGM attack has commonly been attributed to the hacker groups Scattered Spider (which sometimes goes by UNC3944, Muddled LIbra, and StarFraud) and ALPHV (which is sometimes known as BlackCat and Noberus). To complicate things further, itâs not clear if the two groups collaborated on this hack, if Scattered Spider merely used ALPHVâs ransomware, or if one group attacked MGM while the other hacked Caesars. Weâll go into a little more detail on them later, but for now, in this timeline, weâre citing a report attributed to ALPHV specifically; when weâre referencing that source, weâll be referring to them as such.
Part one: The vishing call
The MGM attack began when social engineers called MGMâs help desk. They impersonated an employee using information likely sourced from social media and the company website.
Itâs unclear what the attacker asked the help desk forâlikely a password or MFA resetâbut it worked, and they were granted access to the account of a super administrator with advanced privileges across MGMâs systems. (Hence the countrywide shutdowns, and why MGM needed to âtake offlineâ so many disparate components of their own infrastructure to contain the scope of the attack.)
This phone call should have triggered some tough user verification, but according to Bloomberg, MGM was basically using the honor system:
ââA former MGM employee who was familiar with the companyâs cybersecurity policiesâŚsaid that to obtain a password reset, employees would only have to disclose basic information about themselvesâtheir name, employee identification number and date of birthâdetails that would be trivial to obtain for a criminal hacking gang.ââ
Andrew Martin, Ryan Gallagher, and Katrina MansonâBloomberg, Sep 15, 2023
Part two: MGM tries to shut out the hackers
According to the purported ALPHV statement, MGM noticed something was amiss when the hackers were âlurking their Okta Agent servers, sniffing passwords.â
MGMâs initial response was to shut down their Okta sync servers, which connected their Okta and Azure systems. But it was too late, and the bad actors âcontinued having super administrator privileges to their Okta, along with Global Administrator privileges to their Azure tenant.â
In an effort to evict the hackers, MGM next began taking down its own infrastructure, causing chaos for its guests.
The hackers deploy ransomware
The ALPHV statement claims that âNo ransomware was deployed prior to the initial take down of [MGMâs] infrastructure by their internal teams.â When MGM failed to communicate with the hackers, they used ransomware to encrypt, âmore than 100 ESXi hypervisors in [MGMâs] environment.â
Whether or not that sequence of events is perfectly accurate, whatâs not disputed is that MGM refused to pay the ransom. Their competitor Caesars made the opposite choice when they were attacked a week or so earlier, and reported paying $15 million to bad actors to ensure that their customer data wasnât leaked.
ALPHVâs statement claims that MGM refused to pay not out of a principled stance, but because of âinsider tradingâ that ensured no one at the top would lose money. Weâll let the financial press assess that particular claim, but regardless, the MGM and Caesars hacks have certainly stoked the ongoing debate over whether itâs ethical to pay up in a ransomware attack.
Public fallout and MGMâs losses
After ten days of consistent outages, MGM announced that âall of our hotels and casinos are operating normally.â This is contradicted by a regulatory filing they made 25 days after the initial breach, in which they admitted they were still restoring client-facing systems.
And after 3 weeks, MGM Resorts International CEO Bill Hornbuckle still reported that the whole incident was âtotally behind us.â
Unfortunately, the same couldnât be said for their customers. MGM confirmed that breached customer data included: names, driverâs license numbers, dates of birth, and for a âlimited number of customers,â social security numbers and passport numbers. The company offered credit monitoring and identity protection to the people impacted.
It seems MGMâs employees may also have been victimized by this attack. A Nevada-based blogger also reported an MGM employee telling him that the hackers had gotten all of their employment records, from social security numbers to bank info.
The situation for MGM Employees is worse than most of us realize pic.twitter.com/x2Vpy4xGT0
â Jacob Orth (@JacobsVegasLife) September 20, 2023
Without yet accounting for the many lawsuits being levied against them, MGM anticipates around $100 million in revenue loss from this incident, but expects cybersecurity insurance to cover most of that. âI can only imagine what next yearâs bill will be,â Hornbuckle quipped in a panel at G2E.
(He later complained about the âstaggeringâ rise in cybersecurity insurance costs).
This attitude, of course, is a big part of the problem. Companies focus more on guarding revenue than client data. They rely on insurance rather than proactively investing in security.
Sara Morrison at Vox asked, âDid prominent casino chain MGM Resorts gamble with its customersâ data?â More and more, it seems like we have an affirmative answer. But the bigger question is whether this hack will have a long-term impact on MGM'sâor other companiesâ-behavior.
Scattered Spider and ALPHV: The Hackers Behind the MGM Attack
Itâs worth taking a slight detour to talk about the bad actors behind the MGM and Caesars hacks, since these groups bear a lot of responsibility for the current wave of help desk attacks.
While various reports say it âonly took a 10-minute phone call to shut down MGM Resort,â thatâs seriously underselling the sophistication of this attack, which combined social engineering and ransomware into a scarily effective combo.
The threat actors known as âScattered Spiderâ (also known by, or associated with: Scattered Swine, Oktapus, Octo Tempest, and a variety of other monikers) have been widely blamed for the MGM hack. Theyâre a versatile and prolific English-speaking group known for their skill in social engineering and SIM-swapping attacks.
Side note: hacker groups donât name themselves. Instead, they get their names from security vendors who study them, much like viruses or distant stars. The question being, why give your enemies cool nicknames? Arenât they intimidating enough without adding sunglasses and a leather jacket?
As we already said, ALPHV/BlackCat have also been linked to the attack. Theyâre a notorious Eastern European ransomware group that have targeted hundreds of organizations worldwide (including Reddit). Their RaaS (ransomware as a service) software is one of the most used ransomware families observed by IBM.
Scattered Spider and ALPHV bring rather disparate skillsets to the table, so the idea that they might be collaborating is concerning to security experts.
Microsoft recently reported on a spate of recent attacks in which hackers use sophisticated social engineering techniques to get a foothold in a network, then use subtle techniques to establish persistence, and finally use their targetsâ own EDR and MDM tools to deploy devastating ransomware.
Microsoft theorized that this new combo attack is the result of some type of partnership between members of Scattered Spider and ALPHV. Reuters reported that the specific members involved in the casino jobs call their team âStar Fraudâ (the result we get when hacker groups do name themselves).
Regardless of the exact nature of their partnership, as Joseph Cox of 404 Media puts it, âThe unlikely bedfellows make powerful partners in crime.â
The Growing Pattern of Help Desk Attacks
One of the most damning aspects of the casino attacks is that the victims were warned ahead of time. Shortly before the MGM attack, Okta reported on âa consistent pattern of social engineering attacks against IT service desk personnelâŚâ
And indeed, this type of attack has been behind a lot of recent high-profile breaches:
Caesars confirmed that their attack started with their third-party IT desk. It then escalated to ransomware, and their payout of $15 million.
The 2021 source code leak at Electronic Arts took place when attackers âmimicked an already-logged-in EA employeeâs accountâŚand then tricked an EA IT support staffer into granting them access to the companyâs internal network.â
Itâs suspected that the recent Clorox hack (a mess even bleach couldnât clean up) also began with social engineering-and may have been the work of the same group that hit MGM.
IT service desks make a lot of sense as a target for social engineering attacks. The very nature of their job means that they have incredible access and power.
Most importantly, they hold the keys to authenticationâover 40% of all help desk tickets are related to password resets. And while passwords are widely acknowledged as insecure, IT can get hackers past tougher authentication methods as well. Okta observed that attackers would ask IT to âreset all Multi-factor Authentication (MFA) factorsâ for the accounts they wanted to breach.
Itâs easy to hear these stories and ask why IT workers werenât more suspicious. But vishing attackers can be extremely convincing (and theyâre getting more convincing all the time), and in a massive company, itâs not as though the person on help desk duty knows everyone else on a first name basis. On top of that, IT desks are often under pressure to solve problems quickly, they arenât always afforded the luxury of taking things slow when someone calls for help.
The actual problem goes much deeper than IT help desk workers trying to do their jobs, since the judgment of a single person simply shouldnât be the only failsafe. And, when it comes to preventing these types of attacks, companies are securing the wrong vulnerabilities entirely.
The Conventional Wisdom on Preventing Phishing Attacks
A lot of observers have laid the blame for the MGM hack on poor identity verification methods. In the case of MGM, thatâs a fair critique, since it seems like their only verification came in the form of easily-phished information. To learn what a more secure flow looks like, we reached out to an engineer for a third party IT help desk service.
âFor anything like password resets, permission changes, or access to sensitive data, we require verification. I wrote an integration with DUO so that we can use Duo push verification if the user has that. If not, we go to SMS (all of our users have contacts that include their cell phone numbers). If neither of those options are available, we generally reach out to the point of contact and have them contact the user and reach back out to us. We document how we verified the userâs identity in the ticket.â
Ryan W, Security Automation Engineer
This is certainly better, but itâs still far from perfect. It defaults back to SMS (âwe still canât get away from that,â Ryan laments), which is vulnerable to SIM-swaps and other man-in-the-middle (MITM) attacks. These are both known tactics of the threat actors that hit MGM.
Okta and Microsoft both recommend a long list of methods to better verify employee IDs. Among others, they suggest:
Implement multi-factor authentication. This is good advice, even if itâs just table stakes for a secure organization. If possible, donât enable weak factors like security questions or SMS.
Explore passwordless authentication options. Passwords are one of the least secure authentication methods, and are due for retirement. Even if you canât get rid of them for your entire company, require that super administrators use more secure methods like biometrics or a YubiKey.
Limit the number of super administrators. Microsoft also suggests âReducing the number of users with permanently assigned critical roles.â Continually updating permissions to practice the principle of least access isnât easy, but it is a core requirement for Zero Trust security.
Use tougher authentication for highly sensitive data. Okta recommends that âprivileged applicationsâ should require re-authentication at every sign in.
Itâs unsurprising that a lot of these recommendations concern user identification and authentication. At Kolide, we are very much of the opinion that accessing super admin accounts should require more verification than knowing the personâs birthday.
However, these attacks have breached a lot of companies, many of whom did have more strenuous security, like MFA.
As Paul Martini put it on DarkReading:
âMany analysts have become fixated on the idea that MGM could have prevented the incident if only it had been using better identity solutions or stronger methods of verifying user identitiesâŚthe reality is that identity products alone would not have prevented this attack.â
Paul MartiniâDarkReading, Nov 07, 2023
The conversation around the MGM hack is part of a long tradition of security pros focusing on user identity and missing another crucial angle: the userâs device.
How Device Trust Prevents Phishing
Itâs clear that bad actors are very good at impersonating employees, using their names, their personal information, and even their voices. But theyâre still stuck using their own devices. Thatâs where device trust comes in.
Device trust is the idea that a userâs device has to be known and in a secure state before it can access a companyâs sensitive resources.
Letâs break down that definition. Since Kolide is a device trust company, weâll use ourselves as an example:
âKnownâ means that when you install the Kolide agent, you register your device with it. When you do that, the Kolide service and device agent set up a secret and unique way to identify each other whenever you log in. Crucially, this identifier is unspoofable, so hackers canât phish it or fake it. (For a more technical explanation of how this works, check out our docs.)
âIn a secure state,â means that the device meets an organizationâs security requirements. This could include being enrolled in the companyâs MDM, having EDR installed, and a host of other things that are difficult for a hacker to fake.
âAccess to a companyâs sensitive resourcesâ is controlled by making Kolide part of user authentication. If their device doesnât have Kolide or canât pass its posture checks, it canât authenticate.
Thus, if MGM had Kolide, the attack would have happened something like this:
The bad actors call the IT help desk. They get a password reset or an MFA reset. (So far, so bad.)
When they try to log into the vished account, though, theyâre stopped. Their device doesnât have Kolide installed, so it canât authenticate.
They try to install the agent, but their device canât register with Kolide without approval from IT.
Even assuming the hacker is able to install Kolide on their device, they then have to pass Kolideâs compliance checks. This will be a time-consuming process, in which every minute increases the chance that someone (likely the end user being impersonated) notices this suspicious activity.
Both Microsoft and Okta briefly mention device trust in their list of suggestions on preventing MGM-style attacks. Microsoft makes two device-related suggestions:
âEnforce MFA registration from trusted locations from a device that also meets organizational requirements.â
âReview recently registered device identities.â
Okta, meanwhile, devotes one sentence:
- âTurn on and test New Device and Suspicious Activity end-user notifications.â
These are both steps in the right direction, but donât go far enough in preventing intrusions, instead of just responding to them.
For one thing, maintaining a list of âtrusted locationsâ can be hard for a sprawling remote organization, and itâs especially flawed when bad actors are known to use VPNs to mask their location.
End-user notifications for new devices are worth having. But by the time someone checks their email, it might be too late. If youâre reviewing already registered devices, then itâs definitely too late.
To put it in the simplest terms possible: an unknown device shouldnât be able to authenticate in the first place.
Microsoft and Oktaâs offhand mentions of device trust among a sea of user verification suggestions indicates how badly overlooked this aspect of security is. Device trust is way more than a helpful asterisk or something thatâs âworth a mention.â Itâs a crucial factor in a multi-factor authentication flow.
And itâs the missing key that could have prevented many of the attacks weâve mentioned, including MGMâs.
Place Your Bets on Device Trust
Social engineers, stage magicians, and corporate CEOs all share one key tactic: misdirection.
They want audiences and victims to look at the shiny race car, the rosy profit report, or the âurgent phone callâ from a high-ranking employeeâanything except their own sleight of hand.
In the case of the MGM hack, the attention has focused on the phone call and the hapless help desk worker. But the deeper story is about a company that didnât give its own IT department the tools to identify a hacker, or to limit the damage once one was inside.
Lackluster ID verification isnât at the core of every social engineering attack. If you refocus your vision away from the headlines, you can notice that theyâre missing something obviousâthe very device youâre reading them on.
Want to read more security stories like this one? Subscribe to the Kolidescope newsletter!