MGM Resorts hackers deceived IT service desk with just a phone call

Okta issued a warning about hackers employing similar tactics


An online attack, which disrupted resorts and casinos operated by MGM Resorts International across the United States last week, is believed to have been orchestrated by a cybercrime group skilled in impersonation and malware deployment.

According to a cybersecurity executive familiar with the investigation, the attack commenced with a social engineering breach of the company's IT help desk.

The cybercriminal group "Scattered Spider", which is thought to be behind the attack, uses deceptive phone calls to target both employees and help desks as part of its phishing operations to obtain login credentials.

The group has reportedly targeted MGM and numerous other companies in recent months, aiming to extort ransom payments from them.

David Bradbury, the Chief Security Officer at the identity and access management firm Okta, said his company had issued a threat advisory in August regarding similar attacks targeting some of its customers.

In the advisory, Okta noted that they had observed attacks in which a threat actor employed social engineering tactics to acquire a highly privileged role within an Okta customer organisation.

After initial infiltration, the threat actor exhibited innovative techniques for lateral movement and evading defensive measures.

According to Okta, several US-based customers reported a recurring pattern of attacks targeting their IT service desk staff.

In these incidents, the caller's approach involved persuading the service desk personnel to reset all Multi-factor Authentication (MFA) factors associated with highly privileged users.

Subsequently, the attackers used their compromise of Okta Super Administrator accounts to exploit legitimate identity federation features, enabling them to impersonate users within the compromised organisation.
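The two steps described above (an MFA reset on a privileged account, then a change to identity federation by that same account) can be correlated in the Okta System Log. The following detector is an added example, not code from the article or from Okta; the sample events are constructed, and the event-type strings (`user.mfa.factor.reset_all`, `system.idp.lifecycle.create`) and the privileged-account list are assumptions to be checked against your own tenant.

```python
"""Flag a privileged user's MFA reset that is followed, within a window, by
that user creating an identity provider (inbound federation)."""
from datetime import datetime, timedelta

# Constructed sample events in a simplified Okta System Log shape (assumed).
SAMPLE_EVENTS = [
    {"published": "2023-09-10T14:02:11Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk@example.com"},
     "target": [{"type": "User", "alternateId": "superadmin@example.com"}]},
    {"published": "2023-09-10T14:31:45Z", "eventType": "system.idp.lifecycle.create",
     "actor": {"alternateId": "superadmin@example.com"},
     "target": [{"type": "IdentityProvider", "displayName": "constructed-idp"}]},
    {"published": "2023-09-11T09:00:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk@example.com"},
     "target": [{"type": "User", "alternateId": "staff@example.com"}]},
]
PRIVILEGED = {"superadmin@example.com"}  # assumed set of Super Admin accounts


def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_chains(events, privileged, window_hours=24):
    """Return (reset_event, idp_event) pairs: a privileged user's MFA factors
    were reset, and that same user then created an IdP inside the window."""
    events = sorted(events, key=_ts)
    hits = []
    for reset in events:
        if reset["eventType"] != "user.mfa.factor.reset_all":
            continue
        victims = [t["alternateId"] for t in reset["target"]
                   if t.get("alternateId") in privileged]
        for idp in events:
            delta = _ts(idp) - _ts(reset)
            if (idp["eventType"] == "system.idp.lifecycle.create"
                    and idp["actor"]["alternateId"] in victims
                    and timedelta(0) <= delta <= timedelta(hours=window_hours)):
                hits.append((reset, idp))
    return hits


if __name__ == "__main__":
    for reset, idp in find_suspicious_chains(SAMPLE_EVENTS, PRIVILEGED):
        print("ALERT: MFA reset on", reset["target"][0]["alternateId"],
              "followed by IdP creation at", idp["published"])
```

The reset on `staff@example.com` produces no alert because that account is not in the privileged set and never creates an IdP; tightening `window_hours` to 0 suppresses the remaining alert.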

Bradbury said that Okta has been actively supporting MGM, one of its customers, in its efforts to address and respond to the cyberattack.

A representative for the cybercrime gang Scattered Spider (or UNC3944) told TechCrunch that they were responsible for the cyberattack on MGM.

The group reportedly employed ransomware developed by ALPHV, also known as BlackCat, which is a ransomware-as-a-service operation.

MGM, the owner of over two dozen hotel and casino establishments worldwide, as well as an online sports betting division, disclosed on Monday that it had encountered a "cybersecurity issue" that had impacted certain systems.

As a precautionary measure, the company temporarily shut down these systems to safeguard its infrastructure and data.

During the subsequent days, reports said various services, ranging from hotel room digital keys to slot machines, were rendered inoperable.

Additionally, the websites for numerous MGM properties experienced downtime for a period.

Brian Ahern, a spokesperson for MGM Resorts, told Bloomberg that the company has been collaborating with the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) since the breach occurred.

Members of the Scattered Spider group are believed to be in their late teens and early 20s, located in Europe and possibly the United States.

They are proficient in English, which enhances the credibility of their voice phishing attempts compared to calls from individuals with Russian accents and limited English proficiency.

Scattered Spider is also suspected of hacking Caesars Entertainment Inc. in recent weeks.

According to The Wall Street Journal, Caesars paid approximately half of the $30 million ransom demanded by the hackers to prevent the exposure of stolen data.

Caesars acknowledged the breach in an 8-K filing with federal regulators last week, disclosing that the hackers had targeted and obtained its loyalty programme database.

Bradbury expressed the importance of raising awareness about these hackers and their tactics so that customers can enhance their cybersecurity measures.

He characterised the hackers as highly proficient in identity technology, suggesting that we should anticipate more frequent and sophisticated attacks from them in the future.
