Ep12: The MGM Resorts Breach: Lessons Learned and Future Implications (Extended)

Marc: 00:00:00

Hello everyone and welcome back to Byte Sized Security.

2

: 00:00:03

I'm your host, Marc David, and today

we have a special guest with us,

3

: 00:00:06

Savvy Sharma, a cybersecurity expert.

4

: 00:00:09

We're going to delve into the MGM Resorts

Attack, a cyber incident that has raised

5

: 00:00:12

serious concerns about data security

and organizational vulnerabilities.

6

: 00:00:17

Savvy, welcome to the show.

7

: 00:00:18

Carla: Thank you Marc.

8

: 00:00:19

It's a pleasure to be here.

9

: 00:00:21

Marc: Let's jump right in.

10

: 00:00:22

Can you give us an overview of what

happened in the MGM Resorts Attack?

11

: 00:00:25

Carla: Certainly.

12

: 00:00:26

The attack was allegedly initiated by a

criminal gang known as Scattered Spider.

13

: 00:00:30

They used social engineering tactics

to gain a foothold in MGM's network.

14

: 00:00:34

They were successful in duping the

helpdesk into resetting a high-value

15

: 00:00:37

user's multi-factor authentication,

which led to a near shutdown

16

: 00:00:41

of MGM Resorts International.

17

: 00:00:43

Marc: That's alarming.

18

: 00:00:44

How did the attackers escalate

their access within the network?

19

: 00:00:47

Carla: They exploited a common mistake

of password reuse and gathered additional

20

: 00:00:51

information from LinkedIn profiles.

21

: 00:00:53

They then configured an entirely

additional Identity Provider in

22

: 00:00:56

the Okta tenant using a feature

called "inbound federation."

23

: 00:00:59

This gave them control not only

over Okta but also over MGM's

24

: 00:01:03

Microsoft Azure cloud environment.

25

: 00:01:05

Marc: What was the impact of gaining

control over these platforms?

26

: 00:01:08

Carla: It was catastrophic.

27

: 00:01:09

They deployed BlackCat/ALPHV

ransomware, which encrypted several

28

: 00:01:13

hundred of MGM's ESXi servers.

29

: 00:01:15

This led to a cascade of failures,

affecting hotel room keys,

30

: 00:01:19

dinner reservation systems,

point-of-sale systems, and more.

31

: 00:01:22

MGM was losing as much as $8.4

million in revenue every day

32

: 00:01:26

until the problems were fixed.

33

: 00:01:28

Marc: Can you elaborate on the role of

BlackCat/ALPHV ransomware in this attack?

34

: 00:01:33

Carla: Certainly.

35

: 00:01:33

BlackCat/ALPHV is part of

a Ransomware-as-a-Service

36

: 00:01:36

(RaaS) business model.

37

: 00:01:38

They provide professional services

that Scattered Spider lacks, such as

38

: 00:01:41

malware creation, back-end command and

control, and even negotiation services.

39

: 00:01:46

This collaboration amplified the

impact of the attack, causing cascading

40

: 00:01:50

chaos across MGM's operations.

41

: 00:01:52

Marc: That's a staggering amount.

42

: 00:01:54

What could have been done to prevent this?

43

: 00:01:55

Carla: One of the key chokepoints

was the MFA device reset.

44

: 00:01:58

If that had been detected or not possible,

the attack could have been limited.

45

: 00:02:02

Also, IAM infrastructure should be

considered Tier 0 assets, and their

46

: 00:02:06

compromise could lead to a significant

portion of a network being paralyzed.

47

: 00:02:10

Marc: What are some of the lessons

learned and mitigation strategies

48

: 00:02:13

that organizations can adopt?

49

: 00:02:15

Carla: Firstly, minimizing exposure

of privileged accounts is vital.

50

: 00:02:18

Implementing privileged access management

(PAM) solutions can reduce the risk.

51

: 00:02:22

Secondly, improving MFA control

by creating visibility into MFA

52

: 00:02:26

device changes is essential.

53

: 00:02:28

Lastly, protecting Tier 0 assets

and adopting Identity Provider

54

: 00:02:31

(IdP) best practices can go a long

way in securing an organization.

55

: 00:02:35

Marc: Could you share some of the

critical initial takeaways from

56

: 00:02:38

CyberArk Labs regarding this attack?

57

: 00:02:40

Carla: Absolutely.

58

: 00:02:41

Attacking IAM platforms is a common

tactic that threat actors use.

59

: 00:02:45

It gives them persistent access to an

organization and extends their privileges

60

: 00:02:49

into more systems, causing more damage.

61

: 00:02:51

The worst part of this breach was

that MGM’s IdP was configured in a

62

: 00:02:55

way that allowed Scattered Spider to

pivot into their VMware infrastructure.

63

: 00:02:58

This is where BlackCat/ALPHV

became involved.

64

: 00:03:02

Marc: Those are invaluable insights Savvy.

65

: 00:03:04

Before we wrap up, any final thoughts?

66

: 00:03:06

Carla: A series of mistakes ultimately

led to one of the most visible and

67

: 00:03:10

brand-damaging attacks in years.

68

: 00:03:11

To mitigate similar attacks, organizations

should focus on minimizing the exposure

69

: 00:03:16

of privileged accounts, implementing

strong authentication measures such

70

: 00:03:20

as MFA, protecting Tier 0 assets,

monitoring trust changes, and staying

71

: 00:03:24

updated on evolving cyber threats.

72

: 00:03:26

It’s a lot to do, but it’s crucial

for organizations to continuously

73

: 00:03:30

improve their security measures and

follow best practices to protect

74

: 00:03:33

themselves in today’s digital landscape.

75

: 00:03:35

Marc: Absolutely.

76

: 00:03:36

Savvy, thank you for joining us

today and sharing your expertise.

77

: 00:03:40

Carla: It was my pleasure Marc.

78

: 00:03:41

Thank you for having me.

79

: 00:03:42

Marc: And to our listeners, thank

you for tuning in to another

80

: 00:03:45

episode of Byte Sized Security.

81

: 00:03:47

Stay safe and stay informed.