MGM Ransomware Attack: Hard Down, Hard Lessons

9–18–2023 (Monday)

Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, September 18, 2023, and it feels like all the attention in the last week has been on either Deion Sanders and the Colorado Buffaloes or the ransomware attack against MGM. We’ll see how the Buffs do at Oregon this weekend and whether they still deserve our attention - so for today, let’s focus on MGM, the lessons we can learn from what we already know, and what we should keep an eye out for in the days and weeks ahead.

MGM: Hard Down, Hard Lessons

If you haven’t been following this story, or weren’t even aware of it: MGM Resorts was the victim of a ransomware attack that started manifesting as slot machines and ATMs going offline this past Wednesday, September 13th.

As a reminder of scale, MGM is the largest employer in the state of Nevada, and the MGM portfolio includes 10 Las Vegas properties like the Luxor, the Bellagio, Mandalay Bay, the Cosmopolitan and - of course - the MGM Grand, but also facilities in Atlantic City, New Jersey; National Harbor, Maryland; and other locations.

What we’ve come to learn from the supposed threat actors themselves is that a social engineering attack led to this breach.

Additional reporting indicates that ALPHV/BlackCat specifically leveraged the identity provider Okta as the entry point - something Okta itself has been warning customers about recently.

In short, attackers call the IT help desk pretending to be employees with elevated privileges (e.g. Okta Super Administrators), convince staff to reset those users’ MFA factors, and then abuse the resulting access to carry out their attacks. In Okta’s own write-up of the pattern, that access is used to grant further privileges, reset other users’ authenticators, and configure a second identity provider so the attacker can impersonate users through inbound federation.

This attack pattern, however, isn’t unique to Okta or to any particular multi-factor authentication solution, and it is an indicator that enterprises will need to continue stepping up their defenses - particularly for users with elevated permissions - to include things like:

  • Phishing-resistant MFA capabilities (e.g. hardware keys);

  • Additional controls around device enrollment and management;

  • Defined workflows and additional approvals before help desk staff can reset factors, especially for administrators;

  • Additional conditional access controls that can identify and limit novel sign-ins.
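The help-desk reset pattern described above leaves a recognizable trail in the identity provider’s audit log, which is where the "anomaly detection" control earns its keep. The following is an added example for this post, not code from MGM, Okta or the threat actors: it replays constructed Okta System Log events and flags a factor reset on a privileged account, a sign-in from an unfamiliar country shortly afterwards, and the creation of a new identity provider. The event type names follow Okta’s System Log; the field layout (`actor.alternateId`, `target[].alternateId`, `client.geographicalContext.country`, `published`), the privileged-user list, the baseline countries and the log lines themselves are assumptions constructed for illustration.

```python
"""Flag the help-desk MFA-reset abuse chain in Okta-style System Log events.

Added example; not code from Okta, MGM or ALPHV. Event type names follow
Okta's System Log, but the field layout, privileged-user list, baseline
countries and the sample events below are constructed for illustration.
"""
import json
from datetime import datetime, timedelta

# Event types emitted when factors are wiped/removed, a session starts, or an IdP is added.
FACTOR_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
SESSION_START = "user.session.start"
NEW_IDP_EVENT = "system.idp.lifecycle.create"

# Hypothetical: accounts holding elevated Okta roles, and where they normally sign in from.
PRIVILEGED_USERS = {"admin.alice@example.com", "ops.bob@example.com"}
BASELINE_COUNTRIES = {
    "admin.alice@example.com": {"United States"},
    "ops.bob@example.com": {"United States"},
}
WINDOW = timedelta(hours=24)  # how long after a reset a novel sign-in stays suspicious

# Constructed sample log (one JSON event per line), mirroring the attack chain in the text.
SAMPLE_LOG = """
{"published": "2023-09-08T14:02:11Z", "eventType": "user.mfa.factor.reset_all", "actor": {"alternateId": "helpdesk.carol@example.com", "type": "User"}, "target": [{"alternateId": "admin.alice@example.com", "type": "User"}], "client": {"ipAddress": "198.51.100.10", "geographicalContext": {"country": "United States"}}}
{"published": "2023-09-08T14:20:45Z", "eventType": "user.session.start", "actor": {"alternateId": "admin.alice@example.com", "type": "User"}, "target": [], "client": {"ipAddress": "203.0.113.7", "geographicalContext": {"country": "Germany"}}}
{"published": "2023-09-08T14:35:02Z", "eventType": "system.idp.lifecycle.create", "actor": {"alternateId": "admin.alice@example.com", "type": "User"}, "target": [{"alternateId": "Corp SSO", "type": "IdentityProvider"}], "client": {"ipAddress": "203.0.113.7", "geographicalContext": {"country": "Germany"}}}
{"published": "2023-09-08T15:00:00Z", "eventType": "user.session.start", "actor": {"alternateId": "ops.bob@example.com", "type": "User"}, "target": [], "client": {"ipAddress": "198.51.100.22", "geographicalContext": {"country": "United States"}}}
{"published": "2023-09-08T15:10:00Z", "eventType": "user.mfa.factor.deactivate", "actor": {"alternateId": "helpdesk.carol@example.com", "type": "User"}, "target": [{"alternateId": "dave@example.com", "type": "User"}], "client": {"ipAddress": "198.51.100.10", "geographicalContext": {"country": "United States"}}}
{"published": "2023-09-08T16:00:00Z", "eventType": "user.session.start", "actor": {"alternateId": "admin.alice@example.com", "type": "User"}, "target": [], "client": {"ipAddress": "198.51.100.30", "geographicalContext": {"country": "United States"}}}
"""


def parse(lines):
    """Parse JSON-per-line events and sort them by publish time."""
    events = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["_ts"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["_ts"])


def user_targets(e):
    """Return the user accounts an event acted on (ignores non-user targets like IdPs)."""
    return [t.get("alternateId") for t in e.get("target", []) if t.get("type") == "User"]


def detect(lines):
    """Walk the log once and emit alerts for the reset -> novel sign-in -> new IdP chain."""
    alerts = []
    reset_times = {}  # privileged user -> time their factors were last reset/removed
    for e in parse(lines):
        et = e["eventType"]
        actor = e["actor"]["alternateId"]
        if et in FACTOR_RESET_EVENTS:
            # Any factor reset on a privileged account is worth a ticket check on its own.
            for user in user_targets(e):
                if user in PRIVILEGED_USERS:
                    reset_times[user] = e["_ts"]
                    alerts.append({"rule": "privileged_factor_reset", "user": user,
                                   "by": actor, "time": e["published"]})
        elif et == SESSION_START and actor in reset_times:
            # A sign-in from outside the user's baseline soon after a reset is the tell.
            country = e["client"]["geographicalContext"]["country"]
            within_window = e["_ts"] - reset_times[actor] <= WINDOW
            if within_window and country not in BASELINE_COUNTRIES.get(actor, set()):
                alerts.append({"rule": "novel_signin_after_reset", "user": actor,
                               "country": country, "ip": e["client"]["ipAddress"],
                               "time": e["published"]})
        elif et == NEW_IDP_EVENT:
            # New identity providers are rare, high-impact changes; always surface them.
            alerts.append({"rule": "new_identity_provider", "by": actor, "time": e["published"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run against the constructed log, this yields three alerts in order (the reset of admin.alice’s factors by the help desk, her sign-in from Germany eighteen minutes later, and the new identity provider she then creates), while the reset of a non-privileged user and the in-baseline sign-ins stay quiet. In a real deployment the privileged-user set would come from the IdP’s admin role assignments rather than a hard-coded list, and the "privileged_factor_reset" alert is the natural place to require a matching help desk ticket and second approver.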

Meanwhile, CISA and their friends at the FBI and NSA released a joint advisory on deepfakes that specifically notes the use of deepfake voices for “impersonation to gain access” - a technique reaching back as far as 2022, but also implicated in this latest round of attacks.

At the same time, we’re seeing reports of additional casinos being attacked, including Caesars Entertainment and other, smaller operators, indicating a potentially targeted effort by these threat actors.

A bungled incident response by MGM - and the threat actors throwing shade their way - isn’t helping matters.

The takeaway for all of us should be a renewed focus on ransomware prevention and anomaly detection, and on understanding the people and systems that are critical to our business and building robust defenses against the ways they may be manipulated.

It can feel like a tall order, but given the analysis that MGM is losing up to 20% of cash flow and revenue daily, it’s worth it.

Fundraising

Fundraising volumes are back after their summer vacation, with more than $15B in newly committed capital over the past week, including a new joint venture between Brookfield Asset Management and Societe Generale with $2.5B for a “high quality private debt fund” and H.I.G. Capital posting $6B for its fourth US mid-market buyout fund - both of which seem well timed in a macro sense.

You can find all the links to the stories we covered in the comments section below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next Monday for another Intentional Brief.

Links

https://www.reviewjournal.com/business/casinos-gaming/russian-hackers-claim-mgm-resorts-breach-irritating-visitors-2903998/

https://www.reviewjournal.com/business/casinos-gaming/social-engineering-proves-powerful-tool-in-casino-cyberattacks-experts-say-2906016/

https://www.darkreading.com/application-security/okta-flaw-involved-mgm-resorts-breach-attackers-claim

https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection

https://media.defense.gov/2023/Sep/12/2003298925/-1/-1/0/CSI-DEEPFAKE-THREATS.PDF

https://www.wired.com/story/mgm-ceasars-hack-ransomware/

https://twitter.com/BrettCallow/status/1702415605612331061/photo/1

https://www.reviewjournal.com/business/casinos-gaming/analyst-mgm-losing-4-2m-8-4m-a-day-because-of-cyberattack-2906379/
