Betting Against the House: MGM's Unlucky Cyber Streak | Vorlon Blog: Bite sized breaches

Written by Lauren Lee | Sep 22, 2023 7:00:00 AM

Introduction

Las Vegas, the city of lights and dreams, experienced a digital nightmare in September 2023. MGM Resorts, a titan in the entertainment industry, faced a cyber onslaught that sent shockwaves across the sector. Let's delve deeper into this!

The Scene is Set: A Brief Introduction

Early September 2023 wasn't kind to the entertainment giants of Las Vegas. On September 10th, MGM Resorts' digital infrastructure faced a crippling cyberattack, leading to a 10-day computer shutdown. This disruption wasn't just about lost reservations; it spanned credit card processing, guest services, and more. And as if to add to the city's woes, Caesars Entertainment, another entertainment giant, was hit by a similar attack just three days earlier on September 7th. 

Meet the Culprits: Who's Behind the Curtain?

By mid-September, the digital detectives had a lead. The group pulling the strings was identified as Scattered Spider, also tracked under the monikers Roasted 0ktapus and UNC3944.

Scattered Spider is known for social engineering schemes that trick users into giving up their login credentials. They are also known for overwhelming their targets with repeated MFA push requests (so-called MFA fatigue or push bombing) until a worn-down user approves one.

Scattered Spider isn't a standalone entity; they're believed to have worked with the larger, Russia-based operation known as ALPHV or BlackCat. ALPHV was identified as the ransomware-as-a-service (RaaS) provider that supplied Scattered Spider with the malware and support to carry out the casino cyberattacks.

The Plot Twist: The Okta Exploit

The attackers claim they breached MGM by getting into the company's Okta platform and grabbing passwords from high-level admins. After about a day of snooping around, they went ahead with ransomware attacks on 1,000 ESXi hypervisors. ESXi is VMware's hypervisor, the software layer that runs many virtual machines on a single physical server; whoever takes control of it can disrupt every system hosted on it at once.

According to David Bradbury, Okta's CISO, these attackers were even able to set up their own identity provider (IdP) and user database within Okta's system.

In the weeks leading up to this incident, Okta had actually sent out a warning. They'd noticed a pattern of social engineering attacks aimed at their customers' IT service desk staff. The attackers had clearly set their sights on Okta. They went as far as impersonating employees convincingly, fooling IT help desks into resetting credentials or MFA factors and thereby granting unauthorized access. This showed a high level of sophistication they'd been refining for quite some time. Additionally, it's important to mention that Caesars may have faced a similar breach through its Okta system, though the details are still a bit unclear.
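Two of the behaviours described above leave clear traces in an identity provider's audit log: a burst of denied MFA push challenges against one account, and the creation of a new identity provider inside the tenant. The following is an added example written for this post, not code from Vorlon, Okta or MGM. It runs over constructed Okta-style System Log events; the event-type names (`user.mfa.okta_verify.deny_push`, `system.idp.lifecycle.create`) follow Okta's naming, but the field layout and the log lines themselves are assumptions built for illustration.

```python
"""Flag MFA push fatigue and new-IdP creation in Okta-style audit events.

Added illustration for this post. SAMPLE_LOG is constructed, and the
event layout is an assumption modelled on Okta's System Log format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning knobs: N denied pushes for one user inside the window is suspicious.
PUSH_THRESHOLD = 5
PUSH_WINDOW = timedelta(minutes=10)

# Constructed events (one JSON object per line). alice is being push-bombed,
# bob denies two pushes hours apart, and a help-desk account creates an IdP.
SAMPLE_LOG = """
{"published": "2023-09-10T02:00:00Z", "eventType": "user.mfa.okta_verify.deny_push", "actor": {"alternateId": "alice@example.com"}, "target": []}
{"published": "2023-09-10T02:00:30Z", "eventType": "user.mfa.okta_verify.deny_push", "actor": {"alternateId": "bob@example.com"}, "target": []}
{"published": "2023-09-10T02:01:10Z", "eventType": "user.mfa.okta_verify.deny_push", "actor": {"alternateId": "alice@example.com"}, "target": []}
{"published": "2023-09-10T02:02:05Z", "eventType": "user.mfa.okta_verify.deny_push", "actor": {"alternateId": "alice@example.com"}, "target": []}
{"published": "2023-09-10T02:03:30Z", "eventType": "user.mfa.okta_verify.deny_push", "actor": {"alternateId": "alice@example.com"}, "target": []}
{"published": "2023-09-10T02:05:00Z", "eventType": "user.mfa.okta_verify.deny_push", "actor": {"alternateId": "alice@example.com"}, "target": []}
{"published": "2023-09-10T02:07:45Z", "eventType": "user.mfa.okta_verify.deny_push", "actor": {"alternateId": "alice@example.com"}, "target": []}
{"published": "2023-09-10T03:15:00Z", "eventType": "system.idp.lifecycle.create", "actor": {"alternateId": "helpdesk-admin@example.com"}, "target": [{"type": "IdentityProvider", "displayName": "Corp SSO (external)"}]}
{"published": "2023-09-10T03:30:00Z", "eventType": "user.mfa.okta_verify.deny_push", "actor": {"alternateId": "bob@example.com"}, "target": []}
"""


def parse_events(text):
    """Parse JSON-lines events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        # Python's fromisoformat does not accept a trailing 'Z' before 3.11.
        event["_ts"] = datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["_ts"])


def detect_push_fatigue(events, threshold=PUSH_THRESHOLD, window=PUSH_WINDOW):
    """Return {user: max denied pushes seen in any sliding window of `window`}
    for every user whose maximum reaches `threshold`."""
    denials = defaultdict(list)
    for event in events:
        if event["eventType"] == "user.mfa.okta_verify.deny_push":
            denials[event["actor"]["alternateId"]].append(event["_ts"])

    flagged = {}
    for user, times in denials.items():
        start = 0
        for end in range(len(times)):
            # Advance the window start until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(count, flagged.get(user, 0))
    return flagged


def detect_new_idp(events):
    """IdP creation is rare in a healthy tenant, so every instance is worth
    review. Return (actor, new IdP display name) pairs."""
    hits = []
    for event in events:
        if event["eventType"] == "system.idp.lifecycle.create":
            names = [t.get("displayName", "?") for t in event["target"]
                     if t.get("type") == "IdentityProvider"]
            hits.append((event["actor"]["alternateId"], names[0] if names else "?"))
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for user, n in detect_push_fatigue(evts).items():
        print(f"possible MFA push fatigue: {user} denied {n} pushes within {PUSH_WINDOW}")
    for actor, idp in detect_new_idp(evts):
        print(f"review: {actor} created identity provider '{idp}'")
```

The sliding window matters more than a fixed per-hour count: a user who declines one stray prompt a day never trips it, while six denials in eight minutes, as in the constructed `alice@example.com` case, does. The IdP check deliberately has no threshold, since in most tenants the only legitimate trigger is a planned federation change that should already be on a change ticket.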

The Fallout: Consequences of the Attack

The ripples of the attack were felt far and wide. While MGM displayed resilience by quickly restoring its public-facing website, the full extent of the breach's impact remained unclear. It is estimated that the 10-day computer shutdown could have cost MGM up to $8 million per day, which would add up to $80 million in total, but there has been no official word on this.

Caesars Entertainment, on the other hand, found itself in a tight spot. They reportedly parted with a staggering $15 million, half of the $30 million ransom demanded by Scattered Spider, to secure their compromised data. This raised pressing questions: What data was accessed? How would this impact the company's reputation and bottom line?

Conclusion

The cyberattacks carried out on these entertainment giants are reminders of the challenges and risks that exist out there. We must be wary of the lurking shadows of cyber threats. It's a call for businesses and individuals alike to stay informed, remain vigilant, and ensure that in the realm of cybersecurity we're always one step ahead. Because despite these pitfalls, the show, indeed, must go on.