Episode 12

Published on: 25th Sep 2023

Ep12: The MGM Resorts Breach: Lessons Learned and Future Implications (Extended)

Episode Overview:

In this extended episode, host Marc David and cybersecurity expert Savvy Sharma delve deep into the recent cyberattack on MGM Resorts International. They discuss the tactics used by the attackers, the vulnerabilities exploited, and the cascading impact of the breach on MGM's operations.

Key Discussion Points:

Introduction to the MGM Resorts Attack

  • Overview of the attack and its significance in the cybersecurity landscape.

The Attackers and Their Tactics

  • The role of Scattered Spider and their use of social engineering.
  • The exploitation of password reuse and the significance of multi-factor authentication.

The Impact and Aftermath

  • The deployment of BlackCat/ALPHV ransomware and its consequences.
  • The financial and operational repercussions for MGM Resorts.

Lessons Learned and Mitigation Strategies

  • The importance of privileged access management (PAM) solutions.
  • Strategies for improving multi-factor authentication (MFA) control.
  • The significance of protecting Tier 0 assets and adopting best Identity Provider (IdP) practices.

CyberArk Labs' Takeaways

  • The commonality of attacking IAM platforms.
  • The role of BlackCat/ALPHV in the attack.
  • The importance of monitoring trust changes and staying updated on evolving cyber threats.

Episode Highlights:

  • "A series of mistakes ultimately led to one of the most visible and brand-damaging attacks in years." - Savvy Sharma
  • "It’s crucial for organizations to continuously improve their security measures and follow best practices to protect themselves in today’s digital landscape." - Savvy Sharma

Transcript
Marc: Hello everyone and welcome back to Byte Sized Security. I'm your host, Marc David, and today we have a special guest with us, Savvy Sharma, a cybersecurity expert. We're going to delve into the MGM Resorts Attack, a cyber incident that has raised serious concerns about data security and organizational vulnerabilities. Savvy, welcome to the show.

Carla: Thank you, Marc. It's a pleasure to be here.

Marc: Let's jump right in. Can you give us an overview of what happened in the MGM Resorts Attack?

Carla: Certainly. The attack was allegedly initiated by a criminal gang known as Scattered Spider. They used social engineering tactics to gain a foothold in MGM's network. They were successful in duping the helpdesk into resetting a high-value user's multi-factor authentication, which led to a near shutdown of MGM Resorts International.

Marc: That's alarming. How did the attackers escalate their access within the network?

Carla: They exploited a common mistake of password reuse and gathered additional information from LinkedIn profiles. They then configured an entirely additional Identity Provider in the Okta tenant using a feature called "inbound federation." This gave them control not only over Okta but also over MGM's Microsoft Azure cloud environment.

Marc: What was the impact of gaining control over these platforms?

Carla: It was catastrophic. They deployed BlackCat/ALPHV ransomware, which encrypted several hundred of MGM's ESXi servers. This led to a cascade of failures, affecting hotel room keys, dinner reservation systems, point-of-sale systems, and more. MGM was losing as much as $8.4 million in revenue every day until the problems were fixed.

Marc: Can you elaborate on the role of BlackCat/ALPHV ransomware in this attack?

Carla: Certainly. BlackCat/ALPHV is part of a Ransomware-as-a-Service (RaaS) business model. They provide professional services that Scattered Spider lacks, such as malware creation, back-end command and control, and even negotiation services. This collaboration amplified the impact of the attack, causing cascading chaos across MGM's operations.

Marc: That's a staggering amount. What could have been done to prevent this?

Carla: One of the key chokepoints was the MFA device reset. If that had been detected or not possible, the attack could have been limited. Also, IAM infrastructure should be considered Tier 0 assets, and their compromise could lead to a significant portion of a network being paralyzed.

Marc: What are some of the lessons learned and mitigation strategies that organizations can adopt?

Carla: Firstly, minimizing exposure of privileged accounts is vital. Implementing privileged access management (PAM) solutions can reduce the risk. Secondly, improving MFA control by creating visibility into MFA device changes is essential. Lastly, protecting Tier 0 assets and adopting Identity Provider (IdP) best practices can go a long way in securing an organization.

Marc: Could you share some of the critical initial takeaways from CyberArk Labs regarding this attack?

Carla: Absolutely. Attacking IAM platforms is a common tactic that threat actors use. It gives them persistent access to an organization and extends their privileges into more systems, causing more damage. The worst part of this breach was that MGM’s IdP was configured in a way that allowed Scattered Spider to pivot into their VMware infrastructure. This is where BlackCat/ALPHV became involved.

Marc: Those are invaluable insights, Savvy. Before we wrap up, any final thoughts?

Carla: A series of mistakes ultimately led to one of the most visible and brand-damaging attacks in years. To mitigate similar attacks, organizations should focus on minimizing the exposure of privileged accounts, implementing strong authentication measures such as MFA, protecting Tier 0 assets, monitoring trust changes, and staying updated on evolving cyber threats. It’s a lot to do, but it’s crucial for organizations to continuously improve their security measures and follow best practices to protect themselves in today’s digital landscape.

Marc: Absolutely. Savvy, thank you for joining us today and sharing your expertise.

Carla: It was my pleasure, Marc. Thank you for having me.

Marc: And to our listeners, thank you for tuning in to another episode of Byte Sized Security. Stay safe and stay informed.


About the Podcast

Byte Sized Security
Snackable advice on cyber security best practices tailored for professionals on the go
In a world where cyberattacks are becoming more commonplace, we all need to be vigilant about protecting our digital lives, whether at home or at work. Byte Sized Security is the podcast that provides snackable advice on cybersecurity best practices tailored for professionals on the go.

Hosted by information security expert, Marc David, each 15-20 minute episode provides actionable guidance to help listeners safeguard their devices, data, and organizations against online threats. With new episodes released every Monday, Byte Sized Security covers topics like social engineering, password management, multi-factor authentication, security awareness training, regulatory compliance, incident response, and more.

Whether you're an IT professional, small business owner, developer, or just someone interested in learning more about cybersecurity, Byte Sized Security is the quick, easy way to pick up useful tips and insights you can immediately put into practice. The clear, jargon-free advice is perfect for listening on your commute, during a lunch break, or working out.

Visit bytesizedsecurity.com to access episodes and show notes with key takeaways and links to useful resources mentioned in each episode. Don't let cybercriminals catch you off guard - get smart, fast with Byte Sized Security! Tune in to boost your cybersecurity knowledge and help secure your part of cyberspace.

About your host

Marc David

Marc David is a Certified Information Systems Security Professional (CISSP) and the host of the cybersecurity podcast, Byte-Sized Security. He has over 15 years of experience in the information security field, specializing in network security, cloud security, and security awareness training. Marc is an engaging speaker and teacher with a passion for demystifying complex security topics. He got his start in security as a software developer for encrypted messaging platforms. Over his career, Marc has held security leadership roles at tech companies like Radius Networks and Vanco Payment Solutions. He now runs his own cybersecurity consulting and training firm helping businesses and individuals implement practical security controls. When he’s not hosting his popular security podcast, you can find Marc speaking at industry conferences or volunteering to teach kids cyber safety. Marc lives with his family outside of Boston where he also enjoys running, reading, and hiking.