Cyber Security News

Threat Actor UNC3944 Responsible for MGM Cyber Attack

MGM Resorts, one of the world's largest hotel and casino operators, is on the road to recovery following a high-profile cyber attack that disrupted its operations. Okta Chief Information Security Officer (CISO) David Bradbury has confirmed that the cybercriminals responsible for the attack exploited Okta's services, shedding light on the details of the breach. This revelation comes after days of speculation surrounding the incident.

In a recent interview with Reuters, Bradbury disclosed that MGM Resorts and Caesars Entertainment were among five Okta clients targeted by a threat actor known as UNC3944, also referred to as Scattered Spider, Scatter Swine, or 0ktapus. This group is suspected to be an affiliate of the ALPHV/BlackCat ransomware operation. Bradbury emphasized that Okta is actively collaborating with law enforcement agencies and cooperating with official investigations.

UNC3944 Using Social Engineering Attacks

UNC3944 had been targeting Okta for over a year, with a notable increase in social engineering attacks against its customers in the past year. These attacks often involved duping victims' IT helpdesks into granting unauthorized access. While Bradbury did not disclose the names of the other victims, a scan of data by London-based security consultancy DynaRisk suggested that UNC3944 might possess stolen Okta credentials linked to over 500 other companies, including tech firm Adobe, drinks giant Diageo, and games developer Epic Games.

The cyber attack on MGM Resorts drew significant attention after the ALPHV/BlackCat ransomware operation issued a statement on September 14. The statement indicated that MGM Resorts had detected the intrusion into its Okta servers and took action to shut down its systems. However, the attackers managed to retain super administrator privileges, as well as global admin rights to MGM Resorts' Microsoft Azure tenant. The attackers later launched ransomware attacks on over 100 ESXi hypervisors.

MGM Resorts has made significant progress in recovering from the cyber attack. Its public-facing website is now operational, and the company assured guests that the majority of its property offerings remain unaffected. While mobile check-in and digital room key services are still offline as of Wednesday, the organization is waiving cancellation fees for guests with reservations through September 24. The organization remains committed to providing a safe and enjoyable experience for its visitors.

Caesars Entertainment, which also fell victim to the attack, appears to have experienced less disruption. Some reports suggest it paid a significant ransom; however, this has not been confirmed.

Preventing Social Engineering Attacks

The disclosure that Okta's customers have been hit by a large number of social engineering attacks has highlighted the significant role that social engineering plays in many successful cyber breaches. These deceptive tactics often involve duping victims' IT helpdesks into granting unauthorized access. To fortify your organization against such attacks, it's critical to focus on specific strategies and practices:

  • Security Awareness Training
  • Phishing Simulations
  • Prevent Scam Emails Using Gateways
  • Have a Good Social Media Policy on Privacy and Posting
  • Multi-Factor Authentication