Lessons Learned From the MGM Cyberattack
Part one of a two-part series.
By TraceSecurity
May 21, 2024
No corporation or business is immune to a cyberattack. Even a massive company like MGM Resorts International can be hit with ransomware, and one small slip in an employee's decision making can lead to catastrophic results. Bad actors used social engineering to gain access to MGM's network, forcing the company to shut down for multiple days and leading to losses of millions of dollars.
Human error is one of the biggest causes of cybersecurity failures across the world. With a bit of research and vishing, a hacker group brought down one of the biggest resort and casino companies in the world. The mishandling of an administrator account led to many other accounts being compromised, which in turn disrupted the servers and the services that ran on them.
Lacking an understanding of how these attacks work, MGM attempted to deny the attackers access to its servers by shutting them down. Unfortunately, the hackers were still able to get in and lock down crucial files and access, installing ransomware and leaving MGM without key services for days. The cyberattack lasted 10 days and caused many losses, since slot machines, the keycard system, and more had to be shut down.
How Did the MGM Cyberattack Happen?
As said above, people are the easiest part of a system to exploit when it comes to cybersecurity. With even a small gap in knowledge and training, one wrong grant of access can bring a whole company down for days. The bad actors, ALPHV and Scattered Spider, used relatively simple methods to get into a super admin's account, and it snowballed from there.
Reconnaissance
In September of 2023, the hacker groups began researching employees on LinkedIn. This is something that many businesses don't realize: employee information can easily be found on the Internet. It isn't simply LinkedIn, either. This sort of information can easily be obtained through Google or other search engines, and there are dedicated services that collect it as well.
Using these services, the groups were able to target specific individuals. When bad actors look for employees to impersonate, they will usually go for higher-ranking people like C-levels or directors. With these names and titles in hand, they moved on to the next step of their attack.
Social Engineering
After the information and targets had been acquired, the bad actors used social engineering to get access to these high-level accounts. The hackers simply used vishing, a form of phishing carried out over voice calls, to get in contact with MGM's IT department. Claiming the identity of these high-level employees, they began to work their manipulation into the call.
Likely using old usernames and passwords exposed in other data breaches, the bad actors managed to sign in to the accounts. However, they were soon met with a multi-factor authentication prompt, which should have been enough to stop them. Even so, the bad actors managed to get the IT employees to reset the MFA on the account, granting them complete access to a high-level account.
Compromising Accounts
Given access to these accounts, the bad actors didn't have to worry about much else. Their next goal was to get into other accounts in case they were found and locked out. Using various methods and programs, they added their own identity provider to MGM's Okta servers, effectively creating an additional account for themselves. This allowed them to move freely through the servers, acting as super users themselves.
With this new identity and the main super admin account, the bad actors went through not only the Okta servers but MGM's Microsoft Azure cloud environment as well. This was extremely problematic, because it gave them access to many other admin accounts on these servers. They were taking as much information as they wanted and would soon lock crucial data behind an encryption program.
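The two steps above, a help-desk MFA reset followed by the same user adding an identity provider, leave a recognizable trail in an identity provider's audit log. The following is an added detection example, not code from the original article or from MGM or TraceSecurity: it parses a constructed excerpt of Okta System Log events (JSON lines) and flags identity-provider changes made by a user whose MFA factors were reset by someone else shortly before. The event type names follow Okta's System Log naming as I understand it and should be treated as assumptions to verify against your own tenant's logs.

```python
import json
from datetime import datetime, timedelta

# Constructed Okta System Log excerpt (JSON lines). Not real MGM data.
SAMPLE_LOG = """
{"published":"2023-09-08T14:05:40Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"superadmin@example.com"}]}
{"published":"2023-09-08T14:21:03Z","eventType":"user.session.start","actor":{"alternateId":"superadmin@example.com"},"target":[]}
{"published":"2023-09-08T15:10:27Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"superadmin@example.com"},"target":[{"displayName":"Unknown IdP"}]}
{"published":"2023-09-08T16:00:00Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"iam-lead@example.com"},"target":[{"displayName":"Partner IdP"}]}
"""

# Event types assumed to match Okta's System Log naming (verify in your tenant).
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
IDP_CHANGE_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.update"}


def parse_log(text):
    """Parse JSON-lines events and return them sorted by publish time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for ev in events:
        ev["_ts"] = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["_ts"])


def idp_changes_after_mfa_reset(events, window=timedelta(hours=24)):
    """Flag IdP create/update events performed by a user whose MFA factors
    were reset by another account within the preceding window."""
    resets = {}   # user whose MFA was reset -> list of (reset time, reset by)
    alerts = []
    for ev in events:
        etype = ev["eventType"]
        actor = ev["actor"]["alternateId"]
        if etype in MFA_RESET_EVENTS:
            for tgt in ev.get("target", []):
                resets.setdefault(tgt.get("alternateId"), []).append((ev["_ts"], actor))
        elif etype in IDP_CHANGE_EVENTS:
            for reset_ts, reset_by in resets.get(actor, []):
                if timedelta(0) <= ev["_ts"] - reset_ts <= window:
                    alerts.append({
                        "user": actor,
                        "mfa_reset_by": reset_by,
                        "idp": ev["target"][0].get("displayName") if ev.get("target") else None,
                        "minutes_after_reset": (ev["_ts"] - reset_ts).total_seconds() / 60,
                    })
    return alerts


if __name__ == "__main__":
    for alert in idp_changes_after_mfa_reset(parse_log(SAMPLE_LOG)):
        print(alert)
```

The second IdP creation, by an admin with no preceding MFA reset, produces no alert, which keeps routine federation changes out of the queue.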
Attempted Response
After a bit of time, MGM finally noticed strange activity on its servers. There was obvious password sniffing happening, meaning that the bad actors were looking for additional passwords, as the attackers themselves later stated. This sent MGM into panic mode, quickly shutting down servers and disrupting services like digital key cards, slots, the reservation systems, and more.
However, because of MGM's lack of knowledge about this type of attack, the shutdown did not stop the hacker group from progressing. Despite the servers being inactive, the bad actors were able to make their way in and exfiltrate server files and various other important data. With this data locked behind encryption, the hackers were in a position of power to demand ransom for the files and for access to the network.
Exfiltration
The hacker groups known as ALPHV and Scattered Spider managed to get deep into the network and, despite the servers being shut down, encrypted many important server files. However, that's not all they did: they also exfiltrated sensitive data from the company's systems.
The groups did not say whether the files contained information on customers or employees, but it is certain that they took something. MGM says that no customer data was obtained, but it is hard to say who or what was affected. Unfortunately, we may never know exactly what information was exfiltrated.
Aftermath
After the dust had settled from the 10-day cyberattack on MGM, it was easy to see that the company was not up to date with its cybersecurity defenses. Because of this, the huge corporation has come under fire from many class-action lawsuits, which allege that MGM did not take proper care in protecting the company or its customers.
Not only that, but MGM had already lost tens of millions of dollars from the downtime it had to go through. The inability to use its systems really hurt its finances. On top of all of that, many customers have become distrustful of MGM's systems, which has cost the company customers over the past half year.
As you can see, it was quite easy for these hacker groups to bring MGM down. Because of its poor cybersecurity posture, MGM lost access to its servers for days and suffered a massive data breach. It was a matter of human error that started this entire thing, which could have been stopped by a bit of security awareness training. However, it is more than that: there are plenty of things MGM could have done to prevent this from happening.
About TraceSecurity
TraceSecurity has provided over 30,000 examiner-approved reports, helping credit unions of all sizes maintain compliance year after year. A CUNA Strategic Services provider since 2006, TraceSecurity helps credit unions with a range of cybersecurity services, including risk assessments, penetration testing, and IT audits. With a combination of software and services, TraceSecurity can help credit unions manage their information security program and supplement it with third-party validation.