Introduction

There is no corporation or business that is immune to a cyber attack. Even a massive company like MGM Resorts International can be hit with ransomware. One small slip in an employee’s decision making can lead to catastrophic results. Bad actors used social engineering to gain access to MGM’s network, causing the company to shut down for multiple days and lose millions of dollars.

Human error is one of the biggest causes of cybersecurity failures across the world. With a bit of research and vishing, a hacker group brought down one of the biggest resort and casino companies in the world. The mishandling of an administration account caused many other accounts to be hacked, leading to disruption of servers and services that ran on those servers.

Lacking knowledge of how these attacks worked, MGM attempted to deny access to their servers by shutting them down. Unfortunately, the hackers were still able to get in, lock down crucial files and access, and install ransomware, which cost MGM its services for days. The cyber attack lasted 10 days and caused many losses because slot machines, the keycard system, and more were shut down.

How did the MGM cyber attack happen?

As said above, humans are the easiest thing to exploit when it comes to cybersecurity. With even a small gap in knowledge and training, one wrong access can bring a whole company down for days. The bad actors, ALPHV and Scattered Spider, used relatively simple methods to get into a super admin’s account, and it snowballed from there.

Reconnaissance

    In September of 2023, the hacker groups began researching employees on LinkedIn. This is something that many businesses don’t realize—employee information can easily be found on the Internet. It’s not simply LinkedIn, either. This sort of information can easily be obtained through Google or other search engines. There are dedicated services that acquire this information as well.

    Using these services, the groups were able to target specific individuals. Whenever bad actors look for these types of employees, they will usually go for higher-ranking people like C-levels or directors. With these names and titles in hand, they moved on to the next step of their attack.

    Social Engineering

      After the information and targets had been acquired, the bad actors proceeded to use social engineering to get access to these high-level accounts. The hackers simply used vishing, which is a method of phishing that uses voice calls, to get into contact with MGM’s IT department. Using the identity of these high-level employees, they began to work their manipulation into the call.

      Likely using old usernames and passwords from other data breaches, the bad actors managed to get into the accounts. However, they were soon met with multi-factor authentication, which should have been enough to stop them. As expected, though, the bad actors managed to get the IT employees to reset the accounts’ MFA, granting them complete access to a high-level account.

      Compromising Accounts

        Given access to these accounts, the bad actors didn’t have to worry about much else. Their next goal was to get into other accounts in case they were found and locked out. Using various methods and programs, they added an additional account for themselves, in the form of an Identity Provider, to MGM’s Okta servers. This allowed them to move freely through the servers, acting as super users themselves.

        With this new identity and the main super account, the bad actors went through not only the Okta servers, but MGM’s Microsoft Azure cloud environment as well. This was extremely problematic, because this gave them access to many other admin accounts on these servers. They were getting as much information as they wanted and would soon lock crucial data behind an encryption program.
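The sequence described above (an MFA reset performed by IT, a sign-in, then a new Identity Provider) leaves a trail in identity-provider logs that a defender can correlate. The following Python example is added here and is not part of the original article; the event type strings follow Okta's System Log naming, while the flattened record fields, the 24-hour window, and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)               # assumed correlation window
RESET = "user.mfa.factor.reset_all"        # all MFA factors reset for a user
LOGIN = "user.session.start"               # user session created
NEW_IDP = "system.idp.lifecycle.create"    # Identity Provider added

# Constructed sample events; flattened fields, not the full Okta log schema.
EVENTS = [
    {"ts": "2024-01-02T10:00:00", "type": LOGIN, "actor": "bob", "target": "bob", "ip": "10.1.2.7"},
    {"ts": "2024-01-03T09:00:00", "type": LOGIN, "actor": "alice.admin", "target": "alice.admin", "ip": "10.1.1.5"},
    {"ts": "2024-01-09T14:02:00", "type": RESET, "actor": "helpdesk1", "target": "alice.admin", "ip": "10.1.9.20"},
    {"ts": "2024-01-09T14:09:00", "type": LOGIN, "actor": "alice.admin", "target": "alice.admin", "ip": "203.0.113.44"},
    {"ts": "2024-01-09T15:30:00", "type": NEW_IDP, "actor": "alice.admin", "target": "idp-unknown", "ip": "203.0.113.44"},
    {"ts": "2024-01-10T08:00:00", "type": RESET, "actor": "helpdesk2", "target": "bob", "ip": "10.1.9.21"},
    {"ts": "2024-01-10T08:05:00", "type": LOGIN, "actor": "bob", "target": "bob", "ip": "10.1.2.7"},
]

def detect(events, window=WINDOW):
    """Return (user, reason, detail) alerts for activity that follows an MFA reset."""
    known_ips = {}   # user -> IPs seen on sign-ins that raised no alert
    resets = {}      # user -> time of the latest reset done by someone else
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user = e["actor"]
        if e["type"] == RESET:
            if e["actor"] != e["target"]:      # reset performed on the user's behalf
                resets[e["target"]] = ts
            continue
        recent = user in resets and ts - resets[user] <= window
        if e["type"] == LOGIN:
            if recent and e["ip"] not in known_ips.get(user, set()):
                alerts.append((user, "login from new IP after MFA reset", e["ip"]))
            else:
                known_ips.setdefault(user, set()).add(e["ip"])
        elif e["type"] == NEW_IDP:
            # IdP creation is rare enough to review every time.
            reason = "IdP created after MFA reset" if recent else "IdP created"
            alerts.append((user, reason, e["target"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The second reset in the sample (for `bob`) raises no alert because the following sign-in comes from an address already seen for that user.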

        Attempted Response

          After a bit of time, MGM finally saw that there was strange activity on their servers. There was obvious password sniffing happening, meaning that the bad actors were looking for additional passwords, which they stated themselves. This caused MGM to go into panic mode, quickly shutting down their servers and disrupting services like digital key cards, slots, their reservation systems, and more.

          However, because of their lack of knowledge on this type of attack, this did not inhibit the hacker group from progressing their attack. Despite the servers being inactive, the bad actors were able to make their way in and exfiltrate server files and various other important data. With this locked behind encryption, the hackers were put in a position of power to demand ransom for these files and access to the network.

          Exfiltration

            The hacker groups known as ALPHV and Scattered Spider managed to get deep into the network and, despite the servers being shut down, managed to put encryption on many important server files. However, that’s not all they did—they also exfiltrated sensitive data from the company’s systems.

            The groups did not say if the files had information on customers or employees, but it is certain that they got something. MGM says that no customer data had been obtained, but it’s hard to say who or what it was they had gotten. Unfortunately, we may never know exactly what information got exfiltrated.

            Aftermath

              After the dust had settled from the 10-day cyber attack on MGM, it was easy to see that the company was not up to date with their cybersecurity defenses. Because of this, the huge corporation has been under fire from many class-action lawsuits, which have said that MGM did not take proper care in protecting their company or their customers.

              Not only that, but MGM had already lost tens of millions of dollars from the downtime they had to go through. The inability to use their systems really hurt their wallets. However, in addition to all of that, many customers have become distrusting of MGM’s systems, which lost them customers over the past half year.

              As you can see, it was quite easy for MGM to get brought down by these hacker groups. Because of their poor cybersecurity posture, they lost access to their servers for days and suffered a massive data breach. It was a matter of human error that started this entire thing, which could have been stopped by a bit of security awareness training. However, it is more than that—there are plenty of things that they could have done to prevent this from happening.

              What could have stopped the MGM cyber attack?

              With proper cybersecurity methods in place, it is very difficult for a hacker group to get access to any sort of business or server. A third-party cybersecurity firm can assist in this, which is sometimes necessary due to government regulations. However, even the bare minimum can save a lot of money and time in the long run.

              Security Awareness Training

              As said previously, the number one cause of cybersecurity incidents is human error. We’re all human and we all make mistakes, but these mistakes can cost a company millions and millions of dollars—this is what happened to MGM. A single 10-minute call to an IT person led to the multi-billion-dollar company shutting down for multiple days.

              Security awareness training is something that both small and large businesses can take advantage of. There is no reason to put these programs on the back burner, considering it’s one of the most important things a business can do. It is a constant reminder to employees to always be vigilant, trust nothing, and scrutinize everything. With the increasing rate of technology and the skill of bad actors, it’s more important than ever before to build awareness.

              Many cybersecurity firms offer these sorts of things to companies. With the assistance of security analysts, they will help a business bring together proper procedures and training sessions on cybersecurity. However, going farther than that, a cybersecurity firm may also have simulated social engineering to assist with these procedures. These include:

              • Phishing: Sending fake emails and other fraudulent information in an attempt to get an employee to click on a malicious link or enter sensitive information to a bad actor.
              • Smishing: Using SMS, or short message service, to send fake or fraudulent text messages to victims in an attempt to lead them to a malicious site or enter sensitive information.
              • Vishing: Using telephone calls or voicemail to contact a person, posing as a professional or some various employee to get sensitive information.

              There are many other methods, especially physical security awareness training. A security analyst can come to the physical location of the business and attempt to perform a number of different tests, including visitor policy, document security, and more. Everything is simulated, of course, so results will be able to inform a company where it is weakest and strongest in their employees’ awareness.

              Another method of security awareness training is quizzes. While it may seem a bit juvenile to add something like that to a business’s cybersecurity procedures, it has been proven to be more effective for employees who go through these educational courses.

              In these simulated social engineering attacks, a cybersecurity firm may attach educational courses to the phishing that they do. If an employee clicks on one of them, they will be entered into an informational education course to let them know how to improve on their mistake. After they read or listen, they must usually verify it by answering questions at the end.

              There are plenty of other ways for employees to partake in security awareness training. This includes remote and in-person sessions that a security analyst can lead and inform people about. It is a good rule of thumb to do this two to four times a year, depending on the size and assets of the business. Some even do it once a month.

              Vulnerability Assessments

              While it isn’t the leading cause of cybersecurity incidents, another large factor for failures is vulnerability in a network. There are many reasons a network can fall to a bad actor’s attack, including misconfigured firewalls, unpatched threats that have been discovered, and more. A vulnerability assessment tells you exactly what might cause something to get through.

              With a thorough examination, either through a security analyst or a scanner, a cybersecurity firm can give you information on the most threatening vulnerabilities that could cause a network to malfunction or be brought down by an attack from a hacker. With these scans, a manual examination is usually required afterward to make sure there are no false positives.

              While a simple scan might seem like it’s enough, further testing may be needed. A vulnerability assessment is helpful, but it won’t tell you as much as something like a penetration test, which goes through exploiting these vulnerabilities for access.

              Penetration Testing

              Often the bread and butter of many different cybersecurity firms, penetration testing is becoming more and more important among financial and non-financial institutions alike. Banks and credit unions usually have to get these sorts of tests done due to government compliance, but these should be done regardless.

              Like the security awareness training, penetration tests revolve around simulated attacks. There are many different pen tests that can be done, including internal pen tests, external pen tests, red team tests, and more. Social engineering is sometimes taken into consideration, where the security analyst will attempt to gather information to get into the network. There are also tests that will simply allow the security analyst in to find exploits from an “inside” view.

              Penetration tests are thorough examinations of a network, as well as exploitation of vulnerabilities. The simulated attacks use real world methods that hackers and bad actors use, so it gives the most accurate and most detailed information on a network and its security. Usually, the reports created from this test are valuable and are widely accepted by examiners that may come in.

              IT Audit

              IT audits are an important part of any cybersecurity posture. Despite many businesses using the term for various things, an IT audit is a basic test of accessible points, or controls, in a network. This can range from computers and mobile devices to things like printers or fax machines. Any access point can be a point of entry for a bad actor or hacker if not secure. An IT audit tests the security of these controls.

              These IT audits are usually combined with things like risk assessments, ransomware preparedness assessments, and smaller tests like tabletop testing. Even smaller institutions can take advantage of this sort of thing, considering it is one of the easier ways for a bad actor to get into a system. One small missed patch or unknown vulnerability can cause heavy damage, or worse, complete destruction of a business.

              No Business is Immune to Cyber Attacks

              There’s no mystery that MGM Resorts International is a massive multi-billion dollar corporation. They should have had a massive cybersecurity effort to protect their employees and customers. Because they had grown complacent and careless with it, bad actors were able to shut them down and cost them tens of millions of dollars.

              Despite that, however, this is just one big example. The truth of the matter is that no business is immune to cyber attacks or data breaches. Small businesses and non-profits are also prime targets for these sorts of things. Bad actors have no sympathy and will take what they can get, no matter who or what they hurt. Many businesses have already been bankrupted because of cyber attacks, so it’s important to keep cybersecurity in mind.

              Even a small non-profit like Water for People, a $20 million organization that provides clean drinking water for various countries, was hit by a ransomware attack. This is simply more proof that these bad actors have targeted both small and large organizations. Without proper security policies and procedures, there is a strong possibility that a bad actor will get into your network and disrupt your business.

              For some businesses like MGM, it can be easy to fix. There are plenty of insurance options out there that will cover any losses that might come with these things. However, insurance is a response rather than a method of prevention. Once information is taken, no amount of insurance is going to get it back. If a business has customer information stolen, then customers should not do business with them unless they make an effort to remediate such things.

              Conclusion

              The MGM Resorts International cyber attack was an unfortunate series of events. From previous data breaches, bad actors were able to pick up enough information to get into an account that had permission to access many things. It was a simple phone call to an IT employee that allowed them in, impersonating the account owner and getting access through a multi-factor authentication reset.

              Upon the reset, the hackers were able to get into the account and steal more accounts. All of this could have been prevented with security awareness training and some vulnerability assessment. With the lack of training, MGM Resorts International was brought down. Servers were shut off for multiple days, disrupting their reservation systems, their digital keycard network, and more.

              It’s always a good idea to get proper cybersecurity into place. When it comes to cyber attacks, it doesn’t matter if you have a big company or a small one; no one is immune to them. The only big difference is the way that some businesses can bounce back from such an attack. Smaller businesses may have a hard time with remediation, so a good rule of thumb is to stop cyber attacks before they start.

              Eddy Berry, Security Research Analyst

              Eddy has been researching cybersecurity for a few years now. Finding specific trends and best practices is something he takes pride in, assisting in finding news and government regulation that are on the rise. He researches topics and writes articles based on current events and important vulnerabilities that are affecting people, always hoping to get the necessary cybersecurity steps to those that need them.