
Okta: Caesars and MGM targeted in social engineering attack


Okta, the identity management vendor, has confirmed that two of its major customers, Caesars Entertainment and MGM Resorts, fell victim to social engineering attacks. The cyberattack on MGM Resorts caused significant disruptions to its hotels and casinos in Las Vegas, prompting the company to issue a statement acknowledging a “cybersecurity issue affecting some of the Company’s systems.” However, MGM Resorts later stated that its gaming floors and resort services were operating normally.

Caesars Entertainment also confirmed an attack through an 8-K filing, in which it revealed that an unauthorized actor had stolen data in a social engineering attack targeting an outsourced IT support vendor. The breach occurred on September 7th, with threat actors gaining access to a loyalty program database containing members’ Social Security and driver’s license numbers.

VX-Underground, a cybersecurity research collective, attributed the MGM attack to the Alphv/BlackCat ransomware gang and a threat actor known as Scattered Spider. They claimed that the attackers used vishing, a form of social engineering that involves voice calls, to compromise the company. Alphv later took responsibility for the attack and claimed that MGM’s Okta super administrator accounts had been compromised.

While no threat actors have publicly claimed responsibility for the attack on Caesars, The Wall Street Journal reported that the company paid a $15 million ransom to the attackers. Ransomware gangs typically do not disclose the names of victim organizations that pay the ransom.

Recently, Reuters reported that both Caesars and MGM were Okta customers. Okta confirmed that both companies were compromised in social engineering attacks, which were detailed in a blog post published last month. Okta reported that four unnamed customers were attacked by a threat actor attempting to gain highly privileged roles in each customer tenant’s environment.

A spokesperson from Okta confirmed that Caesars was among the four victims mentioned in the blog post, while MGM was the fifth victim in the social engineering campaign. The other three victims remain unidentified.

According to Okta’s August blog post, the attack chain began with vishing calls aimed at convincing IT service desk personnel to reset multi-factor authentication (MFA) factors enrolled by highly privileged users. The threat actors either obtained passwords to privileged user accounts or manipulated authentication flows in the victims’ Active Directory. They then called the IT service desk and requested a reset of MFA factors for Okta super administrator accounts, gaining access to these accounts and using them to reset authenticators and assign higher privileges to other accounts.

Okta also revealed that the threat actors used “novel methods of lateral movement and defense evasion.” They configured a second identity provider controlled by the threat actors to serve as an “impersonation app,” granting other users single sign-on access to the victim organizations’ applications.
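The sequence described above (a service-desk MFA reset on a privileged account, followed by that account adding an identity provider or granting privileges) can be turned into a log correlation. The sketch below is an added example, not code from Okta or from this article; the event type names are Okta System Log types, while the accounts, timestamps, privileged-account list and 24-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Okta System Log event type names; the correlation rule itself is an assumption.
MFA_RESET = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
FOLLOW_UP = {"system.idp.lifecycle.create", "user.account.privilege.grant"}
WINDOW = timedelta(hours=24)  # assumed correlation window

def make_event(ts, etype, actor, target):
    """Build a constructed event holding only the fields the rule reads."""
    return {"published": ts, "eventType": etype,
            "actor": {"alternateId": actor},
            "target": [{"alternateId": target}]}

# Constructed sample log: one suspicious chain plus two benign events.
SAMPLE_EVENTS = [
    make_event("2024-01-10T09:00:00Z", "user.mfa.factor.reset_all",
               "helpdesk@example.com", "superadmin@example.com"),
    make_event("2024-01-10T09:40:00Z", "system.idp.lifecycle.create",
               "superadmin@example.com", "idp-external"),
    make_event("2024-01-10T10:05:00Z", "user.account.privilege.grant",
               "superadmin@example.com", "newuser@example.com"),
    make_event("2024-01-10T11:00:00Z", "user.mfa.factor.reset_all",
               "helpdesk@example.com", "clerk@example.com"),
    make_event("2024-01-10T12:00:00Z", "system.idp.lifecycle.create",
               "admin2@example.com", "idp-partner"),
]

def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")

def find_reset_then_admin_change(events, privileged, window=WINDOW):
    """Flag privileged accounts whose factors were reset by someone else and
    which then created an IdP or granted privileges within `window`."""
    findings, last_reset = [], {}
    for event in sorted(events, key=_ts):
        actor = event["actor"]["alternateId"]
        if event["eventType"] in MFA_RESET:
            for target in event.get("target", []):
                account = target["alternateId"]
                if account in privileged and account != actor:
                    last_reset[account] = _ts(event)
        elif event["eventType"] in FOLLOW_UP and actor in last_reset:
            if _ts(event) - last_reset[actor] <= window:
                findings.append((actor, last_reset[actor].isoformat(),
                                 event["eventType"]))
    return findings

PRIVILEGED = {"superadmin@example.com", "admin2@example.com"}
```

Each finding names the account, the time of the reset and the follow-up action, which gives responders a starting point for confirming the reset request with the account owner.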

While Okta did not explicitly attribute the attack to Scattered Spider, a spokesperson mentioned that the observed behavior was consistent with their activity, citing third-party threat intelligence reports from Trellix, CrowdStrike, and Mandiant.

Media outlets, including Reuters, reported that Scattered Spider was responsible for the MGM attack. Mandiant also stated that Scattered Spider has deployed Alphv ransomware in its recent threat activity.

TechTarget Editorial has reached out to MGM Resorts and Caesars Entertainment for additional comments on the attacks.

In conclusion, both Caesars Entertainment and MGM Resorts fell victim to social engineering attacks, compromising their systems and customer data. The attacks utilized vishing calls and targeted privileged user accounts to gain access to sensitive information. The responsible threat actors, including the Alphv/BlackCat ransomware gang and Scattered Spider, exploited weaknesses in the companies’ security measures. The incident highlights the importance of robust cybersecurity protocols to protect against social engineering attacks.
