In a recent cyberattack on MGM Resorts and Caesars Entertainment, the threat actors responsible claim to have breached MGM’s systems by gaining access to the company’s Okta platform. Okta is a widely used identity and access management (IAM) provider for cloud-based services. The attackers targeted the Okta Agent, a lightweight client that connects to an organization’s Active Directory.
According to a statement posted on a leak site by the threat group ALPHV, they were able to intercept passwords from MGM’s Okta Agent servers. This forced MGM to shut down all of its Okta Sync servers, resulting in the complete shutdown of their Okta system. ALPHV stated that after obtaining the passwords, they proceeded to launch ransomware cyberattacks against over 1,000 ESXi hypervisors on September 11th.
The ransomware group has made it clear that MGM Resorts has not engaged in negotiations with them, and they are threatening further action if a financial arrangement is not made. The group claims to still have access to some of MGM’s infrastructure and will carry out additional attacks if no deal is reached. They also mentioned the possibility of releasing the exfiltrated data to Troy Hunt of Have I Been Pwned for responsible disclosure.
ALPHV, also known as BlackCat, is the ransomware-as-a-service (RaaS) operator that provided the malware and support services to the threat group Scattered Spider for the casino cyberattacks.
David Bradbury, the chief security officer of Okta, confirmed that the cyberattack on MGM involved social engineering tactics. He explained that the threat actors were sophisticated enough to deploy their own identity provider (IdP) and user database into the Okta system. Bradbury emphasized the importance of adding a visual verification step at the helpdesk for users with high access privileges to prevent such cyberattacks.
In an alert issued on August 31st, Okta warned of potential social engineering attacks targeting its systems. The alert mentioned attempts to gain highly privileged access through social engineering tactics and the abuse of identity federation features to impersonate users within compromised organizations.
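The two warnings above (an attacker-controlled identity provider added to a tenant, and federation abused to impersonate users) are the kind of activity a defender would want to surface from Okta's System Log. The following is an added example, not code from the article or from Okta: it parses constructed Okta-style log lines, flags the individual high-signal events, and correlates an MFA factor reset with an identity provider created by the same account shortly afterwards. The event type names follow Okta's System Log naming convention but are assumptions to verify against your own tenant; the log lines and addresses are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed Okta-style System Log lines (not real data): a helpdesk account
# resets all MFA factors for an admin, the admin signs in, then that admin
# creates a new identity provider, the pattern the warning above describes.
SAMPLE_LOG = """
{"published":"2023-01-15T14:02:11.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"admin@example.com"}]}
{"published":"2023-01-15T14:40:05.000Z","eventType":"user.session.start","actor":{"alternateId":"admin@example.com"},"target":[]}
{"published":"2023-01-15T15:10:33.000Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"admin@example.com"},"target":[{"alternateId":"Inbound SAML (new)"}]}
"""

# Event types worth an alert on their own. Names follow Okta's System Log
# convention but are assumptions; verify them against your tenant's schema.
HIGH_SIGNAL = {
    "system.idp.lifecycle.create": "new identity provider added",
    "system.idp.lifecycle.update": "identity provider modified",
    "user.session.impersonation.initiate": "admin impersonation session started",
    "user.mfa.factor.reset_all": "all MFA factors reset for a user",
}

def parse_log(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def single_event_findings(events):
    """Return (time, actor, reason) for every high-signal event."""
    return [(ev["published"], ev["actor"]["alternateId"], HIGH_SIGNAL[ev["eventType"]])
            for ev in events if ev["eventType"] in HIGH_SIGNAL]

def reset_then_idp_findings(events, window=timedelta(hours=24)):
    """Correlate: an account whose MFA factors were reset then creates an IdP
    within `window`. Returns (account, idp_name) pairs."""
    reset_at = {}  # account -> time its factors were reset
    findings = []
    for ev in sorted(events, key=_ts):
        if ev["eventType"] == "user.mfa.factor.reset_all":
            for tgt in ev.get("target", []):
                reset_at[tgt["alternateId"]] = _ts(ev)
        elif ev["eventType"] == "system.idp.lifecycle.create":
            actor = ev["actor"]["alternateId"]
            if actor in reset_at and _ts(ev) - reset_at[actor] <= window:
                findings.append((actor, ev["target"][0]["alternateId"]))
    return findings
```

The correlation rule is the more useful of the two in practice, since a single IdP creation by a legitimate administrator is routine while one following a helpdesk-initiated factor reset is not.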
Okta has been transparent about its relationship with MGM, working with the hospitality company to provide the necessary tools for the guest experience.
The recent cyberattack on MGM could mark the beginning of a new wave of attacks targeting high-privilege users. Cybersecurity experts warn that Okta, being a popular IAM provider, is an appealing target for cybercriminals. The recommended response is robust security measures, continuous monitoring, and prompt sharing of threat intelligence.
According to Aaron Painter, the CEO of Nametag, the real issue lies in the fundamental design of multi-factor authentication (MFA). MFA is intended to verify devices rather than people, leading to vulnerabilities during enrollment and recovery processes. Painter emphasizes that MFA was not built to address these human authentication challenges.
Okta will continue to work with both MGM and Caesars on response and recovery efforts following the cyberattacks.
The situation is still unfolding, and further developments are expected.
