Episode Overview:

In this extended episode, host Marc David and cybersecurity expert Savvy Sharma delve deep into the recent cyberattack on MGM Resorts International. They discuss the tactics used by the attackers, the vulnerabilities exploited, and the cascading impact of the breach on MGM's operations.

Key Discussion Points:

Introduction to the MGM Resorts Attack

• Overview of the attack and its significance in the cybersecurity landscape.

The Attackers and Their Tactics

• The role of Scattered Spider and their use of social engineering.
• The exploitation of password reuse and the significance of multi-factor authentication.

The Impact and Aftermath

• The deployment of BlackCat/ALPHV ransomware and its consequences.
• The financial and operational repercussions for MGM Resorts.

Lessons Learned and Mitigation Strategies

• The importance of privileged access management (PAM) solutions.
• Strategies for improving multi-factor authentication (MFA) control.
• The significance of protecting Tier 0 assets and adopting best Identity Provider (IdP) practices.

CyberArk Labs' Takeaways

• The commonality of attacking IAM platforms.
• The role of BlackCat/ALPHV in the attack.
• The importance of monitoring trust changes and staying updated on evolving cyber threats.

Episode Highlights:

• "A series of mistakes ultimately led to one of the most visible and brand-damaging attacks in years." - Savvy Sharma
• "It’s crucial for organizations to continuously improve their security measures and follow best practices to protect themselves in today’s digital landscape." - Savvy Sharma

---

I do hope you enjoyed this episode of the podcast. Here's some helpful resources including any sites that were mentioned in this episode.

--

Sites Mentioned in this Episode

• The MGM Resorts Attack: Initial Analysis

--

Find subscriber links on my site, add to your podcast player, or listen on the web players on my site:

Listen to Byte Sized Security

--

Support this Podcast with a Tip:

Support Byte Sized Security

Marc: 00:00:00

Hello everyone and welcome back to Byte Sized Security.

2

: 00:00:03

I'm your host, Marc David, and today

we have a special guest with us,

3

: 00:00:06

Savvy Sharma, a cybersecurity expert.

4

: 00:00:09

We're going to delve into the MGM Resorts

Attack, a cyber incident that has raised

5

: 00:00:12

serious concerns about data security

and organizational vulnerabilities.

6

: 00:00:17

Savvy, welcome to the show.

7

: 00:00:18

Carla: Thank you Marc.

8

: 00:00:19

It's a pleasure to be here.

9

: 00:00:21

Marc: Let's jump right in.

10

: 00:00:22

Can you give us an overview of what

happened in the MGM Resorts Attack?

11

: 00:00:25

Carla: Certainly.

12

: 00:00:26

The attack was allegedly initiated by a

criminal gang known as Scattered Spider.

13

: 00:00:30

They used social engineering tactics

to gain a foothold in MGM's network.

14

: 00:00:34

They were successful in duping the

helpdesk into resetting a high-value

15

: 00:00:37

user's multi-factor authentication,

which led to a near shutdown

16

: 00:00:41

of MGM Resorts International.

17

: 00:00:43

Marc: That's alarming.

18

: 00:00:44

How did the attackers escalate

their access within the network?

19

: 00:00:47

Carla: They exploited a common mistake

of password reuse and gathered additional

20

: 00:00:51

information from LinkedIn profiles.

21

: 00:00:53

They then configured an entirely

additional Identity Provider in

22

: 00:00:56

the Okta tenant using a feature

called "inbound federation."

23

: 00:00:59

This gave them control not only

over Okta but also over MGM's

24

: 00:01:03

Microsoft Azure cloud environment.

25

: 00:01:05

Marc: What was the impact of gaining

control over these platforms?

26

: 00:01:08

Carla: It was catastrophic.

27

: 00:01:09

They deployed BlackCat/ALPHV

ransomware, which encrypted several

28

: 00:01:13

hundred of MGM's ESXi servers.

29

: 00:01:15

This led to a cascade of failures,

affecting hotel room keys,

30

: 00:01:19

dinner reservation systems,

point-of-sale systems, and more.

31

: 00:01:22

MGM was losing as much as $8.4

million in revenue every day

32

: 00:01:26

until the problems were fixed.

33

: 00:01:28

Marc: Can you elaborate on the role of

BlackCat/ALPHV ransomware in this attack?

34

: 00:01:33

Carla: Certainly.

35

: 00:01:33

BlackCat/ALPHV is part of

a Ransomware-as-a-Service

36

: 00:01:36

(RaaS) business model.

37

: 00:01:38

They provide professional services

that Scattered Spider lacks, such as

38

: 00:01:41

malware creation, back-end command and

control, and even negotiation services.

39

: 00:01:46

This collaboration amplified the

impact of the attack, causing cascading

40

: 00:01:50

chaos across MGM's operations.

41

: 00:01:52

Marc: That's a staggering amount.

42

: 00:01:54

What could have been done to prevent this?

43

: 00:01:55

Carla: One of the key chokepoints

was the MFA device reset.

44

: 00:01:58

If that had been detected or not possible,

the attack could have been limited.

45

: 00:02:02

Also, IAM infrastructure should be

considered Tier 0 assets, and their

46

: 00:02:06

compromise could lead to a significant

portion of a network being paralyzed.

47

: 00:02:10

Marc: What are some of the lessons

learned and mitigation strategies

48

: 00:02:13

that organizations can adopt?

49

: 00:02:15

Carla: Firstly, minimizing exposure

of privileged accounts is vital.

50

: 00:02:18

Implementing privileged access management

(PAM) solutions can reduce the risk.

51

: 00:02:22

Secondly, improving MFA control

by creating visibility into MFA

52

: 00:02:26

device changes is essential.

53

: 00:02:28

Lastly, protecting Tier 0 assets

and adopting Identity Provider

54

: 00:02:31

(IdP) best practices can go a long

way in securing an organization.

55

: 00:02:35

Marc: Could you share some of the

critical initial takeaways from

56

: 00:02:38

CyberArk Labs regarding this attack?

57

: 00:02:40

Carla: Absolutely.

58

: 00:02:41

Attacking IAM platforms is a common

tactic that threat actors use.

59

: 00:02:45

It gives them persistent access to an

organization and extends their privileges

60

: 00:02:49

into more systems, causing more damage.

61

: 00:02:51

The worst part of this breach was

that MGM’s IdP was configured in a

62

: 00:02:55

way that allowed Scattered Spider to

pivot into their VMware infrastructure.

63

: 00:02:58

This is where BlackCat/ALPHV

became involved.

64

: 00:03:02

Marc: Those are invaluable insights Savvy.

65

: 00:03:04

Before we wrap up, any final thoughts?

66

: 00:03:06

Carla: A series of mistakes ultimately

led to one of the most visible and

67

: 00:03:10

brand-damaging attacks in years.

68

: 00:03:11

To mitigate similar attacks, organizations

should focus on minimizing the exposure

69

: 00:03:16

of privileged accounts, implementing

strong authentication measures such

70

: 00:03:20

as MFA, protecting Tier 0 assets,

monitoring trust changes, and staying

71

: 00:03:24

updated on evolving cyber threats.

72

: 00:03:26

It’s a lot to do, but it’s crucial

for organizations to continuously

73

: 00:03:30

improve their security measures and

follow best practices to protect

74

: 00:03:33

themselves in today’s digital landscape.

75

: 00:03:35

Marc: Absolutely.

76

: 00:03:36

Savvy, thank you for joining us

today and sharing your expertise.

77

: 00:03:40

Carla: It was my pleasure Marc.

78

: 00:03:41

Thank you for having me.

79

: 00:03:42

Marc: And to our listeners, thank

you for tuning in to another

80

: 00:03:45

episode of Byte Sized Security.

81

: 00:03:47

Stay safe and stay informed.