Vegas Under Cyber Attack: What Went Wrong

With recent cyber attacks crippling popular Las Vegas properties, how can organizations position themselves to protect and recover from this type of breach?

By now, most are aware of the recent and highly destructive cyber attacks that crippled the popular Las Vegas properties MGM Resorts and Caesars, along with other large companies. But what actually happened during this attack, and how can companies position themselves to protect against, and recover from, this type of breach?

What was the cost of the attack?

While cyberattacks are increasingly prevalent and costly, the MGM attack was a case study in how wide a reach a single breach can have. The outage – which lasted ten days – impacted almost every aspect of the customer experience in a very real way:

  • The MGM website went down, impacting its ability to book new reservations and manage existing ones.
  • Many of the electronic slot machines were non-operational.
  • TV and entertainment systems inside hotel rooms went down.
  • Corporate emails were inaccessible.
  • Whether sensitive customer information was compromised had not been confirmed at the time of writing.

All in all, some estimates put the cost of the breach to MGM at around $80 million.

How did it happen?

While not everything is yet known about this attack, certain details are becoming clear.

Most experts attribute this attack to a group of mostly US- and UK-based individuals known as “Scattered Spider”. The group is known for gaining access to sensitive systems and information through persuasive social engineering, typically by impersonating employees to IT helpdesks. In this case, those tactics gave the attackers access to MGM's and Caesars' Okta tenants, allowing them to harvest credentials and sensitive data and to reach the many critical applications that authenticate through those tenants. Ultimately, the attackers deployed ransomware.

But this is an isolated incident, right?

Unfortunately, the type of attack orchestrated here is all too common. While not all such attacks are as highly publicized, they can be just as damaging to the targeted businesses.

Okta recently reported an increase in social-engineering attacks aimed at accounts with Super Administrator permissions. In these cases, attackers contacted the IT helpdesk and, posing as a privileged user, convinced staff to reset all of that user's Multi-Factor Authentication factors. The attacker then enrolled their own factors, signed in as the Super Administrator, and used that highly privileged access to steal sensitive data and take down applications.

Why is this happening now?

The way businesses have built their operations around their IAM environments has created a perfect storm of risk and damage for today’s organizations.

“IAM vendors today serve a critical business function,” says Jerry Miller, Product Director at MightyID.  “Everything is integrated with these systems which makes them more complex, more subject to more and bigger changes, and more difficult to detect when there are unauthorized changes.”

The ubiquity of IAM systems, and how deeply they are embedded in basic operational functions, makes them an attractive target for bad actors. “The recent breaches and the resulting outages show that attacks are becoming more sophisticated, more common, and more tailored to identity services,” says Miller.

How can an organization prepare for this type of attack?

It has become apparent that for any enterprise, protecting your IAM environment is protecting your business. With attackers becoming bolder and more aggressive, it is no longer acceptable to operate without a business continuity/disaster recovery plan for identity that has actually been tested and can be executed under pressure.

MightyID offers features that can help detect, contain, and recover from threats like those experienced by these recent victims.

1. MFA or Super Admin Change Alerts

Identity security platforms like MightyID add tooling for faster detection of questionable changes, such as weakening of controls on privileged users, so you can react before a threat becomes a business disaster. MightyID can trigger alerts on changes to MFA policies or on changes to the users in an admin, executive, or other privileged group.
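To make the detection side concrete, here is an added example (not MightyID's or Okta's code) of alerting logic run over a constructed Okta System Log export. It flags MFA factor resets on privileged users, additions to privileged groups, admin role grants and edits to MFA-related policies, and raises a CRITICAL alert when a reset is followed within an hour by a new factor enrollment for the same user, the helpdesk-reset-then-attacker-enrolls sequence described above. The eventType strings are Okta System Log event types as understood by the author of this example and should be verified against your own tenant; the group names, users and sample events are constructed.

```python
"""Detection rules over Okta System Log events for MFA weakening and privilege escalation.

Added example, not MightyID's or Okta's code. The eventType strings are Okta
System Log event types as understood by this example's author (assumption:
verify against your tenant). Group names, users and sample events are constructed.
"""
import json
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Okta Administrators", "Executives"}   # assumed tenant groups

MFA_WEAKENING = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
MFA_ENROLL = {"user.mfa.factor.activate"}
PRIVILEGE_GRANT = {"user.account.privilege.grant"}
GROUP_ADD = {"group.user_membership.add"}
POLICY_CHANGE = {"policy.rule.update", "policy.rule.deactivate",
                 "policy.lifecycle.update", "policy.lifecycle.deactivate"}


def _targets(event, kind):
    return [t for t in event.get("target", []) if t.get("type") == kind]


def _when(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def evaluate_event(event, privileged_users):
    """Return an alert dict for one event, or None if no rule fires."""
    etype, actor = event["eventType"], event["actor"]["alternateId"]
    users = [t["alternateId"] for t in _targets(event, "User")]
    groups = [t["displayName"] for t in _targets(event, "UserGroup")]
    policies = [t["displayName"] for t in event.get("target", [])
                if t.get("type", "").startswith("Policy")]
    verdict = None
    if etype in MFA_WEAKENING:
        # A helpdesk "reset all factors" on an admin is step one of the chain
        # described above, so it outranks the same reset on an ordinary user.
        hit = any(u in privileged_users for u in users)
        verdict = ("HIGH" if hit else "MEDIUM",
                   f"{actor} reset or deactivated MFA for {', '.join(users)}")
    elif etype in GROUP_ADD and set(groups) & PRIVILEGED_GROUPS:
        verdict = ("HIGH", f"{actor} added {', '.join(users)} to {', '.join(groups)}")
    elif etype in PRIVILEGE_GRANT:
        verdict = ("HIGH", f"{actor} granted an admin role to {', '.join(users)}")
    elif etype in POLICY_CHANGE and any("MFA" in p.upper() for p in policies):
        verdict = ("HIGH", f"{actor} changed policy {', '.join(policies)}")
    if verdict is None:
        return None
    return {"severity": verdict[0], "published": event["published"],
            "eventType": etype, "actor": actor, "message": verdict[1]}


def correlate_reset_reenroll(events, window_minutes=60):
    """CRITICAL when an MFA reset on a user is followed within the window by a
    factor enrollment for that user: the attacker enrolling their own device
    after the helpdesk cleared the legitimate one."""
    alerts = []
    for reset in (e for e in events if e["eventType"] in MFA_WEAKENING):
        reset_users = {t["alternateId"] for t in _targets(reset, "User")}
        for enroll in (e for e in events if e["eventType"] in MFA_ENROLL):
            shared = reset_users & {t["alternateId"] for t in _targets(enroll, "User")}
            gap = _when(enroll) - _when(reset)
            if shared and timedelta(0) <= gap <= timedelta(minutes=window_minutes):
                ip = enroll.get("client", {}).get("ipAddress", "unknown IP")
                alerts.append({"severity": "CRITICAL", "published": enroll["published"],
                               "eventType": "correlation.mfa_reset_then_enroll",
                               "actor": reset["actor"]["alternateId"],
                               "message": f"{', '.join(sorted(shared))} re-enrolled MFA from {ip} "
                                          f"{int(gap.total_seconds() // 60)} min after reset"})
    return alerts


def parse_log(log_lines):
    """Parse a JSON-lines System Log export into event dicts."""
    return [json.loads(line) for line in log_lines.splitlines() if line.strip()]


def run_detections(log_lines, privileged_users):
    events = parse_log(log_lines)
    alerts = [a for a in (evaluate_event(e, privileged_users) for e in events) if a]
    return alerts + correlate_reset_reenroll(events)


# Constructed export: helpdesk resets an admin's MFA, the "admin" re-enrolls from an
# outside IP, adds a new account to the admin group and edits the MFA policy.
SAMPLE_LOG = """
{"published": "2023-09-08T10:00:00Z", "eventType": "user.mfa.factor.reset_all", "actor": {"alternateId": "helpdesk@example.com"}, "client": {"ipAddress": "10.0.5.20"}, "target": [{"type": "User", "alternateId": "admin.jane@example.com"}]}
{"published": "2023-09-08T10:12:00Z", "eventType": "user.mfa.factor.activate", "actor": {"alternateId": "admin.jane@example.com"}, "client": {"ipAddress": "203.0.113.45"}, "target": [{"type": "User", "alternateId": "admin.jane@example.com"}]}
{"published": "2023-09-08T10:20:00Z", "eventType": "group.user_membership.add", "actor": {"alternateId": "admin.jane@example.com"}, "client": {"ipAddress": "203.0.113.45"}, "target": [{"type": "User", "alternateId": "svc.backup@example.com"}, {"type": "UserGroup", "displayName": "Okta Administrators"}]}
{"published": "2023-09-08T10:25:00Z", "eventType": "user.session.start", "actor": {"alternateId": "dev.a@example.com"}, "client": {"ipAddress": "10.0.7.3"}, "target": []}
{"published": "2023-09-08T10:31:00Z", "eventType": "policy.rule.update", "actor": {"alternateId": "admin.jane@example.com"}, "client": {"ipAddress": "203.0.113.45"}, "target": [{"type": "PolicyRule", "displayName": "MFA Enrollment - Admins"}]}
"""

if __name__ == "__main__":
    for a in run_detections(SAMPLE_LOG, {"admin.jane@example.com"}):
        print(a["severity"], a["published"], a["message"])
```

The per-event rules alone would rate the helpdesk reset as a routine HIGH; it is the correlation with the enrollment twelve minutes later from an outside address that turns it into the incident signal, which is why the sample keeps the enrollment event even though on its own it triggers nothing.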

2. Scope Investigations

When malicious activity is detected, MightyID helps you understand the extent of the damage by determining what changed since the intrusion began. MightyID also provides tools and reports for comparing your Okta or Azure AD (now Microsoft Entra ID) configuration against a known-good baseline, so that changes made by the attackers can be identified and reverted.

3. Recovery

Through targeted backup recovery, MightyID helps you quickly restore the objects the attackers changed to a previous good state, without touching unaffected users or settings.
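Items 2 and 3 together amount to a diff against a known-good baseline followed by a selective revert. The following added example (not MightyID's code) shows that workflow on a constructed tenant snapshot: it diffs a baseline export against the current state, classifies each change, and reverts only the changes in privileged scope, leaving a legitimate change made after the baseline in place. The snapshot layout, the scoping rule and the sample tenant are assumptions made for the demonstration; a real baseline would be exported from the Okta or Entra ID APIs.

```python
"""Scope an IdP compromise against a known-good snapshot, then revert only the
attacker's changes.

Added example, not MightyID's code. The snapshot layout (policies, group
memberships, admin role assignments), the scoping rule and the sample tenant
are constructed; a real baseline would be exported from the Okta or Entra ID API.
"""
import copy
from dataclasses import dataclass
from typing import Any

PRIVILEGED_GROUPS = {"Okta Administrators", "Executives"}   # assumed tenant groups


@dataclass(frozen=True)
class Change:
    path: tuple      # e.g. ("policies", "MFA Enrollment", "require_mfa")
    kind: str        # added | removed | changed | member_added | member_removed
    before: Any
    after: Any


def diff_snapshots(baseline, current, path=()):
    """Recursively diff two nested snapshots. Lists are compared as membership
    sets so that one added member is reported, and later reverted, on its own."""
    changes = []
    if isinstance(baseline, dict) and isinstance(current, dict):
        for key in sorted(set(baseline) | set(current)):
            if key not in current:
                changes.append(Change(path + (key,), "removed", baseline[key], None))
            elif key not in baseline:
                changes.append(Change(path + (key,), "added", None, current[key]))
            else:
                changes.extend(diff_snapshots(baseline[key], current[key], path + (key,)))
    elif isinstance(baseline, list) and isinstance(current, list):
        for member in sorted(set(current) - set(baseline)):
            changes.append(Change(path + (member,), "member_added", None, member))
        for member in sorted(set(baseline) - set(current)):
            changes.append(Change(path + (member,), "member_removed", member, None))
    elif baseline != current:
        changes.append(Change(path, "changed", baseline, current))
    return changes


def is_privileged_scope(change):
    """Assumed scoping rule: drift in admin roles, authentication policies or
    privileged group membership is reverted; everything else is kept for human
    review so unaffected users are not rolled back."""
    top = change.path[0]
    return top in ("admin_roles", "policies") or (
        top == "group_members" and change.path[1] in PRIVILEGED_GROUPS)


def targeted_restore(current, changes, in_scope=is_privileged_scope):
    """Return (restored, reverted, retained): a copy of the current tenant with
    only the in-scope changes undone."""
    restored = copy.deepcopy(current)
    reverted, retained = [], []
    for change in changes:
        if not in_scope(change):
            retained.append(change)
            continue
        parent = restored
        for key in change.path[:-1]:
            parent = parent[key]
        last = change.path[-1]
        if change.kind == "member_added":
            parent.remove(last)
        elif change.kind == "member_removed":
            parent.append(last)
        elif change.kind == "added":
            del parent[last]
        else:                              # removed or changed: put the baseline value back
            parent[last] = copy.deepcopy(change.before)
        reverted.append(change)
    return restored, reverted, retained


# Constructed known-good export taken before the intrusion.
BASELINE = {
    "policies": {"MFA Enrollment": {"status": "ACTIVE", "require_mfa": True},
                 "Password": {"status": "ACTIVE", "min_length": 14}},
    "group_members": {"Okta Administrators": ["admin.jane@example.com"],
                      "Engineering": ["dev.a@example.com"]},
    "admin_roles": {"admin.jane@example.com": ["SUPER_ADMIN"]},
}
# Constructed current state: three attacker changes plus one legitimate one.
CURRENT = copy.deepcopy(BASELINE)
CURRENT["policies"]["MFA Enrollment"]["require_mfa"] = False
CURRENT["group_members"]["Okta Administrators"].append("svc.backup@example.com")
CURRENT["admin_roles"]["svc.backup@example.com"] = ["SUPER_ADMIN"]
CURRENT["group_members"]["Engineering"].append("newhire@example.com")   # a real new hire

if __name__ == "__main__":
    changes = diff_snapshots(BASELINE, CURRENT)
    restored, reverted, retained = targeted_restore(CURRENT, changes)
    for c in reverted:
        print("REVERTED", "/".join(c.path), c.kind)
    for c in retained:
        print("KEPT    ", "/".join(c.path), c.kind)
```

Treating group membership as a set rather than a single value is what makes the restore targeted: the attacker's admin-group addition is removed one member at a time, so a new hire added to an unrelated group after the baseline was taken survives the restore and does not need to be re-provisioned afterwards.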

4. Migrate to a Good Tenant

If necessary, MightyID can copy the known-good identities and configuration from your compromised tenant to a new one, so the business can keep running.

5. Failover to another IdP  

If the entire IdP account is unusable, MightyID is one of the few solutions that can migrate identities and group memberships between two different IdPs. This greatly reduces the time needed to switch to a backup IdP, without paying for a fully licensed backup IdP until it is needed.

Hindsight is 20/20

No one has a crystal ball, and it is easy to sit on the sidelines and critique a disaster. But as cyberattacks grow in scale, frequency, and scope, businesses need to assess their security posture and put themselves in the best position to withstand one. Inaction is no longer a viable path forward. With proper preparation and tools, you can minimize the damage and keep your business out of the headlines.

Interested in learning more? Reach out to MightyID for a free trial.