What Happened?
MGM Resorts recently suffered a cyber attack that severely impacted its business operations.
This attack was discovered on September 11, when MGM Resorts put out a statement via X (formerly Twitter) that a cyber security incident was impacting some of its systems. MGM Resorts reassured customers that it had contacted law enforcement regarding the cyber attack, and that an investigation into it had been launched. The company also said it was “working diligently to determine the nature and scope of the matter.”
Understanding the Threat
The ALPHV ransomware group, which launched the cyber attack on MGM Resorts, recently released a statement where they impersonated an MGM employee based on their social media presence, and called MGM’s help desk to get access to the employee’s accounts and MGM’s infrastructure.
According to the ALPHV group’s statement, all they [ALPHV Ransomware Group] did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation.” This infection vector indicates that MGM Resorts did not have sufficient end user verification measures in place to deter fraudulent callers.
Once they gained their foothold, the ALPHV ransomware group gained administrator access and deployed ransomware across their environments. They also exploited unpatched vulnerabilities in the network, allowing them to move laterally and gain access to sensitive systems. Subsequently, they harvested sensitive data, including customer names, addresses, phone numbers, and email addresses.
Significance of the Threat
This breach highlights an attack surface that has been proven over time to be the most vulnerable point in any business: its people. Due to a lack of identity and access management (IAM) at the help desk level, these threat actors were able to achieve complete access to MGM Resorts’ networks and devices with ease, all with one simple password reset. By impersonating a high-level employee, their infiltration also went undetected without raising red flags with MGM’s security team.
Unfortunately, customers also experienced the impact of this breach across September 12-13, 2023. The attack disabled slot machines and online booking systems across several MGM Las Vegas properties. With guests unable to check in, make card payments to book rooms, cancel reservations, or even log into their MGM account, operations came to a standstill.
Digital keys were also reported to not be working, leading to staff having to hand out physical keys. Other guests said they were unable to log into their MGM accounts.
The main websites for all 31 resorts that MGM manages were reportedly down as of September 13. The sites displayed an error message and urged customers to contact the resort either via third-party sites or via a phone call.
How This Matters to MSPs
Despite a billion-dollar cybersecurity budget and several concentric rings of protection around crucial information and data, threat actors were still able to access MGM Resorts’ privileged information and disrupt their operations.
While MGM is a larger target, CyberQP recommends that MSPs prioritize securing their people first, for both their employees and their end users. Specifically, they need an Identity and Access Management (IAM) solution to complement existing security solutions and security awareness training, to protect your help desk from malicious vishing attempts, phone spoofing, and impersonation attacks. This solution should be capable of offering biometric identity verification, so that an end user is who they claim to be.
CyberQP’s Recommendations
At CyberQP, we’re developing solutions to support MSP help desk technicians against threat actors launching impersonation attacks, and offering a scalable way to secure their clients’ environments. Our Q Desk solution allows MSP partners to implement a Zero Trust Help Desk that protects your MSP from internal and external threats, an essential part of your cybersecurity. Anytime a user contacts the help desk or attempts to reset their password, they must verify their identity. MSPs with CyberQP can automatically log permissions and changes in their platform natively or into your PSA, so you have full transparency into all account activity.
Are you interested in learning how you can protect your MSP from attacks just like this, before it is too late? Book time with a product specialist below to review our end-user identity verification solution, Q Desk.
References:
- https://www.cshub.com/attacks/news/a-full-timeline-of-the-mgm-resorts-cyber-attack
- https://gizmodo.com/mgm-grand-cyberattack-caused-by-10-minute-phone-call-1850834558
- https://cybernews.com/security/mgm-cyberattack-claimed-alphv-blackcat-ransomware-group/
- https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-casino-vishing-cybersecurity-ransomware
