David Bradbury, chief information security officer (CISO) at identity and access management (IAM) specialist Okta, has confirmed that two cyber attacks targeting Las Vegas casino operators MGM Resorts and Caesars Entertainment appeared to exploit the company’s technology as an access vector, providing a clue as to how the concurrent cyber attacks began.
In a newly published interview with news agency Reuters, Bradbury revealed that both MGM Resorts and Caesars Entertainment were among five Okta clients to have fallen victim to the threat actor known as UNC3944 – aka Scattered Spider, Scatter Swine, 0ktapus – likely acting as an affiliate of the ALPHV/BlackCat ransomware operation, in the past few weeks.
He said Okta was working with law enforcement and cooperating with official investigations.
Okta has been a persistent focus of UNC3944’s interest for well over a year. In 2022, the cyber criminal operation leveraged its brand in a series of attacks on the technology industry, and just a fortnight ago it warned that a new wave of social engineering attacks was targeting its customers.
Bradbury told Reuters he had seen “a ramp up” in social engineering attacks against Okta customers in the past year, and spoke of a consistent pattern of social engineering attacks that duped victims’ IT helpdesks into granting them access.
Bradbury did not reveal the identities of the other victims. However, researchers at London-based security consultancy DynaRisk earlier published information based on a scan of its data that suggests UNC3944 – or others – may be in possession of stolen Okta credentials linked to over 500 other companies.
DynaRisk claimed these organisations include tech firm Adobe, drinks giant Diageo and games developer Epic Games.
Ransomware gang: ‘We did it, and here’s how’
Okta’s admission goes some way to addressing the speculation that followed the release of a statement by the ALPHV/BlackCat ransomware operation on 14 September.
In the statement, the gang said MGM Resorts’ IT team shut down its systems after detecting the gang had compromised its Okta servers and, in its words, was “sniffing passwords of people whose passwords couldn’t be cracked from their domain controller hash dumps”.
This supposedly resulted in MGM Resorts being locked out of its Okta tenant, while its attackers were able to retain super administrator privileges – exactly the scenario Okta had warned about – as well as global admin rights to MGM Resorts’ Microsoft Azure tenant.
The gang said the IT team had attempted to evict it after discovering it had accessed MGM’s Okta tenant, but “things did not go according to plan”.
Shortly after, on 11 September, the gang said it launched ransomware attacks against more than 100 ESXi hypervisors, having tried and failed to make contact with the victim.
Ariel Parnes, co-founder and chief operating officer for cloud incident response specialist Mitiga and a former Israeli cyber intelligence specialist, warned that the gang’s statements should not necessarily be taken as accurate.
“The veracity of the information released by MGM’s attacker remains uncertain. It is entirely possible that this disclosure is part of a calculated psychological campaign aimed at exerting added pressure on MGM. Such tactics can be employed to sow doubt, create internal discord and further the attacker’s agenda, making it imperative to approach such claims with caution and scepticism,” said Parnes.
“Even if the statement does not describe the true story, it sheds some light on how attackers can leverage the inherent complexity of hybrid environments with on-premises datacentres, cloud and SaaS [software as a service],” he told Computer Weekly in emailed comments.
Christopher Budd, director of the Sophos X-Ops team, said: “This is the Ocean’s Eleven of the cyber age.”
Budd said it was clear that threat actors were “extending their game into the information warfare space” and attempting to control the overall narrative. But he cautioned that this risks making it harder for incident responders to operate effectively.
“Attack attribution is difficult – and risky. Staying too focused on the ‘who’ rather than the ‘how’ of attackers can actually help the criminals, and can and will distract defenders’ focus from what’s truly important, such as setting up detection and response operations and closely monitoring threat activity clusters,” said Budd.
“At this point, all casinos should be moving to the highest defensive posture possible and taking active measures to verify the integrity of their systems and environment, and reviewing – if not activating – their incident response processes. There have been attacks against multiple casinos, and it’s possible we’ll see more. As the quote about why rob banks goes, ‘That’s where the money is’ – and that applies here,” he said.
MGM Resorts back online
At the time of writing, MGM Resorts has managed to stand up its public-facing website. In a statement posted to its website, it said: “MGM Resorts recently identified a cyber security issue affecting some of the company’s systems. Promptly after detecting the issue, we quickly began an investigation with assistance from leading external cyber security experts. We also notified law enforcement and took prompt action to protect our systems and data, including shutting down certain systems.
“Although the issue is affecting some of the company’s systems, the vast majority of our property offerings currently remain operational, and we continue to welcome tens of thousands of guests each day. We are ready to welcome you.”
The organisation is accepting and honouring reservations, and processing credit card transactions as normal, although its mobile check-in and digital room key services remain offline. It is also waiving cancellation fees for guests with reservations through to Sunday 24 September.
As reported last week, Caesars Entertainment appears to have experienced a lesser degree of disruption, having paid a significant ransom.