

The MGM Data Breach – A potential smoking gun, could it have been prevented?

On September 13th, news started to get out that MGM had again suffered a data breach, followed by a ransom demand from the Scattered Spider hacker group. Stories in the media have suggested that social engineering might have been involved and that the whole hack took only 10 minutes to execute. While it may have taken only a few minutes to execute, it likely took far longer to plan: the hackers were probably well prepared, having already performed reconnaissance and gathered intelligence on their targets.

DynaRisk identified 1,200 risk signals (cybersecurity issues), rating the company as ‘much higher risk’ than its peers. We also identified over 1,270 stolen credentials for both MGM employees and MGM's customers.

In this blog post, we will examine how the hackers may have gained access to MGM's systems using DynaRisk's cyber intelligence data from Breach Check. You can download our PDF report of the analysis in our Resource Centre.


How we gather data

We collected our data through the use of our Cyber Risk Monitoring tool, Breach Check. Breach Check functions by checking a company's domain name, identifying their internet-facing assets and then running them through our scanning modules.


MGM’s attack surface

Scanning mgmresorts.com shows the company has a huge attack surface, with Breach Check identifying over 1,200 risk signals and rating the company Much Higher risk than peers with many high and medium severity findings. So, what issues are driving this rating?


Vulnerabilities – Were these an issue?

From our data, we see MGM’s vulnerability footprint is minimal; they seem to be doing a good job securing their perimeter.

We only identified 10 vulnerabilities, and we can see their applications are behind Cloudflare web application firewalls, their content is hosted via Akamai, and they have some Palo Alto firewalls.

From what we can see, we will rule out a vulnerability being used to break into the company for now from the information we have.


The real issue – Hacked employees & stolen credentials

Our data shows we have over 1,270 stolen credentials for both MGM employees and MGM's customers. Credentials were stolen by infostealer malware implanted on PCs which then steals login credentials.

The data is telling: there is a slow drip of stolen credentials over time, but there are clearly two large spikes in activity, in March and in August/September 2023.


When we exclude hacked customers and only focus on MGM employees, we find 96 employees were hacked and had credentials stolen by malware implanted on their PCs. 


Analyzing stolen employee credentials

Our data shows we have over 200 stolen credentials for 96 MGM employees; while many of these are for sites that are relatively innocuous, like someone’s password for their forbes.com subscription, there are some real diamonds in the rough. The hackers may have found their target using this type of data to learn about the employee, gather intelligence, then impersonate them to a helpdesk support agent.

Here is a sample of 39 of the sites from which MGM employees had data stolen.


Hacked employee analysis

Out of all the hacked MGM employees, a few stick out like a sore thumb, as you can see from this chart. Of the 96 hacked employees, one has had a staggering 63 credentials stolen, 26 more had between two and five credentials stolen, and the remaining 69 had only one.


Potential entry points


Potential entry point 1 - MGM VPN

We see one hacked employee who had their VPN credentials stolen; the account was seen in March, June and September of this year. The account’s username is a number rather than an employee’s name, so it would be hard to match it to a specific person to target for social engineering.

Affected URL: gpvpn.mgmresorts.com/global-protect/login.esp


Potential entry point 2 – MGM Exchange Server via Outlook Web Access (OWA)

Similar to the VPN credentials, we’ve seen credentials stolen for OWA access to employee email accounts. Some of these stolen accounts are linked to employee usernames and contain passwords. Hackers could have specifically targeted these users; some of the most recent stolen credentials were exposed in August and September.

Affected URL: exchange.mgmresorts.com/owa/auth/logon.aspx


Potential entry point 3 – MGM’s identity and access management portal (IAM)

At least two more employees had credentials stolen from this IAM portal; one credential includes a session ID, which could have been re-used to assist with the login process.

Affected URL: iam.mgmresorts.com/ui/external/reset.jsf


Potential entry point 4 – Okta

We have observed at least one MGM employee who had their Okta credentials stolen. That person’s profile on LinkedIn indicates they are a support engineer who may have had elevated privileges to systems or could request elevated privileges.

Earlier in September, a great article was published about hackers targeting IT help desks to gain admin access and bypass MFA.

“The company says that before calling the IT service desk of a target organization, the attacker either had passwords for privileged accounts or could tamper with the authentication flow through the Active Directory (AD).” - Bleeping Computer.

Perhaps the already stolen passwords for privileged accounts are the ones we mentioned above.

We scanned our data for companies with stolen Okta credentials and found a staggering 522 companies, including Diageo, Epic Games, Circle K, Delivery Hero, Adobe, Coxauto, Fox and Restaurant Brands International. The companies had a total of 3,700 credentials stolen. These could be used in many attacks to come.

If you are an Okta customer or work with companies that are, contact us for intelligence scans of these companies to see if we can help you secure them against similar attacks.


Affected URL: https://mgmresorts.okta.com  


But what about multifactor authentication? Doesn’t that prevent this from happening?

No technology is 100% secure. We hear technical and non-technical people alike say, “But we have MFA enabled; how could the hackers possibly get in?” Insurance companies have been requiring MFA for some time to reduce their risk exposure; as we can see, it doesn’t always work.

Modern information-stealing malware can extract logged-in sessions and cookies from a person’s PC. You know that tick box that says “trust this computer for the next 30 days” when you log into a site? We bet you tick it fairly often to reduce the friction of logging into all your apps. That feature saves a small file (a cookie or session token) onto your device, and a hacker who steals it can reuse it to log into the website as you.

Modern malware can also let a PC be controlled remotely. Once malware is installed, a hacker can access the PC as the user and attempt to log into an administrative portal or VPN using the saved session and/or cookie details mentioned earlier.

Voila, MFA is bypassed.

It’s not a simple process, but it can be done, and hackers are doing it today. Sometimes the process requires a bit of social engineering: a hacker may gain access to a device but still need someone to tap a push-notification prompt. That is when a hacker may call the person or the helpdesk and ask them to tap the prompt to allow the access. It’s best to defend against the device being hacked in the first place.


Could the data breach have been prevented?

If the source of the breach was one of these four entry points, the answer is yes. These credentials, and the associated intelligence hackers could have gathered from them, would have given them the information they needed to craft an attack.

There is also the possibility that the hackers got in via another method we didn’t cover; only time will tell.

DynaRisk observed sensitive stolen MGM credentials being shared in March and August of this year. If these were the source of the breach, there would have been time to address these issues before they snowballed into a data breach.


What lessons could MGM, and any other company take away from this analysis?  


1) Get a handle on employee endpoint security

Over 90 employees have been hacked and had malware installed on their PCs; that’s a large number. The company has a huge workforce, so this is undoubtedly a challenge; however, getting this right is a fundamental control companies need to have in place.


2) Monitor for stolen credentials and act on the information  

Many times, we find companies either don’t monitor for stolen credentials or are so overwhelmed by them that they struggle to prioritize and investigate efficiently. A few simple criteria can be applied to home in on the credentials that need to be prioritized: “IAM”, “admin” and “VPN” are some simple words you can search for to go after the riskiest issues.
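One way to apply those criteria over a feed of stealer-log records, as an added example that is not DynaRisk's or Breach Check's own code: the record layout, the point values, the per-employee threshold and the sample data are all assumptions made for illustration, and only the hostnames come from the affected URLs above.

```python
from collections import Counter
from datetime import date
from typing import List, NamedTuple, Tuple
from urllib.parse import urlparse

# Search terms from the post ("IAM", "admin", "VPN") plus the other entry-point
# services it names. The weight per matched keyword is an assumed value.
RISK_KEYWORDS = ("admin", "iam", "vpn", "okta", "owa")
KEYWORD_WEIGHT = 40
REPORT_DATE = date(2023, 9, 15)  # assumed analysis date for the age calculation


class StolenCredential(NamedTuple):
    employee: str      # internal identifier, not the leaked username
    url: str           # login URL the infostealer captured the credential for
    has_session: bool  # a session ID or cookie was captured alongside it
    seen: date         # date the record first appeared in a stealer log


# Constructed sample records: employees, dates and session flags are made up.
SAMPLE_RECORDS = [
    StolenCredential("emp-a", "https://www.forbes.com/login", False, date(2023, 3, 10)),
    StolenCredential("emp-a", "https://shop.example.com/account", False, date(2023, 3, 10)),
    StolenCredential("emp-a", "https://news.example.com/signin", False, date(2023, 3, 11)),
    StolenCredential("emp-b", "https://gpvpn.mgmresorts.com/global-protect/login.esp", False, date(2023, 9, 5)),
    StolenCredential("emp-c", "https://exchange.mgmresorts.com/owa/auth/logon.aspx", False, date(2023, 8, 2)),
    StolenCredential("emp-d", "https://iam.mgmresorts.com/ui/external/reset.jsf", True, date(2023, 3, 14)),
    StolenCredential("emp-e", "https://mgmresorts.okta.com", False, date(2023, 9, 1)),
]


def score(rec: StolenCredential, today: date, per_employee: Counter) -> int:
    """Higher score = investigate first. All point values are assumptions."""
    parsed = urlparse(rec.url)
    text = (parsed.netloc + parsed.path).lower()
    points = sum(KEYWORD_WEIGHT for kw in RISK_KEYWORDS if kw in text)
    if rec.has_session:
        points += 30  # a replayable session can sidestep MFA, as the post explains
    age_days = (today - rec.seen).days
    if age_days <= 30:
        points += 20  # fresh enough that the password or session is likely still valid
    elif age_days <= 90:
        points += 10
    if per_employee[rec.employee] >= 3:
        points += 10  # many hits from one person suggests a still-infected endpoint
    return points


def triage(records: List[StolenCredential], today: date) -> List[Tuple[int, StolenCredential]]:
    """Return (score, record) pairs, highest score first, newest first on ties."""
    per_employee = Counter(r.employee for r in records)
    scored = [(score(r, today, per_employee), r) for r in records]
    return sorted(scored, key=lambda pair: (pair[0], pair[1].seen), reverse=True)
```

The IAM record with a captured session ID outranks the newer VPN and Okta hits, and the three low-value records from one employee still get a small bump for pointing at a likely still-infected machine.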


3) Focus on securing privileged accounts  

When a hacker finds an admin account, they know they’ve hit the jackpot. Whole books have been written on this topic, but the main points are to ensure such accounts are used by as few people as possible, that the most stringent protections are in place for their use, and that their use is authorized and logged.


4) Train employees, have good policies, and build a secure culture

While these controls are far less straightforward to build than deploying a technical control, we can see from the types of stolen credentials that there are some improvements that could be made:

  • Employees have accessed adult websites on work systems
  • Employees might be using personal devices with poor security controls on them
  • For all employees with stolen credentials, did they receive targeted follow-up security training?
  • Helpdesk staff have not authenticated callers properly and may have performed actions which they weren’t supposed to
  • At the time of writing, the data breach is being investigated by law enforcement, so new information will likely not arise for some time.


Download a PDF copy of our analysis in our Resource Centre or reach out to us for more information on our intelligence data. You can also run a free security scan of any company with our Company Security Scan.