What happened at MGM Resorts?
MGM Resorts was compromised by a threat actor, Scattered Spider (UNC3944). The threat actor gained control over the super administrator account of Okta, gained Azure administrative rights, and gained Domain Admin privileges over the Active Directory. The threat actor deployed the ALPHV ransomware on over 100 on-premises ESXi servers. This caused an entire system shutdown, with MGM Resorts losing millions of dollars, having to fall back to paper-based hotel admission and suffering tremendous damage to its reputation.
The impact of this attack was severe. As the hospitality services experienced outages, customer service and experience took a nosedive, payment systems were down and the slot machines at their casino were completely inoperable.
How did this attack occur?
This is an evolving threat, with new details emerging. The current available information indicates the use of a combination of exploit techniques, primarily centered around identity impersonation.
- The attackers gained initial access through social engineering attacks on helpdesk administrators of the Okta tenant.
- This access was used to reset MFA for the super administrator account of Okta and gain administrative control over the Okta tenant. The threat actors then leveraged an Okta feature known as “inbound federation” to set up a secondary IdP for the MGM tenant.
- The attacker-controlled IdP enabled the threat actor to impersonate the identities of multiple users and gain administrative control over the Azure tenant for MGM.
- The threat actors leveraged credentials shared between Azure and the on-premises environment to pivot on premises and gain domain admin privileges over the AD.
- They also controlled the Okta sync servers to gain access to additional credentials and ultimately gained control over the on-premises environment, with privileged access to 100+ ESXi servers.
- After waiting for several days, the threat actors eventually deployed the ALPHV ransomware to encrypt applications deployed on ESXi, leading to widespread damage and system shutdown.
Didn’t MGM have cybersecurity controls in place? How did this identity-driven attack go undetected for several days?
MGM had deployed multiple forms of security controls. MFA (multi-factor authentication) had been configured for administrative users. Multiple mechanisms of threat detection had been deployed. Despite all this, the threat actor retained control over the cloud and on-premises environments for multiple days without being detected.
Traditional forms of identity defense are repeatedly falling short.
The massive spike in identity-driven attacks, such as this one against MGM Resorts, is an eye-opening reminder that traditional forms of identity threat defense are not sufficient. Identity prevention techniques such as MFA are useful but can be bypassed, as demonstrated by the Scattered Spider threat group.
Traditional identity threat detection approaches (log analytics, anomaly-based detection, behavior-based detection) are focused on attacker TTPs. Attackers continue to evolve new TTPs, such as the abuse of Okta's inbound federation feature in the MGM attack to impersonate identities, escalate privileges, and maintain persistence. This enables threat actors to bypass traditional identity threat detection mechanisms.
Deception-based Active Defense provides an effective defense layer for identity protection.
What is Deception-based Active Defense?
Deception-based Active Defense is a fundamentally different approach for cybersecurity and identity protection.
Deception technology is based on identifying the privileged identities that would be targets for the attacker, setting traps with decoy privileged identities and honeytokens on endpoints and deflecting the attacker away from the critical assets. This is a proactive approach for identity protection that is agnostic to the attacker TTPs and can detect new and evolving identity threats.
How could Deception-based Active Defense have helped in this case?
For the MGM exploit, honey accounts that represent deceptive forms of privileged identities and honeytokens derived from these honey accounts could have provided an effective approach for identity protection. The attackers would have been lured into revealing themselves by triggering deceptions, while the real network assets were protected.
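The detection logic this implies is simple because a decoy identity has no legitimate use: any authentication touching a honey account is an alert, and use from a host other than the one the honeytoken was planted on shows the credential was harvested and replayed. The example below is added here and is not code from the original post or from any vendor product; the account names, hosts and log lines are constructed, and the Okta event type for creating a secondary IdP is assumed to follow the "system.idp.lifecycle.*" naming.

```python
import json
from typing import Optional
# Constructed registry of decoy privileged identities (honey accounts) mapped to the host each
# honeytoken was planted on. Names are assumptions for this example only.
HONEY_ACCOUNTS = {
    "svc_okta_sync_bak": "OKTA-SYNC-01",  # decoy AD service account left on the sync server
    "az-breakglass-admin": "JUMP-03",     # decoy cloud admin credential in a jump host's vault
}
def classify(event: dict) -> Optional[dict]:
    """Return an alert dict when an event is a deception trigger, else None."""
    user, etype, src = event.get("user", ""), event.get("type", ""), event.get("src_host", "unknown")
    if user in HONEY_ACCOUNTS:
        planted_on = HONEY_ACCOUNTS[user]
        # Decoys have no legitimate use; use from a host other than where it was planted means replay.
        sev = "critical" if src != planted_on else "high"
        return {"rule": "honey_account_use", "severity": sev, "user": user,
                "src_host": src, "planted_on": planted_on, "event": etype}
    # Creation of a secondary IdP (inbound federation) is rare and privilege-changing; the
    # event type name is assumed to follow Okta's "system.idp.lifecycle.*" convention.
    if etype.startswith("system.idp.lifecycle.create"):
        return {"rule": "new_identity_provider", "severity": "high", "user": user,
                "src_host": src, "planted_on": None, "event": etype}
    return None

def scan(log_lines):
    """Parse newline-delimited JSON events, skip malformed lines, and collect alerts."""
    alerts = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts

def suspect_hosts(alerts):
    """Hosts that replayed a harvested decoy credential: likely footholds to triage first."""
    return sorted({a["src_host"] for a in alerts
                   if a["rule"] == "honey_account_use" and a["severity"] == "critical"})
# Constructed sample feed: Okta-style and AD-style (Kerberos TGT request, event 4768) events.
SAMPLE_LOG = [
    '{"type": "user.session.start", "user": "alice", "src_host": "WS-117"}',
    '{"type": "4768", "user": "svc_okta_sync_bak", "src_host": "FILE-SRV-02", "outcome": "FAILURE"}',
    '{"type": "system.idp.lifecycle.create", "user": "okta-superadmin", "src_host": "203.0.113.9"}',
    '{"type": "user.session.start", "user": "az-breakglass-admin", "src_host": "JUMP-03"}',
    'garbage line that is not JSON',
]
```

Running scan(SAMPLE_LOG) yields three alerts and names FILE-SRV-02 as the host that replayed the decoy sync-server credential, which is the kind of TTP-agnostic signal the text describes.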
As attackers evolve the next set of identity exploit techniques (beyond the abuse of the inbound federation feature in this case), the goal of the attacker does not change. Honey accounts and honeytokens based on deception technology provide a powerful identity threat detection and response layer to protect organizations from continuously evolving identity threats.