The MGM Resorts Cyber Attack: How Attackers Gained Highly Privileged Access Through Social Engineering
Overview
Cyber threats have become increasingly sophisticated, emphasizing the need for organizations to fortify their security measures. Okta, a leading identity and access management provider, has observed a surge in social engineering attacks targeting highly privileged accounts within Okta customer organizations. The threat actors behind the recent MGM Resorts cyberattack demonstrate novel methods of lateral movement and evasion, underscoring the critical importance of proactive cybersecurity measures.
Okta Warned About It
Okta warned of the potential for social engineering attacks of this type in an alert on Aug. 31 detailing attempts to gain highly privileged access to Okta customer environments through social engineering.
"In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against their IT service desk personnel, in which the caller's strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users," Okta warned. The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization.
Tactics, Techniques & Procedures of Scattered Spider
So what caused this cyber attack? It’s not yet clear what exactly happened, but these are the key details that we know:
- Scattered Spider, a hacking group, used social engineering to obtain login credentials or one-time password (OTP) codes, which allowed it to bypass multi-factor authentication, according to a January blog post by the security research firm CrowdStrike. In this campaign the threat actor targeted users assigned Super Administrator permissions.
- With that access, they enrolled their own device for future MFA requests. Where this was unsuccessful, they fell back to smishing users with a fake login portal, or, if they had obtained a username and password, they MFA-bombed users with requests until one was accepted.
- The threat actor accessed the compromised account using anonymizing proxy services and an IP and device not previously associated with the user account.
- The compromised Super Administrator accounts were used to assign higher privileges to other accounts, and/or reset enrolled authenticators in existing administrator accounts. In some cases, the threat actor removed second factor requirements from authentication policies.
- The threat actor was observed configuring a second Identity Provider to act as an "impersonation app" to access applications within the compromised organization on behalf of other users. This second Identity Provider, also controlled by the attacker, acted as a “source” IdP in an inbound federation relationship (sometimes called “Org2Org”) with the target.
- From this “source” IdP, the threat actor set the username of targeted users in the “source” identity provider to match a real user in the compromised “target” identity provider. This allowed them to single sign-on (SSO) into applications in the target IdP as that user.
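Each step in the chain above leaves a trace in the Okta System Log: the session start from an anonymizing proxy, the factor reset, the Super Administrator grant, the new identity provider. The script below is an added example, not code from the original post or from Reco or Okta. It runs over a constructed sample of System Log records and groups findings by the acting account, so that an actor who hits several stages of the chain is escalated rather than a single odd event. The event type names and the `securityContext.isProxy` and `debugData.privilegeGranted` fields are as I know them from the System Log; confirm them against your own tenant's events.

```python
"""Triage Okta System Log events for the takeover chain described above."""
import json
from collections import defaultdict

# Event types as known from the Okta System Log (verify against your tenant).
SESSION_START = "user.session.start"
PRIVILEGE_GRANT = "user.account.privilege.grant"
FACTOR_RESET = "user.mfa.factor.reset_all"
IDP_CREATED = "system.idp.lifecycle.create"
POLICY_RULE_UPDATED = "policy.rule.update"

# Constructed sample, not real log data. The layout follows the System Log API
# (eventType, published, actor, client, securityContext, debugContext, target).
SAMPLE_LOG = json.loads("""
[
 {"eventType": "user.session.start", "published": "2023-09-10T12:00:00.000Z",
  "actor": {"id": "00uA", "alternateId": "helpdesk.admin@example.com"},
  "client": {"ipAddress": "203.0.113.7"}, "securityContext": {"isProxy": true},
  "outcome": {"result": "SUCCESS"}, "debugContext": {"debugData": {}}, "target": []},
 {"eventType": "user.mfa.factor.reset_all", "published": "2023-09-10T12:03:00.000Z",
  "actor": {"id": "00uA", "alternateId": "helpdesk.admin@example.com"},
  "client": {"ipAddress": "203.0.113.7"}, "securityContext": {"isProxy": true},
  "outcome": {"result": "SUCCESS"}, "debugContext": {"debugData": {}},
  "target": [{"type": "User", "alternateId": "it.director@example.com"}]},
 {"eventType": "user.account.privilege.grant", "published": "2023-09-10T12:05:00.000Z",
  "actor": {"id": "00uA", "alternateId": "helpdesk.admin@example.com"},
  "client": {"ipAddress": "203.0.113.7"}, "securityContext": {"isProxy": true},
  "outcome": {"result": "SUCCESS"},
  "debugContext": {"debugData": {"privilegeGranted": "Super administrator"}},
  "target": [{"type": "User", "alternateId": "contractor@example.com"}]},
 {"eventType": "system.idp.lifecycle.create", "published": "2023-09-10T12:09:00.000Z",
  "actor": {"id": "00uA", "alternateId": "helpdesk.admin@example.com"},
  "client": {"ipAddress": "203.0.113.7"}, "securityContext": {"isProxy": true},
  "outcome": {"result": "SUCCESS"}, "debugContext": {"debugData": {}},
  "target": [{"type": "IdentityProvider", "displayName": "Org2Org-partner"}]},
 {"eventType": "user.session.start", "published": "2023-09-10T12:10:00.000Z",
  "actor": {"id": "00uB", "alternateId": "alice@example.com"},
  "client": {"ipAddress": "198.51.100.20"}, "securityContext": {"isProxy": false},
  "outcome": {"result": "SUCCESS"}, "debugContext": {"debugData": {}}, "target": []}
]
""")


def risky(event):
    """Return a finding label for one event, or None if it is unremarkable."""
    et = event["eventType"]
    if et == SESSION_START:
        # Only sessions opened through an anonymizing proxy are interesting here.
        if event.get("securityContext", {}).get("isProxy"):
            return "login via anonymizing proxy"
        return None
    if et == PRIVILEGE_GRANT:
        granted = event.get("debugContext", {}).get("debugData", {}).get("privilegeGranted", "")
        if "super" in granted.lower():
            return "super administrator role granted"
        return None
    if et == FACTOR_RESET:
        return "all MFA factors reset"
    if et == IDP_CREATED:
        return "new identity provider created"
    if et == POLICY_RULE_UPDATED:
        return "authentication policy rule changed"
    return None


def triage(events):
    """Group findings by acting account: {actor login: [(published, label, targets), ...]}."""
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["published"]):
        label = risky(ev)
        if label is None:
            continue
        targets = [t.get("alternateId") or t.get("displayName") for t in ev.get("target", [])]
        findings[ev["actor"]["alternateId"]].append((ev["published"], label, targets))
    return dict(findings)


def escalate(findings, min_distinct=2):
    """Actors whose activity spans at least min_distinct finding types: the chain, not a one-off."""
    return sorted(actor for actor, items in findings.items()
                  if len({label for _, label, _ in items}) >= min_distinct)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for actor in escalate(found):
        print(f"ESCALATE {actor}")
        for published, label, targets in found[actor]:
            print(f"  {published}  {label}  targets={targets}")
```

In production the events come from the System Log API or from the SIEM that ingests it; the grouping by actor is what turns four individually explainable admin actions into one incident.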
How Organizations Can Stay Safe Against a Future Attack
To minimize the risk of falling victim to a similar social engineering attack, organizations should adopt a proactive and comprehensive approach to cybersecurity:
- Implement Phishing-Resistant Authentication: Leverage Okta's industry-leading authentication methods like FastPass and FIDO2 WebAuthn to protect sign-in flows from phishing attempts.
- Configure Authentication Policies: Use a SaaS security tool to apply strict authentication policies to privileged applications, requiring re-authentication at every sign-in. Feed policy changes and violations into the automated workflows you already run in your SIEM, SOAR, or data lake.
- Review and Limit Access: Regularly review and limit the use of highly privileged accounts and roles, enforcing the principle of least privilege to minimize potential risks.
- Continuous Monitoring and Alerting: Utilize detection methods and alerts, such as monitoring for suspicious activity and unauthorized access, to promptly respond to potential threats.
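The first three recommendations can be checked mechanically. The script below is an added example, not code from the original post or from Reco or Okta. It audits a constructed set of app sign-on policy rules for the three weak settings the attack exploited (no second factor, long re-authentication intervals, no phishing-resistant authenticator) and lists Super Administrator holders who are not on an approved list. The rule shape (`actions.appSignOn.verificationMethod` with `factorMode`, `reauthenticateIn` and a `phishingResistant` possession constraint) and the role type names are as I know them from the Okta Identity Engine API; the user and rule records are constructed samples, not real data.

```python
"""Audit sign-on policy rules and Super Administrator assignments against the advice above."""

# Constructed sample shaped like Okta Identity Engine app sign-on policy rules
# (GET /api/v1/policies/{policyId}/rules). Verify field names against your tenant.
SAMPLE_RULES = [
    {"name": "Admin console - privileged", "status": "ACTIVE",
     "actions": {"appSignOn": {"access": "ALLOW",
                 "verificationMethod": {"type": "ASSURANCE", "factorMode": "2FA",
                                        "reauthenticateIn": "PT0S",
                                        "constraints": [{"possession": {"phishingResistant": "REQUIRED"}}]}}}},
    {"name": "Catch-all", "status": "ACTIVE",
     "actions": {"appSignOn": {"access": "ALLOW",
                 "verificationMethod": {"type": "ASSURANCE", "factorMode": "1FA",
                                        "reauthenticateIn": "PT43800H",
                                        "constraints": []}}}},
    {"name": "Legacy helpdesk", "status": "INACTIVE",
     "actions": {"appSignOn": {"access": "ALLOW",
                 "verificationMethod": {"type": "ASSURANCE", "factorMode": "1FA",
                                        "reauthenticateIn": "PT43800H",
                                        "constraints": []}}}},
]

# Constructed sample: each user's login and the admin role types assigned to them
# (role type names as returned by GET /api/v1/users/{userId}/roles).
SAMPLE_USERS = [
    {"login": "ciso@example.com", "roles": ["SUPER_ADMIN"]},
    {"login": "contractor@example.com", "roles": ["SUPER_ADMIN", "APP_ADMIN"]},
    {"login": "helpdesk@example.com", "roles": ["HELP_DESK_ADMIN"]},
]
APPROVED_SUPER_ADMINS = {"ciso@example.com"}  # constructed allow-list


def audit_rule(rule):
    """Return the weaknesses found in one rule; inactive rules are skipped."""
    issues = []
    if rule.get("status") != "ACTIVE":
        return issues
    sign_on = rule["actions"]["appSignOn"]
    vm = sign_on.get("verificationMethod", {})
    if sign_on.get("access") == "ALLOW" and vm.get("factorMode") != "2FA":
        issues.append("does not require a second factor")
    # PT0S means every sign-in re-authenticates; anything longer reuses a session.
    if vm.get("reauthenticateIn") != "PT0S":
        issues.append("does not re-authenticate at every sign-in")
    if not any(c.get("possession", {}).get("phishingResistant") == "REQUIRED"
               for c in vm.get("constraints", [])):
        issues.append("does not require a phishing-resistant authenticator")
    return issues


def audit_policy(rules):
    """Map rule name -> list of issues, for rules that have at least one."""
    report = {}
    for rule in rules:
        issues = audit_rule(rule)
        if issues:
            report[rule["name"]] = issues
    return report


def unapproved_super_admins(users, approved):
    """Super Administrator holders that the least-privilege allow-list does not cover."""
    return sorted(u["login"] for u in users
                  if "SUPER_ADMIN" in u["roles"] and u["login"] not in approved)


if __name__ == "__main__":
    for name, issues in audit_policy(SAMPLE_RULES).items():
        print(f"rule '{name}':")
        for issue in issues:
            print(f"  - {issue}")
    for login in unapproved_super_admins(SAMPLE_USERS, APPROVED_SUPER_ADMINS):
        print(f"unapproved Super Administrator: {login}")
```

Run it against the rules and role assignments pulled from your tenant on a schedule; a rule that newly fails the audit, or a Super Administrator who appears outside the allow-list, is exactly the change the compromised accounts in this attack made.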
By adhering to these recommendations and adopting a proactive approach to cybersecurity, organizations can significantly reduce their vulnerability to SaaS identity cyberattacks. Stay vigilant, stay informed, and stay secure.
Given the pervasiveness of social engineering attacks and the increasing rate of adoption of SaaS, the challenge of securing your SaaS estate will only increase. Is your organization at risk of the same vulnerabilities as the MGM breach? You can reach out to the Reco team for a free security risk assessment and learn how using Reco’s AI-driven approach to comprehensive mapping of data, apps, and identities can keep your Okta tenant and highly privileged SaaS identities secure.
Resources
https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
ABOUT THE AUTHOR
Gal Nakash
Gal is the Cofounder & CPO of Reco. Gal is a former Lieutenant Colonel in the Israeli Prime Minister's Office. He is a tech enthusiast, with a background of Security Researcher and Hacker. Gal has led teams in multiple cybersecurity areas with an expertise in the human element.