Root Cause of MGM Hack, and How It Could Have Been Prevented

A simple phone call, globally available Okta login, and pervasive IAM permissions possibly made this attack extremely pervasive.

Disclaimer: I will be taking creative freedom writing this article, making educated guesses based on experience. I do not have any direct knowledge of the attack, and the details are still unknown. The below is based on my experience and analysis of current and previous similar attacks.

The MGM Attack

It’s 11pm on a Friday night, and the L1 Help Desk (which is located offshore) receives a phone call of a supposed employee (“attacker”) that needs a password reset. The “employee” says they lost their phone, so they can’t access their MFA token. The helpdesk empathizes with the employee and resets their password and gives them a temporary MFA token to access systems.

The attacker then goes to https://mgmresorts.okta.com/, which was open to the world, and logs in to the employee portal.

Oh, did we mention that the employee impersonated was an Okta Global Admin??

They found their profile on LinkedIN.

From there the attacker was able to pivot into the following:

  • Azure Admin Console

  • ESX Hypervisors that are all linked to Okta logins

As you see from the next section, it was turtles all the way down.

MGM Attack Impact

Not much was published about the impacts of the attack, which started sometime over the 9/8 weekend (Attackers love to do big attacks over the weekend in the US).

Here is a summary of the impact:

  • Electronic Gaming was down

  • Restaurants could not accept credit card payments

  • ATMs were not working

  • Room keys were not functioning

    • Elevators allowed anyone access to any floor

    • People could not

  • HUGE lines for check-in (hours waiting)

  • People walking into the random rooms

  • Data Theft

    • Social Security Numbers

    • Driver’s License Numbers

    • Other PII information

Here’s an excellent play by play…

Root Causes

So many things went wrong here, let’s go over them:

  • Poor employee identification procedures, allowing someone to impersonate another employee easily

  • Poor password reset / MFA token procedures allowing someone to bypass MFA

  • Globally accessible OKTA login page, allowing anyone in the world access to core identity systems

  • Well architected, but possibly flat, federated access control systems. No additional step up authentication or limited zoning of systems.

  • Probably too many Okta admins

  • Poor or undocumented Incident Response plans and procedures, and likely no tabletop exercises or simulations ever or in years

  • No Disaster Recovery Plan

  • No Business Continuity Plan

How To Prevent A Disaster Like the MGM Attack

  • Limit the number of Full / Global Admins

  • Have a robust system for employee identification for password reset

  • Do not allow MFA token resets over the phone. Build an escalation path for any MFA resets or bypass

  • Lockdown Global IAM (Okta, SSO, etc) access. There are multiple ways:

    • Limit by certification authentication (Company devices only)

    • Limit by VPN or IP

    • Enable strict Context Aware logins (new IP, country, etc)

  • Require step-up-authentication when logging into other/new systems

    • For example, when I want to login to Azure, check context of login compared to past logins and either block or ask for authentication again (in this case, it would not have slowed down the attacker much since they had global IAM)

  • Have separate directories for critical infrastructure and administrative logins

    • The same directory for all employees shouldn’t be used by Admins. No one does this, but it’s a HUGE way to prevent such an attack.

  • Have a well thought out Incident Response Plan

    • Do tabletops often (Quarterly, Semi-Annually, Annually)

    • Think of worse case scenarios

    • Have proper people and authorities on standby

  • Do not ignore your attackers

Conclusion

Cybersecurity can be complex, but it’s not rocket science. If you have the right people and processes in place, you can prevent a disaster, or at least stop it from getting worse. The best medicine is preventative.

Nothing here was novel or new unfortunately.

Side Node: New SEC rules require public companies to file 8K’s for cybersecurity incidents.

If you liked this article, share it with your friends. It would help me a lot. Thanks!

Appendix

Below are links that were helpful in putting this article together.

Reply

or to participate.