The threat actors linked to a suspected cyberattack attack against MGM Resorts have claimed to have accessed the company’s Okta environment prior to the attacks.
The group called AlphVsaid that MGM Resorts shut down their Okta servers after realizing the hackers had been lurking in their Okta Agent servers in order to find vulnerable passwords, in claims posted by Brett Callow, a threat analyst at Emsisoft.
The threat actors also claimed to have super administrator privileges to the company’s Azure tenant.
AlphV also known as AlphV/BlackCat has been suspected of working in some capacity with a threat group called Scattered Spider, which is suspected in the attack on Caesars Entertainment, a rival hotel/gaming company in Las Vegas.
Caesars Entertainment disclosed a recent social engineering attack in a filing Thursday with the Securities and Exchange Commission. The filing indicated the attack against an IT support vendor led to the theft of customer data from Caesars Entertainment’s customer loyalty database.
Just two weeks ago, Okta disclosed a pattern of attacks in which hackers were using social engineering tactics to gain privileged access inside customer organizations. Okta disclosed the attacks in a regulatory filing with the SEC.
Okta confirmed that MGM has been attacked and said it has been working with them to support their mitigation efforts.
“We are aware of a cyber attack on MGM,” an Okta spokesperson said in an emailed statement. “While there has been no compromise or breach of Okta systems and the Okta service remains fully operational and secure, we are available to support in any way we can to assist in MGM’s return to normal operation.”
As reported by Cybersecurity Dive, the social engineering attacks were used against four U.S. organizations.
According to the Okta disclosures, multiple U.S. companies were duped by hackers, who called IT service desks and convinced them to reset MFA factors of highly privileged users.
Okta is encouraging customers to read mitigation recommendations from its recent blog in order to protect customer data.
The Cybersecurity and Infrastructure Security Agency confirmed it is working with MGM to respond to the attack.
“CISA is in contact with MGM resorts to understand the impacts of their recent cyber incident,” a spokesperson said via email.“We are also offering any necessary assistance should the organization need or request it.”
Researchers from Mandiant, in a blog released Thursday, said Scattered Spider, the financially motivated threat group also known as UNC3944 or Oktapus, has been known to use SMS phishing techniques to target help desks in order to then reset passwords or bypass multifactor authentication.
Mandiant researchers told Cybersecurity Dive that AlphV does operate a ransomware as a service model and they have seen Scattered Spider deploy the same ransomware.
“In these partnerships, the operators of the ransomware will typically provide builds to its affiliates to distribute along with other related support services, such as infrastructure that allows easy management of victims and extortion support (e.g. DDoS),” Mandiant researchers said via email
