Cybersecurity Lessons from the Cyberattack on MGM Resorts

Although it will take more time to get an accurate picture of how exactly this cybersecurity attack was implemented, cybersecurity experts have reconstructed the event based on available evidence.

The attackers used a combination of human and technology vectors. Specifically, a social engineering technique known as ‘vishing’ (voice phishing) is believed to have been employed. The method involves using phone calls to identified human targets (or someone affiliated to them) to extract sensitive information that is used for further actions. Sometimes, the attackers ask targets to perform some actions that directly compromise security.

Experts feel that the hackers’ starting point was MGM usernames and passwords obtained from earlier breaches. Using additional information obtained from the LinkedIn profiles of certain ‘high value’ individuals (those likely to have a high level of access privileges to MGM’s security and other infrastructure), the perpetrators convinced MGM’s help desk to somehow bypass the multi factor authentication protocols.

After the initial infiltration, the attackers consolidated their control over critical infrastructure, enabling them to unleash chaos. Having gained access to MGM’s network, the attackers used the ‘inbound federation’ feature of MGM’s IAM (Identity and Access Management) solution to create persistence. Using BlackCat/ALPHV’s ‘Ransom as a Service’, the attackers encrypted a large number of MGM’s ESXi servers (Virtual Machines) that supported various systems. As the servers got impacted, the applications running on them crashed, affecting check in/check out, slot machines, room keys, table reservations, etc.

By this time, the attackers reportedly gained privileged access to accounts that managed MGM’s IAM infrastructure, including its IDP (Intelligent Document Processing) solution. This gave them control of MGM’s Microsoft Azure cloud environment.