The recent ransomware attack on MGM Resorts occurred via a breach in the Okta platform. This was announced by the hackers of the ransomware gang ALPHV themselves.
According to ALPHV, the attack occurred via a breach in MGM Resorts’ active Okta Agent application. This application connects the cloud-based IAM platform to the Active Directory the resort group uses.
The hackers indicated that, following a social engineering attack, they had been able to retrieve passwords for a day. They mainly captured, on MGM Resorts’ Okta servers, the passwords that could not be obtained from the domain controller hash dumps.
Although the casino shut down the Okta servers one by one immediately after the discovery, the damage was done. The hackers launched ransomware attacks against more than a thousand ESXi hypervisors last Monday, Sept. 11. Earlier, ALPHV had tried to notify MGM Resorts but failed.
‘Access not closed’
ALPHV says it still has access to some of MGM’s infrastructure and threatens further attacks if negotiations are held off. It also threatens to publish stolen data.
MGM Resorts’ operations, including in Las Vegas, are said to have been severely affected by the attack. Check-in systems for the hotels, many elevators and the casino itself were reportedly still experiencing problems, as a Techzine employee witnessed last week.
Okta has since confirmed that its platform was involved in the ransomware attack on MGM Resorts, Dark Reading writes. The platform was allegedly used in the more sophisticated part of the attack, as the hackers managed to abuse built-in functionality of Okta itself.
More specifically, this involved deploying their own identity provider (IDP) and user database into the Okta system of, in this case, MGM Resorts. Creating multiple identity subgroups is a standard part of the Okta platform.
Through a social engineering attack on the IT help desk, the hackers convinced an employee to reset all MFA factors enrolled by highly privileged users. The hackers then used the compromised highly privileged Okta Super Administrator accounts to abuse legitimate “identity federation” features, which allowed them to impersonate users within the organization.
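The sequence just described (help desk resets all MFA factors on a privileged account, then that account creates a new identity provider) leaves a trail in the Okta System Log. As an added example that is not part of this article or of Okta’s own tooling, the following Python correlates those two steps over constructed sample log lines; the event type names (`user.mfa.factor.reset_all`, `system.idp.lifecycle.create`, `user.account.privilege.grant`), the field layout and the privileged-account list are assumptions for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed sample Okta System Log lines (one JSON record per line).
# Field names follow the System Log layout as assumed for this example;
# all values are invented.
SAMPLE_LOG = """
{"published": "2023-09-10T08:02:11.000Z", "eventType": "user.session.start", "actor": {"alternateId": "helpdesk@example.com"}, "target": []}
{"published": "2023-09-10T08:15:40.000Z", "eventType": "user.mfa.factor.reset_all", "actor": {"alternateId": "helpdesk@example.com"}, "target": [{"alternateId": "superadmin@example.com"}]}
{"published": "2023-09-10T09:03:05.000Z", "eventType": "user.session.start", "actor": {"alternateId": "superadmin@example.com"}, "target": []}
{"published": "2023-09-10T09:07:22.000Z", "eventType": "system.idp.lifecycle.create", "actor": {"alternateId": "superadmin@example.com"}, "target": [{"alternateId": "Rogue IdP"}]}
{"published": "2023-09-10T12:00:00.000Z", "eventType": "user.mfa.factor.reset_all", "actor": {"alternateId": "helpdesk@example.com"}, "target": [{"alternateId": "jane.doe@example.com"}]}
"""

# Assumed list of accounts that hold Super Administrator rights.
PRIVILEGED = {"superadmin@example.com"}
# Follow-on actions that turn a suspicious reset into a likely compromise.
FOLLOW_ON = {"system.idp.lifecycle.create", "user.account.privilege.grant"}


def parse_log(text):
    """Parse JSON-lines records and sort them by publish time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_federation_abuse(events, privileged, window=timedelta(hours=24)):
    """Alert on reset-all of a privileged user's MFA factors; escalate to
    critical when that user then creates an IdP or grants privileges
    within the window."""
    alerts = []
    for ev in events:
        if ev["eventType"] != "user.mfa.factor.reset_all":
            continue
        victims = {t["alternateId"] for t in ev["target"]} & privileged
        for victim in sorted(victims):
            follow = [e for e in events
                      if e["eventType"] in FOLLOW_ON
                      and e["actor"]["alternateId"] == victim
                      and ev["ts"] < e["ts"] <= ev["ts"] + window]
            alerts.append({
                "victim": victim,
                "reset_by": ev["actor"]["alternateId"],
                "reset_at": ev["published"],
                "severity": "critical" if follow else "high",
                "follow_on": [e["eventType"] for e in follow],
            })
    return alerts
```

Resets on non-privileged users (the `jane.doe` line) are left to normal help desk review; only the privileged reset followed by an IdP creation is raised as critical.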
Okta has warned of these types of social engineering attacks on its platform since late August. The IAM specialist will work with MGM Resorts to do everything possible to solve the problem.