Identity management company Okta says the cybercriminal groups that attacked Caesars and MGM Resorts are also behind three other attacks in the past two months, outside the gambling sector. Without naming specific companies, David Bradbury, Okta’s Chief Security Officer (CSO), told Reuters that the victims were in manufacturing, retail, and technology.
On Sep. 11, MGM Resorts experienced a system-wide outage at its US properties. A ransomware group, ALPHV, later acknowledged its involvement, though it claimed MGM itself was the cause of the outage, having taken its systems offline to defend against the intrusion. Some sources, including Okta, suggest another group, Scattered Spider, also helped with the social engineering component of the attack. While MGM’s website went back online after a few days, it has taken over a week for the company’s operations to return to relative normalcy.
Experts say ALPHV and Scattered Spider attacks are financially motivated, with ransom for stolen data being the ultimate goal. ALPHV has confirmed that MGM refused to pay, though Caesars, which suffered a similar attack, reportedly paid a $15 million ransom.
In a Sep. 14 SEC filing, Caesars said it was a victim of a cyber-attack, and the target was “an outsourced IT support vendor.”
That aligns with Okta’s statement that its customers experienced a consistent pattern of attacks.
Hackers Use Social Engineering
The identity management company says hackers used social engineering and presented themselves as the victim firms’ employees. Social engineering is a form of manipulation through social pressure.
The attackers’ plan usually involves targeting the IT help desk and convincing them to reset multi-factor authentication (MFA) for all users, or specifically for administrators. MFA is a security method that requires more than one proof of identity to access an account, such as a code sent by text message or email in addition to a password.
In August, in a blog post, Okta released information on the hackers’ patterns, including:
- The attacker would obtain passwords or exploit an Active Directory vulnerability before contacting the helpdesk.
- The hacker would access the compromised account through a proxy server and IP address.
- The attacker would elevate the privileges of other accounts through compromised Super Administrator accounts and reset or eliminate MFA for different accounts.
- Through a second Identity Provider, the hacker would gain access to applications within the compromised organization on behalf of other users.
- Attackers manipulated usernames to provide the ability for single sign-on into applications.
Okta also provided prevention suggestions, System Log events, and workflow templates to detect possible attacks better.
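Detection logic of the kind those System Log events support, as an added example that is not Okta’s own code or templates: it scans constructed sample events modelled on Okta’s System Log JSON for an admin resetting MFA for several users in a short window, a login for a just-reset user from an IP address not seen on that user’s earlier sessions, and creation of a new identity provider. The event type names, field layout and thresholds are assumptions, not taken from Okta’s blog post.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs); event names assumed to follow Okta's System Log naming.
SAMPLE_LOG = """
{"published":"2023-08-01T10:00:00Z","eventType":"user.session.start","actor":{"alternateId":"alice@corp.example"},"client":{"ipAddress":"203.0.113.5"},"target":[]}
{"published":"2023-08-01T10:05:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk-admin@corp.example"},"client":{"ipAddress":"198.51.100.7"},"target":[{"alternateId":"alice@corp.example"}]}
{"published":"2023-08-01T10:06:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk-admin@corp.example"},"client":{"ipAddress":"198.51.100.7"},"target":[{"alternateId":"bob@corp.example"}]}
{"published":"2023-08-01T10:07:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk-admin@corp.example"},"client":{"ipAddress":"198.51.100.7"},"target":[{"alternateId":"carol@corp.example"}]}
{"published":"2023-08-01T10:09:00Z","eventType":"user.session.start","actor":{"alternateId":"alice@corp.example"},"client":{"ipAddress":"192.0.2.44"},"target":[]}
{"published":"2023-08-01T10:20:00Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"helpdesk-admin@corp.example"},"client":{"ipAddress":"198.51.100.7"},"target":[{"alternateId":"Second IdP"}]}
"""

MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
WINDOW = timedelta(minutes=15)      # look-back for reset bursts and post-reset logins
BURST_THRESHOLD = 3                 # distinct users reset by one actor within WINDOW

def parse_log(text):
    # Newline-delimited JSON, one event per line, sorted by publish time
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious(events):
    # Returns (rule, actor, detail) tuples in the order the triggering events occur
    findings, flagged = [], set()
    # admin -> [(ts, target user)]; target user -> last reset ts; user -> IPs seen earlier
    resets_by_actor, last_reset_for, known_ips = defaultdict(list), {}, defaultdict(set)
    for e in events:
        etype, ts, ip = e["eventType"], e["ts"], e["client"]["ipAddress"]
        actor = e["actor"]["alternateId"]
        target = e["target"][0]["alternateId"] if e["target"] else None
        if etype in MFA_RESET_EVENTS:
            resets_by_actor[actor].append((ts, target))
            last_reset_for[target] = ts
            recent = {u for t0, u in resets_by_actor[actor] if ts - t0 <= WINDOW}
            if len(recent) >= BURST_THRESHOLD and actor not in flagged:
                flagged.add(actor)   # report each bursting admin once
                findings.append(("mfa_reset_burst", actor, sorted(recent)))
        elif etype == "system.idp.lifecycle.create":
            findings.append(("new_idp_created", actor, target))
        elif etype == "user.session.start":
            reset_ts = last_reset_for.get(actor)
            # A login shortly after an MFA reset from an IP this user never used before
            if reset_ts and ts - reset_ts <= WINDOW and ip not in known_ips[actor]:
                findings.append(("post_reset_login_new_ip", actor, ip))
            known_ips[actor].add(ip)
    return findings
```

On the sample above the three rules fire once each; in a real tenant the help-desk actor, window and threshold would be tuned against normal reset volume before alerting.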
Social engineering attacks are not limited to cyber-attacks. In July, the Nevada Gaming Control Board (NGCB) warned all state casinos after the Circa Resort & Casino in downtown Vegas was a victim of social engineering attacks worth $1.17 million. These involved fooling casino cage cashiers into hand-delivering large sums of cash to attackers posing as high-ranking executives at the company.
Recent Attacks Number in the Hundreds
Beyond the five recent attacks, Okta’s CSO says social engineering attacks have increased. Bradbury said:
We’ve seen consistently over the past six to 12 months, a ramp-up in these types of attacks.
The two groups, ALPHV and Scattered Spider, are among the most active hackers. Charles Carmakal, Chief Technology Officer with Google’s Mandiant cybersecurity unit, told the Wall Street Journal that UNC 3944 (another name for Scattered Spider) had attacked more than 100 organizations in the past two years.
Meanwhile, in April 2022, the FBI released a flash report on ALPHV. In it, the agency says the hacker group is responsible for over 60 attacks. In addition, the FBI says ALPHV is the first group to use a newer and sophisticated programming language called Rust. ALPHV is thought to be responsible for recent attacks on Western Digital and Reddit.