The social engineering attacks against MGM Resorts and Caesars Entertainment are raising questions about the threat actors' earlier activity and the weaknesses they exploit.
There is a growing consensus among security researchers that the threat group AlphV, also known as BlackCat, which is taking credit for the attack on MGM, has been working with Muddled Libra.
Muddled Libra has been heavily involved in attacks dating back to mid-2022, which target outsourcing firms that serve high-value cryptocurrency firms and individuals, Palo Alto Networks Unit 42 said.
The threat group, which is known under various names, including Scattered Spider, Scatter Swine and Oktapus, is likely multiple actors employing the same toolkit for attacks.
The group sent messages to targeted employees claiming they needed to reauthenticate their identities or update account information, according to the Unit 42 blog. The hackers then installed multiple remote monitoring and management (RMM) tools on compromised systems, so that if one tool is discovered and removed, another still gives them access.
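The redundant-RMM pattern described above is a failure mode for incident response: removing the one remote access tool an analyst noticed leaves the others in place. As an added example (not code from the article or from Unit 42), the Python below hunts over constructed process-creation records and flags hosts running more than one RMM product. The watchlist of image names, the sanctioned-tool set, the hostnames and the log lines are all hypothetical, constructed for illustration.

```python
"""Flag hosts where more than one remote monitoring and management (RMM)
product is running. Redundant RMM installs are a persistence pattern:
removing the one tool an analyst noticed leaves the others in place.

Added example; the watchlist, sanctioned set and log records are
constructed for illustration and are not from the article or Unit 42.
"""
from collections import defaultdict

# Hypothetical watchlist: lowercase image names mapped to an RMM family.
# A real deployment should build this from the organization's own asset
# and software inventory data.
RMM_WATCHLIST = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "splashtop-streamer.exe": "Splashtop",
    "teamviewer.exe": "TeamViewer",
    "ateraagent.exe": "Atera",
}

# Hypothetical: the one RMM product the IT team actually deploys. A host
# running only this tool is normal; the same tool plus others is not.
SANCTIONED = {"ScreenConnect"}

# Constructed process-creation records: "timestamp|host|user|image_path".
SAMPLE_LOG = """\
2023-09-10T14:02:11Z|WKS-0417|corp\\jdoe|C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe
2023-09-10T14:09:45Z|WKS-0417|corp\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe
2023-09-10T14:15:02Z|WKS-0417|corp\\jdoe|C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Splashtop-streamer.exe
2023-09-10T09:30:00Z|WKS-0102|corp\\asmith|C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe
2023-09-10T09:31:12Z|WKS-0102|corp\\asmith|C:\\Windows\\System32\\svchost.exe
2023-09-10T11:45:30Z|WKS-0233|corp\\bnguyen|C:\\Program Files\\TeamViewer\\TeamViewer.exe
"""


def parse_record(line):
    """Split one pipe-delimited record; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    ts, host, user, image = parts
    return {"ts": ts, "host": host, "user": user, "image": image}


def rmm_family(image_path):
    """Map an image path to an RMM family, or None if it is not on the list.

    Matching is on the file name only, so a tool dropped into a user's
    Temp directory is caught as readily as a normal Program Files install.
    """
    name = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return RMM_WATCHLIST.get(name)


def find_redundant_rmm(log_text, min_tools=2):
    """Return {host: sorted RMM families} for hosts running at least
    `min_tools` distinct RMM products.

    The sanctioned tool counts toward the total: an attacker's tool
    sitting beside the corporate one is exactly the redundancy we want
    to see, while a host with only the sanctioned tool is never flagged.
    """
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        family = rmm_family(rec["image"])
        if family:
            per_host[rec["host"]].add(family)

    flagged = {}
    for host, families in per_host.items():
        if len(families) >= min_tools and families - SANCTIONED:
            flagged[host] = sorted(families)
    return flagged


if __name__ == "__main__":
    for host, families in find_redundant_rmm(SAMPLE_LOG).items():
        print(f"{host}: {len(families)} RMM products -> {', '.join(families)}")
```

On the constructed sample, only WKS-0417 is flagged: it runs the sanctioned ScreenConnect client alongside AnyDesk (launched from a Temp directory) and Splashtop. WKS-0102 runs only the sanctioned tool and WKS-0233 runs a single unsanctioned tool, neither of which matches the redundancy pattern this check targets; a single unsanctioned RMM is worth a separate, lower-severity rule.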
The AlphV threat actor claimed in a post that MGM shut down its systems after realizing the hackers were lurking around in the company’s Okta environment. Okta confirmed that MGM was one of its customers and said it was available to work with the company to respond to the recent attacks.
The attack highlights the risk to the hospitality and gaming industries, which handle a great deal of personal customer data.
“The MGM breach continues to demonstrate that for all the sophisticated security controls and technologies that organizations employ to defend themselves against hackers, the human element remains a vulnerable spot that attackers continue to target,” said Merritt Maxim, vice president, research director, security and risk at Forrester. “Social engineering attacks are not new — attackers have increased the sophistication and target systems for social engineering, especially the multifactor authentication process.”
As an organization’s IT infrastructure grows more complex, the risk extends beyond that company’s own employees to its outside business partners, according to Maxim.
The Lapsus$ breach of Okta in early 2022 involved the compromise of an outside contractor who provided customer support for the company and had access to certain systems, Maxim said.
“Social engineering attacks are not going away and will remain hard to defend,” Maxim said. “Firms that provide core identity authentication services like Okta will remain a hacking target because controlling/compromising credentials is how attackers get access to data and systems.”