MGM Resorts hack: How attackers hit the jackpot with service desk social engineering

Hotel and entertainment giant MGM Resorts were left reeling in September 2023 after a serious cyber-attack that kicked off with a fraudulent call to their Service Desk. In the days after the attack, they struggled to get systems back online after widespread outages across its famous Las Vegas properties, including the MGM Grand, Bellagio, Aria, and Cosmopolitan. The attack had led to outages of their internal networks, ATMs, slot machines, digital room key cards, and electronic payment systems. Even TV services and phone lines have been taken down, and staff are having to rely on pen and paper to deal with large queues of guests.

MGM Resorts said they suffered a $100 million hit to its 2023 third-quarter results due to the cyber-attack. The company is also facing federal lawsuits and has committed to investing up to $40 million to improve its cybersecurity measures. MGM CEO and President William Hornbuckle said that insurance should cover the losses they’d suffered, but added that they had seen a ‘staggering’ rise in cyber insurance costs. Interestingly, it has been revealed that fellow casino business, Caesars Entertainment, instead chose to pay a $15 million ransom to keep their operations afloat after also been struck by Scattered Spider in 2023.

Attack summary

  • Who was targeted: MGM Resorts
  • Attack type: Ransomware, Data exfiltration
  • Entry technique: Social engineering (vishing of service desk), Privilege escalation  
  • Impact: System outage, Operational disruption, Data breach, Federal lawsuits, Profit loss
  • Who was responsible: Scattered Spider/UNC3944 (believed to subgroup of ALPHV ransomware group) claimed responsibility on 9/12/23

How did the attack happen?

Scattered Spider (also known as UNC3944) have claimed responsibility for the attack and said they had been in MGM Resorts’ systems since 9/8/23. They’re believed to be a subgroup of the larger ALPHV ransomware group. The hackers told vx-underground that they used social engineering as an initial entry point. They were able to find an MGM Resorts employee on LinkedIn, impersonate them, and call the organization’s service desk to ask for access to their account. This suggests that they didn’t have a system to enforce end user verification at the service desk. After initial entry, they gained administrator rights and proceeded to deploy a ransomware attack.

In a statement titled ‘Setting the record straight’ posted on 9/14/23, the hacker group gave a detailed explanation of how the attack played out: “MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking on their Okta Agent servers sniffing passwords of people whose passwords couldn’t be cracked from their domain controller hash dumps. Resulting in their Okta being completely locked out. Meanwhile we continued having super administrator privileges to their Okta, along with Global Administrator privileges to their Azure tenant.

“On Sunday night, MGM implemented conditional restrictions that barred all access to their Okta (MGMResorts.okta.com) environment due to inadequate administrative capabilities and weak incident response playbooks. Their network has been infiltrated since Friday. Due to their network engineers’ lack of understanding of how the network functions, network access was problematic on Saturday. They then made the decision to “take offline” seemingly important components of their infrastructure on Sunday.

“After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing. This was after they brought in external firms for assistance in containing the incident.”

Specops analysis: What can we learn from the MGM Resorts hack?

Firstly, it’s important to note this isn’t a one-off case. MGM Resorts aren’t even the first casino group to be targeted in the last two months. We’ve seen other recent serious breaches where service desks have been targeted through social engineering – there was an eerily similar incident in 2021 with the EA Games breach.

From the information available, the key to preventing this incident was avoiding the initial access. This attack could have been avoided with better authentication protocols which would have allowed the service desk to verify that the ‘locked out employee’ was not who they claimed to be. According to the sources, the attacker was able to vish (phishing via voice call) a service desk agent without being forced to authenticate themselves via another factor.

It’s also interesting to note that the hackers claim this was not initially planned as a ransomware attack and became one due to ‘revenge for bad faith negotiation’. This shows the risk of a prolonged and escalating attack from a threat actor. In this case, it’s possible that the attackers could have been detected during their initial reconnaissance phases before they ‘went nuclear’ with the ransomware attack. Detecting common ransomware toolkits isn’t enough – organizations need a comprehensive view of their whole environment through a combination of tools, such as PTaaS, EDR, and SIEM.

Prevent initial access by enforcing end user identity verification

With Specops Secure Service Desk you can securely enforce caller verification instead of relying on insecure or “on paper” processes that are prone to human error. Secure Service Desk customers can use authentication methods that remove the opportunity for user impersonation, by requiring verification with something the user has, not just something the user or an attacker may know.

Secure Service Desk increases security with identity verification options that range from mobile or email verification codes, to commercial providers such as Duo Security, Okta, and PingID. All of the supported identity services go beyond the knowledge-based “something you know” method by requiring “something you have” such as the possession of a device.

If you want to remove the risk for social engineering at the service desk by enforcing user verification before allowing a password reset or account unlock to be completed, get in touch to see how Secure Service Desk could work in your environment.

(Last updated on November 5, 2024)

picture of author marcus white

Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.

Back to Blog

Related Articles

  • Helpdesk password reset best practices

    If your organization is currently using a self-service password reset solution, it is critical that the helpdesk staff who manage the system, and assist users, consistently follow best practices. This post will provide tips for reducing password-related calls to the helpdesk, and outline some security measures for safeguarding user accounts. Educate and direct to self-service…

    Read More
  • Evaluating Windows password recovery tools for employee self-service

    Nearly every organization, large or small has to deal with the problem of employees occasionally forgetting their passwords. Historically, a forgotten password has meant placing a phone call to the helpdesk. However, this tends to be a very poor use of helpdesk resources. The statistics vary widely, but there is a direct cost associated with…

    Read More
  • Identity verification best practices

    Identity verification must consider the level of access being granted, the type of data being accessed, and the action being performed.

    Read More