Okta: Caesars, MGM hacked in social engineering campaign

Identity management vendor Okta had previously disclosed that four unnamed customers had fallen victim to a social engineering campaign that affected victims' MFA protections.

Identity management vendor Okta confirmed that two of its customers, casino giants Caesars Entertainment and MGM Resorts, were compromised via social engineering attacks.

Las Vegas was rocked this month by a cyber attack on MGM Resorts, which affected several hotels and casinos. MGM published a statement on Sept. 11 claiming that a "cybersecurity issue affecting some of the Company's systems" had occurred, after guests reported significant disruptions with MGM resort and casino amenities. In a follow-up statement posted Tuesday night, MGM Resorts said its gaming floors and resort services were "operating normally."

In addition, Caesars confirmed an attack via an 8-K filing published Sept. 14 and said an "unauthorized actor" had stolen data in a social engineering attack targeting an outsourced IT support vendor. The company said it "recently identified suspicious activity" in its network and determined that on Sept. 7 threat actors had obtained corporate data, including a loyalty program database with members' Social Security and driver's license numbers.

Last week, cybersecurity research collective VX-Underground attributed the MGM attack to the Alphv/BlackCat ransomware gang and a threat actor known as Scattered Spider, claiming that attackers used vishing to compromise the company. Alphv later posted a statement on its data leak site taking responsibility for the attack and claiming that attackers had compromised MGM's Okta super administrator accounts.

No threat actors have publicly claimed responsibility for the attack on Caesars, which reportedly paid a $15 million ransom to attackers, according to The Wall Street Journal. Ransomware gangs do not typically name victim organizations that pay the ransom.

On Tuesday, Reuters first reported that Caesars and MGM were Okta customers. Okta told TechTarget Editorial Tuesday that Caesars and MGM were compromised in the social engineering campaign first detailed in a blog post last month. At the time, Okta said four unnamed customers had been attacked by a threat actor attempting to gain highly privileged roles in each customer tenant's environment.

An Okta spokesperson confirmed to TechTarget Editorial that Caesars was among the four victims referenced in the blog post that had been tracked between July 29 and Aug. 19. MGM, the spokesperson said, was the fifth victim of the social engineering campaign in an attack that occurred after those dates; the other three victims remain unidentified.

In its August blog post, Okta detailed the attack chain, which began with vishing calls. "In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against their IT service desk personnel, in which the caller's strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users," the vendor wrote.

Okta said the threat actors appeared to have either obtained passwords to privileged user accounts or manipulated authentication flows in the victims' Active Directory; a service desk MFA reset only helps an attacker who can already pass the first factor, so one of these had to come first. The attackers then called the IT service desk and requested a reset of the MFA factors on Okta super administrator accounts. Once that was achieved, the threat actors signed in to the administrator accounts through anonymized proxy services and used them to reset authenticators and assign higher privileges to other accounts.

The threat actors also used "novel methods of lateral movement and defense evasion," according to the blog post. This included configuring a second identity provider, controlled by the threat actors, that served as an "impersonation app": once their own IdP was federated into the tenant, the attackers could authenticate as users of the victim organization and obtain single sign-on access to its applications.
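The chain described above leaves a recognizable trail in the Okta System Log: a help-desk MFA reset that names a privileged account as its target, followed within hours by that same account signing in through a proxy, granting admin roles to another user and creating a new identity provider. The script below is an added example by this page's editor, not Okta's code or the reporting's; it correlates those stages over a constructed JSON-lines export. The event type names (`user.mfa.factor.reset_all`, `user.account.privilege.grant`, `system.idp.lifecycle.create`, `user.session.impersonation.grant`) and the `securityContext.isProxy` field follow Okta's System Log conventions, but treat them as assumptions to verify against your own tenant's export; the sample events and IDs are constructed.

```python
"""Correlate Okta System Log events for the MFA-reset -> super admin takeover chain.

Added example (not Okta's code). Event type names follow Okta System Log
conventions but are assumptions to verify against your tenant; sample data
is constructed and uses RFC 5737 / example.com identifiers.
"""
import json
from datetime import datetime, timedelta

# Stage 1: a service-desk reset of a user's factors.
MFA_RESET_TYPES = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
# Stage 2: what the reset account does next (escalation / persistence).
ESCALATION_TYPES = {
    "user.account.privilege.grant": "admin role granted to another account",
    "system.idp.lifecycle.create": "new identity provider configured (possible impersonation app)",
    "user.session.impersonation.grant": "impersonation session granted",
}
WINDOW = timedelta(hours=24)  # how long after a reset we keep watching the account

# Constructed sample in Okta System Log shape, one JSON object per line (not real tenant data).
SAMPLE_LOG = r"""
{"published":"2023-08-01T09:00:00.000Z","eventType":"user.mfa.factor.reset_all","outcome":{"result":"SUCCESS"},"actor":{"id":"00uHELPDESK01","type":"User","alternateId":"helpdesk@example.com"},"target":[{"id":"00uADMIN01","type":"User","alternateId":"admin1@example.com"}],"client":{"ipAddress":"10.20.30.40"},"securityContext":{"isProxy":false}}
{"published":"2023-08-01T09:12:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"id":"00uADMIN01","type":"User","alternateId":"admin1@example.com"},"target":[],"client":{"ipAddress":"203.0.113.45"},"securityContext":{"isProxy":true}}
{"published":"2023-08-01T09:20:00.000Z","eventType":"user.account.privilege.grant","outcome":{"result":"SUCCESS"},"actor":{"id":"00uADMIN01","type":"User","alternateId":"admin1@example.com"},"target":[{"id":"00uATTACKER02","type":"User","alternateId":"contractor7@example.com"}],"client":{"ipAddress":"203.0.113.45"},"securityContext":{"isProxy":true}}
{"published":"2023-08-01T09:35:00.000Z","eventType":"system.idp.lifecycle.create","outcome":{"result":"SUCCESS"},"actor":{"id":"00uADMIN01","type":"User","alternateId":"admin1@example.com"},"target":[{"id":"0oaIDP99","type":"IdentityProvider","alternateId":"partner-sso"}],"client":{"ipAddress":"203.0.113.45"},"securityContext":{"isProxy":true}}
{"published":"2023-08-01T10:00:00.000Z","eventType":"user.mfa.factor.reset_all","outcome":{"result":"SUCCESS"},"actor":{"id":"00uHELPDESK01","type":"User","alternateId":"helpdesk@example.com"},"target":[{"id":"00uUSER09","type":"User","alternateId":"jdoe@example.com"}],"client":{"ipAddress":"10.20.30.40"},"securityContext":{"isProxy":false}}
{"published":"2023-08-01T10:05:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"id":"00uUSER09","type":"User","alternateId":"jdoe@example.com"},"target":[],"client":{"ipAddress":"10.20.30.41"},"securityContext":{"isProxy":false}}
{"published":"2023-08-05T10:05:00.000Z","eventType":"user.account.privilege.grant","outcome":{"result":"SUCCESS"},"actor":{"id":"00uUSER09","type":"User","alternateId":"jdoe@example.com"},"target":[{"id":"00uUSER10","type":"User","alternateId":"asmith@example.com"}],"client":{"ipAddress":"10.20.30.41"},"securityContext":{"isProxy":false}}
"""


def parse_log(raw):
    """Parse a JSON-lines System Log export into events sorted by publish time."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Okta publishes UTC timestamps with a trailing Z; fromisoformat wants an offset.
        ev["_ts"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["_ts"])
    return events


def detect_reset_takeover(events, window=WINDOW):
    """Return one finding per suspicious action taken by a recently reset account.

    A successful MFA reset records its target user and time. Any later event in
    which that user is the *actor*, within `window`, is flagged as high severity
    when it is an escalation event, or medium when it came through a proxy.
    """
    resets = {}  # user id -> time of the most recent successful MFA reset
    findings = []
    for ev in events:
        etype = ev["eventType"]
        if etype in MFA_RESET_TYPES and ev["outcome"]["result"] == "SUCCESS":
            for t in ev.get("target", []):
                if t.get("type") == "User":
                    resets[t["id"]] = ev["_ts"]
            continue
        reset_at = resets.get(ev["actor"]["id"])
        if reset_at is None or ev["_ts"] - reset_at > window:
            continue  # account was never reset, or the reset is too old to matter
        via_proxy = bool((ev.get("securityContext") or {}).get("isProxy"))
        if etype in ESCALATION_TYPES:
            severity, reason = "high", ESCALATION_TYPES[etype]
        elif via_proxy:
            severity, reason = "medium", "post-reset activity via anonymizing proxy"
        else:
            continue
        findings.append({
            "user": ev["actor"]["alternateId"],
            "eventType": etype,
            "severity": severity,
            "reason": reason,
            "via_proxy": via_proxy,
            "ip": ev["client"]["ipAddress"],
            "minutes_after_reset": int((ev["_ts"] - reset_at).total_seconds() // 60),
        })
    return findings


if __name__ == "__main__":
    for f in detect_reset_takeover(parse_log(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['user']} {f['eventType']} +{f['minutes_after_reset']}m "
              f"from {f['ip']} (proxy={f['via_proxy']}): {f['reason']}")
```

Run against the constructed sample, the admin account produces three findings (a proxied sign-in, a privilege grant and an IdP creation, all within 35 minutes of its reset), while the ordinary user's reset and later, unrelated privilege grant four days on produce none. In production the same correlation key (reset target becoming actor) works regardless of which events Okta adds or renames, but the window and the escalation list should be tuned to how often your help desk legitimately resets administrators.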

When asked if Scattered Spider was behind the attack, the Okta spokesperson said the vendor was "relying on our cybersecurity partners for attribution" and that the observed behavior was consistent with Scattered Spider activity, citing third-party threat intelligence reports from Trellix, CrowdStrike and Mandiant.

Media outlets such as Reuters reported last week that Scattered Spider was behind the MGM attack. And Mandiant said last week that Scattered Spider has deployed Alphv ransomware as part of its recent threat activity.

TechTarget Editorial has contacted both MGM Resorts and Caesars Entertainment for additional comment.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.
