Strong identity security could've saved MGM, Caesars, Retool

Three cyber attacks that featured vishing led to compromised identities, data loss and the interruption of operations. Passwordless authentication could have prevented all three.

MGM Resorts, Caesars Entertainment and Retool all recently suffered ransomware attacks. The attack vector for all three? Vishing.

Like phishing and smishing, vishing is a type of social engineering attack. Phishing uses email, smishing uses text messages and vishing uses voice. In all three attacks, the aim was to convince an employee to expose their passwords or multifactor authentication (MFA) tokens. And all three attacks could have easily been prevented.

Inside the vishing attacks

The Alphv ransomware group claimed responsibility for the MGM attack, which reportedly started Sept. 7. Alphv claimed it identified target employees through LinkedIn and successfully vished an employee in 10 minutes. Once inside MGM's IT environment using the employee's stolen credentials, Alphv said it was able to access MGM's identity management infrastructure.

In what might be a self-inflicted wound, Alphv claimed MGM's response was to shut down its identity management infrastructure, leaving many internal systems incapacitated. More than a week later, MGM was still recovering from the attack.

Around the same time as the MGM attack, Caesars Entertainment in Las Vegas was attacked using almost identical techniques, presumably also by Alphv. The malicious actors exfiltrated Caesars' customer loyalty database, which included driver's license and Social Security numbers. Caesars reportedly paid a $15 million ransom to the attackers to not publicly release the data.

Developer platform Retool announced on Sept. 14 that it fell victim to a vishing attack on Aug. 27. Demonstrating the sophistication of the attackers and their depth of research, Retool said the attackers called an employee and "claimed to be one of the members of the IT team and deepfaked our employee's actual voice. The voice was familiar with the floor plan of the office, coworkers and internal processes of the company."

Despite growing suspicions, the Retool employee provided the attacker with an MFA code, enabling attackers to steal the employee's credentials. The good news is that Retool was able to identify and respond to the attack quickly enough to prevent the attacker from accessing critical data or doing any long-term damage.

Like the MGM and Caesars attacks, the goal of the Retool attack was to gain access to valid identity credentials that provided legitimate access to critical systems and sensitive data that could be exploited for financial gain.

How to thwart identity attacks

The first step to prevent social engineering attacks is to move to phishing-resistant authentication methods and eliminate shared passwords. FIDO passkeys, a new form of passwordless authentication, rely on the well-understood security properties of public key cryptography and have no known social engineering attacks against them. Okta, Ping Identity, Microsoft, CyberArk and other identity access management and identity security vendors offer passwordless authentication products, as do a plethora of third parties.

If MGM, Caesars and Retool had implemented FIDO passkeys, they would not have fallen victim to vishing attacks because the affected employees could not have been socially engineered into exposing their credentials.

The second step is to treat identity infrastructure as a critical component of IT infrastructure. Identity should have the same protection as data. For example, organizations apply the principle of least privilege access to data and should apply it to identity infrastructure as well.

Organizations impart resiliency to operations by backing up data. They should impart resiliency to identity infrastructure to backing up their identity environment. Vendors such as Acsense can help with identity infrastructure resiliency.

The third step is to change thinking and put identity security front and center as the core of any cybersecurity strategy. Attackers start with identities. Ideally, as I recently wrote, so should we -- and launch an identity revolution.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing