A Call to Strengthen Identity Security - Review of MGM Attack

Lior Tamir, Product Manager at Spera Security
December 18, 2023

There is a growing and concerning trend in which attackers focus on privileged accounts, employing creative tactics to bypass MFA and abuse features of identity providers. The ransomware attack on MGM Resorts is one such example. This recent attack exemplified how identity is the new perimeter in a cloud-forward world, requiring solutions that both prevent and detect identity-driven attacks.

Understanding the attack process:

  1. Reconnaissance
    Attackers found MGM’s Okta Super Admins: The attackers gathered information about MGM employees to pinpoint privileged users.
  2. Obtained leaked Super Admins passwords
    Attackers acquired Okta Super Admins credentials to eliminate a layer of authentication.
  3. Vishing (Voice phishing)
    Through voice phishing, the attackers tricked MGM's service desk into resetting Super Admins' MFA.
  4. Gained persistence - Attackers changed Okta configurations
    Leveraging Okta's architecture (“org2org”), the attackers created a new identity provider layer, allowing them to impersonate users in crown jewel apps.
  5. Escalated permissions
    The attackers changed privilege assignments for additional users to gain control of data and users.

What can organizations do to detect and prevent future attacks?

  1. Identify and Minimize Your Privileged Accounts:
    - Maintain an updated inventory of privileged accounts
    - Automatically identify inactive admin users
    - Identify active admin users not utilizing their roles
    - Detect admin users with excessive access
    - Create a remediation plan to remove unnecessary users, roles, and access
  2. Remove Unrotated Leaked Passwords:
    - Ensure password hygiene across all organization accounts
    - Automatically identify and correlate leaked credentials with organization accounts
    - Filter for passwords not rotated since the breach
    - Prioritize based on severity and blast radius
    - Develop and implement a remediation plan
  3. “Trust But Verify” Service Desk and IT Teams:
    - Detect deviations in MFA coverage across identities
    - Implement automated detection of MFA being turned off
    - Prioritize detection of Super Admins with unrotated passwords
    - Develop and execute a remediation plan
  4. Identify Anomalies in Identity Provider Configurations:
    - Analyze legitimate login providers for employees
    - Monitor configuration changes in the identity provider
    - Detect and alert on new login providers configured for user access
    - Identify unauthorized login providers
    - Develop and execute a remediation plan
  5. Identify New Escalated Permissions:
    - Map legitimate privileged users and admins
    - Detect deviations in privilege assignments from the established norm
    - Prioritize remediation of accounts with new, unauthorized privileges
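A small detector for the controls in points 3 to 5 (MFA turned off, a new identity provider configured, a privilege grant outside the admin baseline), written here as an added example and not Spera's product or code. It reads Okta System Log events as newline-delimited JSON; the eventType names are assumed from Okta's documented System Log, and the admin baseline and sample events are constructed.

```python
import json
# Okta System Log eventType values watched here. The names are assumed from
# Okta's documented System Log, not taken from the article.
WATCHED = {
    "user.mfa.factor.reset_all": "all MFA factors reset (service-desk reset)",
    "user.mfa.factor.deactivate": "an MFA factor removed",
    "system.idp.lifecycle.create": "new identity provider added (org2org-style)",
    "user.account.privilege.grant": "admin privilege granted",
}
# Baseline of approved Super Admins (constructed); grants to anyone else deviate.
KNOWN_ADMINS = {"alice@example.com"}

def classify(event):
    """Return a finding dict for a watched event, or None for anything else."""
    etype = event.get("eventType")
    if etype not in WATCHED:
        return None
    targets = [t.get("alternateId") for t in event.get("target", [])]
    severity = "high"
    if etype == "user.account.privilege.grant" and set(targets) <= KNOWN_ADMINS:
        severity = "info"  # re-grant to an already approved admin
    return {"eventType": etype, "actor": event["actor"]["alternateId"],
            "targets": targets, "severity": severity, "why": WATCHED[etype]}

def scan(lines):
    """Parse newline-delimited JSON events and collect findings in log order."""
    return [f for f in (classify(json.loads(l)) for l in lines) if f]

def chained_actors(findings):
    """Accounts whose MFA was reset and that then made a config change: the vishing -> persistence sequence."""
    reset, chained = set(), set()
    for f in findings:
        if f["eventType"].startswith("user.mfa.factor."):
            reset.update(f["targets"])
        elif f["actor"] in reset:
            chained.add(f["actor"])
    return chained

# Constructed sample events in Okta System Log shape (not real MGM data).
SAMPLE_LOG = [
    '{"eventType":"user.session.start","actor":{"alternateId":"carol@example.com"},"target":[]}',
    '{"eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"alice@example.com"}]}',
    '{"eventType":"system.idp.lifecycle.create","actor":{"alternateId":"alice@example.com"},"target":[{"alternateId":"partner-org2org"}]}',
    '{"eventType":"user.account.privilege.grant","actor":{"alternateId":"alice@example.com"},"target":[{"alternateId":"bob@example.com"}]}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["eventType"], f["actor"], "->", f["targets"], "|", f["why"])
    print("MFA reset followed by config change:", chained_actors(scan(SAMPLE_LOG)))
```

The chain check is what turns three individually plausible service-desk and admin actions into one high-fidelity alert: an account whose MFA was just reset should not be the one adding identity providers or granting admin rights minutes later.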

Getting ahead of the next attack

Spera provides an all-encompassing detection and prevention solution for similar security incidents:

  1. Spera’s privilege analysis and posture controls minimize the attack surface immediately.
  2. In the case of a breach, Spera detects the attacker’s steps to allow swift remediation.
  3. Spera helps security teams to “trust but verify” IT decisions, alerting only on high-fidelity critical changes.
