MGM Hackers Conned Their Help Desk – Are You Prepared?
The help desk was operated by a third party. The hackers, it is reported, conned the help desk into resetting all of the two-factor methods that protected a super-admin account.
They likely did this after phishing an employee for his or her user ID and password. They used deceptive phone calls (voice phishing) rather than emails to pull this off.
According to Okta, which issued an alert about this last month, this is a recurring scenario. In all of these attacks, the targets are the accounts of highly privileged users, because a help desk reset of MFA on such an account hands the attacker everything at once.
Once they have compromised the Okta super admin accounts, it is game over. They can create accounts, change permissions, lock others out, etc.
They can even impersonate legitimate admins inside (in this case) MGM.
The Scattered Spider gang (AKA UNC3944) claimed credit for this attack.
As we have seen many times, they use someone else's ransomware software, so they are kind of systems integrators. In this case, they are using ransomware from the ALPHV group, which is also known as BlackCat.
MGM, after they realized they had been totally owned, used the nuclear option and actually took themselves down. Whether this was a smart move or not will be the subject of many discussions over the next weeks and months.
It is thought that the hackers are based in the U.S. and/or the U.K. If this is true, they might want to lie low for a while because there are going to be a lot of FBI and MI5 folks looking for them and, unless they are really, really good, that won't end well for them. That is the downside of super high profile attacks.
Here is the critical part:
(a) Is your help desk ready for this? Is your third-party provider ready, if you have outsourced this function? Specifically, what does it take for a caller to get every MFA factor on a privileged account reset, and who is notified when that happens?
(b) Is your incident response team ready to deal with your core infrastructure (in this case, your authentication system) getting hacked? What do you do in this case?
(c) In this case the hackers attacked 100 hypervisor hosts. Granted, MGM is big and you probably don't have that many hosts, but their IT department is also much larger than yours. How long would it take you to recover if all of your hypervisors were toast?
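One concrete check for (a) and (b) is to alert, from your identity provider's logs, whenever someone other than the user resets the MFA factors on a privileged account, and to escalate when a new factor is enrolled shortly afterwards from a different address, which is the pattern described above. The script below is an added example, not code from the original article or from Okta or MGM. The event type names (user.mfa.factor.reset_all, user.mfa.factor.deactivate, user.mfa.factor.activate), the field layout, the privileged-account list and the sample log lines are all assumptions modelled loosely on the Okta System Log; the log data is constructed.

```python
"""
Detect help-desk MFA resets against privileged identity-provider accounts.

Added example for this article; not Okta's or MGM's code. The event names,
field layout, account list and log lines below are assumptions modelled
loosely on the Okta System Log, and the sample data is constructed.
"""
import json
from datetime import datetime, timedelta

# Event types that remove a user's MFA factors (assumed names).
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
# Event type for enrolling a new factor after a reset (assumed name).
ENROLL_EVENTS = {"user.mfa.factor.activate"}

# Accounts whose factors should never be reset via the help desk without
# out-of-band verification (assumed list; in practice derive it from
# membership of the super-admin group).
PRIVILEGED = {"superadmin@example.com", "okta-admin@example.com"}

# Constructed sample events, newline-delimited JSON: a help-desk reset of a
# super-admin's factors, a new factor enrolled minutes later from another
# address, an unrelated reset on a normal user, then an admin session.
SAMPLE_LOG = """
{"published":"2023-09-10T14:01:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"superadmin@example.com"}],"client":{"ipAddress":"203.0.113.5"}}
{"published":"2023-09-10T14:03:30Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"superadmin@example.com"},"target":[{"type":"User","alternateId":"superadmin@example.com"}],"client":{"ipAddress":"198.51.100.77"}}
{"published":"2023-09-10T15:20:00Z","eventType":"user.mfa.factor.deactivate","actor":{"alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}],"client":{"ipAddress":"203.0.113.5"}}
{"published":"2023-09-10T16:00:00Z","eventType":"user.session.start","actor":{"alternateId":"superadmin@example.com"},"target":[],"client":{"ipAddress":"198.51.100.77"}}
"""


def parse_events(ndjson: str):
    """Parse newline-delimited JSON log lines into event dicts, sorted by time."""
    events = []
    for line in ndjson.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def target_user(ev):
    """Return the alternateId of the first User-type target, or None."""
    for t in ev.get("target", []):
        if t.get("type") == "User":
            return t.get("alternateId")
    return None


def find_privileged_factor_resets(events, privileged=PRIVILEGED,
                                  window=timedelta(minutes=30)):
    """Flag factor resets against privileged users and correlate re-enrollment.

    Every reset of a privileged user's factors is at least 'high'. It becomes
    'critical' when the reset was done by someone other than the user and a
    new factor is activated for that user within `window` from a different
    IP than the reset came from: the help desk resets, the attacker enrolls.
    """
    alerts = []
    for i, ev in enumerate(events):
        if ev["eventType"] not in RESET_EVENTS:
            continue
        user = target_user(ev)
        if user not in privileged:
            continue
        actor = ev["actor"]["alternateId"]
        reset_ip = ev["client"]["ipAddress"]
        alert = {
            "severity": "high",
            "user": user,
            "reset_by": actor,
            "self_service": actor == user,
            "reset_at": ev["published"],
            "reset_ip": reset_ip,
            "re_enrolled_at": None,
            "re_enroll_ip": None,
        }
        # Events are sorted, so stop scanning once the window is exceeded.
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            if later["eventType"] in ENROLL_EVENTS and target_user(later) == user:
                alert["re_enrolled_at"] = later["published"]
                alert["re_enroll_ip"] = later["client"]["ipAddress"]
                if not alert["self_service"] and alert["re_enroll_ip"] != reset_ip:
                    alert["severity"] = "critical"
                break
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_privileged_factor_resets(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Run against the sample data, the reset on alice@example.com is ignored and the super-admin reset produces one critical alert naming the help-desk actor, the reset address and the address the new factor was enrolled from. In production you would feed it the real log export, derive the privileged set from group membership instead of a hard-coded list, and route critical alerts to a human who calls the account owner back on a known number before anything else happens.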
If you think that you should review your preparedness, please contact us.
Credit: Computing