Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’m looking to hire a Senior Security Software Engineer for my team. If you’re interested in building secure systems, please reach out to me and/or apply via the website!
There’s been a lot of talk about the MGM and Caesars hack, but there’s so much going on in cybersecurity in general that I haven’t had a chance to do a deeper dive until now. I do think it’s interesting to analyze major hacks to make sure we, as an industry, are focusing on our most important risks.
What happened?
This Vox article provides a good summary of what happened with the hack. Okta also issued a warning about this type of attack without naming anyone specific. The attack affected MGM, and it was later learned through an SEC filing that Caesars faced a similar breach from the same group.
The attack started with a phone call to MGM’s IT help desk in which the attackers impersonated an employee whose details they had scraped from LinkedIn. This is known as “vishing” (voice phishing): a convincing phone call used to extract credentials, or to talk a help desk into resetting them, in order to gain access to a system. Its better-known email equivalent is phishing. As a result, the attackers obtained access to a highly privileged Okta account. With that Okta access they were able to elevate privileges and remove security policies for other accounts and applications, and so move laterally across the environment. My guess is that once they obtained admin privileges in Azure, they could easily deploy their ransomware. The systems were offline for 10 days, and we learned later that Caesars was similarly attacked but chose to pay the ransom.
My thoughts
There are a few pieces to unpack here, and I’ll talk about each piece individually:
The emergence of “vishing”
Highly privileged accounts
Threat model
Prevention and mitigation tactics
To be fair, this did seem like a sophisticated attack, and casinos are an attractive target given their business. They deal with a wide range of attacks, so I do feel for them and the spectrum of threats they have to consider mitigating on a regular basis.
The emergence of “vishing”
The use of “vishing” is relatively new in my opinion, and I believe that is because it takes more effort than its email/text equivalent, phishing. With phishing, you can send out large numbers of emails in a short period of time at very low cost, and it takes only one success to gain access. That’s why it’s the most common kind of social engineering attack, and why over 90 percent of attacks are reported to start with phishing.
“Vishing” takes more effort because it requires an actual person to make a phone call. However, it tends to be more effective for now because we have limited tooling that targets this type of attack. It makes sense that more tools exist for phishing, since it is so prevalent; phishing is also easier to detect because it’s text-based, where our detection technology is better developed and more sophisticated.
My thought is that larger organizations are becoming better trained against phishing because they tend to carry more risk and tend to have more sophisticated security programs. As a result, attackers will resort to more “vishing” because there are fewer defenses against it, leading to a higher success rate. This means organizations need to start training employees against this type of attack, and in particular to give help desks procedures that never reset credentials or MFA factors for privileged accounts on the strength of a phone call alone. They also need to invest more in detecting and stopping “vishing” attacks using voice recognition and verification software, so in the short term there might be a boon in this technology. My guess is that most IT help desk software will start including features like this as part of their platform/offering.
Highly privileged accounts
It’s well known in the security community that stolen credentials are involved in over 80 percent of major breaches. However, we don’t invest 80 percent of our security effort in handling this issue. One major problem is that organizations tend to have super admin or highly privileged roles, typically assigned to high-level IT admins or security staff.
Although these roles do make it easier to debug and fix issues, they present a high risk in large, complex organizations. We should stop using org admin and super admin roles at scale. There are many potential ways to do this, such as decentralizing the privileges bundled into a super admin role. Maybe there needs to be more verification around the elevation of certain privileges, requiring multiple forms of verification through authenticated channels (I don’t believe the phone is an authenticated channel). I’m not clear what the best implementations are here, or how we get there. It’s something we as an industry should start considering. At the very least, we need to reduce the number of super admin roles that are allowed to exist at any time in an organization.
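One way to make “multiple forms of verification through authenticated channels” concrete is to gate every elevation into a super-admin role on a policy check like the one below. This is an added example, not code from the original post or from any identity vendor. The request, session and approval shapes are hypothetical; the policy constants encode the suggestions above (no approvals by phone, short-lived elevation, more than one distinct verifier, a phishing-resistant session on a managed device).

```python
"""Gate elevation into a super-admin role on multiple verifications over
authenticated channels. Added example with hypothetical data shapes."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Channels that authenticate the approver end to end. A phone call is
# deliberately absent: caller ID and a familiar voice prove nothing.
AUTHENTICATED_CHANNELS = {"webauthn_prompt", "signed_ticket_comment"}
PHISHING_RESISTANT_FACTORS = {"webauthn", "smart_card"}
APPROVAL_FRESHNESS = timedelta(minutes=15)
MAX_ELEVATION = timedelta(hours=4)
REQUIRED_APPROVERS = 2


@dataclass
class Session:
    user: str
    factor: str           # MFA factor that authenticated this session
    managed_device: bool  # device passed the org's device-trust check


@dataclass
class Approval:
    approver: str
    channel: str          # how the approval reached the system
    at: datetime


@dataclass
class ElevationRequest:
    session: Session
    role: str
    duration: timedelta
    approvals: list = field(default_factory=list)


def evaluate(req, now):
    """Return (allowed, reasons). Every failing check is listed, not just
    the first, so the requester can fix them all in one round."""
    reasons = []
    s = req.session
    if s.factor not in PHISHING_RESISTANT_FACTORS:
        reasons.append(f"session factor {s.factor!r} is not phishing-resistant")
    if not s.managed_device:
        reasons.append("session is not from a managed device")
    if req.duration > MAX_ELEVATION:
        reasons.append(f"requested {req.duration} exceeds max {MAX_ELEVATION}")
    # Count distinct approvers, excluding self-approval, stale approvals and
    # anything that arrived over a channel we cannot authenticate.
    valid = {
        a.approver for a in req.approvals
        if a.approver != s.user
        and a.channel in AUTHENTICATED_CHANNELS
        and timedelta(0) <= now - a.at <= APPROVAL_FRESHNESS
    }
    if len(valid) < REQUIRED_APPROVERS:
        reasons.append(f"need {REQUIRED_APPROVERS} approvals over authenticated "
                       f"channels, have {len(valid)}")
    return (not reasons, reasons)


# Constructed sample requests (hypothetical users and times).
SAMPLE_NOW = datetime(2023, 9, 10, 14, 0)


def sample_requests():
    now = SAMPLE_NOW
    good = ElevationRequest(
        Session("alice@example.com", "webauthn", True), "super_admin",
        timedelta(hours=1),
        [Approval("bob@example.com", "webauthn_prompt", now - timedelta(minutes=3)),
         Approval("carol@example.com", "signed_ticket_comment", now - timedelta(minutes=5))])
    phoned_in = ElevationRequest(
        Session("alice@example.com", "sms", False), "super_admin",
        timedelta(days=1),
        [Approval("bob@example.com", "phone", now),
         Approval("alice@example.com", "webauthn_prompt", now)])
    single_approver = ElevationRequest(
        Session("alice@example.com", "webauthn", True), "super_admin",
        timedelta(hours=1),
        [Approval("bob@example.com", "webauthn_prompt", now),
         Approval("bob@example.com", "signed_ticket_comment", now)])
    return {"good": good, "phoned_in": phoned_in, "single_approver": single_approver}


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, evaluate(req, SAMPLE_NOW))
```

The third sample shows why approvals are counted by distinct approver rather than by message: one person approving twice over two channels still does not meet the two-verifier requirement.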
Threat model
This hack also prompts a discussion of how we should think about threat models. It seems the casinos were most worried about hackers stealing money or tampering with gaming machines. The attackers reportedly tried to breach a slot machine and couldn’t, but in the end they caused financial harm to MGM through a different method than the one originally imagined: instead of stealing money, they caused an outage and held the data for ransom, which led to financial loss for the casino. The casinos were clear on what threats could occur, but they didn’t consider all the ways those threats could translate into financial harm.
In general, outages cause financial harm to the business, so security issues that can cause outages, whether internal or external, should be treated as risks. Traditionally, security behaves as the protector of an asset, but it needs to start thinking like a business owner, as many attackers look to disrupt businesses, not just steal information.
Prevention and mitigation tactics
Clearly, this breach was sophisticated, but there are a lot of potential prevention and mitigation tactics. Okta gave some guidance, and I alluded to some of it above. Here is a quick summary:
Phishing-resistant authentication/MFA (for example FIDO2/WebAuthn security keys), which makes stolen passwords and one-time codes insufficient to log in because the authenticator is bound to the legitimate origin
Strengthen phone verification, and help desk identity verification in general (for example, never reset MFA factors for privileged accounts on the strength of a phone request alone)
Limit the number of super admins and org admins
Require all super admins and org admins to log in from managed devices and use phishing-resistant MFA
For ransomware attacks, maintain daily backups that can be restored quickly; test those restores and run disaster recovery exercises with the infrastructure team
Set up alerts on privileged-account activity (MFA factor resets, admin role grants, policy changes, new identity providers) to allow for early detection
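As an added example (not code from the post, from Okta, or from MGM), here is a small detector over Okta System Log events for the chain described in the “What happened?” section and for the alerting point above: a help-desk MFA reset on a privileged account, followed by that account creating an identity provider, deactivating policy rules, or impersonating users. The event type names follow Okta’s System Log naming; the log lines, user names and timestamps are constructed for illustration, and `PRIVILEGED_USERS` stands in for whatever inventory of admin accounts an organization keeps.

```python
"""Flag and correlate help-desk-assisted Okta super-admin takeover signals.
Added example; sample events below are constructed, not real logs."""
import json
from datetime import datetime, timedelta

# Single-event signals worth an alert, with the description used in the alert.
SUSPICIOUS_EVENTS = {
    "user.mfa.factor.reset_all": "all MFA factors reset",
    "user.mfa.factor.deactivate": "MFA factor deactivated",
    "user.account.privilege.grant": "admin privilege granted",
    "user.session.impersonation.initiate": "admin impersonated a user",
    "system.idp.lifecycle.create": "new identity provider created (inbound federation)",
    "policy.rule.deactivate": "sign-on/MFA policy rule deactivated",
    "policy.rule.update": "sign-on/MFA policy rule changed",
}
# Actions an attacker takes once they hold the reset account.
FOLLOW_UPS = {"system.idp.lifecycle.create", "policy.rule.deactivate",
              "policy.rule.update", "user.session.impersonation.initiate",
              "user.account.privilege.grant"}
# Hypothetical inventory of privileged accounts.
PRIVILEGED_USERS = {"okta.admin@example.com"}

# Constructed newline-delimited System Log events (hypothetical tenant).
SAMPLE_LOG = """\
{"eventType":"user.session.start","published":"2023-09-10T14:00:00.000Z","actor":{"alternateId":"helpdesk@example.com"},"target":[],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.mfa.factor.reset_all","published":"2023-09-10T14:05:10.000Z","actor":{"alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"okta.admin@example.com"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","published":"2023-09-10T14:12:00.000Z","actor":{"alternateId":"okta.admin@example.com"},"target":[],"outcome":{"result":"SUCCESS"}}
{"eventType":"system.idp.lifecycle.create","published":"2023-09-10T14:20:30.000Z","actor":{"alternateId":"okta.admin@example.com"},"target":[{"type":"IdentityProvider","displayName":"attacker-idp"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"policy.rule.deactivate","published":"2023-09-10T14:25:00.000Z","actor":{"alternateId":"okta.admin@example.com"},"target":[{"type":"PolicyRule","displayName":"Require MFA for all apps"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.impersonation.initiate","published":"2023-09-10T14:30:00.000Z","actor":{"alternateId":"okta.admin@example.com"},"target":[{"type":"User","alternateId":"cfo@example.com"}],"outcome":{"result":"SUCCESS"}}
"""


def parse_events(text):
    """Parse newline-delimited System Log JSON, attaching a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(ev)
    return events


def targets_of(ev, kind):
    return [t.get("alternateId") or t.get("displayName")
            for t in ev.get("target", []) if t.get("type") == kind]


def flag_events(events):
    """Per-event alerts; severity is raised when a privileged account is
    the actor or the target."""
    alerts = []
    for ev in events:
        desc = SUSPICIOUS_EVENTS.get(ev["eventType"])
        if desc is None or ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        actor = ev["actor"]["alternateId"]
        users = targets_of(ev, "User")
        privileged = bool(set(users) & PRIVILEGED_USERS) or actor in PRIVILEGED_USERS
        alerts.append({
            "time": ev["published"],
            "severity": "high" if privileged else "medium",
            "actor": actor,
            "event": ev["eventType"],
            "description": desc,
            "targets": users or [t.get("displayName") for t in ev.get("target", [])],
        })
    return alerts


def correlate_reset_chains(events, window=timedelta(hours=1)):
    """Link an MFA reset on a privileged user to admin actions that user
    performs within the window: the shape of a help-desk-assisted takeover."""
    chains = []
    for ev in events:
        if ev["eventType"] not in ("user.mfa.factor.reset_all", "user.mfa.factor.deactivate"):
            continue
        for victim in targets_of(ev, "User"):
            if victim not in PRIVILEGED_USERS:
                continue
            follow = [e for e in events
                      if e["actor"]["alternateId"] == victim
                      and e["eventType"] in FOLLOW_UPS
                      and ev["ts"] < e["ts"] <= ev["ts"] + window]
            if follow:
                chains.append({"victim": victim,
                               "reset_by": ev["actor"]["alternateId"],
                               "reset_at": ev["published"],
                               "follow_up_events": [e["eventType"] for e in follow]})
    return chains


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in flag_events(evs):
        print(a["severity"], a["time"], a["actor"], a["description"], a["targets"])
    for c in correlate_reset_chains(evs):
        print("CHAIN:", c)
```

The per-event alerts are noisy on their own (a legitimate help desk resets factors every day), which is why the correlation step matters: a factor reset on a privileged account followed within an hour by that same account adding an identity provider or switching off an MFA rule is the pattern to page on.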
Takeaway
We are likely going to see more of these types of attacks. They aren’t technically sophisticated, but they are sophisticated in that they require thoughtful exploitation of seemingly secure processes. As technological systems become more complex, managing access and credentials is going to be more difficult and more crucial than ever. In this case, MGM used Okta to centralize access control, which was smart, but they didn’t have sufficiently secure configurations and processes around it. This is an example of how tools alone don’t provide security: we need to focus on building secure programs and processes, with tools as an important part of scaling and automating them.