MGM loses thanks to a Cyberattack

Learn about the costly and embarrassing cyberattack MGM is currently suffering, and find out how to protect yourself from the same type of attack.

Last week MGM, owners of multiple hotels and casinos in Las Vegas, suffered a crippling cyberattack that has shut down many of its operations. Slot machines, reservations, and room key systems are among the many systems affected. An analysis by Cyberark.com states that MGM "is losing as much as $8.4 million in revenue each day." Beyond the money, they are losing brand reputation. This attack is a big deal.

The attack appears to have been caused by one of their IT employees using the same credentials on multiple sites. Another, non-MGM site was breached and the employee's credentials were stolen. The hackers then used these credentials to log in to the MGM site, but they encountered multi-factor authentication (MFA: think DUO). However, the hackers were able to convince the MGM help desk to reset the MFA, probably by using the stolen password on a backup email account. It is reported that all this took was a 10-minute phone call with the MGM help desk.

The hackers were very sophisticated, as they used this compromised account to penetrate further into MGM. One of the first things they did was to create a path into MGM's Identity and Access Management (IAM) system. They then used this IAM system to create multiple other accounts in various MGM systems, including their Azure Cloud environment and MGM's virtualization systems. As MGM detected and started to respond to the attack, MGM was forced to shut down their IAM, which led to many of their systems becoming inoperable. The hackers also enlisted the support of the "BlackCat/ALPHV" ransomware group to begin encrypting HUNDREDS of MGM's virtual hosting servers, effectively shutting down thousands of servers. Between the encrypted servers failing and the shutdown of the IAM system, MGM's operations were crippled. As of this writing, MGM still has not recovered from the attack.

What lessons are in this hack for Miami faculty, staff, and students? First, do NOT use the same password on multiple sites. If one site is breached, you don't want to have those same credentials used elsewhere. The site "https://haveibeenpwned.com/" is a good place to see if your email is involved in a breach. My personal email has been in 17, yes 17, breaches. Fortunately, I use a strong password manager and never use the same password on multiple sites. Miami is using the 1Password password manager, but there are others out there. Another password manager, LastPass, has had several embarrassing issues in the last year, so be careful before using that tool for now.

Second, MFA is a very good tool for protecting your accounts, but it's not perfect. Miami has seen some examples of MFA "cramming," where attackers send multiple, unsolicited MFA requests in the hope that the user just accepts one. Don't accept random requests. Also, please be considerate of the help desk people when you call in to fix issues with your MFA. The annoying questions and processes employed are there for your protection and need to be followed.
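One way a security team could spot the request-flooding pattern described above in MFA logs, as an added example that is not part of the original article. The event format, outcome names, thresholds and the function `find_push_bursts` are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, user, outcome of an MFA push.
SAMPLE_EVENTS = [
    ("2024-01-15T02:10:05", "alice", "denied"),
    ("2024-01-15T02:10:40", "alice", "timeout"),
    ("2024-01-15T02:11:15", "alice", "denied"),
    ("2024-01-15T02:12:02", "alice", "approved"),  # accepted after a burst
    ("2024-01-15T08:59:30", "bob", "timeout"),     # one missed prompt
    ("2024-01-15T09:00:10", "bob", "approved"),    # then a normal login
    ("2024-01-15T14:00:00", "carol", "denied"),
    ("2024-01-15T14:01:00", "carol", "denied"),
    ("2024-01-15T14:02:00", "carol", "denied"),    # burst the user kept refusing
]
FAILED = ("denied", "timeout")  # assumed outcome names for pushes not accepted


def find_push_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Alert on users with >= threshold unaccepted pushes inside `window`.

    An approval right after such a burst is marked 'approved_after_burst',
    the case to follow up on first.
    """
    recent = defaultdict(deque)  # user -> times of recent unaccepted pushes
    alerts = {}                  # user -> alert record
    for ts_text, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        failed = recent[user]
        while failed and ts - failed[0] > window:
            failed.popleft()     # forget pushes older than the window
        if outcome in FAILED:
            failed.append(ts)
            if len(failed) >= threshold:
                alert = alerts.setdefault(
                    user, {"user": user, "failed": 0, "severity": "burst_refused"})
                alert["failed"] = max(alert["failed"], len(failed))
        elif outcome == "approved":
            if len(failed) >= threshold:
                alerts[user]["severity"] = "approved_after_burst"
            failed.clear()       # a successful login ends the streak
    return sorted(alerts.values(), key=lambda a: a["user"])


if __name__ == "__main__":
    for alert in find_push_bursts(SAMPLE_EVENTS):
        print(alert)
```

A single missed prompt followed by a normal login (the constructed user `bob`) stays below the threshold and raises no alert.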

Third, be careful about information you put out on the web and then use in secret questions.  From Cyberark: "With additional information collected from a high-value user’s LinkedIn profile, they hoped to dupe the helpdesk into resetting the user’s multi-factor authentication (MFA). They were successful."  Attackers are going to great lengths to find out about you and will use attacks that target you specifically.  When setting up password reset questions, don’t use the actual answers to the questions. It’s fine to say your first pet was “Gozilla 3d” or something completely different. 

MGM is suffering a costly and embarrassing cyberattack which, as usual, is the result of multiple vulnerabilities. Be diligent about proper passwords and authentication, and make it harder for hackers to target you.

References

CyberArk. (n.d.). The MGM Resorts Attack: Initial Analysis. https://www.cyberark.com/resources/blog/the-mgm-resorts-attack-initial-analysis

Thumbnail from Center for Cybersecurity webpage: Ransomware by Nick Youngson CC BY-SA 3.0 Pix4free