Would Have, Could Have, Should Have: Dissecting the 2023 MGM Hack
In late 2023, MGM Resorts experienced the beginning of a ransomware cyberattack that would cost them nearly $100M USD. The multi-stage attack was launched by ShatteredSpider, a subgroup of AlphV, and progressed quickly from infiltration to exploitation. By taking advantage of social engineering tactics, injection, and inadequate security practices, ShatteredSpider pulled off one of the highest profile attacks in years. And it didn’t have to happen.
The MGM Attack
In the first phase of the attack, ShatteredSpider (who recently had a 17-year-old member arrested in connection with the MGM hack) used LinkedIn to gather information about an MGM employee and then impersonated that employee on a call to MGM’s IT helpdesk. Using that access, ShatteredSpider was able to convince the helpdesk to grant them access, bypassing every existing security control. The attackers then quickly established persistence, installed sniffers, and exfiltrated key admin credentials for Azure, Windows, and Okta. MGM was, at this point, a very securely stuck fly in ShatteredSpider’s web. Because the credentials had already been exfiltrated, MGM’s subsequent attempt to stop the cyberattack by shutting down critical infrastructure was too little, too late.
As soon as services came back online, ShatteredSpider was able to use the exfiltrated credentials and persistence to attack their main objective. They identified critical MGM business services running on VMware with 100 ESXi Hypervisors. Hitting this one target caused massive disruption to their hotel reservation systems, gambling, slot machines, digital key room access, and so much more - achieving their desired outcome. Having established Internet communication to their cloud services, they exfiltrated MGM customer data/PII, and deployed ransomware to 100 ESXi VMware Hypervisors: MGM’s entire Virtual Server and some virtual desktop environments. That, kids, is the ballgame.
Rewriting a Successful Attack
Learning the right lessons after a cyberattack is an important part of both remediation and preparation for the next attack. When a high-profile attack like MGM happens, the entire cybersecurity industry gets the chance to analyze, dissect, and ultimately battle game the attack to see what would have worked and what wouldn’t. Everyone should be admitting the same thing about the first phase of the attack: there is not a policy in place, a training you could give, or a tool available that can remove the human element from an attack. The tools malicious actors use are complex, effective, and malleable. With the rise of AI, they’ve only become more dangerous. AI voice and video impersonations are an excellent example of this danger.
Initial infiltration was just step one. The real battle took place in the hours and days following the vishing. The attackers installed sniffers and compromised critical infrastructure. The strategy of ‘detect and respond’ falls short here: how much time does it take to detect an attack and how much more time does it take to adequately respond?
It’s during that ‘detect and respond’ period that Deep Instinct could have been a difference maker, not just slowing the attack, but preventing it altogether. ShatteredSpider were smart about their attack. The payload was delivered directly to the hypervisor layer; it wasn’t staged on end points, in storage, or delivered via email, thus avoiding several detection and prevention layers. This leaves two points to prevent the attack: the hypervisor layer and the internet delivery. In our tests, Deep Instinct was able to secure both points.
Deep Instinct EPP running on the hypervisor layer detected and quarantined the payload before it could execute. Similarly, Deep Instinct Prevention for Applications (DPA) integrated into the internet layer via API or ICAP would have also prevented the payload.
Debrief, DIANNA, Do-Over
MGM lost control of their situation the moment the social engineering attack was successful. Their lack of hypervisor partition, secondary credentials, scanning capabilities, and other industry-standard security controls meant that once the attackers had established persistence and exfiltrated admin credentials they would have free run of the place. Having those defenses would have at least hardened MGM as a target but they would not necessarily have prevented the attack completely.
Unfortunately, much of the cybersecurity industry’s value-prop isn’t true prevention, it’s disaster mitigation. The biggest success of most tech stack configurations would be that they stopped the bleeding. This cybersecurity philosophy can be cynically distilled into one key question: How much are you willing to lose? At a large enterprise like MGM, even successfully defending against a cyberattack can be costly.
Where Deep Instinct makes a difference is the focus on prevention. Barring the human element that allowed access to critical infrastructure, Deep Instinct DPE and DPA would have prevented the actual substantive parts of the MGM attack. The bleeding didn’t have to happen, and the “success” of only a small number of accounts being affected didn’t have to happen. The malicious payload used in the MGM attack could have been immediately caught, quarantined, and deleted pre-execution when scanned by Deep Instinct. Using DIANNA, MGM could have immediately figured out why the payload was caught and deleted.
DIANNA, our generative AI powered cybersecurity companion, was able to tell us nearly instantly (okay, seven seconds) in real language why the Alphv ransomware was malicious, including the markers it used to make that determination. In short order we had both stopped the attack and developed a framework for investigating the attack. In addition to stopping the attack, there are other key benefits for some groups:
SOC Teams: In terms of both efficacy and stress, SOC teams are a main beneficiary of effective prevention-first cybersecurity. Given rising rates of burnout among SOC professionals, tools that support their mission are invaluable. Read more about the rates of burnout among SOC professionals in our 2024 Voice of SecOps report.
MGM: Better cybersecurity reduces organizational risk and increases confidence. A prevention-first approach eliminates the death-by-a-thousand-cuts damage to organizational reputation and budget caused by the current cybersecurity paradigm.
MGM Customers: Having personal data stolen is incredibly dangerous for consumers and puts them at risk for fraud, identity theft, and other targeted attacks. Not allowing a breach to occur at all increases confidence and mitigates the legal and personal ramifications of allowing personal data to be stolen.
Novelty is a weapon. Most of the time it’s a very effective one. The introduction of deepfakes has revolutionized social engineering attacks. Malicious AI has similarly revolutionized cyberattacks. There are more methods than ever for bad actors to gain access to secure systems. AI-powered mutations allow attacks to constantly refresh and renew themselves in novel ways to evade existing cybersecurity. To keep up, defenders need tools that make them equally responsive.
Get a demo to see the power of a prevention-first approach for yourself.