MGM, Caesars Hacks: More of the Same Is Coming Your Way–But Here’s How to Stop It

Javed Shah

Given the stunning success of the recent hacks at MGM and Caesars, it’s a safe bet what happened in Vegas won’t stay there for long. Even though technology to prevent such breaches is readily available, there’s every reason to believe large organizations in any number of sectors could soon face a rude awakening.

Success breeds success, after all. It also inspires copycats. The attacks on Caesars Entertainment and MGM Resorts International in early September appear to have been perpetrated by a group of teenagers and young adults that employs simple social engineering techniques to infiltrate corporate systems for fun and serious profit.

Dubbed “Scattered Spider” by some security analysts and UNC3944 or “Muddled Libra” by others, the group of Gen-Z threat actors is believed to have pulled off a series of cryptocurrency heists before breaching and then extorting Western Digital and other technology firms over the past few years. Reuters reports the group has been implicated in 52 attacks spanning multiple industries worldwide since 2022.

Specifics in the casino breaches are still emerging. However, it appears that operatives in the MGM attack used LinkedIn profile information to impersonate a resort employee in “vishing” calls to an outsourced IT support vendor, requesting access to the employee’s corporate accounts after getting “accidentally” locked out. After gaining entry, the hackers gained super administrator rights to MGM’s Okta environment. They even configured a second identity provider to bypass multi-factor authentication (MFA) and impersonate highly privileged users within the corporate systems.

In a word: diabolical, especially for a group of suspected 17- to 22-year-olds. But as the Washington Post reports, Scattered Spider’s Vegas jackpot also represents a troubling new escalation in the group’s MO. The hackers threw the company into utter chaos by deploying crippling ransomware from notorious Russian cyber gang ALPHV into MGM’s systems. Ten days into the breach, MGM was still struggling to repair corporate email, restaurant reservation systems, hotel booking operations, slot machines, and digital keycard access at its Aria, Bellagio, and MGM Grand properties. There’s little reason to believe Scattered Spider isn’t already scouting new prey.

Gaming the System: Harvesting Passwords, Short-Circuiting MFA

Ransomware attacks are nothing new, of course. Last year, more than 620 million ransomware attacks worldwide cost victims more than $30 billion. According to Verizon’s 2023 Data Breach Investigations Report, 74% of breaches stem from credentials stolen through phishing, vishing, and SIM-swapping attacks.

Indeed, stolen passwords are implicated in up to $25 million in average losses suffered by a third of all businesses that have fallen victim to cyberattacks over the last 36 months. When an account takeover (ATO) leads to a data breach, it can mean an average additional cost of $9.5 million per incident for US-based companies. ATOs account for more than $300 million in losses annually. And as the Washington Post points out, Scattered Spider and its Eastern European business partners could worsen matters in coming weeks.

For one thing, you have financially motivated, English-speaking hackers with a proven talent for pulling off social engineering and data exfiltration schemes. Now add the Russian “ransomware-as-a-service” operatives believed to be behind the Colonial Pipeline attack and an underworld network as technologically sophisticated as any modern enterprise.

Mix in plentiful targets with outsourced IT support and call center operations crewed by untrained, often short-term employees vulnerable to vishing. And sprinkle in emerging, AI-powered phishing and vishing tactics and automated credential-stuffing technologies. Put it together, and far too many organizations in health care, telecom, government, financial services, and other sectors may be vulnerable to an emboldened Scattered Spider and copycat groups. The good news: Organizations can quickly deploy effective defenses. But they’d better move fast.

No More Rolling the Dice with Outdated Forms of MFA

According to a recent survey from Google and Ipsos, a successful data breach can erode customer trust by as much as 44%. As the MGM and Caesars breaches so vividly illustrate, legacy forms of multifactor authentication (MFA) won’t cut it anymore. Cybercriminal organizations like Scattered Spider have clearly developed inventive ways to acquire login credentials and circumvent things like one-time passcodes and limited biometric authentication systems designed to confirm the legitimate user is attempting to access their account.

The problem: Traditional forms of MFA are built around login passwords and a device instead of the identity of the person accessing an account. Even with Windows Hello for Business (WHfB) and Okta Verify Authenticator, anybody with administrative access can register things like user biometrics to any device they can access—or set up an alternative identity provider to bypass authentication measures altogether.

For some business applications, that may not be a significant risk. But it still leaves the door open to account compromise that puts IT and security teams in reactive mode against data breaches and ransomware after access to systems has already been granted. Fortunately, a new generation of strong, non-phishable biometric identity solutions is changing all that.
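As an added illustration of the check a defender would want for the weakness described above (this is not code from the article or from 1Kosmos): a small Go review of Okta-style System Log records that flags a successful admin privilege grant and the creation of a new identity provider, the two changes that let an attacker bypass MFA for the whole tenant. The event type names and field names follow Okta's System Log schema as I understand it and should be checked against your own tenant's event catalog; the log lines themselves are constructed for the example.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)
// Event is the subset of an Okta System Log record this check reads. The field names
// (eventType, actor.alternateId, outcome.result, client.ipAddress, target) follow
// Okta's LogEvent shape as I understand it; verify them against your tenant.
type Event struct {
	EventType string `json:"eventType"`
	Actor     struct{ AlternateID string `json:"alternateId"` } `json:"actor"`
	Outcome   struct{ Result string `json:"result"` } `json:"outcome"`
	Client    struct{ IPAddress string `json:"ipAddress"` } `json:"client"`
	Target    []struct{ DisplayName string `json:"displayName"`; Type string `json:"type"` } `json:"target"`
}
// watched lists the tenant-level changes that matter here: an admin privilege grant and
// a new identity provider being wired into the org (event type names per Okta docs, as recalled).
var watched = map[string]string{
	"user.account.privilege.grant": "admin privilege granted",
	"system.idp.lifecycle.create":  "new identity provider added (MFA bypass path)",
}
// Alert is one finding: who did it, from where, why it matters, and what was changed.
type Alert struct{ Actor, IP, Reason, Target string }
// Review scans newline-delimited System Log JSON and returns one alert per successful
// watched event; failed attempts are skipped because they did not change tenant state.
func Review(ndjson string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil { continue }
		reason, hit := watched[ev.EventType]
		if !hit || ev.Outcome.Result != "SUCCESS" { continue }
		target := ""
		if len(ev.Target) > 0 { target = ev.Target[0].DisplayName }
		alerts = append(alerts, Alert{ev.Actor.AlternateID, ev.Client.IPAddress, reason, target})
	}
	return alerts
}
// sample is constructed for this example; it is not a real tenant's log.
const sample = `
{"eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"helpdesk@example.com"},"client":{"ipAddress":"203.0.113.10"},"target":[]}
{"eventType":"user.account.privilege.grant","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"helpdesk@example.com"},"client":{"ipAddress":"203.0.113.10"},"target":[{"type":"User","displayName":"J. Doe"}]}
{"eventType":"system.idp.lifecycle.create","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"jdoe@example.com"},"client":{"ipAddress":"198.51.100.7"},"target":[{"type":"IdentityProvider","displayName":"Backup SAML"}]}
{"eventType":"system.idp.lifecycle.create","outcome":{"result":"FAILURE"},"actor":{"alternateId":"jdoe@example.com"},"client":{"ipAddress":"198.51.100.7"},"target":[{"type":"IdentityProvider","displayName":"Backup SAML 2"}]}
`
func main() { for _, a := range Review(sample) { fmt.Printf("%+v\n", a) } }
```

Both alerts in the sample should page someone immediately: a privilege grant from a help-desk account followed minutes later by a new identity provider created by the newly elevated user is exactly the sequence the article describes.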

Enter: “Liveness”-based Biometric Authentication

With traditional forms of MFA becoming so unreliable as a means of identity verification, modern forms of biometric authentication are helping to set a new standard for security and convenience. Solutions certified to FIDO2, iBeta biometrics, and NIST 800-63-3 standards, for instance, use “live” biometric markers tied to a registered identity to provide reliable, strong authentication impervious to account takeover.

These modern biometric solutions offer machine-verified identity proofing against government-issued credentials (driver’s license, state ID, passport, etc.) and enable non-phishable multi-factor authentication when users log in to digital services.

1Kosmos BlockID, for instance, uses the private key of a public-private key pair held on the user’s device as the possession factor (i.e., “what you have”), while a live facial scan serves as the inherence factor (“what you are”). To access a site, app, or system, a live image scan is compared with the image captured at the time of enrollment. If they match, the person authenticating is confirmed to be the authorized user, and not a bot, deepfake, or impostor, with 99.9% accuracy.
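To make concrete why a device-bound key pair answering a fresh challenge is non-phishable, here is an added, simplified Go model (not 1Kosmos code and not how BlockID is implemented): the device signs the origin it actually talked to together with a one-time challenge, so an assertion obtained through a look-alike site, or replayed later, fails verification at the relying party. The names RP, deviceSign, login.example.com and the user alice are invented for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Assertion is the login proof. In this simplified model the device signs the hash of
// the origin the browser reported plus the one-time challenge from the relying party.
type Assertion struct { OriginHash [32]byte; Challenge, Signature []byte }
// deviceSign stands in for the enrolled key pair the article describes: the private
// key never leaves the device, and it only ever answers a challenge for an origin.
func deviceSign(priv ed25519.PrivateKey, origin string, challenge []byte) Assertion {
	h := sha256.Sum256([]byte(origin))
	return Assertion{h, challenge, ed25519.Sign(priv, append(h[:], challenge...))}
}
// RP is the relying party: public keys captured at enrollment and unconsumed challenges.
type RP struct { origin string; pubKeys map[string]ed25519.PublicKey; pending map[string][]byte }
func (rp *RP) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand; error check omitted for brevity
	rp.pending[user] = c
	return c
}
// Verify rejects a replayed or unknown challenge, an assertion signed for a look-alike
// origin (the phishing-relay case), and any signature not made by the enrolled key.
func (rp *RP) Verify(user string, a Assertion) bool {
	want, pub := rp.pending[user], rp.pubKeys[user]
	if want == nil || pub == nil || string(want) != string(a.Challenge) {
		return false
	}
	delete(rp.pending, user) // each challenge is single use
	return a.OriginHash == sha256.Sum256([]byte(rp.origin)) &&
		ed25519.Verify(pub, append(a.OriginHash[:], a.Challenge...), a.Signature)
}
// Scenarios reports whether the RP accepts a legitimate login, a login relayed through
// a look-alike phishing site, and a replay of the first assertion: true, false, false.
func Scenarios() (legit, phished, replayed bool) {
	rp := &RP{"login.example.com", map[string]ed25519.PublicKey{}, map[string][]byte{}}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rp.pubKeys["alice"] = pub // enrollment binds the device key to the account
	first := deviceSign(priv, rp.origin, rp.Challenge("alice"))
	legit = rp.Verify("alice", first)
	phished = rp.Verify("alice", deviceSign(priv, "login.example.com.evil.test", rp.Challenge("alice")))
	replayed = rp.Verify("alice", first)
	return
}
func main() { fmt.Println(Scenarios()) }
```

Contrast this with a one-time passcode, which is a bare secret the user can be talked into reading out over a vishing call: nothing in the code above can be relayed to another origin or reused.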

This technology is widely available and supports a consistent onboarding and authentication experience into all apps, devices, systems, and environments—including existing privileged access management systems. Any organization can stop phishing, ransomware attacks, and data breaches before hackers can infiltrate accounts. Scattered Spider simply provided an urgent new reason to stop gambling with security now.

To learn more about 1Kosmos BlockID, the only NIST, FIDO2, and iBeta biometrics-certified platform on the market, click here.

Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty-year career designing and building blockchain and identity management solutions. He has led large customer-facing pre-sales teams and led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.