GGB Magazine November 2023 | Page 28

appeared identical to their legitimate sites. And because many of these companies rely on Okta, all of these login pages look very similar, perhaps with just the company logo swapped out, making it relatively easy for the attackers to reuse a fake login page on many different target domains.
When the employee submits his or her credentials, the server immediately transmits that information to the attackers, including two-factor codes (those annoying SMS or Google Authenticator digits), which the attackers use in real time to easily gain secure access to the legitimate site. Additionally, threat intelligence service Mandiant notes that the group also persistently calls company help desks to initiate password resets that it can intercept. Once inside, the attackers launch a number of infiltration tools to breach additional systems and get closer to the most valuable data and assets.
Okta keeps being mentioned. What is it, and should it be avoided?
Okta is a cloud service company that handles login and identity management. Many companies use it internally for employee login and authentication. In short, Okta handles login screens, password management and application permissions.
Because security and authentication are difficult problems, outsourcing is often a good idea: Okta’s experts, who are entirely focused on this one area, are certain to have a more secure authentication flow than one you’d build in-house. The problem is that, because Okta is so widely used, any tiny exploit is a master key into hundreds of company networks, so adversaries spend enormous amounts of time and effort finding any flaw in Okta’s systems.
Still, because these attacks relied initially on obtaining legitimate credentials via social engineering, it would not be accurate to say that Okta itself was compromised; rather, some of the enterprise configurations were not optimized for maximum protection against these types of attacks.
What could the casino operators have done to prevent these attacks?
Clearly, after more than a year of attacks by the same group using similar methods, knowledge about Scattered Spider and its methods was available. Whether anyone in infosec at Caesars, MGM or their partners was familiar with the group is unknown, but it demonstrates the importance of monitoring threats across all industries and never assuming an attack won’t evolve to come after you, especially when one of your primary assets is a very large and detailed patron database.
Importantly, as I wrote in GGB in 2020, the casino industry must end its practice of keeping silent about any and all cyberattacks. The detailed reports produced by Twilio, Cloudflare, Coinbase and Reddit certainly helped other companies recognize similar attacks, allowing them to fend off, or reduce the severity of, those attacks.
By contrast, Caesars didn’t produce any report or public statement, and its hack was a secret until journalists began speaking to sources as a result of the MGM disruption. It is entirely plausible to believe that had Caesars published a comprehensive report detailing the attack on its network, MGM could have amplified its security to be on high alert for specific social engineering tactics, and possibly prevented its hack altogether.
Although Caesars and MGM are competitors, professional ethics dictate sharing information about external threats. Casinos share information among security teams about individual criminals, cheaters and fraud schemes, and their credit departments share information about bad debtors. Refusing to share information about cyberthreats is simply irresponsible.
What is the impact on customers?
Truthfully, it’s unlikely any of us will ever know. Because the casinos won’t speak out, we really don’t know what data the attackers were able to access or steal. Casinos require customers to offer up their driver’s licenses (with photo, birthdate, address, height, weight, etc.) and private PIN numbers (which often match the customer’s banking PIN) to participate in their loyalty programs. In return, they should owe those customers full transparency when such information has been breached or stolen.
Unfortunately, no state gaming regulators have held the casinos accountable. As of the writing of this article, the Nevada Gaming Control Board has not released any public statement about either incident, except to say on X.com that it is “monitoring the cybersecurity incident with MGM Resorts.” The bottom line is that customers of either company should assume that their private information will probably be sold to adverse actors on black markets, if it hasn’t been already.
How should the different responses from Caesars and MGM be evaluated?
While most information surrounding these incidents is unverified, the widespread belief is that Caesars quickly paid a large ransom (supported by reporting from Bloomberg) while MGM did not. And because Caesars’
NOVEMBER 2023 www.ggbmagazine.com 15