The threat actors believed to be behind last week’s MGM Resorts and Caesars Entertainment cyberattacks now say they were able to breach MGM’s systems by getting into the company’s Okta platform (by a method they have not explained), specifically the Okta Agent, the lightweight client that connects Okta to an organization’s Active Directory.
Okta is a popular identity and access management (IAM) provider for the cloud.
“MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking in their Okta Agent servers sniffing passwords of people whose passwords couldn’t be cracked from their domain controller hash dumps,” ALPHV wrote on its leak site, in a statement that Emsisoft researcher Brett Callow tweeted out. “This resulted in their Okta being completely out.”
The ALPHV statement added that after lurking around Okta for a day and scooping up passwords, the threat group launched ransomware attacks against more than 1000 ESXi hypervisors on Sept. 11, “… after trying to get in touch [with MGM] but failing.”
The ransomware group made it clear that MGM Resorts isn’t negotiating with it, and is threatening further action if a financial arrangement is not made.
“We still continue to have access to some of MGM’s infrastructure,” the ALPHV statement said. “If a deal is not reached, we shall carry out additional attacks.” The group also said it would release the data it exfiltrated to Troy Hunt of Have I Been Pwned, to responsibly disclose if he chose to do so.
ALPHV (aka BlackCat) is the ransomware-as-a-service (RaaS) operator that provided the threat group Scattered Spider with the malware and support services used to pull off the casino cyberattacks.
Okta’s August Warning About Social Engineering Attacks
It’s not clear how the hackers managed to access Okta Agent. But for its part, Okta seemed to be aware of a potential risk for attacks, posting an alert on Aug. 31 to warn customers about attempts on Okta systems to gain highly privileged access through social engineering.
“In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against their IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users,” Okta warned. “The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization.”
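The pattern Okta describes above has two observable steps in an Okta tenant’s System Log: a service-desk-initiated reset of all MFA factors for a highly privileged account, followed by that account creating or changing an identity provider (the federation feature abused for impersonation). The following is an added example, written for this article and not Okta’s own detection logic, of a small correlation check over System Log events. It assumes the event type strings follow Okta’s System Log naming (`user.mfa.factor.reset_all`, `user.mfa.factor.deactivate`, `system.idp.lifecycle.create`, `system.idp.lifecycle.update`) and the `published`/`actor`/`target`/`outcome` field layout; the log lines, account names and privileged-user watchlist are constructed for the example.

```python
"""Added example: correlate MFA factor resets on privileged Okta accounts with
subsequent identity-provider (federation) changes by the same account.
Not Okta's own detection; event type names are assumed to follow Okta System
Log naming, and all sample data below is constructed."""
import json
from datetime import datetime, timedelta

# Assumed Okta System Log event types (treat as assumptions, verify in your tenant).
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
FEDERATION_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.update"}

# Constructed watchlist: accounts holding Super Administrator (or comparable) roles.
PRIVILEGED_USERS = {"admin.alice@example.com"}

# Constructed sample log, newline-delimited JSON in System Log field layout.
SAMPLE_LOG = """
{"published": "2023-09-10T09:00:00.000Z", "eventType": "user.mfa.factor.reset_all", "actor": {"alternateId": "helpdesk.bob@example.com"}, "target": [{"type": "User", "alternateId": "admin.alice@example.com"}], "outcome": {"result": "SUCCESS"}}
{"published": "2023-09-10T09:05:00.000Z", "eventType": "user.session.start", "actor": {"alternateId": "admin.alice@example.com"}, "target": [], "outcome": {"result": "SUCCESS"}}
{"published": "2023-09-10T09:40:00.000Z", "eventType": "system.idp.lifecycle.create", "actor": {"alternateId": "admin.alice@example.com"}, "target": [{"type": "IdentityProvider", "displayName": "Partner SAML (constructed)"}], "outcome": {"result": "SUCCESS"}}
{"published": "2023-09-10T12:00:00.000Z", "eventType": "user.mfa.factor.reset_all", "actor": {"alternateId": "helpdesk.bob@example.com"}, "target": [{"type": "User", "alternateId": "staff.carol@example.com"}], "outcome": {"result": "SUCCESS"}}
"""


def parse_events(raw):
    """Parse NDJSON events and sort them by publish time (ISO 8601 with 'Z')."""
    events = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def target_users(ev):
    """Logins of User-type targets of an event (the accounts acted upon)."""
    return {t.get("alternateId") for t in ev.get("target", []) if t.get("type") == "User"}


def detect(raw, privileged, window_minutes=60):
    """Return alerts for (1) any successful MFA reset of a privileged account and
    (2) a federation (IdP) change made by that account within window_minutes
    of its reset. Resets of non-privileged users produce no alert here."""
    alerts = []
    reset_times = {}  # privileged user -> time of most recent MFA reset
    for ev in parse_events(raw):
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        etype = ev["eventType"]
        actor = ev["actor"]["alternateId"]
        if etype in MFA_RESET_EVENTS:
            for user in target_users(ev) & privileged:
                reset_times[user] = ev["_ts"]
                alerts.append({"rule": "privileged_mfa_reset", "user": user,
                               "by": actor, "at": ev["published"]})
        elif etype in FEDERATION_EVENTS and actor in reset_times:
            if ev["_ts"] - reset_times[actor] <= timedelta(minutes=window_minutes):
                alerts.append({"rule": "federation_change_after_reset", "user": actor,
                               "event": etype, "at": ev["published"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, PRIVILEGED_USERS):
        print(alert)
```

Run against the constructed log, the check raises two alerts for admin.alice@example.com (the reset by the help desk, then the IdP creation 40 minutes later) and none for staff.carol@example.com, whose reset is outside the privileged watchlist. The first rule alone is worth paging on; the second is the higher-confidence signal, since a fresh MFA enrollment followed by a new inbound identity provider is exactly the sequence the advisory describes.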
Okta has also been very public about its relationship with MGM, working with the hospitality company to provide the “building blocks to the ultimate guest experience” according to its website.
Okta did not respond immediately to requests for comment from Dark Reading.
New Wave of MFA Abuse Likely
Worryingly, this could be the first in a new wave of cyberattacks targeting high-privilege users, according to Callie Guenther, senior manager of threat research at Critical Start. Okta is, after all, already a popular target among cybercrime actors.
“Okta, given its centrality in many organizations’ IAM strategies, is naturally an appealing target,” Guenther says. “The key is not to view these systems as inherently flawed, but to recognize the importance of robust security hygiene, continuous monitoring, and the rapid sharing of threat intelligence.”
The real issue isn’t Okta itself, according to Aaron Painter, CEO of Nametag, a provider of helpdesk cybersecurity tools. Rather, it’s simply the fact that MFA is designed to identify devices rather than people.
“This vulnerability is not unique to MGM nor Okta; it’s a systemic problem with multi-factor authentication,” Painter says. “MFA verifies devices, not people. It lacks secure enrollment and recovery — two moments when you need to know which human is being authenticated. This is a known problem, which MFA wasn’t built to address.”
This is a developing story.