Alchemy Blog

The MGM Hack: What Went Wrong This Time?

MGM Resorts International has once again fallen victim to a monumental cybersecurity hack. Reports state that the hacker crew Scattered Spider (UNC3944), which appears to be affiliated with the BlackCat (ALPHV) ransomware crew, has exfiltrated roughly six terabytes of data from the casino goliath. The exact ransomware strain is still being debated, but several respected cybersecurity outfits, including IBM’s X-Force, claim a variant of the Sphynx encryptor was used in the crime. Full details on the hack have yet to be released, and what is available is murky at best. However, a few essential details speak volumes about MGM’s lack of Incident Response playbooks and its inability to appropriately mitigate cyber risk. A series of well-known attack vectors associated with Okta’s SCIM protocol, combined with social-engineering tactics and ineffective administrative security practices, led to Scattered Spider’s successful attack. MGM currently has over 100 ESXi hypervisors locked up by the ransomware strain, plus a fully compromised Azure tenant. Additionally, multiple malicious accounts with super- and global-administrator privileges run rampant throughout MGM’s domains.

As a trained and certified Ethical Hacker with over 10 years of experience in the field, I have participated in multiple social engineering campaigns along with Red/Blue/Purple Team operations for various three-letter government agencies, including the DoD and NSA. Speaking from personal experience, I can state with a high level of confidence that, despite the wealth of security training unceasingly inundating our thoughts, exploits and hacks are getting easier year over year. Unfortunately, this isn’t MGM’s first experience with epic compromises. In 2020, roughly 142 million MGM customer-related documents were leaked online and later sold on the darknet for a little under $3,000. Can an old dog be taught new tricks? The discussion that follows is broken into two primary pillars, each weighing heavily on the Tactics, Techniques, and Procedures (TTPs) employed by the threat actor crew.


Social Engineering

MGM’s shortcomings begin with a simple social engineering tactic referred to as “Impersonation.” The specifics have apparently been withheld from the public domain, but reports state that Scattered Spider manipulated unsuspecting IT administrators into resetting a user account, which in turn opened the door to privileged account escalation. One can probably infer the meaning of “Impersonation,” but for argument’s sake we will establish what social engineering is and a few of the more popular strategies used by threat actors.

Social engineering is the subtle art of manipulation and deception, employed by individuals for the purpose of exploiting human psychology. Its primary objective is unauthorized access to secure spaces and information systems that would otherwise be unobtainable. Because it relies on psychological manipulation rather than blunt brute force, it is a potent threat to cybersecurity and personal privacy that demands unrelenting respect.

Common Social Engineering TTPs include:

  • Phishing/Smishing: Sending fraudulent emails or SMS messages that appear legitimate in order to deceive and compromise trusted organizations or individuals.

  • Baiting: Offering something of value, such as a free download or USB drive, that carries malicious code wrapped in a seemingly innocuous Trojan horse.

  • Impersonation: Posing as an authority figure to intimidate or pressure individuals into divulging information or complying with demands.

There are far too many measures for mitigating social engineering attacks to list here, but a few of the more popular and practical approaches to prevention are:

  • Education & Situational Awareness: Knowledge is power. Arguably the most critical component: continuous training that builds applied muscle memory is fundamental to success.

  • Identity Verification: Repeated and regular verification of identity through something you know (a password), something you have (a Common Access Card), and something you are (biometrics), especially when a request seems unusual or urgent.

  • Suspicious Activity Reporting: Encourage a culture of reporting any suspicious incidents to the appropriate authorities or IT/security teams.

By staying informed, vigilant, and cautious, individuals and organizations can significantly reduce the risk of falling victim to social engineering attacks and safeguard their sensitive information and assets.


Identity/Privileged Access Management (I/PAM)

Exploiting vulnerabilities identified in Okta’s password-management protocols, the hacker outfit seamlessly corrupted the password-sync processing between Active Directory and Okta, permitting password interception. Additionally, once Scattered Spider owned all administrative rights to MGM’s Okta Sync servers, MGM was left with no choice but to shut them all down. Unfortunately, the result is significant collateral damage to all business operations and user accounts that depend on MGM’s Okta platforms. Identity & Privileged Access Management (I/PAM) is a cybersecurity practice that involves controlling, monitoring, and securing access to critical systems, data, and accounts with elevated privileges, safeguarding against insider threats and external attacks by limiting access to authorized personnel only. Organizations can therefore drastically reduce the negative impact of cyber-attacks by executing a solid I/PAM program.

Minimum requirements to uphold I/PAM effectively:

  • Enforce Least Privilege: Assign minimal access rights necessary for each user or system to help reduce the risk of unauthorized actions.

  • Implement Strong Authentication: Require multi-factor authentication (MFA) and one-time passwords (OTP) for all privileged access to help ensure only authorized individuals gain entry.

  • Monitor and Audit Activity: Continuously monitor privileged access, log all actions, and promptly investigate any suspicious or unauthorized activity.

Okta I/PAM Best-Practice Hygiene:

  • Never export your master Okta passwords

  • Review logs and alert data that indicate changes to SCIM configurations and/or elevated privileges

  • Utilize Okta FastPass for a passwordless login experience
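As an added example (not code from the original post, nor Okta’s), the log review called for above and the impersonation chain described under Social Engineering (help-desk reset, then privilege escalation) can be turned into two checks over Okta System Log records: a password/MFA reset followed within a window by a privilege grant involving the same account, and any change to app-provisioning (SCIM) configuration. The event-type names, the record shape and the sample log are assumptions constructed for this example and should be validated against your own tenant.

```python
from datetime import datetime, timedelta

# Okta System Log event types to watch. Names follow Okta's eventType taxonomy but
# are assumptions here: verify them against the events your own tenant emits.
RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}
GRANT_EVENTS = {"user.account.privilege.grant"}
PROVISIONING_EVENTS = {"application.lifecycle.update", "application.provision.integration.update"}
WINDOW = timedelta(hours=24)

def _ev(published, etype, actor, ttype, tid):
    """Minimal record shaped like an Okta System Log entry (constructed sample data)."""
    return {"published": published, "eventType": etype, "outcome": {"result": "SUCCESS"},
            "actor": {"alternateId": actor},
            "target": [{"type": ttype, "alternateId": tid, "displayName": tid}]}

# Constructed sample: the help desk resets an admin's password and MFA, and within
# the hour that account grants admin privileges and edits the AD app integration.
SAMPLE_LOG = [
    _ev("2023-09-10T14:05:00.000Z", "user.account.reset_password", "helpdesk@example.com", "User", "it.admin@example.com"),
    _ev("2023-09-10T14:07:00.000Z", "user.mfa.factor.reset_all", "helpdesk@example.com", "User", "it.admin@example.com"),
    _ev("2023-09-10T15:30:00.000Z", "user.account.privilege.grant", "it.admin@example.com", "User", "new.account@example.com"),
    _ev("2023-09-10T15:32:00.000Z", "application.lifecycle.update", "it.admin@example.com", "AppInstance", "Active Directory"),
    _ev("2023-09-12T09:00:00.000Z", "user.account.privilege.grant", "it.admin@example.com", "User", "late.account@example.com"),
]

def _ts(ev):
    return datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
def _ok(ev):
    return ev.get("outcome", {}).get("result") == "SUCCESS"
def _user_targets(ev):
    return {t.get("alternateId") for t in ev.get("target", []) if t.get("type") == "User"}

def reset_then_grant(events, window=WINDOW):
    """Flag privilege grants by or to an account whose password/MFA was reset within `window`."""
    last_reset, findings = {}, []
    for ev in filter(_ok, sorted(events, key=_ts)):   # successful events, in time order
        if ev["eventType"] in RESET_EVENTS:
            for u in _user_targets(ev):
                last_reset[u] = _ts(ev)
        elif ev["eventType"] in GRANT_EVENTS:
            for u in _user_targets(ev) | {ev["actor"]["alternateId"]}:
                if u in last_reset and _ts(ev) - last_reset[u] <= window:
                    findings.append((ev["published"], u, ev["eventType"]))
    return findings

def provisioning_changes(events):
    """Successful app/provisioning (SCIM) configuration changes, in time order, for review."""
    return [(ev["published"], ev["actor"]["alternateId"], ev["target"][0].get("displayName"))
            for ev in filter(_ok, sorted(events, key=_ts)) if ev["eventType"] in PROVISIONING_EVENTS]
```

The second grant in the sample falls outside the 24-hour window and is deliberately not flagged; tune WINDOW to your help-desk reset-to-login expectations.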



We have been reminded once again that history does in fact repeat itself, and that if we continue to do the same things, or in this case fail to do certain things, we will get the same results. MGM is just one of many corporations added to the ever-growing laundry list of recently hacked entities. Sadly, this list will never cease to expand if the needed security requirements are never implemented. Are you or your organization in need of Incident Response development or Social Engineering training? Perhaps you need a full-fledged Data Loss Prevention program so that your precious PII doesn’t get doxed for the whole world to purchase, like our MGM friends. Whatever the case, our highly experienced Alchemists are ready to help you address any cybersecurity deficiencies you may be experiencing.



Alchemist: Cody Mercer

Sr. Cybersecurity Architect