Wing Security’s Threat Intelligence Team continuously analyzes data from hundreds of customers. A common misconfiguration we’ve identified is the assignment of excessive privileges to help desk administrators in Okta. In its default configuration, Okta allows help desk personnel to reset multi-factor authentication (MFA) factors for users, including those with highly privileged accounts. While this can be convenient, it also creates a significant security risk, particularly when help desk staff are targeted in social engineering attacks. In fact, this scenario is exactly how MGM Resorts was breached in September 2023.
The risk of SaaS misconfigurations
Help desk employees are often seen as easy targets for attackers because they have access to sensitive account management functions but may not be as highly trained in security practices as other IT staff. Attackers can exploit this by convincing help desk personnel to reset MFA for privileged users, gaining unauthorized access to critical systems.
Case study: MGM Resort cyberattack
In September 2023, MGM Resorts International, a global leader in hospitality and entertainment, became the target of a sophisticated cyberattack. The attackers, allegedly part of a cybercriminal gang known as Scattered Spider (also referred to as Roasted 0ktapus or UNC3944), used social engineering tactics to penetrate MGM’s defenses.
The attack flow
1. Obtain dark web credentials
The attack began with the exploitation of credentials obtained from the dark web. These credentials, likely harvested from previous data breaches, included usernames and passwords of MGM employees. Scattered Spider used these credentials in conjunction with detailed information from a high-value user’s LinkedIn profile to execute a highly convincing social engineering attack.
2. Social engineering attack
Scattered Spider targeted an MGM help desk employee and duped them into resetting the multi-factor authentication (MFA) factors on a high-value user's account. This type of attack is highly effective because it exploits human trust rather than a technical flaw: the help desk was simply doing what its Okta role permitted. With the MFA factors reset, the attackers enrolled their own factor, took over the account, and from there reached MGM's internal network.
3. Establishing a foothold
Once inside, the attackers established persistence. They configured an additional Identity Provider (IdP) in MGM's Okta tenant, a feature intended to let a newly acquired company's users sign in during mergers and acquisitions. Because Okta trusts assertions from any IdP configured in the tenant, an IdP under attacker control lets them sign in as existing users without those users' passwords or MFA, which gave them a quieter and more durable way into MGM's systems than the originally compromised account.
4. The SaaS IAM application exploited
The initial point of compromise was MGM's SaaS Identity and Access Management (IAM) platform, Okta. Because Okta brokers sign-in to most of the organization's applications, controlling it let the threat actors move through MGM's network and cloud environments with little friction. This step was critical: it gave the attackers broad access to sensitive systems and data and significantly amplified the potential impact of the intrusion.
5. Moving up to cloud infrastructure
Unsurprisingly, the breach didn’t stop at Okta. The threat actors extended their access into MGM’s Microsoft Azure cloud environment, gaining control over a wide array of applications and services. This escalation significantly broadened the scope of the attack, putting nearly all of MGM’s digital assets at risk. The attackers utilized the IAM platform to infiltrate and manipulate cloud resources, making their presence more entrenched and damaging.
6. Ransomware deployment
After establishing control, the attackers called in the BlackCat/ALPHV ransomware group. Using ransomware-as-a-service (RaaS), they encrypted several hundred of MGM’s ESXi servers, which hosted thousands of virtual machines essential for the company’s operations. This attack caused widespread disruption: hotel room keys stopped working, reservation systems failed, point-of-sale systems crashed, and guests were left unable to check in or out.
The fallout
MGM’s incident response team eventually discovered the breach and cut off the attackers’ access by shutting down the Okta sync servers. By then, however, the damage that had started with a SaaS misconfiguration was already done. The attackers had exfiltrated an unknown amount of data and caused significant operational chaos. The financial impact was severe, with the final damage assessed at around $110 million. This figure includes direct financial losses, the cost of remediation, and the long-term damage to MGM’s reputation.
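The two Okta actions at the heart of this story, a help desk admin resetting MFA on a privileged account (step 2) and a new IdP appearing in the tenant (step 3), both leave entries in the Okta System Log. The script below is an added example, not Okta's code or anything from the incident itself, showing detection logic a SOC could run over an exported log: it flags MFA resets against privileged users by anyone outside an approved list, flags IdP lifecycle changes, and correlates a reset with a login by the same user shortly afterwards. The event type names follow Okta's System Log catalog (verify them against your own tenant before deploying), and the log lines, user names, IPs and IdP name are constructed for the example.

```python
"""Detections for help-desk-driven MFA resets and rogue IdPs in Okta System Log data.

Added example; not Okta's code. Input is newline-delimited JSON as exported
from the System Log API. Only the fields used here are modelled.
"""
import json
from datetime import datetime, timedelta

# Okta System Log event types (assumption: names as in Okta's event-type catalog).
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
IDP_LIFECYCLE_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.activate"}
LOGIN_EVENT = "user.session.start"

# Hypothetical inventory: privileged accounts, and the only admins allowed
# to touch their factors (e.g. a break-glass IAM team, never front-line help desk).
PRIVILEGED_USERS = {"okta.superadmin@example.com", "cloud.admin@example.com"}
AUTHORIZED_FACTOR_ADMINS = {"iam-breakglass@example.com"}

# Constructed sample log: a help desk reset of a super admin, a login by that
# account 12 minutes later from a new IP, an IdP created by it, plus two benign resets.
SAMPLE_LOG = """
{"eventType":"user.mfa.factor.reset_all","published":"2023-09-08T10:00:00.000Z","actor":{"type":"User","alternateId":"help.desk@example.com"},"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"198.51.100.10"},"target":[{"type":"User","alternateId":"okta.superadmin@example.com"}]}
{"eventType":"user.session.start","published":"2023-09-08T10:12:00.000Z","actor":{"type":"User","alternateId":"okta.superadmin@example.com"},"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"203.0.113.7"},"target":[]}
{"eventType":"system.idp.lifecycle.create","published":"2023-09-08T10:30:00.000Z","actor":{"type":"User","alternateId":"okta.superadmin@example.com"},"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"203.0.113.7"},"target":[{"type":"IdentityProvider","displayName":"Acme Merger SSO"}]}
{"eventType":"user.mfa.factor.reset_all","published":"2023-09-08T11:05:00.000Z","actor":{"type":"User","alternateId":"help.desk@example.com"},"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"198.51.100.10"},"target":[{"type":"User","alternateId":"normal.user@example.com"}]}
{"eventType":"user.mfa.factor.reset_all","published":"2023-09-08T11:40:00.000Z","actor":{"type":"User","alternateId":"iam-breakglass@example.com"},"outcome":{"result":"SUCCESS"},"client":{"ipAddress":"198.51.100.20"},"target":[{"type":"User","alternateId":"cloud.admin@example.com"}]}
"""


def parse_events(raw):
    """Parse NDJSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def _published(ev):
    # Okta publishes ISO-8601 UTC timestamps with millisecond precision and a Z suffix.
    return datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def _succeeded(ev):
    return ev.get("outcome", {}).get("result") == "SUCCESS"


def _user_targets(ev):
    return {t["alternateId"] for t in ev.get("target", []) if t.get("type") == "User"}


def find_privileged_mfa_resets(events):
    """MFA reset on a privileged account by someone who is not an authorized factor admin."""
    alerts = []
    for ev in events:
        if ev.get("eventType") not in MFA_RESET_EVENTS or not _succeeded(ev):
            continue
        actor = ev["actor"]["alternateId"]
        victims = _user_targets(ev) & PRIVILEGED_USERS
        if victims and actor not in AUTHORIZED_FACTOR_ADMINS:
            alerts.append({"rule": "privileged_mfa_reset", "actor": actor,
                           "targets": sorted(victims), "at": ev["published"],
                           "actor_ip": ev.get("client", {}).get("ipAddress")})
    return alerts


def find_idp_changes(events):
    """Any IdP creation or activation; rare enough in most tenants to page on every time."""
    alerts = []
    for ev in events:
        if ev.get("eventType") in IDP_LIFECYCLE_EVENTS and _succeeded(ev):
            names = [t.get("displayName", "?") for t in ev.get("target", []) if t.get("type") != "User"]
            alerts.append({"rule": "idp_lifecycle", "eventType": ev["eventType"],
                           "actor": ev["actor"]["alternateId"], "idp": names, "at": ev["published"]})
    return alerts


def find_reset_then_login(events, window=timedelta(hours=1)):
    """Correlate a successful MFA reset with a login by the reset user within `window`.

    This is the moment the attacker cashes in the help desk's reset; the login
    IP is reported so an analyst can compare it with the user's usual locations.
    """
    resets = [(ev, u) for ev in events
              if ev.get("eventType") in MFA_RESET_EVENTS and _succeeded(ev)
              for u in _user_targets(ev)]
    hits = []
    for ev in events:
        if ev.get("eventType") != LOGIN_EVENT or not _succeeded(ev):
            continue
        user = ev["actor"]["alternateId"]
        for reset, reset_user in resets:
            delta = _published(ev) - _published(reset)
            if reset_user == user and timedelta(0) <= delta <= window:
                hits.append({"rule": "login_after_mfa_reset", "user": user,
                             "reset_by": reset["actor"]["alternateId"],
                             "login_ip": ev.get("client", {}).get("ipAddress"),
                             "minutes_after_reset": delta.total_seconds() / 60})
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in find_privileged_mfa_resets(evs) + find_idp_changes(evs) + find_reset_then_login(evs):
        print(json.dumps(alert))
```

Run against the constructed log, the first rule fires once (the help desk reset of the super admin; the break-glass reset of cloud.admin and the reset of an ordinary user stay quiet), the IdP rule fires once, and the correlation links the super admin's login 12 minutes after the reset to the help desk actor. The privileged-user and authorized-admin sets are the part that has to be maintained; in practice they would be pulled from Okta's admin role assignments rather than hard-coded.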