You’ve likely heard about the ransomware attack that crippled MGM Resorts locations a couple weeks ago. The criminal group ALPHV claimed to be the source of the attack, and that all it took was a call to the helpdesk to get into MGM Resort’s systems, and within 3 days they took over the environment.
MGM’s communications about the incident align with the story, indicating that it was a very sophisticated attack, and that while their team attempted to contain the incident, the criminals deployed a ransomware payload on many critical systems and encrypted them.
What’s wrong with this story?
It’s in ALPHV’s best interest to tell everyone they can break into an environment and gain access in short order. It’s good for their ego, sounds impressive, and generates fear. It also serves MGM public relations in stating they were the target of a sophisticated attack. From a PR standpoint, it’s a win-win.
I believe the reality is quite different, based on the steps required to pull off such an attack.
- Pre-attack reconnaissance
- Scan MGM public networks, addresses, sites, and systems to find vulnerabilities.
- Search social media for MGM employees and personal information.
- Do you use information that can be found on social media to identify employees?
- Compromise an account
- Did it take a single phone call to the helpdesk to compromise an account? While possible, they may have performed multiple calls to understand the employee validation process when someone asks to reset a password.
- What’s your process to confirm the person on the phone is really who they say they are?
- Did it take a single phone call to the helpdesk to compromise an account? While possible, they may have performed multiple calls to understand the employee validation process when someone asks to reset a password.
- Initial access to the environment
- Assuming ALPHV found links to remote access capabilities during the pre-attack reconnaissance. They would use the compromised credentials to access a limited set of MGM systems, based on the permissions assigned to the credentials they were using.
- Think about your own company; does everyone have access to all systems? If so, you have work to do…
- Assuming ALPHV found links to remote access capabilities during the pre-attack reconnaissance. They would use the compromised credentials to access a limited set of MGM systems, based on the permissions assigned to the credentials they were using.
- Internal systems reconnaissance
- Using their initial access, ALPHV might have been able to use existing tools to scan the internal network or had enough permissions to install their own.
- To minimize the chances of getting caught, the scans are often done in a way that won’t tip off the security team, and it typically takes time.
- Escalating privileges
- Using the knowledge they gained from the scans and previous reconnaissance activities, ALPHV likely found a way to escalate their privileges. This means they found credentials giving them the permissions they need to take over MGM’s systems and do what they need.
- Would you notice if someone created a new administrator account or gave someone those privileges?
- Using the knowledge they gained from the scans and previous reconnaissance activities, ALPHV likely found a way to escalate their privileges. This means they found credentials giving them the permissions they need to take over MGM’s systems and do what they need.
- Exfiltrating sensitive information
- There hasn’t been any mention of data theft (so far), but this is a step that is frequently taken by criminals. It increases their leverage on the victim to pay the ransom, and depending on the information, it can still be sold on the dark web.
- However, for an outsider, it takes time to understand what systems have the information, and then build the scripts, run the commands to extract the data and send it to an external site.
- Ransomware payload delivery
- At this stage, the criminals want to copy their ransomware encryptor to as many critical systems as they can. They have admin privileges now, so they can do what they want, right? Not quite.
- Endpoint security tools installed on every system should generate an alert when anyone disables it, and secondary systems should be monitoring this. To get around this, ALPHV needed to know which tools were deployed and then test their payload against those tools to see if they could get by without disabling the security tools. The alternative is to disable all the tools and take the risk that someone will notice.
- Would you notice if someone disabled your security solutions?
- Encrypt systems
- Launch the encryption!
That’s a lot of activity to accomplish in a few days.
How else could we explain the timeline?
- MGM security was very weak at all levels, making this an easy attack. This is highly unlikely.
- The attack took weeks or months to complete. All steps were followed carefully, and when privileges were elevated to gain administrative access and sensitive systems were accessed, MGM’s security team was alerted and attempted to contain the attack. Unfortunately, it was probably too late.
Where does this leave you? If an organization like MGM, and so many others can’t stop these attacks, why would you invest in cybersecurity?
These incidents continue to confirm that prevention alone doesn’t work, and existing solutions that collect more and more data to be processed by AI to “identify new threats and attacks” are flawed.
If you agree and are looking for a service that uses a different approach. Let’s talk.
For those looking at recommendations to better defend and recover from such attacks, you can find more information here.
Read the follow up to this post here: You are not the weakest link
