November 2, 2023

EP 39 – Analyzing the MGM and Okta Breaches: the Identity Connection

In this Trust Issues episode, host David Puner welcomes back Andy Thompson, CyberArk Labs’ Offensive Security Research Evangelist, for a discussion focused on two recent high-profile breaches: one targeting MGM Resorts International and the other involving Okta’s support unit. The conversation delves into the details of the attacks – who’s behind them, how identity plays a pivotal role in both – and the larger implications of this new breed of supply chain attack amid the evolving threat landscape. Thompson also shares insights into how organizations can better protect themselves and their customers.

 

Check out the CyberArk blog for further insights into the MGM and Okta breaches. And, watch Andy Thompson in the CyberArk Labs’ webinar, “Anatomy of the MGM Hack.”

[00:00:00.000] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in Identity Security.

[00:00:22.620] – David Puner
When people in the infosec industry hear the phrase supply chain attack, names like Codecov, MOVEit, and Log4j come to mind. These attacks had devastating repercussions for both the primary targets and the downstream clients that rely on their products or services. The interconnectedness of our digital ecosystem means that any weakness in the supply chain can have a cascading effect amplifying the scale of a breach. The consequences can be far-reaching, ranging from data loss and financial damage to reputational harm and operational disruption.

[00:00:58.800] – David Puner
While technical vulnerabilities are still a significant threat, there’s been a major uptick in a different type of supply chain attack. Threat actors are targeting by way of social engineering what many consider to be the weakest link in security, the human element. In these cases, that’s been the privileged access of humans working in and maintaining identity-related systems. That raises critical questions about the trust we place in our interconnected systems and what it takes to safeguard our digital infrastructure.

[00:01:32.270] – David Puner
Today’s guest is Andy Thompson, who’s CyberArk Labs’ Offensive Security Research Evangelist. Andy’s back to talk about two of the biggest and highest-profile breaches we’ve seen in a while. He takes us through the breaches, who’s behind them, how identity plays a pivotal role in both, and the larger implications of this new breed of supply chain attack amid the evolving threat landscape. Then, he shares insights into how organizations can better protect themselves and their customers. Here’s my conversation with Andy Thompson.

[00:02:08.160] – David Puner
Andy Thompson, CyberArk Labs’ Offensive Security Evangelist. Thank you very much for coming back onto the podcast. It’s your fourth time. I don’t know if you knew that or not.

[00:02:19.310] – Andy Thompson
Really?

[00:02:20.100] – David Puner
Yeah. You’re the first member of the 4-timers club. You’re like our Tom Hanks here at Trust Issues, I think.

[00:02:26.710] – Andy Thompson
Well, when do I get my jacket, David?

[00:02:29.330] – David Puner
That’ll be probably fifth or sixth visit.

[00:02:33.070] – Andy Thompson
Okay, all right.

[00:02:33.680] – David Puner
We’ve got a designer working on them now. They’re nice. They’re satin.

[00:02:38.660] – Andy Thompson
Well, trust me. I’ve got content for days, so looking forward to it.

[00:02:42.690] – David Puner
We had our own little blitz here at the top of the recording with USB cable breaches of some sort but all of our own doing here, but now we’re all set and we’re going to dive right in. You’re just back to the US now after a whirlwind trip to Thailand and Singapore. What were you doing over there?

[00:03:01.450] – Andy Thompson
I was having a lot of fun actually. I spent a couple of days in Bangkok presenting at the CyberArk’s Impact World Tour. Then I spent the rest of the trip, eight days in Singapore, where I was presenting at a GovWare 2023—it’s my second time back—where I was on a panel talking about AI and cybersecurity. Then I got to present an alternate viewpoint because I’m the offensive guy. Then followed it up with a presentation about AI from an offensive perspective. It was a lot of fun.

[00:03:37.540] – Andy Thompson
Then last but not least, I got to eat all the food. That was probably the best part, the chicken rice, the laksa. I stayed away from the durian, though.

[00:03:47.730] – David Puner
Okay. Any particular reason you stay away from it?

[00:03:50.810] – Andy Thompson
Have you ever tried durian? Not only does it taste bad. It smells terrible.

[00:03:56.430] – David Puner
All right, an acquired smell. I believe they [crosstalk 00:03:59]

[00:03:59.370] – Andy Thompson
They would actually fine you at the hotel if you had durian in. It’s that bad.

[00:04:04.290] – David Puner
Wow. All right. Good to know. Note to self for when I travel over there. We were actually in the process of planning this episode a little bit when you were right about to take off for your multi-flight trip back to Dallas. We were all set to talk about this fall’s high-profile breach, the MGM Resorts breach, and you wrote a blog post about that not too long ago.

[00:04:29.560] – David Puner
Then just in the last few days actually, I think while you were up in the air, we found out about another high-profile breach to hit the news. We’re going to interrupt our regularly scheduled MGM conversation to take a spin into that more recent breach, and then we’re going to go back over to MGM after that. With that being said, this newer breach specifically an attack on Okta’s support unit or their support management system, what happened, and what does it have to do with identities?

[00:04:58.160] – Andy Thompson
Like you said, the support portal, their ticketing system, I’m assuming, was compromised. Ultimately, it led the threat actor to access these really sensitive files called HAR files, and that really led to session hijacking of the clients of Okta that were submitting support tickets. It was pretty bad. What was really bad was it was bypassing the MFA of Okta’s clients. That’s really the long and short of this particular compromise.

[00:05:34.610] – David Puner
I just want to couch that as we don’t know everything here and there are certain things we may never know.

[00:05:40.790] – Andy Thompson
I think it is personified by Donald Rumsfeld. Remember his quote?

[00:05:45.950] – David Puner
Sure.

[00:05:46.240] – Andy Thompson
About there’s known knowns, that stuff that we know we know; and then there’s the known unknown, the stuff we know we don’t know; and then the unknown unknowns, the stuff we don’t know that we don’t know. Again, there is a ton of stuff that is available to the public currently, and that’s really what we’re basing our discussions on. But there will be more data released as time goes by.

[00:06:10.740] – David Puner
This was a third-party identity attack. I think you’ve already touched upon it a little bit, but can you go into a little bit more about what the vulnerability was here?

[00:06:20.930] – Andy Thompson
This is an interesting discussion here because most people when it comes to data breaches assume it from a technical perspective where there’s a vulnerability that is exploited, and that’s the TTPs or tools, tactics, and procedures of threat actors. But this was an issue with the PPT, papa papa tango, where it was the people, the process, well, in this circumstance, it wasn’t the technology. But in this situation, the privileged identity getting into the support system was compromised.

[00:06:58.860] – Andy Thompson
On top of that, this is where a process failed. There were these unsanitized HAR files that had that session token information in the cookies that were then available to that threat actor. Really, this wasn’t a technical hack. This was more of a process and people hack.

[00:07:19.020] – David Puner
Interesting. It just goes to show that you can have all the technology in the world, but ultimately, you need to also have the processes followed to a T or there could still be problems.

[00:07:31.170] – Andy Thompson
Absolutely. It’s important to note that the Okta system, this identity access management system, there was nothing vulnerable with it. It wasn’t compromised. It was, again, the person and the process that was really at fault here.

[00:07:48.800] – David Puner
Do we know who’s behind this recent breach?

[00:07:52.410] – Andy Thompson
We honestly don’t know currently. Nobody’s made an announcement taking responsibility or anything, but we have some ideas. Back in 2022, when the Okta support panel was compromised previously, that was the threat actor LAPSUS$. These were the folks that were responsible for popping Microsoft, Nvidia, T-Mobile. These guys were and still are fairly nasty. We could assume that, but also more recently, there are other threat actors that are actively focusing on Okta.

[00:08:31.080] – Andy Thompson
Scattered Spider, which is where MGM comes in, these guys are, again, specifically focusing on Okta as a platform, and they’ve compromised well over 100 different victims per Mandiant. This is how much they focused on Okta. They have many different names, and one of them is Oktapus. Get it? Okta could be one of these two, but honestly, we have no idea at this moment.

[00:09:00.720] – David Puner
Do we know whether they’re going after them for sports, or is it because they’re trying to get stuff?

[00:09:10.050] – Andy Thompson
They’re focusing on that downstream supply chain attack. By compromising the identity access management vendor, they can then pivot into their clients, and because they have administrative access, that really gives them the keys to the kingdom to all their clients. It’s a very, very juicy target by compromising Okta. That’s really why they’re focusing on them because it really opens the door to all their other clients.

[00:09:42.590] – David Puner
I’ll just state here that we’re recording this now on October 26th. When this episode does wind up releasing, there are things that could have come to light between now and then. Of course. There’s a lot that we may find out. There’s a lot we may not find out, but based on what we know right now, what’s the fallout from all of this so far? Do you think there’s a lot more that will still come to light about this breach? What don’t we know?

[00:10:12.070] – Andy Thompson
The fallout so far is a limited amount. A handful of clients have been affected. In fact, they were the ones that knew about the issue and were the ones who introduced this to Okta. The fallout, really, from what we know is around brand damage, really, in reputation. Okta, unfortunately, has been the victim of several different breaches and compromises.

[00:10:37.920] – Andy Thompson
Also specifically, this one is because of the lack of detection and the slow response time. Again, we still don’t know all the repercussions of this, coming from compromised victims and whatnot, but for the most part, in this particular breach, the fallout is fairly contained and limited. It’s bad, but it could have been a lot worse.

[00:11:04.850] – David Puner
Before we move over to MGM, what’s the worst-case scenario here had the suspicious activity not been detected when it was?

[00:11:17.240] – Andy Thompson
Wow. Worst-case scenario would be that they didn’t detect this, and way more clients were compromised. Hundreds and hundreds of clients could have been compromised in this circumstance. Then that would lead to worst-case situations in those organizations. The data exfiltration of PII, the financial loss of all reasons from operational disruption, proprietary data being leaked, and then you have the regulatory and compliance penalties that come on this.

[00:11:51.190] – Andy Thompson
This could have been absolutely catastrophic if it wasn’t for the organizations that disclosed the breach back to Okta so that they could then contain it. I mean, if we’re talking worst-case scenario, I think the MGM breach is a poster child example.

[00:12:09.410] – David Puner
That’s a perfect segue to talk about the MGM breach and we’ll go back to what organization should be on the lookout for. But let’s first move on to the attack on MGM Resorts International. Of course, it’s a global hospitality and entertainment company with a portfolio of 29 hotel and resort properties including iconic names like Bellagio, MGM Grand, and Mandalay Bay. The breach occurred in September, and it’s one of the most visible and brand-damaging attacks in recent years.

[00:12:40.730] – David Puner
Why don’t you take us through what happened to MGM? What did the attack look like? What was the attack flow? What did LinkedIn have to do with all this?

[00:12:50.670] – Andy Thompson
I’d like to start off with my favorite movie of all time. 1995, the movie Hackers.

[00:12:58.520] – David Puner
Okay.

[00:12:58.730] – Andy Thompson
The very first scene is Crash Override calling the help desk of a client because his BLT drive is fried. I know what happened here. Vx-underground really, really did a great job at summarizing this thing. Basically, a company valued at $34 billion was defeated by a 10-minute conversation. Yeah, pretty nasty, right?

[00:13:26.240] – Andy Thompson
This is where LinkedIn comes into play. It’s about OSINT or Open-Source Intelligence gathering. By using these social media and websites and whatnot, they were able to determine the organization and what applications they were using specifically Okta. Then diving in deeper and finding a privileged administrator within that company that had the level of privilege that they needed.

[00:13:55.750] – Andy Thompson
Now that they picked the target, they picked the victim, now it was time to socially engineer the help desk. They were able to convince the help desk to bypass the multifactor authentication.

[00:14:10.250] – David Puner
This is the MGM help desk that we’re talking about?

[00:14:13.310] – Andy Thompson
Yes.

[00:14:13.430] – David Puner
Okay.

[00:14:13.570] – Andy Thompson
That’s absolutely right. We don’t quite know how they acquired the username and password. It could have been through a data dump password reuse or phishing attack. I mean, that, again, we don’t know just yet, but the linchpin was the disabling of the multifactor. It was simply done via social engineering.

[00:14:38.850] – Andy Thompson
I could come up with an example really quick. You call the help desk and you say, “Hey, Bob. I’m so sorry. I was on a fishing trip, and I dropped my phone in the water. I got a new phone, but I need to reset my MFA. Can you hook me up?” It’s just as simple as that. Once they were able to log in and authenticate, that’s when they got access to the Okta back end.

[00:15:03.850] – Andy Thompson
From there, they were able to bolt on their own IDP, which gave them persistence along with the ability to escalate their privilege. Ultimately, that allowed them to get access to any application that Okta had configured, including their Azure tenant, amongst all these other different applications.

[00:15:24.370] – Andy Thompson
Some time went by and they did some stupid things like installing malware on a particular server, and that was actually picked up. That really kicked off the incident response. At that point, IR decided to shut down the Okta instance trying to kick them out.

[00:15:40.850] – Andy Thompson
Once they did that, they knew the gig was up. But they left MGM with a little gift. They outsourced to ALPHV or the BlackCat ransomware group, and they pushed probably one of the most devastating types of ransomware called intermittent encryption. They pushed this to their ESXi or their virtualization infrastructure.

[00:16:03.120] – Andy Thompson
They were running ransomware and they were shutting down hypervisor after hypervisor after hypervisor. These are the servers that actually host the virtual machines that MGM was using for all their systems from reservations, booking, even the slot machines.

[00:16:23.150] – Andy Thompson
As the ransomware was going through all those hypervisors, the systems just started shutting down one after another after another after another. That really was what kicked off the chaos. That’s really where we are now.

[00:16:38.900] – David Puner
You had mentioned the movie Hackers. This all made me think of the movie Ocean’s Eleven, casino heist-

[00:16:44.550] – Andy Thompson
Going after the casino.

[00:16:45.810] – David Puner
Yeah. We do not think that there was any intention to actually do a casino heist here. This was in order to get things or other people or other organizations. Is that accurate?

[00:17:01.460] – Andy Thompson
The MGM was the end target. Outside of the PII and the customer data that was leaked, they were the target. That’s why the Okta breach that we were discussing earlier is so relevant because that gave them access to so many other Okta tenants and customers. What happened to MGM could have happened to any one of them.

[00:17:28.230] – David Puner
Right. Like you said, the personal information of millions of MGM guests was exposed in this breach.

[00:17:34.590] – Andy Thompson
Oh, yeah.

[00:17:35.010] – David Puner
What are the implications there, and have we seen anything happening with that yet?

[00:17:40.040] – Andy Thompson
MGM announced that PII was leaked. We don’t know how much. Rumor is around 6 terabytes, but again, we don’t know for certain. We’re talking names, phone numbers, and email addresses, but it gets nastier. We’re talking about driver’s license numbers, social security numbers, even passport numbers. What can a criminal do with that?

[00:18:04.540] – Andy Thompson
We’re talking further social engineering, extortion, identity theft. There’s a ton of stuff that you can do with that sort of sensitive information. What we do know is that the data that was leaked was prior to 2019. I guess that’s good, but I guarantee some of your listeners here have been going to Black Hat well before 2019. If that’s the case, then your PII might actually have been exposed in this data breach.

[00:18:36.310] – David Puner
We’ll get to what folks whose PII may have been exposed in this data breach can do moving forward in a bit, but I want to continue digging into the details of this a little bit. If we go back to the help desk scenario, that was aided by information that was gleaned from LinkedIn. You were a help desk guy at one point, weren’t you?

[00:18:59.230] – Andy Thompson
Long time ago in a different life, but yeah, I used to be a help desk administrator, very similar to this circumstance that was outsourced MSP. The problem with that is I didn’t know who I was working with. I didn’t know their personalities. The other thing is service level agreements. I was required to have a 90% FCR, which stands for First Call Resolution.

[00:19:27.120] – Andy Thompson
It was really important for me to close that ticket instead of saying, “Hey, we’re going to keep this open until you can give me whatever qualifying information to verify your identity.” The problem that I find with helpdesk is their priority is not security quite often. It’s more about closing the ticket as soon as possible. That’s really where I think there was a problem, for sure.

[00:19:54.540] – David Puner
Protocol had to have been breached at that level for this to have happened.

[00:19:58.290] – Andy Thompson
Possibly. We don’t know what their policy is, standard policy that we often see as some sort of verification of identity, but we’re assuming either that was circumvented, bypassed, or the information that was gathered through the OSINT, through social media, or whatnot was able to provide that.

[00:20:20.340] – Andy Thompson
Think about it. If you have a post on LinkedIn, you probably have listed your previous jobs, your schooling that allows you to pivot and cross-reference, I don’t know, Facebook. Now you know your wife’s name or your husband’s name, your kid’s, your dog’s name. A lot of that, again, can be leaked unintentionally through just posting publicly on social media.

[00:20:46.420] – David Puner
That’s very concerning. All things being equal, it seems that MGM did detect this all relatively quickly, and the situation could have been much worse had it taken them longer to detect it. How long did it take for them to realize it was going on exactly? Once they detect it, then what do they do? Was that when everything got shut down, or was the shutdown a result of the attack?

[00:21:11.790] – Andy Thompson
September 7th, we’re assuming that’s when the social engineering and the MFA bypass happened. September 11th, five days later, that’s when they put out the announcement stating, “Hey, there’s a cybersecurity incident.” That’s when all hell broke loose. That’s the day that Scattered Spider, aka Oktapus, kicked off that BlackCat ransomware.

[00:21:34.800] – Andy Thompson
September 12th is the day that MGM made an announcement and said, “Hey, certain systems are operational.” It can be safe to assume that they were able to recover a lot of those systems that were stood back up from backup, which is a great call. But there’s still a significant amount of infrastructure that wasn’t backed up. MGM was basically stating that the full scope and the cost and impact, really, isn’t quite known. What estimates are currently is that this one event has caused MGM a financial loss of over $100 million.

[00:22:14.650] – David Puner
Wow. Obviously, damaged their brand, reputation, and all that stuff. Just horribly big implications. Even though this happened a couple of months ago or almost a couple months ago, I’m sure we’ll be hearing more as time goes by as well.

[00:22:33.460] – Andy Thompson
Oh, yeah. Now that this tactic has been basically released to the public, it is happening on a daily basis. I’m not kidding. I’ve had three people call me today and go, “Holy cow. I read your blog post. This has happened to at least three or four of my clients.” That’s 12 different clients that have been attacked in this exact same way. Social engineering, brokering access into the identity access management system. It’s just a good thing that many of these organizations have fairly sound ITDR processes. Identity Threat Detection and Response, ITDR.

[00:23:13.980] – David Puner
You’re segueing right into what organizations can take away from all of this. But before we get to that, I just want to ask you, what does it take for an organization like MGM to recover from an attack like this?

[00:23:27.330] – Andy Thompson
How much money do you have? There’s the option of paying the ransom, which we highly advise against. There is sound backup and recovery. Those are really the best way, or standing up new infrastructure and replacing these compromised systems. That’s the way to recover, but really the best way is to not have these incidents happen in the first place.

[00:23:51.290] – David Puner
Okay. Well, so how does an incident like this not happen in the first place?

[00:23:56.130] – Andy Thompson
Well, there’s a lot of things that we can do as far as implementing additional controls, that defense-in-depth that we often hear about. A couple of the recommendations that I would have is making sure that those privileged accounts, like that admin access to Okta, really ought to be behind a privileged access management solution, a PAM solution. That would be one of the first things.

[00:24:22.570] – Andy Thompson
Additionally, everything in your tier zero infrastructure really ought to be behind a PAM. Domain controllers, any of your disaster recovery backup systems, SSO, even your security tools, these need to be behind a PAM solution, especially your identity access and management solution, for sure.

[00:24:46.360] – Andy Thompson
The other thing would be to up your game when it comes to multifactors. One of the things that we really advocate is moving away from SMS, those text messaging multifactor, that can be easily hijacked via SIM swapping. We would also say from a process perspective, really up the security controls from the help desk perspective, really validate the identity so that you’re not socially engineered.

[00:25:14.480] – Andy Thompson
Another thing that I would recommend when it comes to multifactor, especially when it comes to those high-value targets, like Okta admins, there really ought to be dual control, the two keys where one person approves it and then it goes to another. That’s really what you need to have, especially when we’re talking about those high-value targets.

[00:25:37.080] – Andy Thompson
Another thing that I would recommend is good monitoring for behavior deviations. One of them that we saw in the MGM breach, I believe, was that they were able to detect the user agent of the browser. If your admins are consistently using Chrome, for example, but this person’s logging in from Firefox on a Mac, well, that might be a deviation to look into.

[00:26:05.570] – Andy Thompson
Another thing that we saw in these data breaches was remote access. I can’t remember which breach it was, but they were stating that the IPs accessing their system were from a VPN in Malaysia. What I would recommend is your organization really ought to implement some secure zone of access. If you’re not doing business in Malaysia or Eastern Europe, well, why don’t you just block access to it?

[00:26:35.270] – Andy Thompson
Another thing that I would recommend would be more or less allow listing certain assets to broker into the high-value targets, making sure you have certain machines defined only for that administrative access. That would be another thing.

[00:26:54.530] – Andy Thompson
One of the tactics that we saw just in the MGM breach was that they established persistence by bolting on their own identity provider. That gave them again the persistence and privilege escalation. We need to keep an eye out for those trust changes. What I would recommend there is really implementing some aggressive logging and detection so that when you see something like a new directory is appended to it, you’re alerted to that. Those would be a couple of things.

[00:27:29.330] – Andy Thompson
The last thing—and this goes specifically to the Okta breach—is those HAR files. Those HAR files, HTTP archive, by the way, if you’re curious what it stands for, they contain two juicy bits of information that the attacker is able to hijack other sessions and bypass MFA. What they have is the session tokens and cookies.

[00:27:52.690] – Andy Thompson
There’s two ways to approach this. One, the support application ought to be able to securely store and possibly sanitize that data so that it’s not in the HAR files. But also that could be done from the client’s side as well. Strip out that valuable, sensitive information before it’s submitted to the help desk. I don’t know whose responsibility it is to make sure that data is safe, but it can be done from both the client and the provider side as well.

[00:28:26.730] – David Puner
You’re essentially saying there’s hope here. People, process, and technology. They all really do work hand in hand, and it’s not just necessarily plugging in some technology and expecting that you’re all set. You need to have your people and processes locked down as well or [crosstalk 00:28:45].

[00:28:46.090] – David Puner
Absolutely. It’s about that papa papa tango. The people need to have that awareness. User awareness training is so incredibly valuable because I know a lot of the people in the industry are like, “Oh, the human is the weakest link.” Yeah, in some aspects, but you know what? They can also be the first line of defense that can really protect the organization.

[00:29:12.260] – Andy Thompson
I think, in user awareness training, absolutely, is a critical element in protecting your organization. In this Okta breach, really wasn’t about the technology. It was really the process and people that really were hacked.

[00:29:25.610] – David Puner
Then what about the PII? What should people know when it comes down to what they’re putting out there on social media? And what can be used ultimately either against them or their organization?

[00:29:38.990] – Andy Thompson
Just be careful what you’re posting, folks. There’s a lot of sensitive information that can be disclosed with social media as far as address, where you live, your occupation, your personal circle of friends. These things can be absolutely harnessed for a malicious purpose. Those are the things that you need to be careful of.

[00:30:05.940] – Andy Thompson
For example, I do a lot of traveling, but I refuse to post pictures while I’m on the road because that pretty much says, “Hey, Andy is not home.” These are the things that we call it OPSEC, operational security, making sure you know based on your security posture really what information you can publicly disclose. For example, a high-value executive or a government official probably shouldn’t be posting as much as my grandma. It really all boils down to your security posture depending on which you disclose on social media.

[00:30:43.700] – David Puner
Thank you for the grandma Easter egg. I don’t think we’ve heard from her since episode one. Andy, as always, you’re full of information and we love having you on the show.

[00:30:55.190] – David Puner
For further insights into these two breaches, and what you can do, check out our blog post on the CyberArk blog. The first one’s called The MGM Resorts Attack: Initial Analysis. That’s by Andy Thompson right here with support from his CyberArk Labs’ team. The other post is called Piecing Together the Attack on Okta’s Support Unit. Andy authored it along with Shay Nahari, who folks who listen to the podcast know him well. He’s our VP of the CyberArk Red Team Services, and Khizar Sultan, who’s our Senior Director of IAM Product and GTM Strategy, and just has a really cool name.

[00:31:29.900] – Andy Thompson
Also, we have two webinars that we’re doing. We just recorded the one about the MGM Breach, me and Khizar. Then we’re also recording this week another webinar about the Okta circumstances. Both of those will be recorded, so feel free to check them out.

[00:31:50.760] – David Puner
Andy Thompson, CyberArk Labs’ Offensive Security Evangelist. Always great to talk with you. Thank you.

[00:31:56.190] – Andy Thompson
Thanks, David. Appreciate it.

[00:32:06.390] – David Puner
Thanks for listening to Trust Issues. If you liked this episode, please check out our back catalog for more conversations with cyber defenders and protectors. Don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. Let’s see. Oh, yeah. Drop us a line if you feel so inclined. Questions, comments, suggestions, which come to think of it are like comments, our email address is [email protected]. See you next time.