Why the MGM Hack Shows the Importance of Help Desk Security
Wide-reaching news reports would have us believe one of the world’s largest casinos was hacked by brilliant social engineering and a 10-minute phone call. Truth be told, MGM Resorts International was digitally crippled by a Gen Z group because the casino had subpar help desk security.
Scattered Spiders, suddenly one of the more infamous hacker gangs on the planet, preyed on MGM’s weakest link — a poorly trained help desk employee. The breach and subsequent ransomware attacks are expected to cost the Las Vegas gambling mainstay upwards of $100 million in losses before it settles at least nine federal lawsuits. The fallout from one of the more cunning cyber-attacks in recent years now serves as a teachable moment. Without strong help desk security, spending money on comprehensive cybersecurity proves a poor investment.
MGM Resorts Hacked: How It Happened
If you’ve followed the MGM hack through the media, you will have seen a variety of slightly different narratives. Those outside the managed IT support and security trades tend to see cybercrime through different lenses. Some attribute the knock-out blow — so to speak — to Scattered Spiders’ use of ransomware-as-a-service, sophisticated social engineering or deployment of multi-factor authentication (MFA) fatigue techniques. While all of these tools and tricks were necessary steps to infiltrate the network, the coup de grâce was help desk human error. These are the steps Scattered Spiders took to bring one of the world’s largest and wealthiest casino operations to its knees.
1: Social Engineering
Reports indicate that Scattered Spiders identified an MGM Resorts International staff member on LinkedIn. The popular professional networking platform apparently provided the critical personal information needed to impersonate the employee. The hacking group used the information to create a profile with enough detailed and personal data to answer pertinent questions a help desk operator posed.
2: Thwarting Help Desk Security
Scattered Spiders may have recognized that an organization with seemingly endless money, one that handles the personal identity information of some of the world’s wealthiest people, would have determined cybersecurity in place. Brute force, zero-day and other types of cyberattacks would likely prove fruitless, or might take a tremendous amount of time and energy to breach. Instead, the Gen Z hackers used the LinkedIn profile to persuade a help desk worker to provide a one-time password.
3: Overriding Multi-Factor-Authentication
With a legitimate username and password in hand, members of Scattered Spiders trained their attention on the employee whose login credentials they had acquired. MGM, like so many organizations, relies on multi-factor authentication to prevent hacks precisely like this one. A code was sent to the legitimate staff member. However, the hackers used a highly sophisticated technique known as MFA fatigue to upend the security measure.
This scheme floods the person’s device with hundreds of electronic approval messages. The idea is to keep sending them until the person grows weary of deleting them and clicks “yes” to make it stop. That misstep allowed the hackers to march into the international gambling and real estate operation’s network.
4: Seizing Digital Assets
Although the incident is loosely being dubbed a ransomware attack, Scattered Spiders attempted to broker a deal with MGM before releasing ransomware into the vast network. This is what Scattered Spiders’ co-conspirator, the ALPHV ransomware group, reportedly had to say on the dark net.
“Their network has been infiltrated since Friday. Due to their network engineers’ lack of understanding of how the network functions, network access was problematic on Saturday. They then made the decision to ‘take offline’ seemingly important components of their infrastructure on Sunday,” according to a reported hacker statement posted on the dark net. “After waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in their environment on September 11th after trying to get in touch but failing.”
5: Deploying Ransomware-as-a-Service
One of the things that was most surprising about Scattered Spiders’ complex strategy was their ability to deploy highly sophisticated malware. The ransomware they employed was apparently “above their pay grade,” so to speak. Reports indicate the application was crafted by advanced malicious software criminal organization ALPHV and purchased by Scattered Spiders.
That, in itself, represents a clear and present danger to businesses because ransomware-as-a-service allows mid-level hacking gangs to level attacks like advanced persistent threats. The statement, allegedly posted by the cybercriminals, demonstrates they are bold to the point of being brash.
“We still continue to have access to some of MGM’s infrastructure. If a deal is not reached, we shall carry out additional attacks. We continue to wait for MGM to grow a pair and reach out as they have clearly demonstrated that they know where to contact us,” according to the hacker statement.
When conducting a post-mortem from the outside, it’s easy to get bogged down in the minutiae. Arriving at the conclusion that social engineering or advanced ransomware was a key to hacking MGM is not necessarily incorrect. All of the elements used by Scattered Spiders, or ALPHV, were essential to thwart what many saw as determined cybersecurity defenses. But successfully putting the social engineering information, MFA fatigue and ransomware to work was all contingent upon human error and failed help desk security.
How Does a Help Desk Work?
The benefits of a help desk, coupled with secure IT support, are undeniable. Digital help desks reduce labor costs and accelerate customer solutions. More than 85 percent of customer service teams indicate digital help desks improve efficiency, and the niche software market is expected to exceed $11 billion this year. There’s no going back to employees fielding every call without causing long wait times or breaking the bank to staff call centers.
A help desk serves as the first point of contact for customers. People typically call in or use an online chat to gain information at a digital level. If the platform is not equipped to answer specific questions, the caller is routed to a real person. In terms of managing employee requests, help desk operators are usually available to provide information and guidance. In the case of MGM getting hacked, issuing a one-time password was either a cybersecurity policy shortcoming or a human error.
How to Maximize Help Desk Security After the MGM Hack
A help desk can serve as the eyes and ears of a secure IT support team. When hackers such as Scattered Spiders attempt to assail a system, employees could report suspicious interactions. This was not the case in the MGM hack because the operator was deceived into believing an actual employee was on the other end of the call. Rather than dwell on how the MGM casino hack was a cybersecurity failure, let’s look at ways to harden help desk security going forward.
1: Use Secure Help Desk Software
Cybercriminals are relentless in their efforts to find weak links. Although the MGM hack was orchestrated by gaining a one-time password and firing a barrage of MFA fatigue messages, it’s crucial to have the right help desk software in place. Help desk software must also serve as a frontline defense when customers, employees or cybercriminals interact with it.
2: Help Desk Cybersecurity Awareness Training
Cybersecurity awareness training remains a cornerstone business protection that no organization can do without. The MGM hack was always contingent upon that single interaction between the Scattered Spiders scammer and the casino help desk operator. Had the person suspected something was amiss or directed the flim-flam artist to a higher-up for security clearance, the entire hacking scheme would have come tumbling down. Instead, a help desk security failure handed them the keys to the Vegas treasure trove.
3: Rethink Help Desk Security Policies
It stands to reason that MGM will likely rewrite and reinforce help desk policies surrounding one-time passwords. At the time, it may have seemed reasonable to issue a temporary password, given that other cybersecurity protections were in place. But, in hindsight, managed IT support security professionals are keenly aware cybercriminals tirelessly develop ways to adapt and overcome the most secure protections. Such was the case with MGM using multi-factor authentication.
In the wake of a data breach and ransomware attacks that resulted in massive financial losses, federal lawsuits and a tarnished reputation, it’s prudent to consider help desk security policies through a “what if” lens. It’s time to ask: What if a hacker defeats a security measure?
4: Address MFA Fatigue Attacks
Security professionals and sophisticated hackers have been involved in an online chess match for decades, and your business’s digital assets are the king and queen. Now that hackers have discovered a way to overcome multi-factor authentication, business professionals and IT support security experts are tasked with hardening their defenses. These are three ways to keep the multi-factor authentication measure in place by making it more difficult for criminals to exploit people with MFA fatigue.
- Shorten the time a network user has available to input the code.
- Reduce the number of failed login attempts before denying access.
- Integrate biometric and geolocation security measures to identify sources.
Although cumbersome, it is possible to increase two-factor authentication to three or four codes and electronic devices. These and other enhanced cybersecurity measures chop away at the effectiveness of MFA fatigue strategies. And when a flood of electronic messages surfaces, the employee should already be trained to contact the organization’s IT support security team.
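As an added illustration (not code from the original article or from any MFA vendor), the following Python example applies two of the ideas above to authentication logs: a cap on rejected push prompts inside a short time window, and an alert when an approval arrives right after such a burst. The log format, the user names, the thresholds and the function names are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one MFA push prompt per line (time, user, outcome).
SAMPLE_LOG = """\
2023-09-10T02:00:05 jsmith denied
2023-09-10T02:00:40 jsmith timeout
2023-09-10T02:01:10 jsmith denied
2023-09-10T02:01:45 jsmith timeout
2023-09-10T02:02:20 jsmith denied
2023-09-10T02:03:00 jsmith approved
2023-09-10T08:15:00 mlee timeout
2023-09-10T08:15:30 mlee approved
2023-09-10T09:00:00 jsmith denied
"""

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, user, outcome = line.split()
            yield datetime.fromisoformat(ts), user, outcome

def detect_push_fatigue(log, window=timedelta(minutes=10), max_rejected=3):
    """Return alerts as (user, kind, time, rejected_in_window) tuples."""
    rejected = defaultdict(deque)   # user -> times of denied/timed-out prompts
    alerts = []
    for ts, user, outcome in parse(log):
        recent = rejected[user]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop prompts older than the window
        if outcome in ("denied", "timeout"):
            recent.append(ts)
            if len(recent) == max_rejected:
                # Threshold hit: a policy would stop pushes and notify security.
                alerts.append((user, "lockout", ts.isoformat(), len(recent)))
        elif outcome == "approved":
            if len(recent) >= max_rejected:
                # An approval straight after a burst is the fatigue pattern:
                # treat the session as suspect rather than trusted.
                alerts.append((user, "approved_after_burst", ts.isoformat(), len(recent)))
            recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

A single timeout followed by an approval, as in the constructed `mlee` lines, stays below the threshold and raises nothing, which keeps ordinary mistaps from paging the security team.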
5: Implement Zero Trust Protocols
Little is known about how Scattered Spiders moved through the MGM network, accessing some of its most prized digital assets. However, one way that companies can minimize the damage of a cyber-intrusion involves profile restrictions. Zero trust involves setting pragmatic limits on each user profile, so the person can perform their job, but not access other data. Had this been in effective use at MGM, the hacking gang would seemingly have been kept away from the personal identity information of high rollers, long-standing club members and critical financial data.
Consequences of Help Desk Cybersecurity Failures
The number of data breaches caused by human error has reportedly retreated from 95 percent to 88 percent in recent years. Fewer human-driven cybersecurity mistakes are largely attributed to companies recognizing that workers can either be the weakest link or a front line of defense. It’s almost a certainty that MGM has come to this realization after the disastrous help desk security failure.
Business professionals would also be well-served to keep in mind the Las Vegas casino corporation has at least nine civil lawsuits to resolve, and government regulators will likely level significant fines. Federal data privacy laws are not limited to physical networks or how well a company circles the wagons around its cloud-based data. If employees are not adequately trained to recognize cybersecurity threats or understand the organization’s policies against doling out sensitive information, companies can anticipate hefty fines.
In many cases, what proves to be even more punitive is the reputational damage brands suffer after a data breach. One has to imagine that high-profile gamblers and clients won’t be staying at the MGM casino again anytime soon. The mounting losses of having to shut down systems, revert to manual operations and restore the system could be nothing compared to having to explain that thousands of client files may be sold on the dark web.
Contact Red River for Secure Help Desk Support
Red River provides IT help desk support, including determined cybersecurity that exceeds data privacy regulations. As an IT support security firm with help desk expertise, our team is fully committed to maintaining the highest levels of protection and responding to imminent threats.
The MGM incident is a sign that hacking gangs are poised to unleash MFA fatigue tricks, deploy ransomware-as-a-service and focus their attention on weak help desk security. To learn more about the diverse ways we can deter hackers, educate staff members about cybersecurity and prevent financial and reputational losses, contact us today.