Okta Agent Involved in MGM Resorts Breach, Attackers Claim

Note: This story has been updated to include comments from Okta chief security officer David Bradbury.

The threat actors believed to be behind last week's MGM Resorts and Caesars Entertainment cyberattacks now say they were able breach MGM's systems by somehow cracking into the company's Okta platform, specifically the Okta Agent, which is the lightweight client that connects to an organization's Active Directory.

Okta is a popular identity and access management (IAM) provider for the cloud.

"MGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we had been lurking in their Okta Agent servers sniffing passwords of people whose passwords couldn't be cracked from their domain controller hash dumps," ALPHV wrote on its leak site, in a statement that Emsisoft researcher Brett Callow tweeted out. "This resulted in their Okta being completely out."

The ALPHV statement added that after lurking around Okta for a day and scooping up passwords, the threat group then launched ransomware cyberattacks against more than 1,000 ESXi hypervisors on Sept. 11, "... after trying to get in touch [with MGM] but failing," the statement said.

The ransomware group made it clear MGM Resorts isn't negotiating with them, and it is threatening further action if a financial arrangement is not made.

"We still continue to have access to some of MGM's infrastructure," the ALPHV statement said. "If a deal is not reached, we shall carry out additional attacks." The group also said it would release the data it exfiltrated to Troy Hunt of Have I Been Pwned, to responsibly disclose if he chose to do so.

ALPHV (aka BlackCat) is the name of the ransomware as a service (RaaS) operator who provided the threat group Scattered Spider with the malware and support services to pull off the casino cyberattacks.

Okta's August Warning About Social Engineering Attacks

Okta chief security officer David Bradbury confirms the cyberattack on MGM had a social engineering component, but adds it was successful because the threat actors were sophisticated enough to deploy their own identity provider (IDP) and user database into the Okta system.

"The human part was simple, but the subsequent part of the attack was complex," he says.

The ability to create multiple identity subgroups is a feature of the Okta system, not a flaw, Bradbury adds. He suggests adding a visual verification step at the helpdesk for just the users with the highest access privileges would stop these cyberattacks.

Okta warned of the potential for social engineering attacks of this type with an alert on Aug. 31 detailing attempts on Okta systems to gain highly privileged access through social engineering.

"In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against their IT service desk personnel, in which the caller's strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users," Okta warned. "The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization."

Okta has also been very public about its relationship with MGM, working with the hospitality company to provide the "building blocks to the ultimate guest experience," according to its website.

Bradbury says Okta will continue to work with Caesars and MGM on response and recovery, confirming Okta's role in the Caesars breach as well.

New Wave of MFA Abuse Likely

Worryingly, this could be the first in a new wave of cyberattacks targeting high-privilege users, according to Callie Guenther, senior manager of threat research at Critical Start. Okta is, after all, already a popular target among cybercrime actors.

"Okta, given its centrality in many organizations' IAM strategies, is naturally an appealing target," Guenther says. "The key is not to view these systems as inherently flawed, but to recognize the importance of robust security hygiene, continuous monitoring, and the rapid sharing of threat intelligence."

The real issue isn't Okta itself, according to Aaron Painter, CEO of Nametag, a provider of helpdesk cybersecurity tools. Rather, it's simply the fact that MFA is designed to identify devices rather than people.

"This vulnerability is not unique to MGM nor Okta; it's a systemic problem with multi-factor authentication," Painter says. "MFA verifies devices, not people. It lacks secure enrollment and recovery — two moments when you need to know which human is being authenticated. This is a known problem, which MFA wasn't built to address."

This is a developing story.