
In September 2023, social-engineering crews hit MGM Resorts and Caesars Entertainment. Caesars reportedly paid a ransom around $15M, while MGM booked more than $100M in business impact. The entry point wasn’t a zero-day; it was identity tricks and help-desk manipulation. (AP News)
Same playbook, new headlines (2024–2025)
- Snowflake customer compromises (2024): A joint alert warned of a surge in identity-based attacks on customer accounts, frequently succeeding where MFA wasn’t enforced. Mandiant tied the campaign (UNC5537) to large-scale data theft across ~165 orgs. (CISA, The Register)
- CDK Global (2024): After two incidents, CDK warned dealers about follow-on social-engineering calls impersonating CDK staff to regain access—classic “pressure-and-impersonate” moves after a breach. (SC Media)
- Change Healthcare (2024): Attackers logged in with stolen credentials to a remote access service without MFA, then deployed ALPHV/BlackCat ransomware—an identity failure with nationwide fallout. (BleepingComputer, Cybersecurity Dive)
- 2025 watch: Law-enforcement and industry briefings note that “Scattered Spider”-style social engineering remains active, now targeting collaboration tools (Slack/Teams) and help-desk workflows to reset factors and hijack SSO. (IT Pro)
Bottom line: attackers don’t need your zero-days if they can socially engineer your identity controls, help desk, or third-party access.
What actually happened in Vegas (and why it matters everywhere)
CISA’s ALPHV/BlackCat guidance describes affiliates posing as IT/help-desk and using phone/SMS to trick staff into handing over credentials or resetting MFA—exactly the playbook seen in the casino intrusions and many 2024 cases. Treat your help desk and identity stack as Tier-0. (CISA)
The 2025 “Evidence Pack” Insurers Expect
Underwriters have shifted from checkboxes to evidence. Come to renewal or a new application with artifacts that prove controls are real, enforced, and monitored—especially MFA, EDR coverage, and IR/tabletops.
1) MFA & Identity (prove it, don’t just state it)
- Global MFA enforcement screenshots/exports from your IdP (Okta, Entra ID, Duo, etc.). Show phishing-resistant methods (FIDO2/WebAuthn/passkeys) for admins and number-matching where applicable.
- Admin safety rails: Separate admin accounts; MFA reset protections (no resets without high-assurance identity proofing), plus a help-desk SOP.
- Coverage report: User export with MFA status = 100%, or documented exceptions with compensating controls and due dates.
- Session hygiene: Token lifetime/reauth policies, legacy auth blocked, and conditional access for risky sign-ins/geo anomalies.
(Why it matters: 2024 campaigns against Snowflake customers and ALPHV tradecraft exploited credential reuse and weak or missing MFA.) (CISA, The Register)
2) Endpoint Detection & Response (EDR) Coverage
- >95% enrollment across workstations and servers, with a short, dated exception list and remediation plan.
- Health/tamper status proof (real-time protection on, sensor current, tamper protection enabled).
- Response readiness: 24×7 alerting (internal or MDR), credential-theft and lateral-movement playbooks, and an on-call escalation path.
(Why it matters: once identity is phished, EDR visibility and fast containment break the ransomware chain.)
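Sections 1 and 2 both ask for the same kind of artifact: a coverage number computed from an export, plus an exception list that has compensating controls and due dates rather than open-ended waivers. The script below is an added example (not code from the original post or from any IdP or EDR vendor) that produces both from two constructed CSV exports. The column names (`mfa_status`, `mfa_method`, `edr_sensor`, `tamper_protection`) and the exception registers are assumptions; real exports differ by vendor, so map your own columns in.

```python
"""Coverage evidence for an insurer evidence pack (added example).

Computes control coverage from a CSV export, separates gaps into
"documented exception", "exception past due" and "undocumented",
and flags admins on non-phishing-resistant factors and endpoints
with tamper protection off. Column names are assumptions.
"""
import csv
import io
from datetime import date

# Constructed IdP user export (sample data, not real accounts).
IDP_EXPORT = """\
user,role,mfa_status,mfa_method
alice@example.com,admin,enrolled,fido2
bob@example.com,user,enrolled,push
carol@example.com,user,not_enrolled,
dave@example.com,admin,enrolled,sms
svc-backup@example.com,service,not_enrolled,
"""

# Constructed endpoint inventory joined with EDR sensor state.
EDR_INVENTORY = """\
hostname,type,edr_sensor,tamper_protection
ws-001,workstation,healthy,on
ws-002,workstation,healthy,off
srv-db1,server,missing,
srv-legacy,server,missing,
"""

# Exception registers: each gap must name a compensating control and a due date.
MFA_EXCEPTIONS = {
    "svc-backup@example.com": {"control": "IP allow-list, key-based auth only", "due": "2025-12-31"},
}
EDR_EXCEPTIONS = {
    "srv-legacy": {"control": "network-isolated, no interactive logon", "due": "2024-06-30"},
}

PHISHING_RESISTANT = {"fido2", "webauthn", "passkey"}  # assumed method labels


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def coverage_report(rows, key, column, compliant_values, exceptions, today):
    """Coverage percentage plus the three kinds of gap an underwriter will ask about."""
    compliant = [r for r in rows if r[column] in compliant_values]
    excepted, stale, unexcepted = [], [], []
    for r in rows:
        if r[column] in compliant_values:
            continue
        exc = exceptions.get(r[key])
        if exc is None:
            unexcepted.append(r[key])            # no documented exception at all
        elif date.fromisoformat(exc["due"]) < today:
            stale.append(r[key])                 # exception exists but its due date has passed
        else:
            excepted.append(r[key])              # valid, time-boxed exception
    pct = round(100.0 * len(compliant) / len(rows), 1) if rows else 0.0
    return {"total": len(rows), "compliant": len(compliant), "pct": pct,
            "excepted": excepted, "stale": stale, "unexcepted": unexcepted}


def admin_factor_check(rows):
    """Admins must use a phishing-resistant method; SMS/voice/push are flagged."""
    return [r["user"] for r in rows
            if r["role"] == "admin" and r["mfa_method"] not in PHISHING_RESISTANT]


def tamper_check(rows):
    """Enrolled endpoints whose sensor is present but tamper protection is off."""
    return [r["hostname"] for r in rows
            if r["edr_sensor"] == "healthy" and r["tamper_protection"] != "on"]


if __name__ == "__main__":
    today = date(2025, 9, 1)  # fixed so the sample output is reproducible
    users = parse_csv(IDP_EXPORT)
    hosts = parse_csv(EDR_INVENTORY)
    print("MFA:", coverage_report(users, "user", "mfa_status", {"enrolled"}, MFA_EXCEPTIONS, today))
    print("Admins without phishing-resistant MFA:", admin_factor_check(users))
    print("EDR:", coverage_report(hosts, "hostname", "edr_sensor", {"healthy"}, EDR_EXCEPTIONS, today))
    print("Tamper protection off:", tamper_check(hosts))
```

Run against the constructed data, MFA coverage is 60% with one undocumented gap and one valid exception, while EDR coverage is 50% with one undocumented server and one exception that expired in 2024, exactly the "short, dated exception list" the underwriter wants to see closed or renewed. Stale exceptions are reported separately from undocumented ones because they tell different stories: the first is a lapsed process, the second is an unknown.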
3) Incident Response (IR) & Tabletop Exercises
- IR plan summary with roles, decision thresholds, legal/PR/insurance contacts.
- Tabletop proof from the last 12 months (calendar invites + redacted AARs), with remediation items closed.
- External coordination: Broker/carrier hotline and panel firm contacts ready; practice your first-24-hours script.
(Why it matters: ALPHV/BlackCat affiliates move quickly; rehearsed teams shorten detection, decision, and recovery windows.) (CISA)
Controls to lock down now (Help-Desk & Identity Edition)
- High-assurance help-desk verification: No password/MFA resets for privileged users without live identity proofing and a second approver; log and review all resets daily.
- Phishing-resistant MFA for admins: Enforce FIDO2/WebAuthn/passkeys on IdP, VPN, PAM, and cloud consoles; block SMS/voice for privileged roles.
- Just-in-Time admin & break-glass: Remove standing admin; require ticket-linked elevation with session recording. Keep one passkey-protected offline break-glass.
- Conditional access & device posture: Require managed/compliant devices for admin access; block high-risk geos and anonymizers.
- Third-party access: Enforce your MFA/conditional access on vendors; disable shared accounts; time-box access.
- Token/session hygiene: Short refresh tokens for admins; revoke refresh tokens on password/factor changes.
- EDR as a gate: No prod access without healthy EDR; alert on uninstall/disable attempts.
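The first and sixth controls above ("log and review all resets daily" and "revoke refresh tokens on password/factor changes") are the ones a reviewer can actually verify from logs. The script below is an added example, not code from the original post or from any help-desk or IdP product, of what that daily review can look like: it reads a constructed, pipe-delimited reset log, flags privileged-user resets that lacked live identity proofing or a second approver, flags any reset done with no verification at all, and checks that every credential change was followed by a token revocation within a short window. The log format, event names, verification labels, the privileged-user list and the 15-minute window are all assumptions to be mapped onto your own exports.

```python
"""Daily help-desk reset review (added example, not from the post).

Input is a constructed log with one event per line:
  timestamp|ticket|agent|target|event|verification|second_approver
Event and verification names are assumptions for this example.
"""
from collections import Counter
from datetime import datetime, timedelta

PRIVILEGED = {"admin.kim@example.com", "admin.ortiz@example.com"}  # assumed Tier-0 users
HIGH_ASSURANCE = {"live_video", "in_person"}     # verification methods that count as live proofing
CREDENTIAL_EVENTS = {"password_reset", "mfa_reset"}
REVOKE_WINDOW = timedelta(minutes=15)            # assumed SLA for token revocation after a change

# Constructed sample log (not real tickets or people).
LOG = """\
2025-09-15T08:02:11Z|TCK-1001|hd.sam|j.doe@example.com|password_reset|callback_known_number|
2025-09-15T08:40:03Z|TCK-1002|hd.sam|admin.kim@example.com|mfa_reset|caller_claims|
2025-09-15T09:05:44Z|TCK-1003|hd.lee|admin.ortiz@example.com|mfa_reset|live_video|sec.patel
2025-09-15T09:06:10Z|-|system|admin.ortiz@example.com|token_revoke||
2025-09-15T11:20:30Z|TCK-1004|hd.lee|m.chan@example.com|mfa_reset|none|
2025-09-15T13:15:00Z|TCK-1005|hd.sam|admin.kim@example.com|mfa_reset|live_video|sec.patel
"""


def parse_log(text):
    """Parse pipe-delimited event lines into dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ticket, agent, target, event, verification, approver = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ticket": ticket, "agent": agent, "target": target,
            "event": event, "verification": verification, "approver": approver,
        })
    return events


def review_resets(events, privileged=PRIVILEGED):
    """Return (ticket, reason) findings for resets that violate the help-desk SOP."""
    findings = []
    revokes = [e for e in events if e["event"] == "token_revoke"]
    for e in events:
        if e["event"] not in CREDENTIAL_EVENTS:
            continue
        # Rule 1: privileged targets need live proofing AND a second approver.
        if e["target"] in privileged and (
                e["verification"] not in HIGH_ASSURANCE or not e["approver"]):
            findings.append((e["ticket"], "privileged reset without live proofing and second approver"))
        # Rule 2: nobody gets a reset with no verification recorded.
        elif e["verification"] in ("", "none"):
            findings.append((e["ticket"], "reset performed with no identity verification"))
        # Rule 3: every credential change must be followed by a token revocation.
        revoked = any(r["target"] == e["target"] and e["ts"] <= r["ts"] <= e["ts"] + REVOKE_WINDOW
                      for r in revokes)
        if not revoked:
            findings.append((e["ticket"], "no token/session revocation within 15 min of credential change"))
    return findings


def daily_summary(events, privileged=PRIVILEGED):
    """Counts a reviewer scans first: volume, privileged share, and per-agent totals."""
    resets = [e for e in events if e["event"] in CREDENTIAL_EVENTS]
    return {"resets": len(resets),
            "privileged_resets": sum(e["target"] in privileged for e in resets),
            "by_agent": dict(Counter(e["agent"] for e in resets))}


if __name__ == "__main__":
    evs = parse_log(LOG)
    print(daily_summary(evs))
    for ticket, reason in review_resets(evs):
        print(f"{ticket}: {reason}")
```

On the constructed log, TCK-1003 is the only clean reset: live proofing, a named second approver, and a revocation 26 seconds later. TCK-1002 is the pattern CISA describes (a caller's claim accepted for a privileged MFA reset, no approver, and the old sessions left alive), and TCK-1005 shows that even a correctly verified reset is incomplete until the revocation step runs. The per-agent counts are there so a reviewer notices when one agent is doing most of the resets that day.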
Sources & further reading
- MGM & Caesars (2023): cost and ransom reporting (AP News).
- CISA – ALPHV/BlackCat: social-engineering and MFA-bypass tradecraft (CISA).
- Snowflake (2024): identity-based intrusions; MFA gaps noted by CISA and Mandiant (CISA, The Register).
- CDK Global (2024): dealer warnings about follow-on social engineering (SC Media).
- Change Healthcare (2024): stolen credentials plus no MFA on remote access; technical takeaways (BleepingComputer, Cybersecurity Dive).
- 2025 activity: Scattered Spider tactics expanding to Slack/Teams and help-desk resets (IT Pro).