
Okta: Sophisticated Social Engineering Attacks Are Targeting Super Administrators

Identity and access management solution Okta has warned about social engineering attacks by sophisticated actors targeting super administrators.

Okta observed threat actors attempting to trick service desk staff into resetting multi-factor authentication for privileged users.

“In recent weeks, multiple U.S.-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users,” Okta said.

The attackers exploited compromised accounts to elevate others and entrench themselves within the tenant.

Okta serves over 18,000 organizations, including high-profile companies such as T-Mobile, S&P Global, and FedEx.

Attackers impersonate super administrators via federated authentication

Okta observed the social engineering attacks leveraging voice calls between July 29 and August 19, 2023.

The attackers first obtained super administrators’ passwords or ensured they could “manipulate the delegated authentication flow via Active Directory (AD)”, then called helpdesk staff and asked them to reset the authenticators enrolled on those accounts.

After successful resets, attackers abused privileged Okta Super Administrator accounts to assign higher privileges to other accounts.

They also reset authenticators for existing accounts or removed second-factor authentication requirements, even for super administrators.

In other cases, the adversaries configured a second Identity Provider (IdP) or “impersonator app” under the control of threat actors to act as the “source” IdP.

“From this “source” IdP, the threat actor manipulated the username parameter for targeted users in the second “source” Identity Provider to match a real user in the compromised “target” Identity Provider,” Okta explained.

The federated approach allowed threat actors to “single sign-on (SSO) into applications in the target IdP as the targeted user.”

The attackers used anonymity services such as proxy servers, unrecognized IP addresses, or devices not associated with the targeted super administrators to cover their tracks.

Okta social engineering attacks resulted in lateral movement

Okta observed adversaries employing “novel methods of lateral movement and defense evasion,” suggesting a sophisticated threat actor was involved.

However, Okta could not determine what the attackers’ objectives were once they had compromised super administrator accounts.

“Cybercriminal organizations intentionally and smartly target the organizations that have the richest assets and that will pay the highest ransoms, and with that, they focus on compromising the users that have the greatest privileges to gain immediate access to applications and data they are targeting,” suggested John Gunn, CEO of Token. “Because of Okta’s market dominance, they are able to get a perspective not available to others, and they share this with the market to the benefit of all.”

Okta did not attribute the social engineering attacks to any persistent threat actor, whether state-sponsored, financially motivated, or otherwise.

However, the campaign bears the hallmarks of the threat actor Muddled Libra and mirrors those of Scattered Spider, Scatter Swine, or, under Google Mandiant’s designation, UNC3944.

The group leverages the 0ktapus phishing kit, although Palo Alto’s Unit 42 threat intelligence team warns that multiple attackers have incorporated the toolset into their arsenal.

This is the second wave of social engineering attacks targeting Okta within 12 months. In August 2022, over 160 Twilio customers, including Okta, experienced social engineering attacks that compromised thousands of credentials. It is unclear if the two social engineering campaigns are related.

Meanwhile, Okta has advised organizations to implement phishing-resistant methods for enrollment, authentication, and recovery to prevent such attacks.

Additionally, they should reduce the use of highly privileged accounts such as super administrators, implement dedicated access policies for such accounts, and monitor and review the use of privileged account functions.
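As an added illustration of that last recommendation (monitoring and reviewing the use of privileged account functions), and not code from Okta or from the article: a small correlation check over constructed System-Log-style events that flags an MFA factor reset of a super administrator followed, within a time window, by privilege grants or IdP changes made from that same account, which is the sequence described above. The event type names and the JSON shape are assumptions modelled on Okta’s System Log and should be verified against a real tenant before use.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real tenant data). Event type names are
# assumed to follow Okta's System Log naming; confirm them in your tenant.
SAMPLE_LOG = [
    {"published": "2023-08-01T10:00:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk@example.com", "target": "superadmin@example.com", "ip": "203.0.113.7"},
    {"published": "2023-08-01T10:25:00Z", "eventType": "user.account.privilege.grant",
     "actor": "superadmin@example.com", "target": "contractor@example.com", "ip": "198.51.100.9"},
    {"published": "2023-08-01T10:40:00Z", "eventType": "system.idp.lifecycle.create",
     "actor": "superadmin@example.com", "target": "impersonator-idp", "ip": "198.51.100.9"},
    # A reset for a non-privileged user: reviewed by the service desk, but not alerted here.
    {"published": "2023-08-02T09:00:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": "helpdesk@example.com", "target": "alice@example.com", "ip": "203.0.113.7"},
]

# Accounts whose MFA resets deserve scrutiny (hypothetical list for this example).
PRIVILEGED_USERS = {"superadmin@example.com"}
# Follow-on actions that match the abuse pattern: elevating others, adding/changing an IdP,
# or weakening authenticators. Names are assumptions, as above.
FOLLOW_ON_EVENTS = {"user.account.privilege.grant", "system.idp.lifecycle.create",
                    "system.idp.lifecycle.update", "user.mfa.factor.deactivate"}
WINDOW = timedelta(hours=24)


def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_resets(events, privileged=PRIVILEGED_USERS, window=WINDOW):
    """Return one alert per MFA reset of a privileged user that is followed, within
    `window`, by privilege grants or IdP changes performed *by that user*."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev["eventType"] != "user.mfa.factor.reset_all" or ev["target"] not in privileged:
            continue
        victim, reset_time = ev["target"], _ts(ev)
        follow = [f for f in events[i + 1:]
                  if f["actor"] == victim and f["eventType"] in FOLLOW_ON_EVENTS
                  and _ts(f) - reset_time <= window]
        if follow:
            alerts.append({"user": victim, "reset_at": ev["published"], "reset_by": ev["actor"],
                           "follow_on": [f["eventType"] for f in follow],
                           "ips": sorted({f["ip"] for f in follow})})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_LOG):
        print(alert)
```

In practice the privileged-user set would come from the tenant’s admin role assignments, and the IPs in each alert would be compared against the user’s known devices and networks, since the article notes the attackers used proxies and unfamiliar addresses.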