Jakub JirsÃ¡k - stock.adobe.com
Identity and access management (IAM) specialist Okta has warned its customers to be alert to a developing campaign of cyber attacks in which an unknown threat actor is using social engineering to hijack highly privileged roles in their Okta tenants.
The supplier said that over the past couple of weeks, multiple US-based customers had reported a consistent pattern of social engineering attacks against their IT service desks, in which the unfortunate staffers were convinced to reset Okta multifactor authentication (MFA) enrolled by highly privileged users with so-called Okta Super Administrator accounts which, among other things, can create new admins, and edit and revoke privileges.
The campaign has not been officially attributed, but the threat actor appears to be highly organised, as they either already had passwords to main admin accounts prior to calling the service desk, or were able to manipulate delegated authentication flows via AD. They used anonymised proxy services and IP addresses and devices unassociated with the target accounts to cover their tracks.
Once in the attackers’ hands, the targeted Super Administrator accounts were abused to exploit legitimate identity federation features – designed to enable swift provisioning in large organisations or during M&A scenarios – to assign higher privileges to other accounts and reset authenticators in existing admin accounts. In a few cases, said Okta, it observed the threat actor removing MFA requirements from authentication policies.
They also targeted other applications by setting up compromised identity provider accounts, an ability also granted via their Super Administrator rights.
“These recent attacks highlight why protecting access to highly privileged accounts is so essential,” said Okta in its advisory.
“Based on our analysis of this intrusion, we recommend Okta customers implement our industry-leading, phishing-resistant methods for enrolment, authentication and recovery; restrict the use of highly privileged accounts, and apply dedicated access policies for administrative users and monitor and investigate anomalous use of functions reserved for privileged users.”
Read more about IAM
- Attackers increasingly target user accounts to gain access. Identity threat detection and response offers organisations a way to improve security for identity-based systems.
- As business tools evolve into cloud-based services, organisations are finding themselves becoming ever more reliant on the cloud, but how can data be secured across so many different platforms?
- With IAM central to enabling appropriate access to cloud-based services, identity first security is becoming a key trend for IAM in the cloud.
A more detailed set of recommendations, alongside indicators of compromise, can be found in Okta’s advisory, which is available to read here.
Organisations such as Okta that specialise in IAM services present a huge target for cyber criminals due to the highly sensitive nature of customer credentials, which if compromised successfully grant no-holds-barred access to thousands of downstream companies.
As such, this is by no means the first time the supplier has found its customers being targeted in this fashion.
In the summer of 2022, a campaign dubbed Scatter Swine, or 0ktapus, targeted more than 10,000 accounts at over 100 Okta customers, including tech companies Cloudflare, Signal and Twilio, in a simple yet highly effective swoop in which they obtained Okta identity credentials and MFA codes from users at targeted organisations then leveraged these to dupe their victims into accessing phishing sites that mimicked their Okta tenant authentication page.
Singapore-based Group-IB, which analysed 0ktapus’s attacks, suggested the group had harvested data on its target users from separate cyber attacks on mobile operators and other communications services providers.