Okta customers targeted in new wave of social engineering attacks

Identity and access management (IAM) specialist Okta has warned its customers to be alert to a developing campaign of cyber attacks in which an unknown threat actor is using social engineering to hijack highly privileged roles in their Okta tenants.

The supplier said that over the past couple of weeks, multiple US-based customers had reported a consistent pattern of social engineering attacks against their IT service desks, in which the unfortunate staffers were convinced to reset Okta multifactor authentication (MFA) enrolled by highly privileged users with so-called Okta Super Administrator accounts which, among other things, can create new admins, and edit and revoke privileges.

The campaign has not been officially attributed, but the threat actor appears to be highly organised, as they either already had passwords to main admin accounts prior to calling the service desk, or were able to manipulate delegated authentication flows via AD. They used anonymised proxy services and IP addresses and devices unassociated with the target accounts to cover their tracks.

Once in the attackers’ hands, the targeted Super Administrator accounts were abused to exploit legitimate identity federation features – designed to enable swift provisioning in large organisations or during M&A scenarios – to assign higher privileges to other accounts and reset authenticators in existing admin accounts. In a few cases, said Okta, it observed the threat actor removing MFA requirements from authentication policies.

They also targeted other applications by setting up compromised identity provider accounts, an ability also granted via their Super Administrator rights.

“These recent attacks highlight why protecting access to highly privileged accounts is so essential,” said Okta in its advisory.

“Based on our analysis of this intrusion, we recommend Okta customers implement our industry-leading, phishing-resistant methods for enrolment, authentication and recovery; restrict the use of highly privileged accounts, and apply dedicated access policies for administrative users and monitor and investigate anomalous use of functions reserved for privileged users.”

A more detailed set of recommendations, alongside indicators of compromise, can be found in Okta’s advisory, which is available to read here.

Organisations such as Okta that specialise in IAM services present a huge target for cyber criminals due to the highly sensitive nature of customer credentials, which if compromised successfully grant no-holds-barred access to thousands of downstream companies.

As such, this is by no means the first time the supplier has found its customers being targeted in this fashion.

In the summer of 2022, a campaign dubbed Scatter Swine, or 0ktapus, targeted more than 10,000 accounts at over 100 Okta customers, including tech companies Cloudflare, Signal and Twilio, in a simple yet highly effective swoop in which they obtained Okta identity credentials and MFA codes from users at targeted organisations then leveraged these to dupe their victims into accessing phishing sites that mimicked their Okta tenant authentication page.

Singapore-based Group-IB, which analysed 0ktapus’s attacks, suggested the group had harvested data on its target users from separate cyber attacks on mobile operators and other communications services providers.