Okta is warning customers of social engineering attacks carried out in recent weeks by threat actors to obtain elevated administrator permissions.
The attacks targeted IT service desk staff to trick them into resetting all multi-factor authentication (MFA) factors enrolled by highly privileged users. The company did not attribute the attack to a specific threat actor.
Once obtained a highly privileged role in an Okta customer Organization (tenant), the threat actor adopted novel methods of lateral movement and defense evasion.
“In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users.” reads the advisory published by the identity services provider. “The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization.”
Threat actors appeared to either have passwords to privileged user accounts or be able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk.
The threat actor targeted Okta customers’ users assigned with Super Administrator permissions.
The attackers were spotted using anonymizing proxy services and an IP and device not previously associated with the user account to access the compromised account.
Once compromised Super Administrator accounts, the threat actors used them to assign higher privileges to other accounts, and/or reset enrolled authenticators in existing administrator accounts. The provider reported also that the threat actor removed the second factor for authentication policies.
According to The Hacker News, threat actors used the phishing kit 0ktapus, which was also employed in attacks against Twilio and Cloudflare in 2022. The tool was used to trick users into providing credentials and MFA codes.
In the latest attacks, threat actors were spotted configuring a second identity provider to act as an ‘impersonation app’ to access applications within the compromised organization on behalf of other users.
“The threat actor was observed configuring a second Identity Provider to act as an “impersonation app” to access applications within the compromised Org on behalf of other users.” continues the advisory. “This second Identity Provider, also controlled by the attacker, would act as a “source” IdP in an inbound federation relationship (sometimes called “Org2Org”) with the target.”
The company recommends customers to:
(SecurityAffairs – hacking, Okta)