Okta is warning customers of social engineering attacks carried out in recent weeks by threat actors to obtain elevated administrator permissions.
The attacks targeted IT service desk staff to trick them into resetting all multi-factor authentication (MFA) factors enrolled by highly privileged users. The company did not attribute the attack to a specific threat actor.
Once they had obtained a highly privileged role in an Okta customer Organization (tenant), the threat actors adopted novel methods of lateral movement and defense evasion.
“In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users.” reads the advisory published by the identity services provider. “The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization.”
Threat actors appeared to either have passwords to privileged user accounts or be able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk.
The threat actor targeted Okta customers’ users assigned with Super Administrator permissions.
The attackers were spotted using anonymizing proxy services and an IP and device not previously associated with the user account to access the compromised account.
Once they had compromised Super Administrator accounts, the threat actors used them to assign higher privileges to other accounts and/or reset the enrolled authenticators of existing administrator accounts. The provider also reported that the threat actor removed the second factor from authentication policies.
The hacking campaign was observed between July 29 and August 19, 2023.
According to The Hacker News, threat actors used the phishing kit 0ktapus, which was also employed in attacks against Twilio and Cloudflare in 2022. The tool was used to trick users into providing credentials and MFA codes.
In the latest attacks, threat actors were spotted configuring a second identity provider to act as an ‘impersonation app’ to access applications within the compromised organization on behalf of other users.
“The threat actor was observed configuring a second Identity Provider to act as an ‘impersonation app’ to access applications within the compromised Org on behalf of other users.” continues the advisory. “This second Identity Provider, also controlled by the attacker, would act as a ‘source’ IdP in an inbound federation relationship (sometimes called ‘Org2Org’) with the target.”
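The post-compromise chain described above (a privileged session from an anonymizing proxy or an unfamiliar IP, followed by MFA resets, privilege grants, policy changes and the creation of a second identity provider) is something a defender can look for in the Okta System Log. The following detector is an added example written for this article; it is not code from Okta or from SecurityAffairs. It assumes the System Log field layout (`eventType`, `published`, `actor.alternateId`, `client.ipAddress`, `securityContext.isProxy`, `target`) and the event type names in `ADMIN_ABUSE_EVENTS`; the log lines, IP addresses and user names are constructed for the example.

```python
"""Flag privileged Okta sessions from unusual sources that are followed by
admin-abuse actions within a short window. Example code; field and event
names are assumptions based on the Okta System Log schema, not taken from
the article."""
import json
from datetime import datetime, timedelta

# Event types assumed from the Okta System Log schema, mapped to the
# actions the article attributes to the attacker.
ADMIN_ABUSE_EVENTS = {
    "user.mfa.factor.reset_all": "reset all MFA factors of a user",
    "user.account.privilege.grant": "granted admin privilege to a user",
    "policy.rule.update": "modified an authentication policy rule",
    "system.idp.lifecycle.create": "created a new (inbound federation) identity provider",
}

# Constructed sample log lines (JSON, one event per line). Times, IPs
# (RFC 5737 documentation ranges) and users are made up.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"eventType": "user.session.start", "published": "2023-08-15T09:02:11Z",
     "actor": {"alternateId": "admin.alice@example.com"},
     "client": {"ipAddress": "203.0.113.7"},
     "securityContext": {"isProxy": True}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.mfa.factor.reset_all", "published": "2023-08-15T09:05:40Z",
     "actor": {"alternateId": "admin.alice@example.com"},
     "client": {"ipAddress": "203.0.113.7"},
     "target": [{"alternateId": "admin.bob@example.com", "type": "User"}],
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "user.account.privilege.grant", "published": "2023-08-15T09:09:02Z",
     "actor": {"alternateId": "admin.alice@example.com"},
     "client": {"ipAddress": "203.0.113.7"},
     "target": [{"alternateId": "helper.carol@example.com", "type": "User"}],
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "system.idp.lifecycle.create", "published": "2023-08-15T09:20:15Z",
     "actor": {"alternateId": "admin.alice@example.com"},
     "client": {"ipAddress": "203.0.113.7"},
     "target": [{"displayName": "Org2Org-inbound", "type": "IdentityProvider"}],
     "outcome": {"result": "SUCCESS"}},
    # Benign: a known admin from a known office IP edits one policy rule.
    {"eventType": "user.session.start", "published": "2023-08-15T10:00:00Z",
     "actor": {"alternateId": "admin.dave@example.com"},
     "client": {"ipAddress": "198.51.100.20"},
     "securityContext": {"isProxy": False}, "outcome": {"result": "SUCCESS"}},
    {"eventType": "policy.rule.update", "published": "2023-08-15T10:04:30Z",
     "actor": {"alternateId": "admin.dave@example.com"},
     "client": {"ipAddress": "198.51.100.20"},
     "target": [{"displayName": "Default Rule", "type": "Rule"}],
     "outcome": {"result": "SUCCESS"}},
]]

# Constructed allow-list of source IPs that admins normally use.
KNOWN_ADMIN_IPS = {"198.51.100.20", "198.51.100.21"}


def parse(lines):
    """Decode JSON lines and order them by publish time."""
    return sorted((json.loads(line) for line in lines), key=lambda e: e["published"])


def event_time(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def suspicious_source(event, known_ips):
    """Reasons a session source looks unusual: proxy flag or unknown IP."""
    ip = event.get("client", {}).get("ipAddress")
    if event.get("securityContext", {}).get("isProxy", False):
        return [f"anonymizing proxy {ip}"]
    if ip not in known_ips:
        return [f"unknown source IP {ip}"]
    return []


def detect(lines, known_ips, window=timedelta(hours=2)):
    """Return {actor: alert} for successful logins from an unusual source that
    are followed, within `window`, by any admin-abuse action by the same actor."""
    events = parse(lines)
    alerts = {}
    for i, login in enumerate(events):
        if login["eventType"] != "user.session.start":
            continue
        if login.get("outcome", {}).get("result") != "SUCCESS":
            continue
        source = suspicious_source(login, known_ips)
        if not source:
            continue
        actor, start = login["actor"]["alternateId"], event_time(login)
        actions, seen_types = [], set()
        for follow in events[i + 1:]:
            if event_time(follow) - start > window:
                break  # events are sorted, nothing later can be inside the window
            if follow["actor"]["alternateId"] != actor:
                continue
            description = ADMIN_ABUSE_EVENTS.get(follow["eventType"])
            if description:
                target = (follow.get("target") or [{}])[0]
                name = target.get("alternateId") or target.get("displayName", "?")
                actions.append(f"{description}: {name}")
                seen_types.add(follow["eventType"])
        if actions:
            alerts[actor] = {
                "source": source,
                "actions": actions,
                "inbound_idp_created": "system.idp.lifecycle.create" in seen_types,
            }
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOG, KNOWN_ADMIN_IPS), indent=2))
```

The allow-list of known IPs is a stand-in for whatever source reputation or device-trust signal an organization already has; the point of the rule is the combination of an unusual session source with privilege, MFA, policy or IdP changes by the same account shortly afterwards, with the creation of a new identity provider called out separately because it is the step that enables the cross-user impersonation the advisory describes.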
The company recommends that customers:
(SecurityAffairs – hacking, Okta)