Okta Warns of an Intricate Attack Targeting Privileged Accounts
Category: Threat Actor Activity | Industry: Global | Source: Okta
Recent findings from Okta reveal a series of social engineering attacks against several US-based Okta customers, aimed at obtaining highly privileged admin accounts. These attacks prompted the identity provider (IdP) to release an advisory sharing the observed tactics, techniques, and procedures (TTPs) of the threat actors behind the campaign. Okta reports the campaign intensified in recent weeks as "multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users." Once an attempt succeeded, the attackers used the compromised Okta Super Administrator accounts to misuse identity federation features, allowing them to impersonate users within the compromised organization.
According to Okta, the threat actors "appeared to either have a) passwords to privileged user accounts or b) be able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk at a targeted org, requesting a reset of all MFA factors in the target account. In the case of Okta customers, the threat actor targeted users assigned with Super Administrator permissions." Okta assessed the threat actors as highly proficient, having "demonstrated novel methods of lateral movement and defense evasion."
A noteworthy tactic used by the attackers was configuring "a second Identity Provider to act as an 'impersonation app' to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a 'source' IdP in an inbound federation relationship (sometimes called 'Org2Org') with the target." Abusing the source IdP under their control enabled them to achieve Single Sign-On (SSO) access to applications within the target IdP using the identity of the targeted user. Okta has provided a list of indicators of compromise (IOCs) observed between July 29th, 2023, and August 19th, 2023 to aid customers with exposure checks and threat-hunting opportunities.
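The sequence described above (a full MFA reset on a Super Administrator followed by that account creating a new inbound-federation Identity Provider) is something a defender can correlate in Okta System Log exports. The following detector is an added example written for this article, not Okta's own tooling: the log records are constructed, the `user.mfa.factor.reset_all` and `system.idp.lifecycle.create` event type names and the `PRIVILEGED` account list are assumptions, and the record layout only mirrors the System Log's `eventType`/`published`/`actor`/`target` fields.

```python
import json
from datetime import datetime, timedelta

# Constructed sample System Log records (newline-delimited JSON); not real Okta data.
# Event type strings are assumed for this example.
SAMPLE_LOG = """
{"eventType":"user.mfa.factor.reset_all","published":"2023-08-10T14:02:11Z","actor":{"alternateId":"helpdesk@example.test"},"target":[{"type":"User","alternateId":"superadmin@example.test"}]}
{"eventType":"user.session.start","published":"2023-08-10T14:20:40Z","actor":{"alternateId":"superadmin@example.test"},"target":[]}
{"eventType":"system.idp.lifecycle.create","published":"2023-08-10T15:05:03Z","actor":{"alternateId":"superadmin@example.test"},"target":[{"type":"IdentityProvider","displayName":"Org2Org-backup"}]}
{"eventType":"user.mfa.factor.reset_all","published":"2023-08-12T09:00:00Z","actor":{"alternateId":"helpdesk@example.test"},"target":[{"type":"User","alternateId":"alice@example.test"}]}
"""

# Assumed: the set of accounts holding the Super Administrator role in this org.
PRIVILEGED = {"superadmin@example.test"}


def parse_events(raw):
    """Parse NDJSON records and attach a datetime, oldest first."""
    events = []
    for line in raw.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_federation_takeover(events, privileged, window=timedelta(hours=48)):
    """Alert when a privileged user's factors are all reset and, within `window`,
    that same user then creates a new Identity Provider (inbound federation)."""
    reset_at = {}   # privileged user -> time of the most recent reset_all on them
    alerts = []
    for e in events:
        actor = e["actor"]["alternateId"]
        if e["eventType"] == "user.mfa.factor.reset_all":
            for t in e["target"]:
                if t.get("type") == "User" and t.get("alternateId") in privileged:
                    reset_at[t["alternateId"]] = e["ts"]
        elif e["eventType"] == "system.idp.lifecycle.create" and actor in reset_at:
            if e["ts"] - reset_at[actor] <= window:
                idp = e["target"][0].get("displayName") if e["target"] else None
                alerts.append({"user": actor, "idp": idp,
                               "reset_at": reset_at[actor].isoformat(),
                               "idp_created_at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in find_federation_takeover(parse_events(SAMPLE_LOG), PRIVILEGED):
        print(json.dumps(a))
```

The reset on `alice@example.test` produces no alert because she is not in the privileged set; in production the set would be populated from the org's actual admin role assignments.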