Authentication specialist Okta has warned customers to be on alert for a campaign of social engineering attacks exploiting highly privileged users
Published: 06 Sep 2023 12:00
Identity and access management (IAM) specialist Okta has warned its customers to be alert to a developing campaign of cyber attacks in which an unknown threat actor is using social engineering to hijack highly privileged roles in their Okta tenants.
The supplier said that over the past few weeks, a number of US-based customers had reported a consistent pattern of social engineering attacks against their IT service desks, in which the unfortunate staffers were convinced to reset Okta multifactor authentication (MFA) enrolled by highly privileged users with so-called Okta Super Administrator accounts which, among other things, can create new admins, and edit and revoke privileges.
The campaign has not been formally attributed, but the threat actor appears to be highly organised, as they either already had passwords to principal admin accounts prior to calling the service desk, or were able to manipulate delegated authentication flows via Active Directory (AD). They used anonymising proxy services, and IP addresses and devices not associated with the target accounts, to cover their tracks.
Once in the attackers’ hands, the targeted Super Administrator accounts were abused to exploit legitimate identity federation features – designed to enable swift provisioning in large organisations or during M&A scenarios – to assign higher privileges to other accounts and reset authenticators in existing admin accounts. In a few cases, said Okta, it observed the threat actor removing MFA requirements from authentication policies.
They also targeted other applications by setting up compromised identity provider accounts, a capability also granted via their Super Administrator rights.
“These recent attacks highlight why protecting access to highly privileged accounts is so essential,” said Okta in its advisory.
“Based on our analysis of this intrusion, we recommend Okta customers implement our industry-leading, phishing-resistant methods for enrolment, authentication and recovery; restrict the use of highly privileged accounts, and apply dedicated access policies for administrative users and monitor and investigate anomalous use of functions reserved for privileged users.”
A more detailed set of recommendations, alongside indicators of compromise, can be found in Okta’s advisory.
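One way to monitor for the sequence described above, as an added example that comes from neither Okta's advisory nor the original article: it flags privileged actions taken by an account shortly after someone else reset its MFA. The event type names are Okta System Log event types chosen here to match the behaviours in the text; the 24-hour window, the helper names and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Okta System Log event types mapped (by assumption) to the behaviours described.
MFA_RESET = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
PRIVILEGED = {
    "user.account.privilege.grant",   # higher privileges assigned to an account
    "system.idp.lifecycle.create",    # new identity provider configured
    "policy.rule.update",             # policy rule changed (check for dropped MFA)
} | MFA_RESET                         # authenticators reset in other admin accounts
WINDOW = timedelta(hours=24)          # assumed correlation window, tune per tenant

def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))

def find_post_reset_admin_activity(events, window=WINDOW):
    """Return (eventType, actor, reset_by, via_proxy) for each privileged action
    performed by an account whose MFA was reset by someone else within `window`."""
    last_reset = {}   # target user id -> (time of reset, who performed it)
    findings = []
    for ev in sorted(events, key=_ts):
        when, actor = _ts(ev), ev["actor"]
        if ev["eventType"] in PRIVILEGED and actor["id"] in last_reset:
            reset_at, reset_by = last_reset[actor["id"]]
            if when - reset_at <= window:
                proxy = bool((ev.get("securityContext") or {}).get("isProxy"))
                findings.append((ev["eventType"], actor["alternateId"], reset_by, proxy))
        if ev["eventType"] in MFA_RESET:
            for tgt in ev.get("target") or []:
                if tgt.get("type") == "User" and tgt["id"] != actor["id"]:
                    last_reset[tgt["id"]] = (when, actor["alternateId"])
    return findings

def _ev(ts, etype, actor, target=None, proxy=False):
    """Build a constructed event holding only the System Log fields used above."""
    ids = {"helpdesk@example.com": "u1", "superadmin@example.com": "u2",
           "other@example.com": "u3"}
    return {"published": ts, "eventType": etype,
            "actor": {"id": ids[actor], "alternateId": actor},
            "target": [{"id": ids[target], "type": "User"}] if target else [],
            "securityContext": {"isProxy": proxy}}

SAMPLE = [  # constructed events, not taken from Okta's advisory
    _ev("2023-08-01T10:00:00.000Z", "user.mfa.factor.reset_all", "helpdesk@example.com", "superadmin@example.com"),
    _ev("2023-08-01T10:20:00.000Z", "user.account.privilege.grant", "superadmin@example.com", "other@example.com", proxy=True),
    _ev("2023-08-01T10:25:00.000Z", "system.idp.lifecycle.create", "superadmin@example.com", proxy=True),
    _ev("2023-08-01T11:00:00.000Z", "policy.rule.update", "other@example.com"),
    _ev("2023-08-05T09:00:00.000Z", "policy.rule.update", "superadmin@example.com"),
]
```

On the sample, only the privilege grant and the new identity provider are flagged: the policy change by an account with no recent reset and the change four days after the reset fall outside the rule.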
Organisations such as Okta that specialise in IAM services present a huge target for cyber criminals because of the highly sensitive nature of customer credentials, which if compromised effectively grant no-holds-barred access to hundreds of downstream companies.
As such, this is by no means the first time the supplier has found its customers being targeted in this fashion.
In the summer of 2022, a campaign dubbed Scatter Swine, or 0ktapus, targeted more than 10,000 accounts at over 100 Okta customers, including tech companies Cloudflare, Signal and Twilio, in a simple yet highly effective swoop in which they obtained Okta identity credentials and MFA codes from users at targeted organisations then leveraged these to dupe their victims into accessing phishing sites that mimicked their Okta tenant authentication page.
Singapore-based Group-IB, which analysed 0ktapus’s attacks, suggested the group had harvested data on its target users from separate cyber attacks on mobile operators and other communications services providers.
Copyright for syndicated content belongs to the linked source: Computer Weekly – https://www.computerweekly.com/news/366551034/Okta-customers-targeted-in-new-wave-of-social-engineering-attacks