Customers of cloud identity vendor Okta have reported social engineering attacks targeting their IT service desks that attempt to compromise user accounts with administrative privileges.
“Multiple US-based Okta customers” have reported these attempts, in which “the caller’s strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users,” according to a security alert published on Thursday.
“The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization,” the alert continued.
David Bradbury, Okta’s chief security officer, said the company discovered the campaign on July 29 and that it continued until August 19.
“We don’t know which customers were targeted, but we do know that four customers were affected within three weeks of us starting to track this activity,” he told The Register.
Asked whether Okta was attributing the attacks to a specific group, Bradbury said: “Other cybersecurity companies have linked this activity to an attacker known as Scattered Spider.”
Scattered Spider, also tracked as UNC3944, Scatter Swine, and Muddled Libra, has been active since May 2022, according to security researchers.
Mandiant said in May that the crew favors SIM swapping and email and SMS phishing, and that after gaining access to employee directories it may phish other people within the organization. “Once persistence is established, UNC3944 has been observed to modify and steal data within the victim organization’s environment,” the Google-owned threat intelligence company said.
The gang typically targets telecommunications and business process outsourcing (BPO) companies, but “recent activity indicates the group is beginning to target other sectors, including critical infrastructure organizations,” Trellix researchers said in a report earlier this month.
Trellix also linked Scattered Spider to the August 2022 Oktapus phishing campaign in which criminals compromised 163 Twilio customers, including Okta.
In the latest campaign, according to the Okta alert, the criminals either already had passwords for privileged user accounts or were able to manipulate the delegated authentication flow via Active Directory (AD) before calling the targeted organization’s service desk.
As in last year’s attack, after gaining access to an administrator account Scattered Spider assigned elevated privileges to other accounts and removed the two-factor authentication requirements attached to some users.
According to Okta, its security team also observed crew members using this access to authenticate as the “source” identity provider in a federation relationship and obtain single sign-on access to applications. Here’s how the criminals do it:
Okta suggests several steps customers can take to protect themselves from this and similar campaigns, including enforcing phishing-resistant authentication and requiring users to re-authenticate every time they sign in to a privileged application.
It also recommends reviewing and restricting the use of administrator roles, and requiring administrators to sign in from managed devices using multi-factor authentication.
Okta further recommends that administrators turn on end-user notifications for new devices and suspicious activity, so that users receive alerts about phishing attempts that may be the work of Scattered Spider. ®
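As an added illustration of the sequence the article describes (a service desk resetting the MFA factors of a privileged account, followed by that account creating a new identity provider, granting administrator roles to other accounts and relaxing an MFA policy), the following Python is example detection logic written for this page; it is not Okta’s code. The event type strings are assumed to follow Okta System Log naming and should be checked against your tenant, and the log lines, user names, policy names and 24-hour window are constructed for the example.

```python
"""Flag MFA-reset-then-admin-abuse chains in Okta-style System Log events.

Added example, not Okta's code. Event type strings are assumed to follow
Okta System Log naming; the sample log below is constructed.
"""
import json
from datetime import datetime, timedelta

# Assumed event types (verify against your tenant's System Log).
FACTOR_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
FOLLOW_ON_EVENTS = {
    "system.idp.lifecycle.create": "new identity provider configured (possible inbound federation abuse)",
    "user.account.privilege.grant": "administrator role granted to another account",
    "policy.rule.update": "authentication policy rule changed (possible MFA requirement removed)",
}

# Constructed: accounts holding Super Administrator roles in this tenant.
PRIVILEGED_USERS = {"admin.alice@example.com"}
# Constructed: how long after a factor reset follow-on admin activity is considered linked.
WINDOW = timedelta(hours=24)

# Constructed sample log, one JSON object per line in roughly System Log shape.
SAMPLE_LOG = """
{"published":"2023-08-01T09:00:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk.bob@example.com"},"target":[{"alternateId":"dev.carol@example.com"}]}
{"published":"2023-08-01T10:12:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk.bob@example.com"},"target":[{"alternateId":"admin.alice@example.com"}]}
{"published":"2023-08-01T10:40:00.000Z","eventType":"user.session.start","actor":{"alternateId":"admin.alice@example.com"},"target":[]}
{"published":"2023-08-01T11:05:00.000Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"admin.alice@example.com"},"target":[{"alternateId":"Unknown inbound SAML IdP"}]}
{"published":"2023-08-01T11:20:00.000Z","eventType":"user.account.privilege.grant","actor":{"alternateId":"admin.alice@example.com"},"target":[{"alternateId":"mallory@example.com"}]}
{"published":"2023-08-01T11:31:00.000Z","eventType":"policy.rule.update","actor":{"alternateId":"admin.alice@example.com"},"target":[{"alternateId":"Require MFA for admins"}]}
{"published":"2023-08-03T09:00:00.000Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"admin.alice@example.com"},"target":[{"alternateId":"Partner SAML"}]}
"""


def parse_events(text):
    """Parse JSON lines into event dicts, adding a parsed timestamp, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Okta publishes UTC timestamps with millisecond precision and a trailing Z.
        ev["ts"] = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def _targets(ev):
    return [t.get("alternateId") for t in ev.get("target", [])]


def find_takeover_chains(events, privileged=PRIVILEGED_USERS, window=WINDOW):
    """Return one chain per (factor reset of a privileged user) that is followed,
    within the window, by sensitive admin actions performed *by that user*."""
    chains = []
    for reset in events:
        if reset["eventType"] not in FACTOR_RESET_EVENTS:
            continue
        for victim in (t for t in _targets(reset) if t in privileged):
            follow_on = [
                (ev["eventType"], FOLLOW_ON_EVENTS[ev["eventType"]], _targets(ev))
                for ev in events
                if ev["eventType"] in FOLLOW_ON_EVENTS
                and ev["actor"]["alternateId"] == victim
                and reset["ts"] < ev["ts"] <= reset["ts"] + window
            ]
            if follow_on:
                chains.append({
                    "victim": victim,
                    "reset_by": reset["actor"]["alternateId"],
                    "reset_at": reset["published"],
                    "follow_on": follow_on,
                })
    return chains


if __name__ == "__main__":
    for chain in find_takeover_chains(parse_events(SAMPLE_LOG)):
        print(f"ALERT: factors of {chain['victim']} reset by {chain['reset_by']} at {chain['reset_at']}")
        for event_type, why, targets in chain["follow_on"]:
            print(f"  then {event_type}: {why}; targets={targets}")
```

Run as-is it raises one alert for `admin.alice@example.com`: the reset itself is a normal help desk action, so the signal comes from the three sensitive changes the freshly reset account makes within the window, while the identity provider created two days later falls outside it and the reset of the non-privileged developer account produces nothing. A real deployment would feed System Log exports in instead of the constructed sample, maintain the privileged-user set from role assignments rather than a hard-coded list, and tune the window to the tenant's normal help desk turnaround.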