Identity service provider Okta on Friday warned of a social engineering attack orchestrated by threat actors to gain elevated administrative privileges.
“In recent weeks, multiple U.S.-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel. In these attacks, the caller’s strategy is to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users,” the company said.
The attacker then leveraged a highly privileged Okta super administrator account to impersonate a user within the compromised organization. According to the company, the campaign ran from July 29, 2023 to August 19, 2023.
Although Okta has not disclosed the identity of the threat actor, this tactic exhibits all the hallmarks of a cluster of activity known as Muddled Libra, and is said to have some overlap with Scattered Spider and Scatter Swine.
At the heart of the attack is a commercial phishing kit called 0ktapus. It provides ready-made templates for creating realistic fake authentication portals and ultimately collecting credentials and multi-factor authentication (MFA) codes. It also incorporates a command and control (C2) channel via Telegram.
Palo Alto Networks Unit 42 told The Hacker News in June 2023 that multiple threat actors were “adding this to their arsenal” and that “using the 0ktapus phishing kit alone does not necessarily classify a threat actor as Muddled Libra.”
The company also said it did not find sufficient targeting, persistence, or intent data to confirm a link between the attacker and the uncategorized group that Google-owned Mandiant tracks as UNC3944, which is also known to use similar techniques.
“Scattered Spider has been observed primarily targeting telecommunications and business process outsourcing (BPO) organizations,” Trellix researcher Phelix Oluoch said in an analysis published last month. “However, recent activity indicates that the group has begun targeting other sectors, including critical infrastructure organizations.”
In the latest series of attacks, before calling the victim’s IT help desk, the attacker either already possesses a password belonging to a privileged user account or is able to manipulate a delegated authentication flow via Active Directory (AD), the company said. The caller then requests a reset of all MFA factors associated with the account.
Access to the super administrator account is then used to assign higher privileges to other accounts, reset authenticators registered to existing administrator accounts, and in some cases remove two-factor requirements from authentication policies.
“Threat actors have been observed setting up a second identity provider to act as a ‘spoof app’ to access compromised internal applications on behalf of other users,” Okta said. “This second identity provider is also controlled by the attacker and acts as the ‘source’ IdP in an inbound federation relationship (sometimes referred to as ‘Org2Org’) with the target.”
“From this ‘source’ IdP, the attacker manipulated the username parameter of the target user in the second ‘source’ identity provider to match the actual user in the compromised ‘target’ identity provider. This provided the capability of single sign-on (SSO) to connect as the target user to the target IdP’s application.”
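As an added example (not Okta's code or the article's), the following Python correlates constructed System Log-style events to flag the chain described above: a reset of all MFA factors against a privileged account, followed within a window by that same account granting privileges or creating a new identity provider. The eventType names follow Okta System Log naming but are assumptions here, as are all sample addresses and IdP names.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in Okta System Log style (one JSON object per line).
# eventType names follow Okta's conventions but are assumptions for this example.
SAMPLE_LOG = """
{"published":"2023-08-02T14:01:10Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"superadmin@example.com"}]}
{"published":"2023-08-02T14:09:44Z","eventType":"user.account.privilege.grant","actor":{"alternateId":"superadmin@example.com"},"target":[{"alternateId":"contractor@example.com"}]}
{"published":"2023-08-02T14:15:02Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"superadmin@example.com"},"target":[{"alternateId":"Org2Org-inbound"}]}
{"published":"2023-08-02T16:00:00Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"target":[]}
{"published":"2023-08-05T09:00:00Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"it-admin@example.com"},"target":[{"alternateId":"partner-saml"}]}
"""

# Follow-on actions that match the described chain: privilege grants, a new IdP
# (inbound federation), weakened policy rules, or user impersonation.
FOLLOW_ON = {
    "user.account.privilege.grant",
    "system.idp.lifecycle.create",
    "policy.rule.update",
    "user.session.impersonation.grant",
}

def parse_events(raw):
    events = []
    for line in raw.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def find_takeover_chains(raw, window_hours=24):
    """Map each account whose MFA factors were all reset to the privileged
    follow-on eventTypes it performed within window_hours of that reset."""
    resets = {}  # account -> time of the most recent reset_all against it
    hits = {}
    for e in parse_events(raw):
        if e["eventType"] == "user.mfa.factor.reset_all":
            for t in e["target"]:
                resets[t["alternateId"]] = e["ts"]
            continue
        actor = e["actor"]["alternateId"]
        reset_at = resets.get(actor)
        if reset_at and e["eventType"] in FOLLOW_ON and e["ts"] - reset_at <= timedelta(hours=window_hours):
            hits.setdefault(actor, []).append(e["eventType"])
    return hits

if __name__ == "__main__":
    for account, actions in find_takeover_chains(SAMPLE_LOG).items():
        print(f"ALERT {account}: MFA reset followed by {', '.join(actions)}")
```

The IdP created by it-admin is not flagged because no factor reset preceded it, which is the distinction a triage analyst would want the rule to make.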
The company recommends that customers enforce phishing-resistant authentication, strengthen help desk identity verification processes, enable end-user notifications of new devices and suspicious activity, and review and limit the use of the super admin role.