Okta: Cyber Attackers Target IT Help Desks to Compromise Super Admin and Disable MFA

Okta has shared specific indicators of compromise based on observed attacks spanning from July 29 to August 19.


Okta, a leading identity and access management firm, has issued a warning regarding a series of social engineering attacks aimed at IT service desk agents of U.S.-based clients. 

The attackers' primary objective was to deceive these agents into resetting multi-factor authentication (MFA) for high-privileged users.

Their ultimate aim was to gain control of Okta Super Administrator accounts, which hold significant privileges. This access would enable them to exploit identity federation features, allowing them to impersonate users within the compromised organization.


According to Okta, before contacting the IT service desk of a target organization, the attackers either possessed passwords for privileged accounts or managed to manipulate the authentication process within the Active Directory (AD).

Once a Super Admin account was successfully compromised, the threat actors took further precautions by utilizing anonymizing proxy services, adopting a new IP address, and employing a different device.

The hackers, leveraging their administrative access, proceeded to elevate privileges for other accounts, reset enrolled authenticators, and even removed two-factor authentication (2FA) protection for select accounts.

In Okta's words, "The threat actor was observed configuring a second Identity Provider to act as an 'impersonation app' to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a 'source' IdP in an inbound federation relationship (sometimes called 'Org2Org') with the target."

Using this 'source' Identity Provider, the attackers altered usernames to match those of real users within the targeted IdP. This manipulation allowed them to impersonate the chosen user and gain access to that user's applications through single sign-on (SSO).

To safeguard admin accounts from external threats, Okta recommends the following security measures:

  • Enforce phishing-resistant authentication using Okta FastPass and FIDO2 WebAuthn.
  • Require re-authentication for privileged app access, including the Admin Console.
  • Use strong authenticators for self-service recovery and restrict recovery to trusted networks.
  • Consolidate Remote Management and Monitoring (RMM) tools and block unauthorized ones.
  • Strengthen help desk identity verification with visual checks, MFA challenges, and manager approvals.
  • Activate and test alerts for new devices and suspicious activity.
  • Limit the number of Super Administrator roles, implement privileged access management, and delegate high-risk tasks.
  • Require admins to sign in from managed devices with phishing-resistant MFA and limit their access to trusted zones.

Okta's advisory includes additional indicators of compromise, such as system log events and workflow templates pointing to malicious activity at various stages of the attack. Additionally, the company provides a list of IP addresses associated with observed attacks between June 29 and August 19.
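The attack chain summarized above (help desk resets an admin's MFA, the account is then used from an anonymizing proxy on a new device, and privileges are granted, authenticators reset, or a second IdP created) is the kind of sequence the "activate and test alerts" recommendation and the system log indicators are meant to catch. The following is an added example, not code from Okta's advisory or from this post: a small correlation rule over Okta-style System Log events. The event type names and the `securityContext.isProxy` field are assumed to follow Okta's public System Log schema and should be verified against current Okta documentation before use; the account names, IP addresses and timestamps in the sample log are constructed.

```python
"""Correlate Okta-style System Log events to flag a help-desk MFA reset on a
privileged account that is followed by suspicious Super Admin activity.
Event type names and the securityContext.isProxy field are ASSUMED to match
Okta's System Log schema; the sample events below are constructed."""
import json
from datetime import datetime, timedelta

PRIVILEGED = {"alice.admin@example.com"}   # constructed: known Super Admin logins
WINDOW = timedelta(hours=6)                 # how long after a reset we keep watching

# Actions the advisory reports a hijacked Super Admin performing.
POST_COMPROMISE = {
    "user.account.privilege.grant": "privilege escalation of another account",
    "user.mfa.factor.reset_all": "reset of another user's enrolled authenticators",
    "user.mfa.factor.deactivate": "removal of 2FA from an account",
    "system.idp.lifecycle.create": "creation of a second (inbound federation) IdP",
}

# Constructed sample log: a self-service reset in July (benign), a help-desk
# reset of a Super Admin on Aug 1 followed by proxied admin activity, and a
# help-desk reset of a non-privileged user on Aug 2 (benign).
SAMPLE_LOG = """
{"eventType":"user.mfa.factor.reset_all","published":"2023-07-15T09:00:00.000Z","actor":{"alternateId":"alice.admin@example.com"},"client":{"ipAddress":"198.51.100.10"},"target":[{"alternateId":"alice.admin@example.com"}]}
{"eventType":"user.mfa.factor.reset_all","published":"2023-08-01T14:00:00.000Z","actor":{"alternateId":"helpdesk.agent@example.com"},"client":{"ipAddress":"198.51.100.20"},"target":[{"alternateId":"alice.admin@example.com"}]}
{"eventType":"user.session.access_admin_app","published":"2023-08-01T14:31:00.000Z","actor":{"alternateId":"alice.admin@example.com"},"client":{"ipAddress":"203.0.113.7"},"securityContext":{"isProxy":true},"target":[]}
{"eventType":"user.account.privilege.grant","published":"2023-08-01T14:40:00.000Z","actor":{"alternateId":"alice.admin@example.com"},"client":{"ipAddress":"203.0.113.7"},"securityContext":{"isProxy":true},"target":[{"alternateId":"bob@example.com"}]}
{"eventType":"system.idp.lifecycle.create","published":"2023-08-01T15:05:00.000Z","actor":{"alternateId":"alice.admin@example.com"},"client":{"ipAddress":"203.0.113.7"},"securityContext":{"isProxy":true},"target":[{"alternateId":"Org2Org-inbound"}]}
{"eventType":"user.mfa.factor.reset_all","published":"2023-08-02T09:00:00.000Z","actor":{"alternateId":"helpdesk.agent@example.com"},"client":{"ipAddress":"198.51.100.20"},"target":[{"alternateId":"dave@example.com"}]}
"""


def parse_events(lines):
    """Parse newline-delimited JSON events, attach a datetime, sort by time."""
    events = [json.loads(line) for line in lines if line.strip()]
    for e in events:
        e["_ts"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["_ts"])


def target_login(event):
    """Login of the first target, e.g. the user whose factors were reset."""
    targets = event.get("target") or []
    return targets[0].get("alternateId") if targets else None


def correlate(events):
    """Return one alert per third-party MFA reset of a privileged user that is
    followed, within WINDOW, by proxied Admin Console access or any of the
    post-compromise actions performed by that user."""
    alerts = []
    for reset in events:
        if reset["eventType"] != "user.mfa.factor.reset_all":
            continue
        victim = target_login(reset)
        actor = reset["actor"]["alternateId"]
        if victim not in PRIVILEGED or actor == victim:
            continue  # non-admin target, or a self-service reset
        follow = [e for e in events
                  if e["actor"]["alternateId"] == victim
                  and reset["_ts"] < e["_ts"] <= reset["_ts"] + WINDOW]
        proxy_admin = any(e["eventType"] == "user.session.access_admin_app"
                          and e.get("securityContext", {}).get("isProxy", False)
                          for e in follow)
        actions = [POST_COMPROMISE[e["eventType"]] for e in follow
                   if e["eventType"] in POST_COMPROMISE]
        if proxy_admin or actions:
            alerts.append({
                "victim": victim,
                "reset_by": actor,
                "reset_at": reset["published"],
                "proxy_admin_access": proxy_admin,
                "actions": actions,
                "source_ips": sorted({e["client"]["ipAddress"] for e in follow}),
            })
    return alerts


def analyze(log_text=SAMPLE_LOG):
    """Run the rule over a newline-delimited JSON log and return the alerts."""
    return correlate(parse_events(log_text.splitlines()))


if __name__ == "__main__":
    for alert in analyze():
        print(json.dumps(alert, indent=2))
```

On the constructed sample this yields a single alert for alice.admin: reset by the help desk agent, followed by Admin Console access through a proxy, a privilege grant to another account, and creation of a new IdP, all from 203.0.113.7. The self-service reset and the reset of a non-privileged user produce nothing. In practice the privileged set would be pulled from the Okta admin role assignments rather than hard-coded, and the window tuned to the organization's help desk turnaround time.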