
Okta: Four customers impacted by social engineering attacks


Okta has confirmed that four of its customers have fallen victim to a social engineering campaign, which has raised concerns about the effectiveness of security measures. In a recent blog post, Okta revealed that a threat actor employed social engineering tactics to gain high-level access to customers’ Okta tenants. The attacker contacted IT service desk personnel at targeted organizations and convinced them to reset all multifactor authentication (MFA) factors for highly privileged users.

After investigating the attacks, Okta confirmed that the compromises occurred between July 29 and August 19. During the campaign, the threat actors were able to gain privileges to Okta super administrator accounts and exploited identity federation features to impersonate users within the compromised organizations. In some cases, the threat actors had access to passwords for privileged user accounts or manipulated Active Directory before requesting the MFA reset from the IT service desk. To evade detection, the attackers used an IP address and device that were not previously associated with the targeted user accounts. They also abused inbound federation protocols to gain additional access to the target organization.

The threat actors configured a second Identity Provider (IDP) to act as an ‘impersonation app’ and gain access to applications within the compromised organization on behalf of other users. It remains unclear whether this app was created using another Identity and Access Management (IAM) provider or if the attackers created their own malicious IDP.
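The pattern described above, an MFA reset for a privileged user followed by logins and high-impact admin actions (role grants, a new inbound identity provider) from a client that user had never used before, is something a defender can look for in Okta's System Log. The following Python script is an added example and is not Okta's code or anything from the article; the event type names follow Okta's public System Log event catalogue but should be treated as an assumption to check against your own tenant's logs, and the log lines, user names and IP addresses are constructed for the example.

```python
import json
from datetime import datetime, timedelta

# Event types as listed in Okta's public System Log catalogue (assumption:
# verify the exact names against your tenant before relying on them).
MFA_RESET_EVENT = "user.mfa.factor.reset_all"
SESSION_START_EVENT = "user.session.start"
HIGH_RISK_ADMIN_EVENTS = {
    "user.account.privilege.grant",   # admin / super admin role assignment
    "system.idp.lifecycle.create",    # a new (inbound federation) identity provider
}

# Constructed sample of Okta-style System Log entries (JSON lines). Not real data.
SAMPLE_LOG = """
{"published": "2023-08-01T09:00:00Z", "eventType": "user.session.start", "actor": {"alternateId": "admin@example.test"}, "client": {"ipAddress": "203.0.113.10", "device": "Computer"}, "target": []}
{"published": "2023-08-01T14:12:00Z", "eventType": "user.mfa.factor.reset_all", "actor": {"alternateId": "helpdesk@example.test"}, "client": {"ipAddress": "203.0.113.20", "device": "Computer"}, "target": [{"type": "User", "alternateId": "admin@example.test"}]}
{"published": "2023-08-01T14:20:00Z", "eventType": "user.session.start", "actor": {"alternateId": "admin@example.test"}, "client": {"ipAddress": "198.51.100.77", "device": "Mobile"}, "target": []}
{"published": "2023-08-01T14:31:00Z", "eventType": "user.account.privilege.grant", "actor": {"alternateId": "admin@example.test"}, "client": {"ipAddress": "198.51.100.77", "device": "Mobile"}, "target": [{"type": "User", "alternateId": "svc-new@example.test"}]}
{"published": "2023-08-01T14:45:00Z", "eventType": "system.idp.lifecycle.create", "actor": {"alternateId": "admin@example.test"}, "client": {"ipAddress": "198.51.100.77", "device": "Mobile"}, "target": [{"type": "IdentityProvider", "displayName": "Corp SSO Backup"}]}
"""

# Constructed baseline: (ip, device type) pairs each account has been seen from
# before, e.g. learned from the previous 30 days of user.session.start events.
KNOWN_CLIENTS = {
    "admin@example.test": {("203.0.113.10", "Computer")},
    "helpdesk@example.test": {("203.0.113.20", "Computer")},
}
PRIVILEGED_USERS = {"admin@example.test"}  # constructed list of super admins


def parse_log(text):
    """Parse JSON-lines System Log export into events sorted by publish time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Okta timestamps are ISO 8601 with a trailing Z; normalise for fromisoformat.
        ev["_ts"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def client_key(ev):
    c = ev.get("client", {})
    return (c.get("ipAddress"), c.get("device"))


def target_users(ev):
    return {t["alternateId"] for t in ev.get("target", []) if t.get("type") == "User"}


def detect(log_text, known_clients, privileged_users, window_hours=24):
    """Return (timestamp, rule, subject) alerts for the reset-then-takeover pattern."""
    alerts = []
    reset_times = {}  # privileged user -> time of the most recent MFA reset
    for ev in parse_log(log_text):
        etype = ev["eventType"]
        actor = ev["actor"]["alternateId"]
        known = client_key(ev) in known_clients.get(actor, set())
        if etype == MFA_RESET_EVENT:
            # Rule 1: any full factor reset of a privileged user is worth a ticket.
            for user in target_users(ev) & privileged_users:
                reset_times[user] = ev["_ts"]
                alerts.append((ev["published"], "mfa_reset_privileged_user", user))
        elif etype == SESSION_START_EVENT and actor in privileged_users and not known:
            # Rule 2: first login after the reset comes from a never-seen client.
            last_reset = reset_times.get(actor)
            if last_reset and ev["_ts"] - last_reset <= timedelta(hours=window_hours):
                alerts.append((ev["published"], "new_client_login_after_reset", actor))
        elif etype in HIGH_RISK_ADMIN_EVENTS and not known:
            # Rule 3: role grants or new IdPs from an unfamiliar client, regardless of reset.
            alerts.append((ev["published"], "admin_action_from_unknown_client", actor))
    return alerts


if __name__ == "__main__":
    for published, rule, subject in detect(SAMPLE_LOG, KNOWN_CLIENTS, PRIVILEGED_USERS):
        print(f"{published} {rule:34} {subject}")
```

Rule 1 fires on the help desk action itself, so it is the one that should page someone even when everything else looks normal; rules 2 and 3 are the follow-on signals that distinguish a routine reset from the takeover sequence described above. In a real deployment the baseline would be built from the tenant's own historical session events rather than hard-coded.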

There are still unanswered questions about how the threat actors were able to convince IT service personnel to reset the MFA factors. The increasing use of deepfake audio and video has raised concerns about vishing threats, leading many organizations to prioritize security awareness training to defend against social engineering attacks. Kevin Greene, the public sector CTO at OpenText Cybersecurity, suggests that the threat actors likely spent a considerable amount of time studying the targeted organizations to gather information about targeted users and executives. They may have also utilized available tutorials and training materials for Okta to learn how to abuse inbound federation and establish their malicious IDP.

Greene emphasizes how much reconnaissance threat actors invest before an attack of this kind. He highlights that identity infrastructure, particularly in the cloud, has become an attractive and broad attack surface for them. To strengthen their cybersecurity postures, organizations should maintain up-to-date threat profiles and implement additional authorization requirements for high-level actions, such as resetting MFA factors.

In terms of attribution, Okta has linked the social engineering campaign to a threat group known as Scattered Spider, UNC3944, Scatter Swine, or Muddled Libra. Additional cybersecurity companies have also connected Scattered Spider to various phishing techniques and evasive tactics. Trellix, a threat research firm, reported that Scattered Spider has been active since May 2022, targeting telecommunications, business process outsourcing organizations, and recently, critical infrastructure organizations. The group impersonates IT personnel to deceive individuals into sharing their credentials or granting remote access to their computers. They have also been observed attempting to phish other users within an organization after gaining access to employee databases.

Mandiant, another cybersecurity company, notes that Scattered Spider heavily relies on email and SMS phishing attacks. They also exploit vulnerabilities such as CVE-2015-2291, which affects the Intel Ethernet diagnostics driver for Windows. CrowdStrike, yet another cybersecurity firm, warns that Scattered Spider leverages credential phishing and social engineering techniques to capture one-time passwords (OTPs) or overwhelm targets with multifactor authentication notification fatigue.

Interestingly, this is not the first time that Scattered Spider targeted Okta. In a previous phishing campaign attributed to Scatter Swine, Okta reported a breach where the threat actors managed to access some customer data after compromising customer engagement vendor Twilio. Okta’s strong authentication policies prevented further attacks, but the threat actors attempted to gain a deeper understanding of the authentication process by impersonating support personnel.

To defend against the recent social engineering campaign involving cross-tenant impersonation, Okta recommends enforcing phishing-resistant authentication and limiting privileges. They also suggest implementing a combination of visual verification and access requests that require approval from a user’s line manager before resetting factors. These measures aim to strengthen help desk identity verification processes and prevent future attacks.

In conclusion, the social engineering campaign targeting Okta customers highlights the importance of robust security measures and employee awareness. Threat actors like Scattered Spider continue to evolve their tactics and exploit vulnerabilities in identity infrastructure. Organizations must remain vigilant, keep their threat profiles up-to-date, and invest in ongoing security training to protect against social engineering attacks.
