Threat actors have been using social engineering tactics to convince IT service desk personnel to reset multifactor authentication (MFA) for highly privileged Okta enterprise accounts. By gaining access to the cloud-based identity and access management (IAM) service, these hackers are able to move laterally through targeted networks.
Okta is an enterprise-grade IAM service that connects users across applications and devices and is used by more than 17,000 customers worldwide. While it was initially built for cloud-based systems, it is also compatible with various on-premises applications.
Recently, US-based customers of Okta have reported a consistent pattern of cross-tenant impersonation attacks. These attacks specifically target users with Super Administrator permissions, allowing the hackers to carry out their nefarious activities. Okta revealed these findings in a recent blog post.
According to the post, the threat actors either had passwords to privileged user accounts or were able to manipulate the delegated authentication flow via Active Directory (AD) before contacting the IT service desk of the targeted organization. Once in contact with the help desk, they requested a reset of all MFA factors in the target account.
The hackers would then access compromised accounts using anonymizing proxy services and an IP and device that were not previously associated with the user account. This allowed them to abuse legitimate identity federation features, enabling them to impersonate users within the compromised organization.
The hackers engaged in various activities, including assigning higher privileges to other accounts, resetting enrolled authenticators in existing admin accounts, and removing second-factor requirements from authentication policies. These actions allowed them to move freely across enterprise cloud-based networks and carry out their malicious actions.
The attack revolved around manipulating a feature called Inbound Federation in Okta. This feature allows access to applications in a target Identity Provider (IdP) if the user has successfully authenticated to a source IdP. It can also be used for just-in-time provisioning of users, benefiting organizations during mergers, acquisitions, and divestitures.
Given the immense power of this feature, it is only accessible to users with the highest permissions in an Okta organization, such as Super Admins or Org Admins. These roles can be delegated to Custom Admins to reduce the number of users with Super Admin privileges in complex environments.
During the attacks, the threat actors configured a second IdP to act as an “impersonation app” to access applications within the compromised organization on behalf of other users. By manipulating the username parameter in the second source IdP, they were able to match a real user in the compromised target IdP. This allowed them to use single sign-on to access applications in the target IdP as the targeted user.
To combat these attacks, Okta emphasizes the importance of protecting access to highly privileged accounts in IAM solutions. They recommend restricting the use of highly privileged accounts, applying dedicated access policies for administrative users, and monitoring and investigating any suspicious use of functions reserved for privileged users.
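The attack chain described above (a help-desk factor reset, a sign-in from an IP not previously seen for that user, then privileged actions such as adding a second IdP) is a sequence a defender can look for in Okta's System Log. The following is an added example, not code from Okta or from the original article; the event type names are modeled on Okta's System Log conventions and should be verified against your own tenant, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Event type names modeled on Okta System Log conventions (assumed; verify in your tenant).
RESET_EVENT = "user.mfa.factor.reset_all"          # help desk resets every factor
LOGIN_EVENT = "user.session.start"
PRIVILEGED_EVENTS = {
    "system.idp.lifecycle.create",   # second IdP added for Inbound Federation
    "user.account.privilege.grant",  # admin role handed to another account
    "policy.rule.update",            # second-factor requirement changed
}

def _ts(e):
    return datetime.fromisoformat(e["published"])

def find_post_reset_abuse(events, window=timedelta(hours=24)):
    """Return alerts for users whose factors were reset and who then signed in
    from an IP never seen for them before, plus privileged actions they took
    inside the window. Each event: eventType, actor, target, ip, published."""
    known_ips, resets, alerts = {}, {}, []
    for e in sorted(events, key=_ts):
        kind, actor, ip, t = e["eventType"], e["actor"], e["ip"], _ts(e)
        if kind == RESET_EVENT:
            resets[e["target"]] = t       # keyed by the account that was reset
            continue
        reset_at = resets.get(actor)
        in_window = reset_at is not None and t - reset_at <= window
        if kind == LOGIN_EVENT:
            if in_window and ip not in known_ips.get(actor, set()):
                alerts.append((actor, "post-reset sign-in from new IP", ip))
            known_ips.setdefault(actor, set()).add(ip)
        elif in_window and kind in PRIVILEGED_EVENTS:
            alerts.append((actor, "post-reset privileged action: " + kind, ip))
    return alerts

# Constructed sample log; IPs are documentation ranges, names are fictitious.
SAMPLE_EVENTS = [
    {"eventType": LOGIN_EVENT, "actor": "alice", "target": "alice",
     "ip": "203.0.113.10", "published": "2023-09-01T08:00:00"},
    {"eventType": RESET_EVENT, "actor": "helpdesk", "target": "alice",
     "ip": "198.51.100.5", "published": "2023-09-01T09:00:00"},
    {"eventType": LOGIN_EVENT, "actor": "alice", "target": "alice",
     "ip": "192.0.2.77", "published": "2023-09-01T09:30:00"},
    {"eventType": "system.idp.lifecycle.create", "actor": "alice", "target": "idp",
     "ip": "192.0.2.77", "published": "2023-09-01T09:45:00"},
    {"eventType": LOGIN_EVENT, "actor": "bob", "target": "bob",
     "ip": "203.0.113.20", "published": "2023-09-01T10:00:00"},
]

if __name__ == "__main__":
    for alert in find_post_reset_abuse(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, it raises two alerts for alice (the new-IP sign-in and the IdP creation) and none for bob, whose account was never reset.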
Okta also advises configuring Authentication Policies for privileged applications to require reauthentication at every sign-in. This additional layer of security helps to better secure the environment and prevent unauthorized access.
To prevent hackers from targeting help-desk personnel to gain access to accounts, Okta suggests strengthening help desk identity verification processes. This can be achieved through visual verification, delegated workflows where MFA challenges are issued by help desk personnel to verify the user’s identity, and access requests that require approval from a user’s line manager before factors are reset.
Lastly, organizations should review and limit the use of Super Admin roles, implementing privileged access management for them. Custom Admin roles can be used for maintenance tasks and creating help desk roles with the least privileges required, while constraining these roles to groups that exclude highly privileged administrators.
In conclusion, threat actors have been leveraging social engineering tactics to exploit multifactor authentication resets in Okta enterprise accounts. To prevent such attacks, it is crucial for organizations to strengthen their security measures and implement the recommended strategies provided by Okta. By doing so, they can better protect their cloud-based networks and mitigate the risk of unauthorized access.
