Identity and access management company Okta is warning customers about social engineering attacks by threat actors to obtain elevated administrator permissions.
The attacks targeted IT service desk agents at U.S.-based customers, attempting to trick them into resetting multi-factor authentication (MFA) for highly privileged users.
The attackers aimed to hijack highly privileged Okta Super Administrator accounts to access and abuse identity federation features that allowed the impersonation of users from the compromised organization. Okta provided indicators of compromise for attacks observed between 29 July and 19 August.
The company says that before calling the IT service desk of a target organization, the attacker either had passwords for privileged accounts or could manipulate the delegated authentication flow via Active Directory (AD).
The attackers used anonymizing proxy services and an IP and device not previously associated with the user account to access the compromised account.
Once Super Administrator accounts were compromised, the threat actors used them to assign higher privileges to other accounts, reset enrolled authenticators, and remove some accounts' two-factor authentication (2FA) protection.
"The threat actor was observed configuring a second Identity Provider to act as an 'impersonation app' to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a 'source' IdP in an inbound federation relationship (sometimes called 'Org2Org') with the target," Okta said.
Using the source IdP, the hackers modified usernames to match the users in the compromised target IdP. This allowed them to impersonate the target user and provided access to applications using the Single-Sign-On (SSO) authentication mechanism.
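The sequence described above (a Super Administrator signing in through an anonymizing proxy, then granting roles, resetting authenticators, and creating a new Identity Provider) leaves a trail in the Okta System Log. The script below is an added example, not Okta's code or part of the advisory: it triages a System Log export for that chain. The event type names follow the public Okta System Log schema as I understand them, and the sample events, field placement (securityContext.isProxy, the Role entry in target) and the min_stages threshold are constructed assumptions that should be checked against a real export from your own tenant.

```python
"""Triage an Okta System Log export for the admin-hijack chain.

Added example, not Okta's own tooling. Event type names are assumed from the
public System Log schema; the sample events below are constructed, and the
placement of the proxy flag and role names is an assumption to verify.
"""
import json
from collections import defaultdict
from typing import Optional

# Event types of interest (assumed names from the Okta System Log schema).
SESSION_START = "user.session.start"
PRIVILEGE_GRANT = "user.account.privilege.grant"
MFA_RESET_TYPES = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
IDP_CREATE = "system.idp.lifecycle.create"

# Constructed sample export (NDJSON, one event per line). Not real data.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"published": "2023-08-01T10:00:00Z", "eventType": SESSION_START,
     "actor": {"alternateId": "sa.alice@example.com"},
     "client": {"ipAddress": "203.0.113.5", "device": "Unknown"},
     "securityContext": {"isProxy": True},
     "outcome": {"result": "SUCCESS"}, "target": []},
    {"published": "2023-08-01T10:04:00Z", "eventType": PRIVILEGE_GRANT,
     "actor": {"alternateId": "sa.alice@example.com"},
     "client": {"ipAddress": "203.0.113.5"},
     "securityContext": {"isProxy": True},
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "alternateId": "helper@example.com"},
                {"type": "Role", "displayName": "Super Organization Administrator"}]},
    {"published": "2023-08-01T10:06:00Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "sa.alice@example.com"},
     "client": {"ipAddress": "203.0.113.5"},
     "securityContext": {"isProxy": True},
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "alternateId": "cfo@example.com"}]},
    {"published": "2023-08-01T10:09:00Z", "eventType": IDP_CREATE,
     "actor": {"alternateId": "sa.alice@example.com"},
     "client": {"ipAddress": "203.0.113.5"},
     "securityContext": {"isProxy": True},
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "IdentityProvider", "displayName": "partner-okta-org"}]},
    # Benign control: admin on an office IP, no proxy, grants a low-privilege role.
    {"published": "2023-08-01T11:00:00Z", "eventType": SESSION_START,
     "actor": {"alternateId": "sa.bob@example.com"},
     "client": {"ipAddress": "198.51.100.20", "device": "Computer"},
     "securityContext": {"isProxy": False},
     "outcome": {"result": "SUCCESS"}, "target": []},
    {"published": "2023-08-01T11:02:00Z", "eventType": PRIVILEGE_GRANT,
     "actor": {"alternateId": "sa.bob@example.com"},
     "client": {"ipAddress": "198.51.100.20"},
     "securityContext": {"isProxy": False},
     "outcome": {"result": "SUCCESS"},
     "target": [{"type": "User", "alternateId": "helpdesk@example.com"},
                {"type": "Role", "displayName": "Help Desk Administrator"}]},
])


def parse_events(ndjson: str) -> list:
    """Parse an NDJSON System Log export into dicts ordered by publish time."""
    events = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["published"])


def classify(event: dict) -> Optional[str]:
    """Map one successful event to a stage of the hijack chain, else None."""
    if event.get("outcome", {}).get("result") != "SUCCESS":
        return None
    et = event["eventType"]
    if et == SESSION_START and event.get("securityContext", {}).get("isProxy"):
        return "anon_proxy_login"
    if et == PRIVILEGE_GRANT and any(
            "Super" in t.get("displayName", "")
            for t in event.get("target", []) if t.get("type") == "Role"):
        return "super_admin_grant"
    if et in MFA_RESET_TYPES:
        return "mfa_reset"
    if et == IDP_CREATE:
        return "idp_created"
    return None


def find_hijack_chains(events: list, min_stages: int = 2) -> dict:
    """Group stages per actor. An actor with a proxy login plus at least
    min_stages distinct stages overall is reported with the ordered stages."""
    stages = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            stages[ev["actor"]["alternateId"]].append(stage)
    return {actor: seen for actor, seen in stages.items()
            if "anon_proxy_login" in seen and len(set(seen)) >= min_stages}


if __name__ == "__main__":
    for actor, chain in find_hijack_chains(parse_events(SAMPLE_NDJSON)).items():
        print(f"{actor}: {' -> '.join(chain)}")
```

The proxy login on its own is only a weak signal (legitimate admins do use VPNs), so the rule requires it to be followed by at least one post-compromise action from the same actor; tune min_stages and the role-name match to your tenant's naming before relying on it.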
To protect admin accounts, the company recommends that customers:
- Require re-authentication for privileged app access, including the Admin Console.
- Standardize on approved Remote Management and Monitoring (RMM) tools and block unauthorized ones.
- Use strong authenticators for self-service recovery and limit it to trusted networks.
- Strengthen help desk identity verification with visual checks, MFA challenges, and manager approvals before resetting authenticators.
- Turn on and test alerts for new devices and suspicious activity.
- Limit the number of Super Administrator roles, implement privileged access management, and delegate high-risk tasks to narrower custom admin roles.
- Enforce dedicated admin policies: require admins to sign in from managed devices with phishing-resistant MFA and limit access to trusted network zones.