Okta, an identity service provider, has warned its customers about social engineering attacks in which threat actors try to obtain elevated administrator permissions.
The attacks targeted IT service desk staff, tricking them into resetting all MFA factors enrolled by highly privileged users. Once they obtained a highly privileged role in an Okta customer tenant, the threat actors adopted novel methods of lateral movement and defense evasion.
Threat actors appeared to either have passwords to privileged user accounts or be able to manipulate the delegated authentication flow via Active Directory prior to calling the IT service desk.
The attackers accessed the compromised accounts through anonymizing proxy services, from IP addresses and devices not previously associated with the user account.
Once they had compromised Super Administrator accounts, the threat actors used them to assign higher privileges to other accounts and/or reset enrolled authenticators in existing administrator accounts. The provider also reported that the threat actor removed the second factor from authentication policies.
The hacking campaign was observed between July 29 and August 19, 2023. During it, the threat actors were spotted configuring a second identity provider to act as an 'impersonation app', which let them access applications within the compromised organization on behalf of other users.
Okta recommends that customers:
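The sequence described above (help-desk factor reset, then a sign-in from an anonymizing proxy or from an IP and device never seen for that user, then a privilege grant or a second identity provider created by the same account) can be triaged from Okta System Log events. The following is an added example, not code from Okta or from the article. The eventType values and field paths are those of the Okta System Log; the sample events, user and IdP names, and the 24-hour window are constructed assumptions.

```python
"""Triage Okta System Log events for the help-desk MFA-reset chain.

Added example, not Okta's own code or tooling. The eventType values and
field names are those of the public Okta System Log; the events below are
constructed sample data, and the 24-hour window is an assumed tuning value.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FACTOR_RESET = "user.mfa.factor.reset_all"      # help desk resets every enrolled factor
PRIV_GRANT = "user.account.privilege.grant"     # admin role granted to an account
IDP_CREATE = "system.idp.lifecycle.create"      # second identity provider configured
SESSION_START = "user.session.start"

# Constructed sample events (a subset of the real System Log fields).
SAMPLE_EVENTS = [
    {"published": "2023-07-01T09:00:00Z", "eventType": SESSION_START,
     "actor": {"id": "00u1", "alternateId": "alice.admin@example.com"},
     "client": {"ipAddress": "203.0.113.10", "device": "Computer",
                "userAgent": {"os": "Windows 10"}},
     "securityContext": {"isProxy": False}, "outcome": {"result": "SUCCESS"}},
    {"published": "2023-08-01T14:02:00Z", "eventType": FACTOR_RESET,
     "actor": {"id": "00u9", "alternateId": "helpdesk@example.com"},
     "client": {"ipAddress": "203.0.113.50", "device": "Computer",
                "userAgent": {"os": "Windows 10"}},
     "target": [{"id": "00u1", "type": "User",
                 "alternateId": "alice.admin@example.com"}],
     "outcome": {"result": "SUCCESS"}},
    {"published": "2023-08-01T14:20:00Z", "eventType": SESSION_START,
     "actor": {"id": "00u1", "alternateId": "alice.admin@example.com"},
     "client": {"ipAddress": "198.51.100.77", "device": "Unknown",
                "userAgent": {"os": "Linux"}},
     "securityContext": {"isProxy": True}, "outcome": {"result": "SUCCESS"}},
    {"published": "2023-08-01T14:25:00Z", "eventType": PRIV_GRANT,
     "actor": {"id": "00u1", "alternateId": "alice.admin@example.com"},
     "target": [{"id": "00u2", "type": "User", "alternateId": "bob@example.com"}],
     "outcome": {"result": "SUCCESS"}},
    {"published": "2023-08-01T14:40:00Z", "eventType": IDP_CREATE,
     "actor": {"id": "00u1", "alternateId": "alice.admin@example.com"},
     "target": [{"id": "0oa7", "type": "IdentityProvider",
                 "displayName": "constructed-second-idp"}],
     "outcome": {"result": "SUCCESS"}},
    # Benign: a different user from a new device with no preceding reset.
    {"published": "2023-08-03T09:00:00Z", "eventType": SESSION_START,
     "actor": {"id": "00u2", "alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.11", "device": "Computer",
                "userAgent": {"os": "macOS"}},
     "securityContext": {"isProxy": False}, "outcome": {"result": "SUCCESS"}},
]


def _ts(event):
    # System Log timestamps are ISO 8601 with a Z suffix.
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def _origin(event):
    c = event.get("client", {})
    return (c.get("ipAddress"), c.get("device"), c.get("userAgent", {}).get("os"))


def _succeeded(event):
    return event.get("outcome", {}).get("result") == "SUCCESS"


def triage(events, window=timedelta(hours=24)):
    """Return findings for: factor reset -> sign-in from a proxy or from an
    origin never seen for that user -> admin-level change, all by the same
    account within `window` of the reset."""
    baseline = defaultdict(set)   # user id -> origins seen outside any reset window
    reset_at = {}                 # user id -> time of the latest successful reset_all
    findings = []
    for ev in sorted(events, key=_ts):
        etype = ev["eventType"]
        if not _succeeded(ev):
            continue
        if etype == FACTOR_RESET:
            for t in ev.get("target", []):
                if t.get("type") == "User":
                    reset_at[t["id"]] = _ts(ev)
                    findings.append({"rule": "factor_reset_all", "user": t["alternateId"],
                                     "by": ev["actor"]["alternateId"], "at": ev["published"]})
            continue
        uid = ev["actor"]["id"]
        in_window = uid in reset_at and _ts(ev) - reset_at[uid] <= window
        if etype == SESSION_START:
            is_proxy = ev.get("securityContext", {}).get("isProxy", False)
            if not in_window:
                baseline[uid].add(_origin(ev))   # learn normal origins only outside a reset window
            elif is_proxy or _origin(ev) not in baseline[uid]:
                findings.append({"rule": "post_reset_new_origin", "user": ev["actor"]["alternateId"],
                                 "ip": _origin(ev)[0], "proxy": is_proxy, "at": ev["published"]})
        elif in_window and etype in (PRIV_GRANT, IDP_CREATE):
            findings.append({"rule": "post_reset_admin_change", "user": ev["actor"]["alternateId"],
                             "event": etype, "at": ev["published"]})
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run against the constructed events, the triage returns four findings, all about the same administrator: the reset itself, the proxied sign-in from an origin never seen for that account, the privilege grant, and the second identity provider. The benign sign-in by another user from a new device produces nothing, because no reset preceded it. In production the baseline would be built from a longer history than a single event, and the `isProxy` flag alone should be weighed against the Network Zone policy the recommendations below call for.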
- Configure Authentication Policies for access to privileged applications, including the Admin Console, to require re-authentication “at every sign-in”.
- If using self-service recovery, initiate recovery with the strongest available authenticator, and limit recovery flows to trusted networks.
- Review and consolidate the use of Remote Management and Monitoring (RMM) tools by help desk personnel, and block execution of all other RMM tools.
- Strengthen help desk identity verification processes using a combination of visual verification, delegated Workflows in which helpdesk personnel issue MFA challenges to verify a user’s identity, and/or Access Requests that require approval by a user’s line manager before factors are reset.
- Review and limit the use of Super Administrator Roles – Implement privileged access management, and use Custom Admin Roles for maintenance tasks and delegate the ability to perform high-risk tasks.
- Enforce dedicated admin policies – Require admins to sign-in from managed devices and via phishing resistant MFA like FIDO keys.
- Restrict this access to trusted Network Zones and deny access from anonymizing proxies.