Today’s Cybersecurity Threat Advisory highlights Okta, who in recent weeks has experienced social engineering attacks by threat actors looking to attain highly privileged roles within Okta’s accounts. The company has warned about social engineering attacks targeting IT service desk agents at US-based organizations. These attacks are designed to trick organizations into resetting multi-factor authentication (MFA) for high-privileged users.
What is the threat?
Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. The attackers’ goal is to hijack highly privileged Okta Super Administrator accounts to access and abuse identity federation features. According to Okta, before calling the IT service desk of a target organization, the attacker either has passwords for privileged accounts or can tamper with authentication flow through the Active Directory (AD).
Why is it noteworthy?
Threat actors appear to either a) have passwords to privileged user accounts or b) can manipulate the delegated authentication flow via AD prior to calling the IT service desk at a targeted organization. Then they will request a reset of all MFA factors in the largest account. In Okta’s case, the threat actor targeted users assigned with Super Administrator permissions. The hackers used their admin access to elevate privileges for other accounts, reset enrolled authenticators, and removed the two-factor authentication (2FA) protection for some accounts.
What is the exposure or risk?
According to Okta, the threat actors have been observed configuring a second Identity Provider (IdP) to act as an “impersonation app” to access applications within the compromised organization on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a “source” IdP in an inbound federation relationship (sometimes called “Org2Org”) with the target. Using the source IdP, the hackers modified usernames to match the real users in the compromised target IdP, allowing them to impersonate the target user and provide access to applications using the Single-Sign-On (SSO) authentication mechanism.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of external factors on admin accounts:
- Enforce phishing-resistant authentication using Okta FastPass and FIDO Web2Authn.
- Require re-authentication for privileged app access, including Admin Console.
- Use strong authenticators for self-service recovery and limit to trusted networks.
- Streamline Remote Management and Monitoring (RMM) tools and block unauthorized ones.
- Enhance help desk verification with visual checks, MFA challenges, and manager approvals.
- Activate and test alerts for new devices and suspicious activity.
- Limit Super Administrator roles, implement privileged access management, and delegate high-risk tasks.
- Mandate admins to sign-in from managed devices with phishing-resistant MFA and limit access to trusted zones.
- Turn on and test New Device and Suspicious Activity end-user notifications.
- Review and limit the use of Super Administrator Roles – Implement privileged access management (PAM) for Super Administrator access and use Custom Admin Roles for maintenance tasks and delegate the ability to perform high-risk tasks.
References
For more in-depth information about the recommendations, please visit the following links:
- Cross-Tenant Impersonation: Prevention and Detection | Okta Security
- Okta: Hackers target IT help desks to gain Super Admin, disable MFA (bleepingcomputer.com)
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.
