On Friday, Okta, an identity services provider, warned of social engineering attacks in which threat actors seek to obtain elevated administrator privileges.
According to the company, several US-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel. In these attacks, callers attempt to persuade service desk staff to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users.
The attackers then abused the highly privileged Okta Super Administrator accounts to impersonate users within the compromised organization. According to the company's statement, the campaign ran from July 29 to August 19, 2023.
Okta did not name the threat actor. However, the observed techniques share hallmarks with an activity cluster tracked as Muddled Libra, which is believed to overlap with Scattered Spider and Scatter Swine.
At the core of the attacks lies a commercially available phishing kit known as 0ktapus. The kit supplies pre-built templates for creating convincing fake authentication portals whose purpose is to steal user credentials and multi-factor authentication (MFA) codes. It also ships with a ready-made command-and-control (C2) channel that uses Telegram.
In an earlier report, Palo Alto Networks Unit 42 noted that several threat actors have added the 0ktapus phishing kit to their toolset, while stressing that use of the kit alone does not make a threat actor Muddled Libra.
The report also stated that there was insufficient data on targeting, persistence, or goals to definitively link this activity to an uncategorized group referred to as UNC3944, which is tracked by Mandiant, a Google subsidiary. UNC3944 is known to use comparable tactics and techniques.
According to an analysis published last month by Trellix researcher Phelix Oluoch, Scattered Spider has mostly focused on telecommunications and Business Process Outsourcing (BPO) entities. However, there is evidence that the group has broadened its targeting to other industries, including critical infrastructure organizations.
According to the reports, the attackers either already held passwords for privileged user accounts or were able to manipulate the delegated authentication flow through Active Directory (AD). Only then did they call the targeted organization's IT help desk and request a reset of all multi-factor authentication (MFA) factors on the account.
The Super Administrator access was then used to assign elevated rights to other accounts, reset enrolled authenticators in existing administrator accounts, and in some cases remove second-factor requirements from authentication policies.
According to Okta, the attacker was observed configuring an additional identity provider to act as an "impersonation application," allowing access to applications within the compromised organization on behalf of other users. This second, attacker-controlled identity provider acts as a "source" IdP in an inbound federation relationship, sometimes referred to as "Org2Org," with the target.
From this "source" IdP, the threat actor changed the username parameter of targeted users in the second "source" IdP so that it matched a real user in the compromised "target" IdP. This gave them the ability to single sign-on (SSO) into applications in the target IdP as the targeted user.
The company recommends several countermeasures: enforce phishing-resistant authentication, strengthen help desk identity verification procedures, enable end-user notifications for new devices and suspicious activity, and review and restrict the use of Super Administrator roles.
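The chain described above (MFA factors reset on a privileged account, followed by that account granting admin rights or adding a new identity provider) is something a defender can hunt for in the Okta System Log. The following is an added detection example, not Okta's code or part of the original article: the event type names are assumed to follow Okta System Log naming, and the log lines are constructed for this example.

```python
import json
from datetime import datetime, timedelta

# Event types assumed to follow Okta System Log naming (assumption, not taken from the article).
CHAIN_STEPS = {
    "user.account.privilege.grant": "administrator role granted to another account",
    "system.idp.lifecycle.create": "new identity provider added (possible inbound federation abuse)",
}
RESET_EVENT = "user.mfa.factor.reset_all"

# Constructed sample log, one JSON event per line; names and timestamps are made up.
SAMPLE_LOG = """
{"published": "2023-08-01T09:02:11Z", "eventType": "user.mfa.factor.reset_all", "actor": {"alternateId": "helpdesk@example.test"}, "target": [{"alternateId": "superadmin@example.test"}]}
{"published": "2023-08-01T09:40:03Z", "eventType": "user.session.start", "actor": {"alternateId": "superadmin@example.test"}, "target": []}
{"published": "2023-08-01T09:45:27Z", "eventType": "user.account.privilege.grant", "actor": {"alternateId": "superadmin@example.test"}, "target": [{"alternateId": "newadmin@example.test"}]}
{"published": "2023-08-01T10:12:50Z", "eventType": "system.idp.lifecycle.create", "actor": {"alternateId": "superadmin@example.test"}, "target": [{"displayName": "Org2Org-inbound"}]}
{"published": "2023-08-03T14:00:00Z", "eventType": "user.mfa.factor.reset_all", "actor": {"alternateId": "helpdesk@example.test"}, "target": [{"alternateId": "employee@example.test"}]}
"""

def parse_events(raw):
    """Parse newline-delimited JSON events and sort them by publish time."""
    events = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])

def find_takeover_chains(events, window=timedelta(hours=24)):
    """For every reset-all-factors event, look for the reset account itself granting
    privileges or creating an IdP within `window`; a plain help desk reset with no
    such follow-up (like the employee@ line above) is not reported."""
    findings = []
    for reset in (e for e in events if e["eventType"] == RESET_EVENT):
        victim = reset["target"][0]["alternateId"]
        follow_ups = [
            (e["published"], CHAIN_STEPS[e["eventType"]]) for e in events
            if e["actor"]["alternateId"] == victim and e["eventType"] in CHAIN_STEPS
            and reset["ts"] < e["ts"] <= reset["ts"] + window
        ]
        if follow_ups:
            findings.append({"account": victim, "reset_by": reset["actor"]["alternateId"],
                             "reset_at": reset["published"], "follow_ups": follow_ups})
    return findings

if __name__ == "__main__":
    for f in find_takeover_chains(parse_events(SAMPLE_LOG)):
        print(f"[ALERT] {f['account']}: all factors reset by {f['reset_by']} at {f['reset_at']}")
        for when, what in f["follow_ups"]:
            print(f"        {when}  {what}")
```

In production the same logic would be fed from the System Log API rather than an inline string, and the time window tuned to the help desk's normal reset-to-reenrollment interval.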
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he has also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the content field in an unusual way: he began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. He also writes frequently for Craw Security.