Article Details
Scrape Timestamp (UTC): 2023-09-05 14:41:21.438
Original Article Text
Okta: Hackers target IT help desks to gain Super Admin, disable MFA

Identity and access management company Okta released a warning about social engineering attacks targeting IT service desk agents at U.S.-based customers in an attempt to trick them into resetting multi-factor authentication (MFA) for high-privileged users.

The attackers' goal was to hijack highly privileged Okta Super Administrator accounts and abuse identity federation features that allowed them to impersonate users from the compromised organization.

Okta provided indicators of compromise for attacks observed between July 29 and August 19.

The company says that before calling the IT service desk of a target organization, the attacker either already had passwords for privileged accounts or was able to tamper with the authentication flow through Active Directory (AD).

After a successful compromise of a Super Admin account, the threat actor used anonymizing proxy services, a fresh IP address, and a new device.

The hackers used their admin access to elevate privileges for other accounts, reset enrolled authenticators, and remove the two-factor authentication (2FA) protection from some accounts.

"The threat actor was observed configuring a second Identity Provider to act as an 'impersonation app' to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a 'source' IdP in an inbound federation relationship (sometimes called 'Org2Org') with the target." - Okta

Using the source IdP, the hackers modified usernames so they matched those of real users in the compromised target IdP. This allowed them to impersonate the target users and gain access to applications through the Single Sign-On (SSO) authentication mechanism.
To protect admin accounts from external actors, Okta recommends the following security measures:

Okta's advisory includes additional indicators of compromise, like system log events and workflow templates pointing to malicious activity in various stages of the attack. The company also provides a set of IP addresses associated with attacks observed between June 29 and August 19.

H/T @HaboubiAnis
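The post-compromise steps the article describes (admin session from a fresh IP and device, privilege grants to other accounts, MFA factor resets, a second Identity Provider created for inbound federation) all leave entries in the Okta System Log. The script below is an added example, not Okta's code and not taken from the advisory: it scans a batch of System Log events, builds a per-admin baseline of source IPs from earlier successful logins, and flags each sensitive action, raising severity when it comes from an IP the admin has never used or when it creates a new Identity Provider. The record layout (`eventType`, `actor`, `client.ipAddress`, `outcome.result`, `target`) follows Okta's System Log format; the event-type names are the ones I know from Okta's event catalogue and are an assumption to confirm against the advisory's own IoC list. All log entries are constructed samples.

```python
"""Flag Okta System Log activity matching the help-desk-to-Super-Admin attack chain.

Added example; event-type names are assumed from Okta's public event catalogue
and should be checked against the advisory. All events below are constructed.
"""
from collections import defaultdict

# Stages of the attack chain and the System Log event that records each one
# (assumed names; verify against Okta's catalogue and the advisory's IoCs).
SENSITIVE_EVENTS = {
    "user.account.privilege.grant": "admin privilege granted to another account",
    "user.mfa.factor.reset_all": "all MFA factors reset for a user",
    "user.mfa.factor.deactivate": "an MFA factor deactivated for a user",
    "system.idp.lifecycle.create": "new Identity Provider created (inbound federation)",
}
SESSION_EVENT = "user.session.start"  # used to learn each admin's usual IPs


def make_event(event_type, actor, ip, when, target=None, result="SUCCESS"):
    """Build a minimal record shaped like an Okta System Log entry (constructed sample)."""
    target_type, target_name = target if target else (None, None)
    return {
        "eventType": event_type,
        "published": when,
        "actor": {"alternateId": actor, "type": "User"},
        "client": {"ipAddress": ip},
        "outcome": {"result": result},
        "target": [{"type": target_type, "displayName": target_name}] if target else [],
    }


# Constructed history: the admins' normal logins over the preceding days.
HISTORY = [
    make_event(SESSION_EVENT, "alice.admin@example.com", "203.0.113.10", "2023-08-01T08:00:00Z"),
    make_event(SESSION_EVENT, "alice.admin@example.com", "203.0.113.10", "2023-08-02T08:05:00Z"),
    make_event(SESSION_EVENT, "carol.admin@example.com", "203.0.113.20", "2023-08-02T09:10:00Z"),
]

# Constructed window under review: alice's account acts from a never-seen IP
# and walks the chain from the article; carol does a routine reset from her usual IP.
RECENT = [
    make_event(SESSION_EVENT, "alice.admin@example.com", "198.51.100.77", "2023-08-10T03:01:00Z"),
    make_event("user.account.privilege.grant", "alice.admin@example.com", "198.51.100.77",
               "2023-08-10T03:04:00Z", target=("User", "bob@example.com")),
    make_event("user.mfa.factor.reset_all", "alice.admin@example.com", "198.51.100.77",
               "2023-08-10T03:06:00Z", target=("User", "bob@example.com")),
    make_event("system.idp.lifecycle.create", "alice.admin@example.com", "198.51.100.77",
               "2023-08-10T03:15:00Z", target=("IdentityProvider", "Org2Org inbound")),
    make_event("user.mfa.factor.reset_all", "carol.admin@example.com", "203.0.113.20",
               "2023-08-10T10:30:00Z", target=("User", "dave@example.com")),
]


def baseline_ips(history):
    """Map each actor to the set of IPs seen in their successful session starts."""
    seen = defaultdict(set)
    for ev in history:
        if ev.get("eventType") != SESSION_EVENT:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        actor = ev.get("actor", {}).get("alternateId")
        ip = ev.get("client", {}).get("ipAddress")
        if actor and ip:
            seen[actor].add(ip)
    return seen


def find_suspicious(recent, baseline):
    """Return one finding per sensitive event; 'high' severity when the source IP is
    new for that actor or when the event creates an Identity Provider."""
    findings = []
    for ev in recent:
        etype = ev.get("eventType")
        if etype not in SENSITIVE_EVENTS:
            continue
        actor = ev.get("actor", {}).get("alternateId", "<unknown>")
        ip = ev.get("client", {}).get("ipAddress", "<unknown>")
        new_location = ip not in baseline.get(actor, set())
        idp_created = etype == "system.idp.lifecycle.create"
        findings.append({
            "published": ev.get("published"),
            "actor": actor,
            "ip": ip,
            "event": etype,
            "what": SENSITIVE_EVENTS[etype],
            "targets": [t.get("displayName") for t in ev.get("target", [])],
            "new_location": new_location,
            "severity": "high" if (new_location or idp_created) else "review",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(RECENT, baseline_ips(HISTORY)):
        print(f"[{f['severity']:6}] {f['published']} {f['actor']} from {f['ip']}"
              f"{' (NEW IP)' if f['new_location'] else ''}: {f['what']} -> {f['targets']}")
```

In production the two inputs would be pages from the System Log API (the history window several weeks long, the review window the last few hours), and the severity rule would also fold in the advisory's published IP list; the baseline-of-known-IPs idea is the part worth keeping, because the article's attacker deliberately arrived from a fresh IP and device.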
Daily Brief Summary
Hackers are targeting IT service desk agents in social engineering attacks
Their goal is to trick agents into resetting multi-factor authentication (MFA) for high-privileged users
The attackers aim to hijack Okta Super Administrator accounts to abuse identity federation features for impersonation
They were able to compromise Super Admin accounts by tampering with the authentication flow or by already holding passwords for privileged accounts
Once they gain admin access, they elevate privileges for other accounts, reset enrolled authenticators, and remove 2FA protection
Hackers use a second, attacker-controlled Identity Provider to impersonate users and access applications through Single Sign-On authentication
Okta recommends security measures to protect admin accounts from external actors
Indicators of compromise and IP addresses associated with the attacks have been provided by Okta for additional protection measures.