Warning!! High Privilege Users Targeted for Social Engineering Attacks, Okta Alerts

Identity services provider Okta warned on Friday about social engineering attacks by malicious actors aiming to gain elevated administrator privileges.

“In recent weeks, several Okta customers in the United States have reported a consistent pattern of social engineering attacks targeting IT service desk staff. The attackers’ strategy was to persuade these personnel to reset all multi-factor authentication (MFA) factors associated with highly privileged customers,” Okta stated.

Details about what happened

The threat actors leveraged the highly privileged Okta Super Administrator accounts to impersonate users within the compromised organizations. This campaign occurred between July 29 and August 19, 2023.

While Okta did not reveal the identity of the threat actor, the methods used resemble those associated with a group known as Muddled Libra, which shares some similarities with Scattered Spider and Scatter Swine.

Phishing Kits are also on the move

At the core of these attacks is a commercial phishing kit called 0ktapus. This kit provides templates to create convincing fake authentication portals and ultimately steal credentials and multi-factor authentication (MFA) codes. It also incorporates a built-in command-and-control (C2) channel through Telegram.

Oktapus phishing campaign against Okta.

In June 2023, Palo Alto Networks Unit 42 reported that multiple threat actors incorporated this kit into their tactics. However, using the 0ktapus phishing kit alone doesn’t definitively link a threat actor to Muddled Libra.

“The speed and breadth of these attacks caught many defenders off guard. While smishing is not new, the 0ktapus framework commoditized the establishment of a normally complex infrastructure in a way that granted even low-skilled attackers a high success rate.”

Do they relate to Scattered Spider?

“Scattered Spider was primarily observed targeting telecommunications and Business Process Outsourcing (BPO) organizations,” a Trellix researcher said in a recent analysis. “However, recent activity indicates that this group has started targeting other sectors, including critical infrastructure organizations.”

How is it different?

In these recent attacks, the threat actors already possessed passwords for privileged user accounts. They could manipulate the delegated authentication process via Active Directory (AD) before contacting the targeted company’s IT help desk to request an MFA reset.

Once they gained access to the Super Administrator accounts, they:

  • elevated privileges for other accounts,
  • reset authenticators in existing administrator accounts, and
  • sometimes removed second-factor requirements from authentication policies.

Okta’s analysis of the modus operandi of the attack

Okta mentioned, “The threat actor was observed setting up a second identity provider to act as an ‘impersonation app’ to access applications within the compromised organization on behalf of other users. Controlled by the attacker, this second identity provider would act as a ‘source’ IdP in an inbound federation relationship (sometimes called ‘Org2Org’) with the target.”

Okta continued: “From this ‘source’ IdP, the threat actor

  • manipulated the username parameter for targeted users in the second ‘source’ Identity Provider to match a real one in the compromised ‘target’ Identity Provider;
  • this enabled Single Sign-On (SSO) into applications in the target IdP as the targeted user.”

What could be done to prevent such attacks?

As countermeasures, Okta recommends that customers:

  • implement authentication methods resistant to phishing, 
  • enhance identity verification processes for help desk personnel, 
  • enable notifications for new devices and suspicious activities for end-users, 
  • review and restrict the use of Super Administrator roles.
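The behaviours Okta describes above (MFA factors reset for privileged users, privileges granted to other accounts, a new inbound-federation identity provider created, and authentication policies weakened) all leave entries in the Okta System Log, which is where the “review and restrict the use of Super Administrator roles” recommendation can be made operational. The following is an added detection example, not code from Okta or from this post: it correlates such events per acting administrator over a sliding time window. The eventType names are Okta System Log event types as I know them (verify against your own tenant), and the log lines are constructed sample data.

```python
import json
from collections import defaultdict
from datetime import datetime

# Okta System Log eventType values that correspond to the steps described in
# the advisory. Assumption: these names match Okta's System Log; check them
# against real events from your tenant before deploying the rule.
SUSPICIOUS = {
    "user.mfa.factor.reset_all": "all MFA factors reset for a user",
    "user.account.privilege.grant": "admin privilege granted to a user",
    "policy.rule.update": "authentication policy rule changed",
    "system.idp.lifecycle.create": "new (inbound federation) identity provider created",
    "user.session.impersonation.initiate": "admin impersonation session started",
}

# Constructed sample log lines (not real tenant data), one JSON event per line.
SAMPLE_LOG = """
{"published":"2023-08-01T09:10:00.000Z","eventType":"policy.rule.update","actor":{"alternateId":"it.admin@example.com"},"target":[{"displayName":"Default Policy"}]}
{"published":"2023-08-02T13:00:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"displayName":"cfo@example.com"}]}
{"published":"2023-08-02T13:20:00.000Z","eventType":"user.account.privilege.grant","actor":{"alternateId":"helpdesk@example.com"},"target":[{"displayName":"contractor@example.com"}]}
{"published":"2023-08-02T14:05:00.000Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"helpdesk@example.com"},"target":[{"displayName":"Org2Org-Inbound"}]}
{"published":"2023-08-02T14:30:00.000Z","eventType":"policy.rule.update","actor":{"alternateId":"helpdesk@example.com"},"target":[{"displayName":"MFA Enrollment Policy"}]}
"""

def parse_events(text):
    """Parse newline-delimited System Log JSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_admin_takeover(events, window_hours=24, min_distinct=3):
    """Alert when a single actor performs at least `min_distinct` different
    SUSPICIOUS actions inside a sliding window of `window_hours`.
    A lone policy edit by one admin is routine; several of these steps by the
    same account within hours is the pattern the advisory describes."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("eventType") in SUSPICIOUS:
            ts = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
            target = ev["target"][0]["displayName"] if ev.get("target") else "?"
            by_actor[ev["actor"]["alternateId"]].append((ts, ev["eventType"], target))
    alerts = []
    for actor, acts in by_actor.items():
        acts.sort()
        for i, (start, _, _) in enumerate(acts):
            window = [a for a in acts[i:] if (a[0] - start).total_seconds() <= window_hours * 3600]
            kinds = {a[1] for a in window}
            if len(kinds) >= min_distinct:
                alerts.append({"actor": actor, "actions": sorted(kinds),
                               "targets": sorted({a[2] for a in window})})
                break  # one alert per actor is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in detect_admin_takeover(parse_events(SAMPLE_LOG)):
        print(alert["actor"], "->", ", ".join(SUSPICIOUS[a] for a in alert["actions"]))
```

On the sample data only helpdesk@example.com trips the rule; the single policy edit by it.admin@example.com does not, which is the intended trade-off between noise and catching a chained takeover.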

Cyber threats evolve and are never killed!

This incident, where one threat actor’s tactics overlap with others, emphasizes the need for a collaborative, intelligence-sharing approach among cybersecurity experts. It’s a reminder that understanding the enemy is crucial.

Take my word for it: reevaluate your approach to cybersecurity and stay one step ahead. No other survival tip!

Author: PureVPN

Date: September 4, 2023
