Okta, an identity and access management company, released an article uncovering a series of attacks that involve threat actors using social engineering tactics to infiltrate highly privileged roles within Okta customer organizations. These attacks, observed by Okta Security, highlight methods of lateral movement and defense evasion.

Over the past few weeks, several US-based Okta customers have reported a consistent pattern of social engineering attacks aimed at their IT service desk personnel. The attackers’ primary objective is to convince service desk personnel to reset all multifactor authentication (MFA) factors associated with highly privileged user accounts.

Upon successful access, the threat actors exploit compromised Okta Super Administrator accounts to misuse legitimate identity federation features, enabling them to impersonate users within the targeted organization. Attackers either had access to privileged user passwords or manipulated the delegated authentication flow via Active Directory (AD) prior to contacting the IT service desk.

These compromised accounts were used to assign higher privileges to other accounts and change the settings for MFA. In some cases, they removed second-factor requirements from authentication policies. The threat actors were also observed configuring a second Identity Provider to act as an “impersonation app,” allowing access to applications within the compromised organization on behalf of other users.

This “impersonation app” allowed attackers to manipulate the username of targeted users, enabling single sign-on (SSO) into applications as an impersonated user. This technique exploited the inbound federation feature, which facilitates access to applications in a target Identity Provider after successful authentication to a source Identity Provider.

Access to create or modify an Identity Provider is typically restricted to users with the highest permissions in an Okta organization, such as Super Administrators or Org Administrators. These attacks highlight the importance of safeguarding access to highly privileged accounts.

In response to these threats, Okta recommends several security measures, including:

  • implementing phishing-resistant methods for enrollment, authentication, and recovery,
  • restricting and monitoring the use of highly privileged accounts and functions, and
  • applying dedicated access policies for administrative users.
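The chain described above (service desk resets an admin's MFA, the account then creates an Identity Provider, edits an MFA policy rule, and grants roles) is something a defender can correlate in the Okta System Log. The following is an added example, not code from the article or from Okta; the event type names are assumed from the System Log vocabulary and the log lines are constructed, so verify the names against your own tenant before relying on them.

```python
import json
from datetime import datetime, timedelta

# Event types of interest. These names are assumed from the Okta System Log
# vocabulary, not taken from the article; verify them against your tenant.
MFA_RESET = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
PRIV_ABUSE = {
    "user.account.privilege.grant",   # admin role assigned to another account
    "system.idp.lifecycle.create",    # new (possibly rogue) Identity Provider
    "system.idp.lifecycle.update",
    "policy.rule.update",             # MFA requirement changed or removed
}

def parse(line):
    """Parse one System Log record (JSON) into the fields we correlate on."""
    e = json.loads(line)
    return {
        "ts": datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ"),
        "type": e["eventType"],
        "actor": e["actor"]["alternateId"],
        "target": (e.get("target") or [{}])[0].get("alternateId"),
    }

def correlate(lines, window=timedelta(hours=24)):
    """Flag accounts whose MFA was reset and that then perform privileged
    changes (role grants, IdP changes, policy edits) within `window`."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    reset_at = {}   # account -> time of its most recent MFA reset
    alerts = []
    for e in events:
        if e["type"] in MFA_RESET and e["target"]:
            reset_at[e["target"]] = e["ts"]
        elif e["type"] in PRIV_ABUSE and e["actor"] in reset_at:
            if e["ts"] - reset_at[e["actor"]] <= window:
                alerts.append((e["actor"], e["type"], e["target"]))
    return alerts

# Constructed sample log lines (not real tenant data).
SAMPLE = [
    '{"published":"2023-09-01T10:00:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"superadmin@example.com"}]}',
    '{"published":"2023-09-01T10:45:00.000Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"superadmin@example.com"},"target":[{"alternateId":"Impersonation IdP"}]}',
    '{"published":"2023-09-01T11:00:00.000Z","eventType":"policy.rule.update","actor":{"alternateId":"superadmin@example.com"},"target":[{"alternateId":"Admin MFA rule"}]}',
    '{"published":"2023-09-01T11:10:00.000Z","eventType":"user.account.privilege.grant","actor":{"alternateId":"superadmin@example.com"},"target":[{"alternateId":"contractor@example.com"}]}',
    '{"published":"2023-09-01T12:00:00.000Z","eventType":"policy.rule.update","actor":{"alternateId":"itadmin@example.com"},"target":[{"alternateId":"Guest rule"}]}',
]

if __name__ == "__main__":
    for a in correlate(SAMPLE):
        print("ALERT: %s performed %s on %s shortly after an MFA reset" % a)
```

The unrelated `itadmin` policy edit is not flagged because that account had no preceding MFA reset; tune the window to your service desk's reset-to-first-login norms.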

These attacks underscore the evolving nature of cybersecurity threats and the critical importance of proactive measures to protect privileged accounts within organizations.

Bytes & Insights: The Key Takeaways

In Summary: Okta uncovers a series of social engineering attacks targeting highly privileged roles within Okta customer organizations, showcasing methods of lateral movement and defense evasion. It highlights threat actors manipulating identity federation features and privileged accounts to impersonate users and compromise security.

Why It Matters: MSPs and their clients should take note of these attacks, as they demonstrate the increasing sophistication of cybersecurity threats. The article emphasizes the need for proactive measures, such as implementing phishing-resistant methods, monitoring privileged accounts, and applying dedicated access policies, to protect against similar attacks and safeguard highly privileged accounts within organizations.

To stay up to date on all APG intel, follow them on Twitter and Reddit.
