Identity and access management company Okta released a warning about social engineering attacks targeting IT service desk agents at U.S.-based customers in an attempt to trick them into resetting multi-factor authentication (MFA) for high-privileged users.
The attackers’ goal was to hijack highly-privileged Okta Super Administrator accounts to access and abuse identity federation features that allowed impersonating users from the compromised organization.
Okta provided indicators of compromise for attacks observed between July 29 and August 19.
The company says that before calling the IT service desk of a target organization, the attacker either had passwords for privileged accounts or were able to tamper with the authentication flow through the Active Directory (AD).
After a successful compromise of a Super Admin account, the threat actor used anonymizing proxy services, a fresh IP address, and a new device.
The hackers used their admin access to elevate privileges for other accounts, reset enrolled authenticators, and they also removed the two-factor authentication (2FA) protection for some accounts.
Using the source IdP, the hackers modified usernames so they matched the real users in the compromised target IdP. This allowed them to impersonate the target user and provided access to applications using the Single-Sign-On (SSO) authentication mechanism.
To protect admin accounts from external actors, Okta recommends the following security measures:
- Enforce phishing-resistant authentication using Okta FastPass and FIDO2 WebAuthn.
- Require re-authentication for privileged app access, including Admin Console.
- Use strong authenticators for self-service recovery and limit to trusted networks.
- Streamline Remote Management and Monitoring (RMM) tools and block unauthorized ones.
- Enhance help desk verification with visual checks, MFA challenges, and manager approvals.
- Activate and test alerts for new devices and suspicious activity.
- Limit Super Administrator roles, implement privileged access management, and delegate high-risk tasks.
- Mandate admins to sign-in from managed devices with phishing-resistant MFA and limit access to trusted zones.
Okta’s advisory includes additional indicators of compromise, like system log events and workflow templates pointing to malicious activity in various stages of the attack. The company also provides a set of IP addresses associated with attacks observed between June 29 and August 19.