Okta alert: Social engineering attacks are targeting super administrator privileges


Compiled by: Code Guard

On Friday, identity service provider Okta warned that attackers were launching social engineering attacks to gain administrator privileges.


The company said: "In recent weeks, several of Okta's U.S. customers have seen consistent social engineering attacks targeting IT help desk personnel, in which the caller's strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors." The attacker then abused a highly privileged Okta super administrator account to impersonate users within the compromised organization. Okta noted that the activity occurred between July 29 and August 19, 2023.

While Okta has not disclosed the identity of the attackers, the techniques used are very similar to the Muddled Libra group, which is said to have some overlap with Scattered Spider and Scatter Swine.

Central to these attacks is 0ktapus, a commercial phishing kit that builds realistic fake authentication portals from pre-made templates to harvest credentials and MFA codes. It also has built-in command-and-control (C2) integration via Telegram.

Palo Alto Networks Unit 42 noted in June 2023 that multiple threat actors "are incorporating it into their arsenal" and that "mere use of the 0ktapus phishing package does not necessarily identify the threat group" as Muddled Libra. Additionally, no data regarding targeting, persistence, or purpose could be found to indicate a connection between the threat actor and the group designated by Mandiant as UNC3944, which is accused of using similar techniques.

Trellix researcher Phelix Oluoch said in an analysis last month that "Scattered Spider has launched attacks against telecommunications and business process outsourcing organizations. However, recent activity indicates that the group has begun to attack other industries, such as key organizations." In the latest attack campaign, the attackers allegedly either have the password for a privileged user account or "are able to manipulate the designated authentication flow through Active Directory," and then call the target company's IT help desk to request that all MFA factors associated with the account be reset.

Subsequently, the privileges of the super administrator account are used to assign higher privileges to other accounts, reset authenticators on existing administrator accounts, and in some cases even remove second-factor requirements from authentication policies.

"Threat actors configured a secondary identity provider as an 'impersonation app' to access the compromised organization's applications as other users," Okta said. "The secondary identity provider, also controlled by the attacker, serves as the 'source' IdP in an inbound federation relationship (sometimes referred to as Org2Org) with the target. Through this 'source' IdP, the attacker manipulates the username parameter of the targeted user in the second 'source' identity provider to match the username of a real user in the 'target' identity provider. This allows the attacker to single sign-on into applications in the target IdP as the target user."

Okta mentioned that, as mitigation measures, customers can implement phishing-resistant authentication methods, strengthen help desk identity verification processes, enable end-user notifications for new devices and suspicious activity, and audit and limit the use of super administrator roles.
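As an added example (not from the article or from Okta), the following correlation check runs over constructed Okta System Log lines and flags the sequence described above when one actor performs it within a day: an all-factor MFA reset, an administrator privilege grant, creation of a second identity provider, and a change to an authentication policy rule. The event-type names are assumed for illustration and should be checked against your own tenant's System Log before use.

```python
import json
from datetime import datetime, timedelta

# Event types treated as steps of the chain. These names are assumed for
# illustration; confirm them against your own tenant's System Log.
SUSPECT_EVENTS = {
    "user.mfa.factor.reset_all": "all MFA factors reset",
    "user.account.privilege.grant": "admin privilege granted",
    "system.idp.lifecycle.create": "identity provider created",
    "policy.rule.update": "authentication policy rule changed",
}
WINDOW = timedelta(hours=24)  # steps must fall within this span to correlate

# Constructed sample events (not real data), in the System Log's JSON shape.
SAMPLE_LOG = [
    '{"published":"2023-08-01T09:00:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"}}',
    '{"published":"2023-08-01T09:20:00.000Z","eventType":"user.session.start","actor":{"alternateId":"admin@example.com"}}',
    '{"published":"2023-08-01T10:05:00.000Z","eventType":"user.account.privilege.grant","actor":{"alternateId":"admin@example.com"}}',
    '{"published":"2023-08-01T10:30:00.000Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"admin@example.com"}}',
    '{"published":"2023-08-01T11:00:00.000Z","eventType":"policy.rule.update","actor":{"alternateId":"admin@example.com"}}',
    '{"published":"2023-08-03T08:00:00.000Z","eventType":"policy.rule.update","actor":{"alternateId":"ops@example.com"}}',
]

def parse_event(line):
    """Parse one JSON event into (actor, event type, timestamp)."""
    e = json.loads(line)
    ts = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return e["actor"]["alternateId"], e["eventType"], ts

def find_chains(lines, min_steps=3):
    """Map each actor to the suspect steps they performed, keeping only actors
    with at least min_steps distinct steps within WINDOW of their first one."""
    per_actor = {}
    for line in lines:
        actor, etype, ts = parse_event(line)
        if etype in SUSPECT_EVENTS:  # ignore routine events such as logins
            per_actor.setdefault(actor, []).append((ts, etype))
    hits = {}
    for actor, events in per_actor.items():
        events.sort()
        start = events[0][0]
        steps = {SUSPECT_EVENTS[et] for ts, et in events if ts - start <= WINDOW}
        if len(steps) >= min_steps:
            hits[actor] = sorted(steps)
    return hits

if __name__ == "__main__":
    for actor, steps in find_chains(SAMPLE_LOG).items():
        print(f"ALERT {actor}: {', '.join(steps)}")
```

Only the administrator account that chained three distinct steps inside the window is reported; a single policy edit or a single factor reset on its own stays below the threshold and is left for routine review.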




Original link

https://thehackernews.com/2023/09/okta-warns-of-social-engineering.html

Title image: Pexels License

This article was compiled by Qi Anxin and does not represent the views of Qi Anxin. Please indicate "Reprinted from Qianxin Code Guard https://codesafe.qianxin.com" when reprinting.


Origin blog.csdn.net/smellycat000/article/details/132680387