Hackers Target High-Privileged Okta Accounts via Help Desk
Threat actors convince employees to reset MFA for Super Admin accounts in the IAM service to leverage compromised accounts, impersonating users and moving laterally within an organization.

Threat actors are using social engineering to convince IT desk personnel to reset multifactor authentication (MFA) for highly privileged Okta enterprise accounts, gaining access to the cloud-based identity and access management (IAM) service and moving laterally through targeted networks from there.
Okta is a cloud-based, enterprise-grade IAM service that connects enterprise users across applications and devices, and it’s used by more than 17,000 customers globally. While it was built for cloud-based systems, it also is compatible with many on-premises applications.
US-based customers of Okta have reported a “consistent pattern” of “cross-tenant impersonation” attacks in recent weeks, with the actors targeting users assigned “Super Administrator” permissions, the company revealed in a recent blog post.
“Threat actors appeared to either have a) passwords to privileged user accounts or b) be able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk at a targeted org, requesting a reset of all MFA factors in the target account,” according to the post, attributed to Okta’s Defensive Cyber Operations.
The hackers then access compromised accounts using anonymizing proxy services and an IP and device not previously associated with the user account “to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization,” according to the post.
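
For defenders, the sequence described above (a reset of all MFA factors on a Super Administrator account, followed by a sign-in through an anonymizing proxy from an IP and device not previously associated with the user) can be detected by correlating the two events. The Python below is an added example, not code from Okta or from the article; the event field names, the per-user baseline and the 24-hour window are assumptions, and the log records are constructed.

```python
from datetime import datetime, timedelta

PRIVILEGED_ROLE = "Super Administrator"

# Constructed sample events; field names are simplified assumptions,
# not the exact schema of any identity provider's log.
EVENTS = [
    {"time": "2024-01-10T14:02:00", "type": "mfa_reset_all", "user": "admin1@example.com", "role": PRIVILEGED_ROLE},
    {"time": "2024-01-10T14:20:00", "type": "sign_in", "user": "admin1@example.com",
     "ip": "203.0.113.50", "device": "dev-unknown", "proxy": True},
    {"time": "2024-01-10T15:00:00", "type": "mfa_reset_all", "user": "admin2@example.com", "role": PRIVILEGED_ROLE},
    {"time": "2024-01-10T15:10:00", "type": "sign_in", "user": "admin2@example.com",
     "ip": "198.51.100.7", "device": "dev-a2", "proxy": False},
    {"time": "2024-01-10T16:00:00", "type": "mfa_reset_all", "user": "user3@example.com", "role": "User"},
    {"time": "2024-01-10T16:05:00", "type": "sign_in", "user": "user3@example.com",
     "ip": "203.0.113.99", "device": "dev-unknown", "proxy": True},
]

# Constructed baseline of IPs and devices previously seen per user.
BASELINE = {
    "admin1@example.com": {"ips": {"198.51.100.5"}, "devices": {"dev-a1"}},
    "admin2@example.com": {"ips": {"198.51.100.7"}, "devices": {"dev-a2"}},
}

def find_suspicious_signins(events, baseline, window=timedelta(hours=24)):
    """Flag sign-ins that follow a full MFA reset on a privileged account."""
    resets, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts, user = datetime.fromisoformat(ev["time"]), ev["user"]
        if ev["type"] == "mfa_reset_all" and ev.get("role") == PRIVILEGED_ROLE:
            resets[user] = ts  # remember the most recent reset per user
        elif ev["type"] == "sign_in" and user in resets and ts - resets[user] <= window:
            known = baseline.get(user, {"ips": set(), "devices": set()})
            reasons = []
            if ev["ip"] not in known["ips"]:
                reasons.append("new_ip")
            if ev["device"] not in known["devices"]:
                reasons.append("new_device")
            if ev.get("proxy"):
                reasons.append("anonymizing_proxy")
            if reasons:  # any signal alerts; all three together match the reported pattern
                alerts.append({"user": user, "time": ev["time"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_signins(EVENTS, BASELINE):
        print(alert)
```

Only the first account is flagged: the second signs in from its known IP and device after the reset, and the third is not a privileged account.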
Read more at: https://www.darkreading.com/cloud/hackers-target-high-privileged-okta-accounts-via-help-desk