Okta: Hackers Target IT Help Desks to Gain Super Admin, Disable MFA

Cyber Security Threat Summary:
Researchers at Okta issued a warning regarding social engineering attacks directed at IT service desk agents serving U.S.-based clients. The aim of these attacks was to deceive these agents into resetting multi-factor authentication (MFA) for users with elevated privileges. The attackers' ultimate objective was to gain control of Okta Super Administrator accounts, which have extensive privileges. This access would enable them to exploit identity federation functionalities, permitting impersonation of users within the compromised organization.

“The company says that before calling the IT service desk of a target organization, the attacker either had passwords for privileged accounts or were able to tamper with the authentication flow through the Active Directory (AD). After a successful compromise of a Super Admin account, the threat actor used anonymizing proxy services, a fresh IP address, and a new device. The hackers used their admin access to elevate privileges for other accounts, reset enrolled authenticators, and they also removed the two-factor authentication (2FA) protection for some accounts” (BleepingComputer, 2023).

Security Officer Comments:
After a successful compromise of a Super Admin account, the threat actor used anonymizing proxy services, a fresh IP address, and a new device. The hackers used their admin access to elevate privileges for other accounts, reset enrolled authenticators, and they also removed the two-factor authentication (2FA) protection for some accounts. By utilizing the source Identity Provider (IdP), the hackers altered usernames to align with the actual users in the targeted, compromised Identity Provider (IdP). This manipulation enabled them to assume the identity of the target user, granting access to applications through the Single-Sign-On (SSO) authentication method.

Suggested Correction(s):


Okta has released IOCs and recommends the following security measures:

To protect admin accounts from external actors, Okta recommends the following security measures:

  • Enforce phishing-resistant authentication using Okta FastPass and FIDO2 WebAuthn.
  • Require re-authentication for privileged app access, including Admin Console.
  • Use strong authenticators for self-service recovery and limit to trusted networks.
  • Streamline Remote Management and Monitoring (RMM) tools and block unauthorized ones.
  • Enhance help desk verification with visual checks, MFA challenges, and manager approvals.
  • Activate and test alerts for new devices and suspicious activity.
  • Limit Super Administrator roles, implement privileged access management, and delegate high-risk tasks.
  • Mandate admins to sign-in from managed devices with phishing-resistant MFA and limit access to trusted zones.


Link(s):
https://www.bleepingcomputer.com/ https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection