Okta: Hackers target IT desks to gain Super Admin, disable MFA

Identity and access management company Okta released a warning about social engineering attacks targeting IT service desk agents at U.S.-based customers in an attempt to trick them into resetting multi-factor authentication (MFA) for high-privileged users.

The attackers' goal was to hijack highly privileged Okta Super Administrator accounts in order to access and abuse identity federation features that allowed them to impersonate users from the compromised organization.

Okta provided indicators of compromise for attacks observed between July 29 and August 19.

The company says that before calling the IT service desk of a target organization, the attackers either already had passwords for privileged accounts or were able to tamper with the authentication flow through Active Directory (AD).

After a successful compromise of a Super Admin account, the threat actor used anonymizing proxy services, a fresh IP address, and a new device.

The hackers used their admin access to elevate privileges for other accounts, reset enrolled authenticators, and remove the two-factor authentication (2FA) protection from some accounts.

"The threat actor was observed configuring a second Identity Provider to act as an 'impersonation app' to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a 'source' IdP in an inbound federation relationship (sometimes called 'Org2Org') with the target" - Okta

Using the source IdP, the hackers modified usernames so they matched those of real users in the compromised target IdP. This allowed them to impersonate the target user and gain access to applications through the single sign-on (SSO) mechanism.

To protect admin accounts from external actors, Okta recommends the following security measures:

  • Enforce phishing-resistant authentication using Okta FastPass and FIDO2 WebAuthn.
  • Require re-authentication for privileged app access, including Admin Console.
  • Use strong authenticators for self-service recovery and limit to trusted networks.
  • Streamline Remote Management and Monitoring (RMM) tools and block unauthorized ones.
  • Enhance help desk verification with visual checks, MFA challenges, and manager approvals.
  • Activate and test alerts for new devices and suspicious activity.
  • Limit Super Administrator roles, implement privileged access management, and delegate high-risk tasks.
  • Require admins to sign in from managed devices with phishing-resistant MFA and limit access to trusted zones.

Okta's advisory includes additional indicators of compromise, like system log events and workflow templates pointing to malicious activity in various stages of the attack. The company also provides a set of IP addresses associated with attacks observed between June 29 and August 19.
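The sequence described above (a Super Admin session from an unfamiliar IP address or device, followed by privilege grants, MFA factor removals, and the creation of a second Identity Provider) is well suited to a System Log hunt. The script below is an added example written for this article; it is not Okta's own detection content and not part of the advisory. It assumes an exported list of System Log events in their JSON shape, a per-admin baseline of known IP addresses, and event type names (`user.account.privilege.grant`, `user.mfa.factor.deactivate`, `system.idp.lifecycle.create`) as the author understands them from the Okta System Log; confirm those against your tenant. The sample events, actor IDs and IP addresses are constructed for the demonstration.

```python
"""Hunt Okta System Log exports for the Super Admin takeover pattern:
a privileged actor operating from an IP address outside their baseline who,
within a short window, grants privileges, removes MFA factors from other
users, and configures a new Identity Provider (a candidate Org2Org source IdP).

Event type strings are assumptions based on the Okta System Log as the
author understands it; verify them in your own tenant before relying on them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event types worth clustering on (assumed names; confirm in your System Log).
SUSPICIOUS_TYPES = {
    "user.account.privilege.grant": "privilege granted to another account",
    "user.mfa.factor.deactivate": "MFA factor removed from an account",
    "system.idp.lifecycle.create": "new Identity Provider configured",
}


def parse_ts(ts):
    """Parse the System Log 'published' timestamp (ISO 8601, UTC, trailing Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def detect_takeover(events, baseline_ips, window=timedelta(hours=1), min_kinds=2):
    """Return one finding per actor whose suspicious actions cluster inside
    `window` and originate from at least one IP outside that actor's baseline.

    baseline_ips: dict of actor id -> set of IPs the admin has historically used.
    """
    by_actor = defaultdict(list)
    for ev in events:
        if ev["eventType"] in SUSPICIOUS_TYPES:
            by_actor[ev["actor"]["id"]].append(ev)

    findings = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: parse_ts(e["published"]))
        # Sliding window: from each event, gather everything that follows within `window`.
        for i, start in enumerate(evs):
            t0 = parse_ts(start["published"])
            cluster = [e for e in evs[i:] if parse_ts(e["published"]) - t0 <= window]
            kinds = {e["eventType"] for e in cluster}
            ips = {e["client"]["ipAddress"] for e in cluster}
            new_ips = ips - baseline_ips.get(actor, set())
            if len(kinds) >= min_kinds and new_ips:
                findings.append({
                    "actor": actor,
                    "start": start["published"],
                    "actions": sorted(SUSPICIOUS_TYPES[k] for k in kinds),
                    "new_ips": sorted(new_ips),
                    "targets": sorted({t["alternateId"]
                                       for e in cluster for t in e.get("target", [])}),
                })
                break  # one finding per actor is enough to raise an alert
    return findings


def _event(published, event_type, actor_id, ip, target):
    """Build a minimal constructed System Log event for the demonstration."""
    return {"published": published, "eventType": event_type,
            "actor": {"id": actor_id}, "client": {"ipAddress": ip},
            "target": [{"alternateId": target}]}


# Constructed sample: a legitimate change on day one from the admin's usual IP,
# then a cluster of three actions from an unfamiliar IP the next day, plus an
# unrelated single factor reset by a help desk account from its own usual IP.
SAMPLE_EVENTS = [
    _event("2023-08-01T09:00:00.000Z", "user.account.privilege.grant",
           "00u_admin", "203.0.113.10", "newhire@example.com"),
    _event("2023-08-02T14:03:00.000Z", "user.account.privilege.grant",
           "00u_admin", "198.51.100.7", "second-admin@example.com"),
    _event("2023-08-02T14:09:00.000Z", "user.mfa.factor.deactivate",
           "00u_admin", "198.51.100.7", "cfo@example.com"),
    _event("2023-08-02T14:21:00.000Z", "system.idp.lifecycle.create",
           "00u_admin", "198.51.100.7", "constructed-source-idp"),
    _event("2023-08-02T15:00:00.000Z", "user.mfa.factor.deactivate",
           "00u_helpdesk", "203.0.113.11", "employee@example.com"),
]
BASELINE_IPS = {"00u_admin": {"203.0.113.10"}, "00u_helpdesk": {"203.0.113.11"}}

if __name__ == "__main__":
    for f in detect_takeover(SAMPLE_EVENTS, BASELINE_IPS):
        print(f"ALERT actor={f['actor']} from {f['new_ips']} starting {f['start']}")
        for a in f["actions"]:
            print("  -", a)
        print("  targets:", ", ".join(f["targets"]))
```

The baseline of known IPs stands in for the richer device and network signals Okta exposes (new device, anonymizing proxy, trusted zone); a production hunt would key on those fields as well, and would tune `window` and `min_kinds` to the tenant's normal admin activity.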

H/T @HaboubiAnis
