Identity services provider Okta on Friday warned of social engineering attacks orchestrated by threat actors to obtain elevated administrator permissions.
"In recent weeks, multiple U.S.-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller's strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users," the company said.
The adversary then moved to abuse the highly privileged Okta Super Administrator accounts to impersonate users within the compromised organization. The campaign, per the company, took place between July 29 and August 19, 2023.
Okta did not disclose the identity of the threat actor, but the tactics exhibit all the hallmarks of an activity cluster known as Muddled Libra, which is said to share some degree of overlap with Scattered Spider and Scatter Swine.
Central to the attacks is a commercial phishing kit called 0ktapus, which offers pre-made templates to create realistic fake authentication portals and ultimately harvest credentials and multi-factor authentication (MFA) codes. It also incorporates a built-in command-and-control (C2) channel via Telegram.
Palo Alto Networks Unit 42 told The Hacker News previously in June 2023 that multiple threat actors are "adding it to their arsenal" and that "using the 0ktapus phishing kit alone doesn't necessarily classify a threat actor" as Muddled Libra.
It also said it could not find enough data on targeting, persistence, or objectives to confirm a link between the actor and an uncategorized group that Google-owned Mandiant tracks as UNC3944, which is also known to employ similar tradecraft.
"Scattered Spider has largely been observed targeting telecommunications and Business Process Outsourcing (BPO) organizations," Trellix researcher Phelix Oluoch said in an analysis published last month. "However, recent activity indicates that this group has started targeting other sectors, including critical infrastructure organizations."
In the latest set of attacks, the threat actors are said to be already in possession of passwords belonging to privileged user accounts or "be able to manipulate the delegated authentication flow via Active Directory (AD)" before calling the IT help desk of the targeted company to request a reset of all MFA factors associated with the account.
The access to the Super Administrator accounts is subsequently used to assign higher privileges to other accounts, reset enrolled authenticators in existing administrator accounts, and even remove second-factor requirements from authentication policies in some cases.
"The threat actor was observed configuring a second identity provider to act as an 'impersonation app' to access applications within the compromised org on behalf of other users," Okta said. "This second identity provider, also controlled by the attacker, would act as a 'source' IdP in an inbound federation relationship (sometimes called 'Org2Org') with the target."
"From this 'source' IdP, the threat actor manipulated the username parameter for targeted users in the second 'source' Identity Provider to match a real user in the compromised 'target' Identity Provider. This provided the ability to Single sign-on (SSO) into applications in the target IdP as the targeted user."
As countermeasures, the company is recommending that customers enforce phishing-resistant authentication, strengthen help desk identity verification processes, enable new device and suspicious activity end-user notifications, and review and limit the use of Super Administrator roles.
