Identity and access management solutions provider Okta warns that multiple customers based in the United States have been targeted in sophisticated attacks involving social engineering.
The company said late last week that the attackers targeted IT service desk personnel in an effort to convince them to reset multi-factor authentication (MFA) for high-privilege users within the targeted organization.
Okta said the hackers used new lateral movement and defense evasion methods, but it has not shared any information on the threat actor itself or its ultimate goal. It’s unclear if it’s related, but last year many Okta customers were targeted as part of a financially motivated cybercrime campaign named 0ktapus.
In the recent attacks, prior to calling the targeted organization’s IT service desk, the attackers obtained passwords associated with privileged user accounts or manipulated the delegated authentication flow through Active Directory.
They then attempted to convince IT service desk staff to reset all MFA factors for the targeted accounts, particularly users with Super Administrator permissions.
Once they had access to the Super Administrator accounts, the threat actors assigned high privileges to other accounts, and in some cases reset enrolled authenticators for existing admin accounts. The hackers also altered authentication policies to remove second factor requirements.
Okta also pointed out that the hackers abused inbound federation to impersonate users at the targeted organization. Inbound federation enables access to an application in a ‘target’ identity provider (IdP) by authenticating to a ‘source’ IdP.
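A defender-side correlation for the sequence described above (all MFA factors reset on an account, followed by that account granting admin privileges, changing sign-on policy, or creating an inbound federation IdP), as an added example that is not Okta's code or from the article. The `eventType` strings are assumed to match Okta System Log values and the log records are constructed; verify both against your own tenant before relying on the rule.

```python
import json
from datetime import datetime, timedelta

# Okta System Log eventType values assumed to correspond to the actions the
# article describes (assumption: confirm against your tenant's real logs).
HIGH_RISK_EVENTS = {
    "user.account.privilege.grant": "admin privilege granted to another account",
    "policy.rule.update": "sign-on policy rule changed (e.g. MFA requirement removed)",
    "system.idp.lifecycle.create": "inbound federation IdP created",
}
MFA_RESET_EVENT = "user.mfa.factor.reset_all"

# Constructed newline-delimited JSON records in System Log shape; not real data.
SAMPLE_LOG = """
{"published":"2023-08-29T14:02:11Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"superadmin@example.com"}],"client":{"ipAddress":"203.0.113.10"}}
{"published":"2023-08-29T14:05:40Z","eventType":"user.session.start","actor":{"alternateId":"superadmin@example.com"},"target":[],"client":{"ipAddress":"198.51.100.7"}}
{"published":"2023-08-29T14:07:02Z","eventType":"user.account.privilege.grant","actor":{"alternateId":"superadmin@example.com"},"target":[{"alternateId":"newadmin@example.com"}],"client":{"ipAddress":"198.51.100.7"}}
{"published":"2023-08-29T14:09:15Z","eventType":"policy.rule.update","actor":{"alternateId":"superadmin@example.com"},"target":[{"alternateId":"Default Policy"}],"client":{"ipAddress":"198.51.100.7"}}
{"published":"2023-08-29T14:12:48Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"superadmin@example.com"},"target":[{"alternateId":"external-idp"}],"client":{"ipAddress":"198.51.100.7"}}
"""


def parse_events(log_text):
    """Parse newline-delimited JSON System Log records, oldest first."""
    events = [json.loads(ln) for ln in log_text.strip().splitlines() if ln.strip()]
    return sorted(events, key=lambda e: e["published"])


def detect_post_reset_abuse(log_text, window_minutes=60):
    """Flag high-risk admin actions performed by an account whose MFA factors
    were fully reset within the preceding window. Returns a list of findings."""
    reset_at = {}   # user -> time of last full MFA reset
    findings = []
    for ev in parse_events(log_text):
        ts = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        etype, actor = ev["eventType"], ev["actor"]["alternateId"]
        targets = [t["alternateId"] for t in ev.get("target", [])]
        if etype == MFA_RESET_EVENT:
            for user in targets:           # the reset account, not the help-desk actor
                reset_at[user] = ts
        elif etype in HIGH_RISK_EVENTS and actor in reset_at:
            if ts - reset_at[actor] <= timedelta(minutes=window_minutes):
                findings.append({"eventType": etype, "actor": actor, "targets": targets,
                                 "ip": ev["client"]["ipAddress"], "why": HIGH_RISK_EVENTS[etype]})
    return findings


if __name__ == "__main__":
    for f in detect_post_reset_abuse(SAMPLE_LOG):
        print(f"{f['eventType']:32} by {f['actor']} from {f['ip']}: {f['why']}")
```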