Incident Name: Okta August 2023 Social Engineering Attack Advisory
Date of Incident: August 2023
Okta, a provider of identity and authentication services, recently issued a warning to its customers regarding an ongoing, sophisticated social engineering attack that has been targeting Okta customers. Beginning in August of 2023, numerous Okta customers reported being targeted by social engineering attacks that focused on IT service desk employees. The threat actor utilized a technique known as vishing to trick employees into resetting multi-factor authentication (MFA) settings for highly privileged users. If successful, the threat actor leveraged their access to Okta super admins and abused legitimate features to impersonate other users within the organization.
Several tactics, techniques, and procedures (TTPs) were identified by Okta during the investigation. One notable finding was that the threat actors seemed to possess passwords for privileged accounts or were able to manipulate the delegated authentication flow via Active Directory before contacting IT service desk employees. The threat actors also utilized anonymizing proxy services with IP addresses and devices not previously associated with the compromised user’s account. Once the super admin accounts were compromised, the threat actors used these permissions to give higher privileges to other accounts, reset or remove MFA settings for admin accounts, and even configure a second Identity Provider to act as an “impersonation app” to access applications within the compromised organizations on behalf of other users.
The identity of the threat actor remains unknown, but the tactics used resemble those previously employed by groups known as “muddled libra,” “scattered spider,” and “scatter swine,” who utilize the 0ktapus phishing kit to create fake auth portals to harvest credentials and MFA tokens. The muddled libra group has previously targeted organizations in the software automation, Business Process Outsourcing (BPO), telecoms, and technology industries, and they are known to conduct recon on organizations to gather employee data such as credentials and phone numbers. They then register lookalike domains and use the 0ktapus phishing kit to trick employees through smishing or vishing campaigns.
Similar attacks have been carried out against other companies that use Okta for authentication, such as Twilio and Cloudflare, where smishing campaigns were employed by the threat actor. The 0ktapus group has also been attributed to a smishing campaign against crypto exchange Coinbase in February of 2023, in which an employee was tricked into entering their credentials into a phishing site. These cases illustrate the growing popularity of using authentication platforms such as Okta for threat actors who have successfully compromised target organizations using social engineering tactics and credential harvesting.
Key Social Engineering/OSINT Themes:
- Recon – Customer of Okta, employee, and organizational information was harvested. The threat actor leveraged exposed employee information to conduct a social engineering attack.
- Vishing – The threat actor targeted IT service personnel with high privileges and tried to convince them to reset MFA on high-privileged accounts.
Picnic’s Recommended Remediations:
For detailed remediations, see the HASP Framework.
High Risk Employees
- HASP Framework 1.1 — Identify high-value employee targets
- HASP Framework 1.3 — Conduct social engineering risk assessments for high-value employee targets
- HASP Framework 1.5 — Establish and implement procedures for high-value employee targets
- HASP Framework 1.7 — Increase detection and monitoring for high-value employee targets
Exposed Employee PII
- HASP Framework 2.1 — Identify exposed employee PII
- HASP Framework 2.2 — Reduce exposed employee PII
- HASP Framework 3.1 — Identify exposed work credentials
- HASP Framework 3.7 — Restrict service account access
- HASP Framework 3.8 — Monitor for account takeover (including real-time alerts on exposed credentials)
- HASP Framework 3.9 — Monitor for MFA configuration changes
- HASP Framework 3.10 — Monitor for new MFA registrations
Exposed Remote Services
- HASP Framework 4.2 — Identify exposed shadow IT
- HASP Framework 4.4 — Manage shadow IT / remote access
Indicators of Attack
- HASP Framework 7.1 — Monitor for suspicious external accounts
- HASP Framework 7.2 — Request takedowns for suspicious external accounts
- HASP Framework 7.3 — Alert your organization about suspicious external accounts
- HASP Framework 7.4 — Monitor for suspicious domains
- HASP Framework 7.5 — Block suspicious domains
- HASP Framework 8.1 — Train employees on social engineering attacks
- HASP Framework 8.2 — Provide employees with social engineering phishing simulation training
- HASP Framework 8.4 — Build and establish social engineering policies, processes, and procedures
Industry: Telecommunications, Technology, Professional Services
Actor: Suspected to be ‘muddled libra’, ‘scattered spider’ or ‘scatter swine’
Breach Notice/Company Notice:
- Okta Warns of Social Engineering Attacks Targeting Super Administrator Privileges
- Okta: Hackers target IT help desks to gain Super Admin, disable MFA
- More Okta customers trapped in Scattered Spider’s web
- Palo Alto Networks Unit42 Threat Group Assessment: Muddled Libra
- Muddled Libra’ Uses Oktapus-Related Smishing to Target Outsourcing Firms