In a blog post last week, Okta disclosed that a threat actor used social engineering to gain a highly privileged role in customers' Okta tenants. The threat actor called IT service desk personnel at targeted organizations and convinced them to reset all MFA factors for the organizations' highly privileged users.
Following the publication of the blog post, Okta confirmed to TechTarget Editorial that four customers were compromised between July 29 and Aug. 19, when the identity and access management (IAM) vendor initially started tracking the wave of attacks.
During the campaign, attackers gained privileges to Okta super administrator accounts, abused identity federation features and eventually impersonated users within the compromised organizations. In some cases, Okta observed the threat actor had passwords to privileged user accounts. In others, the threat actor was able to manipulate Active Directory, which stores authentication information, prior to calling the IT service desk and requesting the MFA reset.
Okta said the threat actor used an IP and device not previously associated with the user account to evade detection. Additionally, the adversary abused inbound federation protocols to gain additional access to the target organization.
"The threat actor was observed configuring a second Identity Provider to act as an 'impersonation app' to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a 'source' IdP in an inbound federation relationship (sometimes called 'Org2Org') with the target," the blog read.
The threat actor used the "source" identity provider (IDP) to enable single sign-on access for applications in the IDP of the targeted organization. It's unclear if the impersonation app was created through another IAM provider or if the attackers created their own IDP.
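The chain described above (all MFA factors reset on a privileged account, a sign-in from an IP and device not previously associated with it, then a new identity provider) can be correlated in log data. The following Python is an added example, not code from Okta or this article; the flattened event layout, account names, addresses and 24-hour window are constructed assumptions, and the event type strings are modeled on Okta System Log event types that should be confirmed in your own tenant.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)      # assumed correlation window
PRIVILEGED = {"alice.admin"}      # constructed: super administrator accounts
BASELINE = {"alice.admin": {("198.51.100.10", "dev-laptop-1")}}  # known (ip, device)

# Constructed sample events in a flattened layout (assumption, not raw Okta JSON).
EVENTS = [
    {"ts": "2023-08-01T09:00:00", "type": "user.session.start",
     "actor": "alice.admin", "ip": "198.51.100.10", "device": "dev-laptop-1"},
    {"ts": "2023-08-01T14:02:00", "type": "user.mfa.factor.reset_all",
     "actor": "helpdesk.bob", "target": "alice.admin",
     "ip": "198.51.100.20", "device": "hd-1"},
    {"ts": "2023-08-01T14:10:00", "type": "user.session.start",
     "actor": "alice.admin", "ip": "203.0.113.77", "device": "unknown-1"},
    {"ts": "2023-08-01T14:25:00", "type": "system.idp.lifecycle.create",
     "actor": "alice.admin", "ip": "203.0.113.77", "device": "unknown-1"},
    {"ts": "2023-08-02T10:00:00", "type": "system.idp.lifecycle.create",
     "actor": "carol.admin", "ip": "198.51.100.30", "device": "dev-laptop-3"},
]

def correlate(events, privileged=PRIVILEGED, baseline=BASELINE, window=WINDOW):
    """Return (severity, user, reason) alerts for reset -> new device -> new IdP."""
    resets, suspect, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, actor = datetime.fromisoformat(ev["ts"]), ev["actor"]
        if ev["type"] == "user.mfa.factor.reset_all" and ev.get("target") in privileged:
            resets[ev["target"]] = ts
            alerts.append(("medium", ev["target"], "all MFA factors reset on privileged user"))
        elif ev["type"] == "user.session.start":
            known = (ev["ip"], ev["device"]) in baseline.get(actor, set())
            recent = actor in resets and ts - resets[actor] <= window
            if recent and not known:
                suspect[actor] = ts
                alerts.append(("high", actor, "sign-in from unseen IP/device after MFA reset"))
        elif ev["type"] == "system.idp.lifecycle.create":
            if actor in suspect and ts - suspect[actor] <= window:
                alerts.append(("critical", actor, "identity provider created in suspect session"))
            else:
                alerts.append(("low", actor, "identity provider created; confirm change ticket"))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Escalating severity along the chain lets a help-desk reset on its own stay a review item while the full sequence pages an analyst.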
It's also unclear how the attackers were able to convince IT service personnel to reset MFA factors. Vishing threats have increased in recent years amid concerns about deepfake audio and video, and many organizations have emphasized security awareness training to defend against social engineering attacks.
Kevin Greene, public sector CTO at OpenText Cybersecurity, said it's likely the threat actor spent a significant amount of time studying the targeted organizations to learn the identities and backgrounds of targeted users and executives. He also said it's possible the attackers used public tutorials and training material for Okta to learn how to abuse inbound federation and set up their own malicious IDP.
"You can't underestimate the amount of reconnaissance that threat actors do," he said.
Greene said the social engineering campaign highlights how identity infrastructure, particularly in the cloud, has become an attractive and broad attack surface for threat actors. He added that organizations should have up-to-date threat profiles to strengthen their cybersecurity postures and also install additional authorization requirements for certain high-level actions such as resetting MFA factors.
Regarding attribution, Okta told TechTarget Editorial that other cybersecurity companies have linked the activity to Scattered Spider, also referred to as UNC3944, Scatter Swine and Muddled Libra. While names may vary, all three vendors agreed that Scattered Spider is adept at evading defenses and employing effective phishing techniques.
In a blog post last month, Trellix threat researcher Phelix Oluoch revealed the financially motivated threat actor has been active since May 2022. Victims included telecommunications and business process outsourcing organizations, but Trellix recently observed that the group started targeting other sectors, including critical infrastructure organizations.
More notably, Trellix observed an IT personnel connection similar to the technique used in the Okta attacks.
"This group has often been observed impersonating IT personnel to convince individuals to share their credentials or grant remote access to their computers, has been linked to several past phishing campaigns and deployments of malicious kernel drivers -- including the use of signed but malicious versions of the Windows Intel Ethernet diagnostics driver," Oluoch wrote in the blog.
Oluoch emphasized that Scattered Spider has a deep understanding of the Azure environment, is known for sensitive data theft and typically exploits vulnerabilities such as CVE-2015-2291, a flaw that affects the Intel Ethernet diagnostics driver for Windows.
Social engineering using phone calls and text messages to impersonate users was one way Scattered Spider gained initial access. The group is also known to leverage "trusted organization infrastructure for follow-on attacks on downstream customers."
Mandiant also observed that the Scattered Spider threat group, or what is referred to as UNC3944, "heavily relies on email and SMS phishing attacks and have also been observed attempting to phish other users within an organization once they've gained access to employee databases."
In a blog post from May, Mandiant revealed an alarming growth within the group.
"This particular group continues to evolve and tailor their efforts based on the target," Mandiant wrote in the blog.
In January, CrowdStrike warned the group was attempting to bypass endpoint tools including Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR and SentinelOne.
"Scattered Spider leverages a combination of credential phishing and social engineering to capture one-time password (OTP) codes or overwhelms targets using multifactor authentication notification fatigue tactics," CrowdStrike wrote in the blog.
Like Trellix, CrowdStrike urged users to patch CVE-2015-2291.
This isn't the first time Scattered Spider has targeted Okta. In August 2022, Okta disclosed another phishing campaign attributed to Scatter Swine. After hacking customer engagement vendor Twilio, Scatter Swine was able to access some Okta customer data. While Okta said its "strong authentication policies" blocked attacks, the threat actor was observed impersonating support trying to understand how authentication works. Okta described the accent of the threat actor as "North American, confident and clearly spoken."
To defend against the most recent social engineering campaign that involves cross-tenant impersonation, Okta urged users to enforce phishing-resistant authentication and restrict privileges. To strengthen help desk identity verification processes, the IAM vendor recommended using a combination of visual verification and access requests that require approval by a user's line manager before factors are reset.
Arielle Waldman is a Boston-based reporter covering enterprise security news.