Okta warns of social engineering attacks targeting Super Administrator privileges
Identity services provider Okta has issued a warning about an ongoing campaign against its customers. The attacks rely on social engineering rather than a software vulnerability: the goal is to take over accounts that already hold elevated privileges within an organisation's Okta tenant.
Okta stated that several US-based customers faced social engineering attacks targeting IT help desk staff. The attackers pretended to be employees and convinced personnel to reset multi-factor authentication (MFA) for highly privileged administrative accounts.
With control of these compromised accounts, the hackers could impersonate users and access sensitive systems. Okta said these attacks occurred between late July and mid-August 2023.
While the specific threat actor was not disclosed, the techniques match previous activity by a group called Muddled Libra. This group is known for social engineering campaigns that manipulate IT support to gain unauthorised access.
A tool associated with this activity is a phishing kit called 0ktapus. The kit generates fake login pages that mimic Okta and other single sign-on portals to harvest usernames, passwords and MFA codes, and it uses Telegram for command and control and for delivering captured data to the operator.
Security researchers note that 0ktapus has been adopted by a growing number of actors, so use of the kit alone does not establish that Muddled Libra is involved. Attribution remains difficult without more data on targeting and motives. A cluster that Mandiant tracks as UNC3944 (Mandiant's "UNC" prefix denotes an uncategorised group) is reported to use similar help-desk impersonation tactics, but no link between the two has been established so far.
Once a Super Administrator account is compromised, the attackers can assign themselves further roles, reset MFA on other accounts, and weaken or remove authentication requirements in sign-on policies. They were also observed adding a second identity provider, under their own control, as an inbound federation source for the compromised org (an "impersonation app"). Because usernames in that rogue IdP were set to match real users in the target org, the attackers could sign in as any of those users and reach the applications assigned to them without knowing their credentials or holding their MFA factors.
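As an added illustration of how the chain described above shows up in Okta's System Log, the following Python script (written for this article, not Okta's own tooling) runs a few correlation rules over a constructed set of log records: an MFA reset on a Super Administrator, an identity provider created by that same account shortly afterwards, and a Super Administrator sign-in through an IdP that was just changed. The event type names are real Okta System Log types; the sample records, the account names, the "Org2Org-inbound" display name and the set of Super Administrators are assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

# Accounts that hold the Super Administrator role. In production this would come from
# an export of Okta role assignments; the set here is an assumption for the example.
SUPER_ADMINS = {"admin.alice@example.com"}

# Okta System Log event types that appear in the help-desk MFA reset / rogue IdP chain.
MFA_RESET_EVENTS = {
    "user.account.reset_factor",     # an admin or help desk resets a user's factors
    "system.mfa.factor.deactivate",  # a single factor is removed
    "user.mfa.factor.update",        # a factor is changed
}
IDP_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.update"}
PRIV_GRANT_EVENTS = {"user.account.privilege.grant"}
IDP_LOGIN_EVENTS = {"user.authentication.auth_via_IDP"}

# Constructed sample records (not real telemetry), one JSON object per line, carrying the
# fields this script reads: eventType, published, actor and target.
SAMPLE_LOG = """\
{"eventType":"user.session.start","published":"2023-08-10T13:55:00.000Z","actor":{"type":"User","alternateId":"admin.alice@example.com"},"target":[],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.account.reset_factor","published":"2023-08-10T14:02:11.000Z","actor":{"type":"User","alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"admin.alice@example.com"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"system.idp.lifecycle.create","published":"2023-08-10T14:20:45.000Z","actor":{"type":"User","alternateId":"admin.alice@example.com"},"target":[{"type":"IdentityProvider","displayName":"Org2Org-inbound"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.authentication.auth_via_IDP","published":"2023-08-10T14:31:02.000Z","actor":{"type":"User","alternateId":"admin.alice@example.com"},"target":[{"type":"IdentityProvider","displayName":"Org2Org-inbound"}],"outcome":{"result":"SUCCESS"}}
{"eventType":"user.account.reset_factor","published":"2023-08-11T09:00:00.000Z","actor":{"type":"User","alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"bob@example.com"}],"outcome":{"result":"SUCCESS"}}
"""


def parse_events(text):
    """Parse newline-delimited System Log JSON and return the events sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["_ts"] = datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(event)
    return sorted(events, key=lambda e: e["_ts"])


def target_users(event):
    """User logins named in an event's target list."""
    return {t["alternateId"] for t in event.get("target", [])
            if t.get("type") == "User" and "alternateId" in t}


def detect(text, super_admins=SUPER_ADMINS, window=timedelta(hours=24)):
    """Return (severity, rule, detail) alerts in chronological order."""
    alerts = []
    last_reset = {}          # user -> time of the most recent MFA reset on that user
    last_idp_change = None   # time of the most recent IdP create/update in the org
    for event in parse_events(text):
        kind, ts = event["eventType"], event["_ts"]
        actor = event["actor"]["alternateId"]
        if kind in MFA_RESET_EVENTS:
            for user in target_users(event):
                last_reset[user] = ts
                # Rule 1: any MFA reset on a Super Administrator deserves review.
                if user in super_admins:
                    alerts.append(("high", "mfa_reset_on_super_admin",
                                   f"{actor} reset MFA for {user} at {ts.isoformat()}"))
        elif kind in PRIV_GRANT_EVENTS:
            # Rule 2: role grants are rare and are part of the escalation step.
            for user in target_users(event):
                alerts.append(("high", "privilege_grant",
                               f"{actor} granted a role to {user}"))
        elif kind in IDP_EVENTS:
            last_idp_change = ts
            alerts.append(("high", "idp_change", f"{actor} performed {kind}"))
            # Rule 3: the actor's own MFA was reset shortly before they added or changed an IdP.
            if actor in last_reset and ts - last_reset[actor] <= window:
                alerts.append(("critical", "reset_then_idp_change",
                               f"{actor} had MFA reset at {last_reset[actor].isoformat()} "
                               f"then performed {kind} at {ts.isoformat()}"))
        elif kind in IDP_LOGIN_EVENTS:
            # Rule 4: a Super Administrator signing in through an IdP that was just
            # created or changed matches the inbound-federation impersonation step.
            if (actor in super_admins and last_idp_change is not None
                    and ts - last_idp_change <= window):
                alerts.append(("critical", "super_admin_login_via_new_idp",
                               f"{actor} authenticated via IdP at {ts.isoformat()}"))
    return alerts


if __name__ == "__main__":
    for severity, rule, detail in detect(SAMPLE_LOG):
        print(f"[{severity}] {rule}: {detail}")
```

Run against the sample, the script raises four alerts: the reset on the Super Administrator, the IdP creation, the reset-then-IdP chain, and the administrator's sign-in through the new IdP; the later reset on an ordinary user is recorded but not flagged. In a real deployment the same rules would run over records pulled from the System Log API or forwarded to a SIEM, with the Super Administrator set refreshed from role assignments rather than hard-coded.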
To reduce the risk of these social engineering attacks, Okta recommends several countermeasures for customers:
Enforce phishing-resistant authentication (for example FIDO2/WebAuthn or Okta FastPass) for administrator access, so that a harvested password and one-time code are not enough to sign in
Strengthen identity verification procedures for the IT help desk, so that an MFA reset on a privileged account cannot be obtained with a single phone call
Enable end-user notifications for new-device and suspicious-activity logins, so the real account owner learns of a reset or sign-in they did not initiate
Review and reduce the number of accounts holding the Super Administrator role, and apply dedicated, stricter sign-on policies to the ones that remain
Companies must educate personnel to recognise fraudulent reset requests, enforce strong identity controls, and limit account privileges. Staying vigilant against impersonation attempts and implementing robust security policies can help mitigate the significant risks of these attacks.