Researchers on Monday reported an impersonation technique in Okta that lets an Okta administrator grant themselves, or another user, the access rights of an impersonated user in a downstream application or environment such as Azure, Google Cloud Platform, or AWS.
In a blog post, Permiso Security and ACV Auctions said, based on “in the wild” detections they reviewed, the impersonation technique is also an effective method of bypassing multi-factor authentication (MFA). While the impersonator may have had to pass their own MFA check, they are not forced to provide an MFA verification again under the context of the impersonated user.
Ian Ahl, vice president of P0 Labs at Permiso, explained how this would work:
“In Okta, you have your normal username that you log into Okta with, but you can also have application-specific usernames. The impersonation technique takes advantage of being able to have different application usernames. The attacker simply modifies the application username to be the identity they wish to impersonate. The attacker would then log on to the Okta portal with their normal identity ([email protected]) and then click on the AWS app, for example, which is now configured to ([email protected]), allowing them to authenticate into AWS as Sally.”
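The change Ahl describes is an administrative action, so it is recorded in the Okta System Log before the attacker ever reaches AWS, where CloudTrail will only show "Sally". The following is an added example, not code from Permiso or Okta, of a detector that reads constructed System Log events and flags application-username changes that point an app assignment at a different person's identity. Two things in it are assumptions to verify against Okta's System Log event-type reference: the eventType name `application.user_membership.change_username`, and the simplified target layout (a `User` target for the account whose assignment changed, an `AppUser` target carrying the new application username, and an `AppInstance` target naming the app).

```python
"""Flag Okta app-username changes that map one account to another identity.

Added example, not Permiso's or Okta's code. The event layout below is a
simplified, constructed version of the Okta System Log and should be checked
against the real schema before use.
"""
import json

# ASSUMPTION: Okta's eventType for "change app user name"; confirm this name
# in the System Log event-type reference before deploying.
CHANGE_USERNAME_EVENT = "application.user_membership.change_username"

# Constructed sample events (not real Okta data), one JSON object per line.
SAMPLE_LOG = r'''
{"eventType": "application.user_membership.change_username", "published": "2022-08-29T14:02:11Z", "actor": {"type": "User", "alternateId": "admin@example.com"}, "target": [{"type": "User", "alternateId": "bob@example.com"}, {"type": "AppUser", "alternateId": "bob"}, {"type": "AppInstance", "displayName": "AWS Account Federation"}]}
{"eventType": "application.user_membership.change_username", "published": "2022-08-29T14:05:40Z", "actor": {"type": "User", "alternateId": "mallory@example.com"}, "target": [{"type": "User", "alternateId": "mallory@example.com"}, {"type": "AppUser", "alternateId": "sally@example.com"}, {"type": "AppInstance", "displayName": "AWS Account Federation"}]}
{"eventType": "user.session.start", "published": "2022-08-29T14:06:02Z", "actor": {"type": "User", "alternateId": "mallory@example.com"}, "target": []}
{"eventType": "application.user_membership.change_username", "published": "2022-08-29T15:11:09Z", "actor": {"type": "User", "alternateId": "admin@example.com"}, "target": [{"type": "User", "alternateId": "contractor@example.com"}, {"type": "AppUser", "alternateId": "ceo@example.com"}, {"type": "AppInstance", "displayName": "Google Cloud Platform"}]}
'''

# Constructed directory of Okta logins, used to tell "renamed to an odd
# format" apart from "renamed to a real colleague's identity".
KNOWN_LOGINS = {
    "admin@example.com", "bob@example.com", "mallory@example.com",
    "sally@example.com", "contractor@example.com", "ceo@example.com",
}


def _local_part(identity):
    return identity.split("@", 1)[0].lower()


def same_identity(app_username, okta_login):
    """True when the app username plausibly belongs to the same person:
    an exact match, or the app simply uses the bare local part of the login."""
    a, b = app_username.strip().lower(), okta_login.strip().lower()
    return a == b or a == _local_part(b)


def _target(event, kind):
    """Return the first target entry of the given type, or an empty dict."""
    for t in event.get("target", []):
        if t.get("type") == kind:
            return t
    return {}


def find_impersonation(log_text, known_logins):
    """Return one finding per username change whose new app username does
    not belong to the Okta user it was set on."""
    known = {k.lower() for k in known_logins}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("eventType") != CHANGE_USERNAME_EVENT:
            continue
        owner = _target(event, "User").get("alternateId", "")
        new_name = _target(event, "AppUser").get("alternateId", "")
        if not owner or not new_name or same_identity(new_name, owner):
            continue  # ordinary rename, e.g. bob@example.com -> bob
        actor = event.get("actor", {}).get("alternateId", "")
        findings.append({
            "published": event.get("published"),
            "app": _target(event, "AppInstance").get("displayName", "?"),
            "actor": actor,
            "okta_user": owner,
            "new_app_username": new_name,
            # Highest signal: the new app username is another real login.
            "maps_to_existing_user": new_name.lower() in known,
            # Admin pointing their own assignment at someone else's identity.
            "self_assigned": actor.lower() == owner.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in find_impersonation(SAMPLE_LOG, KNOWN_LOGINS):
        print(f"{f['published']} {f['actor']} set {f['okta_user']}'s "
              f"{f['app']} username to {f['new_app_username']} "
              f"(existing user: {f['maps_to_existing_user']}, "
              f"self-assigned: {f['self_assigned']})")
```

Running it flags two of the four events: mallory pointing her own AWS assignment at sally, and an admin mapping a contractor's GCP assignment to the CEO's identity; bob's rename to a bare local part passes. Because the downstream provider only sees a valid federated assertion for the impersonated user, the Okta `actor` field in these events is the link back to who actually performed the action, and is worth joining against the provider's own sign-in records (CloudTrail, GCP audit logs) at the same timestamp.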
Darryl Athans, vice president for North America at senhasegura, said privileged credentials are a relevant attack vector used by malicious attackers in their activities. Citing the Verizon 2022 Data Breach Investigations Report, Athans said almost half of data breaches exploited credentials. He said by using impersonation techniques, those malicious attackers may obtain unauthorized access through privileged credentials.
“One way administrators can avoid such attacks is by enforcing MFA for users,” Athans said. “By doing so, even though attackers may compromise the credential, it will not be possible to perform the breach, mainly because another authentication factor is needed. Another effective way to prevent attacks using those credentials is by deploying privileged access management solutions so administrators can verify all actions performed through credentials and quickly detect abnormal or malicious behavior from users.”
'0ktapus' phishing campaign for Okta credentials
In other Okta-related news, on Friday Group-IB Threat Intelligence reported that one of their clients was one of several well-known organizations that were targeted in a massive phishing campaign codenamed “0ktapus” by Group-IB researchers. Group-IB said the objective of the attackers was to obtain Okta identity credentials and two-factor authentication codes from users of the targeted organizations.
Permiso’s Ahl said his group’s research is not directly related to Group-IB’s 0ktapus post, but it is a great lead-in. “[The] Group-IB post is about how attackers are compromising accounts in Okta,” Ahl said. “The Permiso post is about what attackers can do once they have those compromised Okta accounts.”
Shweta Khare, cybersecurity evangelist at Delinea, pointed out that all these incidents highlight that it’s critical for organizations and enterprises to implement granular access controls to stop threat actors from moving laterally in the network. Khare said ransomware and data breaches thrive on default or compromised credentials and once inside the system, attackers can escalate privileges to facilitate lateral movement.
“Longer dwell time before discovery gives attackers more opportunity to compromise your data,” Khare said. “Even in cases where malicious users manage to compromise passwords to systems, enforcing the principle of least privilege based on the just enough, just-in-time privilege elevation model reduces this risk significantly and can break the attack chain.”