
Okta customers targeted in social engineering scam

Customers of Okta’s identity and access management solution have been hit by a social engineering campaign that abuses Okta “super administrator” accounts to compromise target organizations.

The scam involves threat actors phoning IT service desk staff and convincing them to reset multi-factor authentication (MFA) settings of highly privileged Okta platform admin accounts. The scammers then use the admin accounts to compromise other applications across victim organizations.

More than 18,000 organizations – including FedEx, S&P Global and T-Mobile – use Okta’s platform, according to the company’s website.

In a September 1 security advisory, Okta said “multiple” U.S.-based users of its solution had been targeted using the same approach in recent weeks.

Before calling to request an MFA reset, the threat actors appeared to have passwords for the super admin accounts or were “able to manipulate the delegated authentication flow via Active Directory”.

To help pull off the ruse, the scammers used anonymizing proxy services and accessed the compromised accounts using devices and IP addresses not previously associated with the users, according to the advisory.

Attacks linked to UNC3944

While Okta’s security advisory did not attribute the attacks to a particular threat group, researchers have speculated that the tactics, techniques and procedures used suggest a link to UNC3944, also known as Scattered Spider, Scatter Swine, and Muddled Libra.

In an analysis of the group published last month, Trellix threat researcher Phelix Oluoch said UNC3944 were known for making use of a variety of social engineering tactics.

“This group has often been observed impersonating IT personnel to convince individuals to share their credentials or grant remote access to their computers, has been linked to several past phishing campaigns and deployments of malicious kernel drivers,” he wrote.

In August 2022, UNC3944 gained access to data related to 163 customers of cloud communications services provider Twilio, including Okta.

The dangers of ‘super admin’ accounts

Okta described the methods used to carry out the latest campaign as an abuse of its platform’s “legitimate identity federation features” and said the attacks could be prevented using appropriate security measures or, failing that, detected.

But the incident demonstrated the risks organizations can face if control of top-level admin accounts falls into the wrong hands.

“Compromised Super Administrator accounts were used to assign higher privileges to other accounts, and/or reset enrolled authenticators in existing administrator accounts,” Okta’s advisory said.

“In some cases, the threat actor removed second factor requirements from authentication policies.”

With the level of privilege they were able to attain by accessing super admin accounts, the hackers could configure compromised “identity provider” accounts, which could then be used to access applications across the targeted organizations.

“Given how powerful this is, access to create or modify an Identity Provider is limited to users with the highest permissions in an Okta organization – Super Administrator or Org Administrator,” Okta said.
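As an added example, not from the article or from Okta, the Python below sketches the kind of detection the advisory says is possible: it runs over constructed Okta System Log events and flags authenticator resets, privilege grants, authentication policy changes and identity provider creation when they come from an IP the admin has not used before or through an anonymizing proxy. The event type and field names are assumed from Okta's System Log format, and the sample events and IP baseline are constructed.

```python
import json

# Okta System Log event types matching the steps Okta's advisory describes:
# resetting authenticators, granting admin rights, weakening authentication
# policies, creating an identity provider. Names assumed; verify in your tenant.
PRIVILEGED_EVENTS = {
    "user.mfa.factor.reset_all": "authenticators reset",
    "user.account.privilege.grant": "admin privilege granted",
    "policy.rule.update": "authentication policy rule changed",
    "system.idp.lifecycle.create": "identity provider created",
}
# Constructed sample export in System Log shape, one JSON object per line.
SAMPLE_LOG = """\
{"eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"client":{"ipAddress":"203.0.113.10"},"securityContext":{"isProxy":false}}
{"eventType":"user.session.start","actor":{"alternateId":"superadmin@example.com"},"client":{"ipAddress":"198.51.100.7"},"securityContext":{"isProxy":true}}
{"eventType":"user.account.privilege.grant","actor":{"alternateId":"superadmin@example.com"},"client":{"ipAddress":"198.51.100.7"},"securityContext":{"isProxy":true}}
{"eventType":"policy.rule.update","actor":{"alternateId":"superadmin@example.com"},"client":{"ipAddress":"198.51.100.7"},"securityContext":{"isProxy":false}}
{"eventType":"system.idp.lifecycle.create","actor":{"alternateId":"superadmin@example.com"},"client":{"ipAddress":"203.0.113.10"},"securityContext":{"isProxy":false}}
"""
# Constructed baseline: IP addresses each admin has used before.
BASELINE_IPS = {"helpdesk@example.com": {"203.0.113.10"},
                "superadmin@example.com": {"203.0.113.10"}}

def parse_log(text):
    # Newline-delimited JSON export -> list of event dicts.
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events, baseline_ips):
    """Return (actor, action, reasons) for privileged actions that are an authenticator
    reset (the entry point, always reviewed), from an unfamiliar IP, or via a proxy."""
    alerts = []
    for event in events:
        action = PRIVILEGED_EVENTS.get(event.get("eventType"))
        if action is None:
            continue
        actor = event["actor"]["alternateId"]
        ip = event["client"]["ipAddress"]
        reasons = []
        if event["eventType"] == "user.mfa.factor.reset_all":
            reasons.append("authenticator reset always reviewed")
        if ip not in baseline_ips.get(actor, set()):
            reasons.append(f"unfamiliar IP {ip}")
        if event.get("securityContext", {}).get("isProxy"):
            reasons.append("anonymizing proxy")
        if reasons:
            alerts.append((actor, action, reasons))
    return alerts

def run_sample():
    return detect(parse_log(SAMPLE_LOG), BASELINE_IPS)
```

Note that the last sample event, an identity provider created from a familiar IP, is not flagged by these rules; in practice that action is rare enough to alert on unconditionally.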

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
