More Okta customers trapped in Scattered Spider's web
Oktapus phishing campaign criminals are back in action
Customers of cloudy identity vendor Okta are reporting social engineering attacks targeting their IT service desks, in which callers attempt to compromise user accounts that hold administrator permissions.
"Multiple US-based Okta customers" have reported these phishing attempts, "in which the caller's strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users," according to a security alert published on Thursday.
"The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization," the alert continued.
According to Okta chief security officer David Bradbury, the company spotted the campaign beginning July 29, and it continued until August 19.
"We don't have visibility into which customers were targeted, but we know that four customers were affected within the three-week period since we began tracking these activities," he told The Register.
When asked if Okta attributed the attacks to a particular group, Bradbury said "other cyber security companies have linked this behavior to threat actors known as Scattered Spider."
Scattered Spider, also tracked as UNC3944, Scatter Swine, and Muddled Libra, has been around since May 2022, according to security researchers.
The crew favors SIM swapping, email and SMS phishing attacks, and sometimes they'll attempt to phish other people within an organization once they've broken into employee databases, Mandiant noted in May. "Once persistence has been established, UNC3944 has been observed modifying and stealing data from within the victim organization's environment," the Google-owned threat intel firm said.
The gang's targets are usually telecom and business process outsourcing (BPO) companies, though "recent activity indicates that this group has started targeting other sectors, including critical infrastructure organizations," Trellix researchers said in a report earlier this month.
In its latest campaign, the miscreants either had passwords to privileged user accounts or were "able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk at a targeted org, requesting a reset of all MFA factors in the target account," according to the Okta alert.
Similar to last year's attacks, after gaining access to admin accounts, Scattered Spider then assigned higher privileges to other accounts and also removed second-factor authentication requirements tied to some users.
Okta says its security team also observed the crew using this access to authenticate themselves as a "source" identity provider, thus gaining single sign-on access to applications. Here's how the criminals did that:
"The threat actor was observed configuring a second Identity Provider to act as an 'impersonation app' to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a 'source' IdP in an inbound federation relationship (sometimes called 'Org2Org') with the target."
From this, they "manipulated the username parameter for targeted users in the second 'source' Identity Provider to match a real user in the compromised 'target' Identity Provider. This provided the ability to Single sign-on (SSO) into applications in the target IdP as the targeted user."
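The chain described above (a service-desk MFA reset on a privileged account, followed by that account creating a new Identity Provider or granting privileges) is something a defender can correlate in Okta System Log exports. The following Python is an added example written for this article, not Okta's or the reporter's code; the log lines are constructed, the event type names are the ones this example assumes the System Log emits, and the privileged-account list is a placeholder.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Okta System Log events as JSON lines (not real tenant data).
# The eventType names are those this example assumes the System Log uses.
SAMPLE_LOG = """
{"published":"2023-08-01T14:02:11Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.test"},"target":[{"type":"User","alternateId":"super.admin@example.test"}]}
{"published":"2023-08-01T14:20:40Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"super.admin@example.test"},"target":[{"type":"IdentityProvider","displayName":"attacker-org2org"}]}
{"published":"2023-08-01T14:25:05Z","eventType":"user.account.privilege.grant","actor":{"alternateId":"super.admin@example.test"},"target":[{"type":"User","alternateId":"second.user@example.test"}]}
{"published":"2023-08-03T09:00:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.test"},"target":[{"type":"User","alternateId":"normal.user@example.test"}]}
"""

PRIVILEGED = {"super.admin@example.test"}  # placeholder: your Super Administrator accounts
FOLLOW_ON = {"system.idp.lifecycle.create", "user.account.privilege.grant"}
WINDOW = timedelta(hours=24)  # how long after the reset a follow-on action stays suspicious


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts' field, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_chains(text, privileged=PRIVILEGED, window=WINDOW):
    """Return {admin: [follow-on eventTypes]} for every privileged user whose MFA
    factors were reset and who then created an IdP or granted privileges in the window."""
    reset_at = {}                 # privileged user -> time of the most recent MFA reset
    chains = defaultdict(list)
    for event in parse_events(text):
        if event["eventType"] == "user.mfa.factor.reset_all":
            for target in event["target"]:
                if target.get("type") == "User" and target["alternateId"] in privileged:
                    reset_at[target["alternateId"]] = event["ts"]
        elif event["eventType"] in FOLLOW_ON:
            actor = event["actor"]["alternateId"]
            if actor in reset_at and event["ts"] - reset_at[actor] <= window:
                chains[actor].append(event["eventType"])
    return dict(chains)


if __name__ == "__main__":
    for admin, steps in find_suspicious_chains(SAMPLE_LOG).items():
        print(f"ALERT: MFA reset on {admin} followed by {', '.join(steps)}")
```

The reset on the non-privileged user is deliberately ignored, so the rule only fires on the privileged-account pattern the alert describes.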
Okta suggests several measures customers can take to protect themselves against this and similar phishing campaigns, including phishing-resistant authentication, and requiring re-authentication at every sign-in for privileged applications.
It's also a good idea to review and limit use of admin roles, and require admins to sign in from managed devices using multi-factor authentication.
It's also recommended that admins turn on new device and suspicious activity end-user notifications to receive alerts about any phishy behavior that could be originating from Scattered Spider. ®