More Okta customers trapped in Scattered Spider's web

Customers of cloudy identification vendor Okta are reporting social engineering attacks targeting their IT service desks in attempts to compromise user accounts with administrator permissions.

"Multiple US-based Okta customers" have reported these phishing attempts, "in which the caller's strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users," according to a security alert published on Thursday.

"The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization," the alert continued.

According to Okta chief security officer David Bradbury, the company spotted the campaign beginning July 29, and it continued until August 19.

"We don't have visibility into which customers were targeted, but we know that four customers were affected within the three-week period since we've begun tracking these activities," he told The Register.

When asked if Okta attributed the attacks to a particular group, Bradbury said "other cyber security companies have linked this behavior to threat actors known as Scattered Spider."

Scattered Spider, also tracked as UNC3944, Scatter Swine, and Muddled Libra, has been around since May 2022, according to security researchers.

The crew favors SIM swapping, email and SMS phishing attacks, and sometimes  they'll attempt to phish other people within an organization once they've broken into employee databases, Mandiant noted in May. "Once persistence has been established, UNC3944 has been observed modifying and stealing data from within the victim organization's environment," the Google-owned threat intel firm said.

The gang's targets are usually telecom and business process outsourcing (BPO) companies, however "recent activity indicates that this group has started targeting other sectors, including critical infrastructure organizations," Trellix researchers said in a report earlier this month.

• Twilio, Cloudflare just two of 135 orgs targeted by Oktapus phishing campaign
• Crooks copy source code from Okta's GitHub repository
• INTERPOL shutters '16shop' phishing-as-a-service outfit
• Barracuda gateway attacks: How Chinese snoops keep a grip on victims' networks

Trellix also linked Scattered Spider to the August 2022 Oktapus phishing campaign during which the criminals gained unauthorized access to 163 Twilio customers, including Okta.

In its latest campaign, the miscreants either had passwords to privileged user accounts or were "able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk at a targeted org, requesting a reset of all MFA factors in the target account," according to the Okta alert.

Similar to last year's attacks, after gaining access to admin accounts, Scattered Spider then assigned higher privileges to other accounts and also removed second-factor authentication requirements tied to some users.

Okta says its security team also observed the crew using this access to authenticate themselves as a "source" identity provider, thus gaining single sign-on access to applications. Here's how the criminals did that:

Okta suggests several measures customers can take to protect themselves against this and similar phishing campaigns, including phishing-resistant authentication, and requiring re-authentication at every sign-in for privileged applications.

It's also a good idea to review and limit use of admin roles, and require admins to sign in from managed devices using multi-factor authentication. 

It's also recommended that admins turn on new device and suspicious activity end-user notifications to receive alerts about any phishy behavior that could be originating from Scattered Spider. ®