More Okta customers trapped in Scattered Spider's web

Oktapus phishing campaign criminals are back in action

Customers of cloudy identification vendor Okta are reporting social engineering attacks targeting their IT service desks in attempts to compromise user accounts with administrator permissions.

"Multiple US-based Okta customers" have reported these phishing attempts, "in which the caller's strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users," according to a security alert published on Thursday.

"The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization," the alert continued.

According to Okta chief security officer David Bradbury, the company spotted the campaign beginning July 29, and it continued until August 19.

"We don't have visibility into which customers were targeted, but we know that four customers were affected within the three-week period since we've begun tracking these activities," he told The Register.

When asked if Okta attributed the attacks to a particular group, Bradbury said "other cyber security companies have linked this behavior to threat actors known as Scattered Spider."

Scattered Spider, also tracked as UNC3944, Scatter Swine, and Muddled Libra, has been around since May 2022, according to security researchers.

The crew favors SIM swapping, email and SMS phishing attacks, and sometimes they'll attempt to phish other people within an organization once they've broken into employee databases, Mandiant noted in May. "Once persistence has been established, UNC3944 has been observed modifying and stealing data from within the victim organization's environment," the Google-owned threat intel firm said.

The gang's targets are usually telecom and business process outsourcing (BPO) companies; however, "recent activity indicates that this group has started targeting other sectors, including critical infrastructure organizations," Trellix researchers said in a report earlier this month.

Trellix also linked Scattered Spider to the August 2022 Oktapus phishing campaign during which the criminals gained unauthorized access to 163 Twilio customers, including Okta.

In its latest campaign, the miscreants either had passwords to privileged user accounts or were "able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk at a targeted org, requesting a reset of all MFA factors in the target account," according to the Okta alert.

Similar to last year's attacks, after gaining access to admin accounts, Scattered Spider then assigned higher privileges to other accounts and also removed second-factor authentication requirements tied to some users.

Okta says its security team also observed the crew using this access to authenticate themselves as a "source" identity provider, thus gaining single sign-on access to applications. Here's how the criminals did that:

"The threat actor was observed configuring a second Identity Provider to act as an 'impersonation app' to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a 'source' IdP in an inbound federation relationship (sometimes called 'Org2Org') with the target."

From this, they "manipulated the username parameter for targeted users in the second 'source' Identity Provider to match a real user in the compromised 'target' Identity Provider. This provided the ability to Single sign-on (SSO) into applications in the target IdP as the targeted user."
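For defenders, the sequence described in the alert (a full MFA reset on a privileged account, followed by that account granting privileges or creating an Identity Provider) can be hunted for in audit logs. The sketch below is an added example, not code from Okta or from this article; the event type names are Okta System Log types not named in the article, and the flattened record shape, the 24-hour window, and all sample accounts are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Okta System Log event types relevant to the sequence in the alert.
RESET_ALL = "user.mfa.factor.reset_all"
FOLLOW_UPS = {
    "user.account.privilege.grant": "admin privilege granted",
    "system.idp.lifecycle.create": "new identity provider created",
}
WINDOW = timedelta(hours=24)  # assumed correlation window, tune per org


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=WINDOW):
    """Return findings where an account whose MFA factors were all reset
    then acts as the actor of a privilege grant or IdP creation."""
    reset_at = {}  # account -> time of most recent full MFA reset
    findings = []
    for ev in sorted(events, key=lambda e: parse_ts(e["published"])):
        ts = parse_ts(ev["published"])
        if ev["eventType"] == RESET_ALL:
            reset_at[ev["target"]] = ts
        elif ev["eventType"] in FOLLOW_UPS:
            started = reset_at.get(ev["actor"])
            if started is not None and ts - started <= window:
                findings.append({
                    "account": ev["actor"],
                    "action": FOLLOW_UPS[ev["eventType"]],
                    "object": ev["target"],
                    "minutes_after_reset": int((ts - started).total_seconds() // 60),
                })
    return findings


# Constructed sample events (flattened; real System Log records nest actor/target).
SAMPLE = [
    {"published": "2023-08-01T14:02:00Z", "eventType": RESET_ALL,
     "actor": "helpdesk@example.com", "target": "superadmin@example.com"},
    {"published": "2023-08-01T14:20:00Z", "eventType": "user.account.privilege.grant",
     "actor": "superadmin@example.com", "target": "contractor@example.com"},
    {"published": "2023-08-01T14:45:00Z", "eventType": "system.idp.lifecycle.create",
     "actor": "superadmin@example.com", "target": "idp-placeholder"},
    {"published": "2023-08-03T09:00:00Z", "eventType": "user.account.privilege.grant",
     "actor": "itlead@example.com", "target": "newhire@example.com"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```

The unrelated grant by `itlead@example.com` is not flagged because that account had no preceding full MFA reset, which keeps routine admin work out of the findings.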

Okta suggests several measures customers can take to protect themselves against this and similar phishing campaigns, including phishing-resistant authentication, and requiring re-authentication at every sign-in for privileged applications.

It's also a good idea to review and limit use of admin roles, and require admins to sign in from managed devices using multi-factor authentication. 

It's also recommended that admins turn on new device and suspicious activity end-user notifications to receive alerts about any phishy behavior that could be originating from Scattered Spider. ®
