According to an analysis by Okta's security team, threat actors are using social engineering tactics to gain access to privileged accounts, particularly those with Super Administrator permissions. The attackers convince IT help desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users.
Once in control of a Super Administrator account, the attackers abuse a legitimate identity federation feature to impersonate other users within the compromised organization.
Okta's inbound federation lets users of a trusted "source" identity provider sign in to a "target" Okta org through single sign-on. The attackers register an identity provider they control as the source, then set the username attribute of accounts in that provider to match real users in the target organization. Because the target org links inbound accounts by that matching username, the attacker's sign-in is accepted as the matched user, giving them access to the target organization's applications under that user's identity.
Okta said this attack method demonstrates "novel methods of lateral movement and defense evasion" that were previously unseen.
The company provided several recommendations for customers to protect against such attacks, including enforcing phishing-resistant MFA, restricting privileged accounts, requiring re-authentication for admin consoles, and monitoring anomalous admin activity.
- Protect sign-in flows by enforcing phishing-resistant authentication with Okta FastPass and FIDO2 WebAuthn.
- Configure Authentication Policies (Application Sign-on Policies) for access to privileged applications, including the Admin Console, to require re-authentication “at every sign-in”.
- If using self-service recovery, initiate recovery with the strongest available authenticator (Okta Verify or Google Authenticator), and limit recovery flows to trusted networks (by IP, ASN or geolocation).
- Review and consolidate the use of Remote Management and Monitoring (RMM) tools by help desk personnel, and block execution of all other RMM tools.
- Strengthen help desk identity verification processes using a combination of visual verification, delegated Workflows in which helpdesk personnel issue MFA challenges to verify a user’s identity, and/or Access Requests that require approval by a user’s line manager before factors are reset.
- Turn on and test New Device and Suspicious Activity end-user notifications.
- Review and limit the use of Super Administrator roles - Implement privileged access management (PAM) for Super Administrator access, use Custom Admin Roles for maintenance tasks, and delegate specific high-risk tasks through those roles rather than granting Super Administrator.
- Enforce dedicated admin policies - Require admins to sign in from managed devices and via phishing-resistant MFA (Okta FastPass, FIDO2 WebAuthn). Restrict this access to trusted Network Zones and deny access from anonymizing proxies.
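The attack chain described above (all MFA factors reset on a privileged account, that account then creating a new identity provider, and sign-ins arriving through it) is a sequence that can be spotted in the Okta System Log, which is the monitoring the recommendations call for. The following is an added example written for this page, not Okta's code: a small correlation script over constructed System Log records. The event-type names follow Okta's public event catalog as recalled here and should be checked against it; the target type label `IdentityProvider`, the set of privileged logins, the 24-hour window, and the sample events are all assumptions for illustration, and real System Log records carry many more fields than the subset used below.

```python
"""Correlate Okta System Log events into the chain: all MFA factors reset on a
privileged user -> that user creates an IdP (or grants a privilege) -> sign-ins
arrive via the new IdP.  Added example, not Okta's code; event names, target
type label and sample data are assumptions for illustration."""
from datetime import datetime, timedelta

# Assumed set of Super Administrator logins (in practice, pull role assignments
# from the Okta Roles API rather than hard-coding them).
PRIVILEGED = {"alice.admin@example.com", "bob.admin@example.com"}
WINDOW = timedelta(hours=24)  # assumed: how long after a reset changes stay suspicious

# Event types as listed in Okta's System Log event catalog (verify for your org).
RESET_ALL = "user.mfa.factor.reset_all"
IDP_CREATE = "system.idp.lifecycle.create"
AUTH_VIA_IDP = "user.authentication.auth_via_IDP"
PRIV_GRANT = "user.account.privilege.grant"
IDP_TARGET_TYPE = "IdentityProvider"  # assumed label for the IdP target entry


def ts(event):
    """Parse the 'published' timestamp (ISO 8601, 'Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def targets(event, kind, field):
    """Values of `field` for every target of type `kind` on the event."""
    return [t[field] for t in event.get("target", []) if t.get("type") == kind]


def correlate(events):
    """Return a time-ordered list of findings for the help-desk -> IdP abuse chain."""
    findings = []
    resets = {}        # privileged login -> time its factors were last all reset
    suspect_idps = set()  # IdP ids created by a recently reset privileged user

    for e in sorted(events, key=ts):
        et, when, actor = e["eventType"], ts(e), e["actor"]["alternateId"]
        recently_reset = actor in resets and when - resets[actor] <= WINDOW

        if et == RESET_ALL:
            # A help-desk style reset of every factor on a privileged account.
            for login in targets(e, "User", "alternateId"):
                if login in PRIVILEGED:
                    resets[login] = when
                    findings.append({"rule": "priv-mfa-reset-all", "severity": "medium",
                                     "user": login, "by": actor, "at": e["published"]})

        elif et == IDP_CREATE and recently_reset:
            # The reset account now registers a new (inbound) identity provider.
            for idp in targets(e, IDP_TARGET_TYPE, "id"):
                suspect_idps.add(idp)
                findings.append({"rule": "idp-created-after-reset", "severity": "high",
                                 "user": actor, "idp": idp, "at": e["published"]})

        elif et == PRIV_GRANT and recently_reset:
            # The reset account hands out admin privileges to another user.
            for grantee in targets(e, "User", "alternateId"):
                findings.append({"rule": "privilege-grant-after-reset", "severity": "high",
                                 "user": actor, "grantee": grantee, "at": e["published"]})

        elif et == AUTH_VIA_IDP:
            # Anyone signing in through an IdP created under the suspicious chain.
            for idp in targets(e, IDP_TARGET_TYPE, "id"):
                if idp in suspect_idps:
                    findings.append({"rule": "signin-via-suspect-idp", "severity": "high",
                                     "user": actor, "idp": idp, "at": e["published"]})
    return findings


def _ev(published, event_type, actor, *target):
    """Build a constructed System Log record with only the fields used above."""
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": actor}, "target": list(target)}


# Constructed sample: one benign reset, then the full chain, then a benign IdP create.
SAMPLE_EVENTS = [
    _ev("2023-08-10T09:00:00Z", RESET_ALL, "helpdesk@example.com",
        {"type": "User", "alternateId": "carol@example.com"}),
    _ev("2023-08-10T09:05:00Z", RESET_ALL, "helpdesk@example.com",
        {"type": "User", "alternateId": "alice.admin@example.com"}),
    _ev("2023-08-10T09:40:00Z", IDP_CREATE, "alice.admin@example.com",
        {"type": IDP_TARGET_TYPE, "id": "0oa1constructedidp"}),
    _ev("2023-08-10T10:02:00Z", AUTH_VIA_IDP, "bob.admin@example.com",
        {"type": IDP_TARGET_TYPE, "id": "0oa1constructedidp"}),
    _ev("2023-08-10T10:03:00Z", PRIV_GRANT, "alice.admin@example.com",
        {"type": "User", "alternateId": "dave@example.com"}),
    _ev("2023-08-10T11:00:00Z", IDP_CREATE, "bob.admin@example.com",
        {"type": IDP_TARGET_TYPE, "id": "0oa2benignidp"}),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

The reset of carol's factors produces nothing because she is not privileged, and bob's later IdP creation produces nothing because his factors were never reset; only the chain starting from alice's reset is reported. In a real deployment the same logic would run over records pulled from the System Log API, and the medium-severity reset finding alone is the point at which to call the affected administrator back over a known-good channel.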
While social engineering remains a top attack vector, following security best practices such as least privilege and phishing-resistant MFA can limit the damage from compromised credentials. This campaign highlights the importance of securing and monitoring highly privileged accounts, which serve as gateways to an organization's most sensitive systems and data.