Okta: social engineering attacks targeting IT help desks to gain control of privileged accounts and disable MFA
Details of the attack and recommendations for protecting privileged accounts
Okta, an identity and access management company, has revealed a series of targeted attacks on their customers' IT service desks in the US. Attackers used social engineering to gain control over privileged accounts. Okta suggests implementing new security measures, such as phishing-resistant authenticators, to protect privileged accounts.
Identity and access management company Okta recently issued an alert regarding a series of targeted attacks on their customers' IT service desk agents in the United States. Attackers attempted to leverage social engineering to trick agents into resetting multi-factor authentication (MFA) for highly privileged users in order to gain control of Okta Super Administrator accounts.
Attackers' methods and actions taken
Attackers have adopted various strategies to achieve their goal. Before contacting the targeted organization's IT service desk, the attackers had passwords for privileged accounts or were able to manipulate the authentication flow through Active Directory (AD). Once a Super Administrator account was compromised, threat actors used anonymized proxy services, new IP addresses, and new devices to bypass security measures.
Hacker activities and ways to protect yourself
Once hackers gained privileged access, they elevated privileges for other accounts, changed registered authenticators, and even removed two-factor authentication (2FA) protection for some accounts. They also set up a second identity provider to access applications within the compromised organization by impersonating other users. To protect against external actors, Okta recommends implementing phishing-resistant authenticators such as Okta FastPass and FIDO2 WebAuthn, requiring reauthentication for privileged access to applications, using strong authenticators for self-service recovery and limiting it to trusted networks, and strengthening help desk identity verification controls, such as manager approval and MFA challenges.
Further information and recommended safety measures
In the alert, Okta provides additional indicators of compromise, such as system log events and workflow patterns that indicate malicious activity during the attack. The company also recommends enabling and testing alerts for new devices and suspicious activity, limiting super administrator roles, implementing privileged access management and delegating high-risk tasks, requiring administrators to log in from managed devices with phishing-resistant MFA, and restricting access to trusted zones. By following these security measures, organizations can reduce the risk of their privileged accounts being compromised and better protect the security of their identities and sensitive data.
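As an added example (not from the article or from Okta), the following Python correlates constructed Okta System Log style events into the chain described above: an MFA reset for a user, a later login for that user flagged as coming from an anonymizing proxy, and then a privilege grant or a second identity provider created by that same account. The eventType names follow Okta's System Log naming; the records, user names and timestamps are constructed, and a real pipeline would read events from the System Log API and also weigh new-device and new-IP signals.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Chain stages the article describes, keyed by Okta System Log eventType.
STAGES = {
    "user.mfa.factor.reset_all": "mfa_reset",           # help desk resets the target's MFA
    "user.session.start": "login",                      # new session for that user
    "user.account.privilege.grant": "privilege_grant",  # admin rights granted to other accounts
    "system.idp.lifecycle.create": "second_idp",        # a second identity provider is added
}
def ev(event_type, published, actor, target=None, proxy=False):
    # Constructed, flattened record; `proxy` stands in for securityContext.isProxy.
    return {"eventType": event_type, "published": published,
            "actor": actor, "target": target, "isProxy": proxy}
# Constructed sample: one compromised account (admin42) and one benign reset (user99).
SAMPLE_EVENTS = [
    ev("user.mfa.factor.reset_all", "2023-08-20T10:00:00Z", "helpdesk01", target="admin42"),
    ev("user.session.start", "2023-08-20T10:05:00Z", "admin42", proxy=True),
    ev("user.account.privilege.grant", "2023-08-20T10:20:00Z", "admin42", target="user77"),
    ev("system.idp.lifecycle.create", "2023-08-20T10:30:00Z", "admin42"),
    ev("user.mfa.factor.reset_all", "2023-08-20T09:00:00Z", "helpdesk01", target="user99"),
    ev("user.session.start", "2023-08-20T09:10:00Z", "user99"),  # ordinary login, no escalation
]
def detect_chain(events, window=timedelta(hours=6)):
    """{user: stages} where an MFA reset is followed within `window` by a proxy login and escalation."""
    by_user = defaultdict(list)
    for e in events:
        stage = STAGES.get(e["eventType"])
        if stage:  # the reset is logged against its target; later stages against the actor
            user = e["target"] if stage == "mfa_reset" else e["actor"]
            ts = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")
            by_user[user].append((ts, stage, e))
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda item: item[0])
        for i, (t0, stage, _) in enumerate(evs):
            if stage != "mfa_reset":
                continue
            seen = ["mfa_reset"]
            for t, s, e in evs[i + 1:]:
                if t - t0 > window:
                    break
                if s == "login" and e["isProxy"] and "login" not in seen:
                    seen.append("login")
                elif s in ("privilege_grant", "second_idp") and "login" in seen and s not in seen:
                    seen.append(s)
            if len(seen) >= 3:  # reset + suspicious login + at least one escalation step
                hits[user] = seen
                break
    return hits
```

Running `detect_chain(SAMPLE_EVENTS)` flags only admin42, with the full four-stage sequence; the benign reset for user99 is followed by an ordinary login and no escalation, so it is not reported.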
09/04/2023 18:20
Marco Verro