In today’s SensCy Cyber Alert, your SensCy team is reviewing a social engineering campaign against customers of the identity and access management company Okta. This is not a software flaw in Okta itself: the attacks target IT service and IT support desks and trick staff into resetting multi-factor authentication (MFA) for highly privileged users, weakening the protection around admin accounts.
According to Okta, the threat actors are attempting to hijack highly privileged Okta Super Administrator accounts in order to abuse the identity federation feature, which lets them impersonate users of the compromised organization. Once they gained admin status, the threat actors elevated privileges for other accounts, reset enrolled authenticators, and in some cases removed the two-factor authentication (2FA) protection from some accounts.
“The threat actor was observed configuring a second Identity Provider to act as an ‘impersonation app’ to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a ‘source’ IdP in an inbound federation relationship (sometimes called ‘Org2Org’) with the target” – Okta
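The chain Okta describes leaves a recognizable trail in the Okta System Log: an MFA reset or deactivation on a privileged account, a privilege grant to another account, and then the creation of a new Identity Provider, all by the same actor in a short window. The script below is an added example written for this alert, not Okta's own code or tooling. The eventType strings are real Okta System Log event types; the log records, the PRIVILEGED_USERS set and the one-hour correlation window are constructed assumptions for illustration.

```python
"""Flag Okta System Log events consistent with the Super Admin hijack /
inbound-federation ("Org2Org") impersonation chain described in the alert.

Added example, not Okta's code. The eventType values are real Okta System Log
event types; the log lines below are constructed samples and PRIVILEGED_USERS
is a hypothetical list an organization would maintain itself.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the org's known high-privilege accounts (not from the alert).
PRIVILEGED_USERS = {"okta.admin@example.com", "it.support@example.com"}

# Real Okta System Log eventType values relevant to this campaign.
IDP_CREATED = "system.idp.lifecycle.create"          # new IdP, e.g. attacker's inbound "source" IdP
FACTOR_RESET = {"user.account.reset_factor", "user.mfa.factor.deactivate"}
PRIV_GRANT = "user.account.privilege.grant"          # admin role handed to another account
IMPERSONATION = "user.session.impersonation.initiate"

# Constructed sample events, one JSON object per line, shaped like /api/v1/logs output.
SAMPLE_LOG = """
{"published":"2023-08-30T14:01:00.000Z","eventType":"user.session.start","actor":{"alternateId":"jane.doe@example.com"},"target":[],"outcome":{"result":"SUCCESS"}}
{"published":"2023-08-30T14:05:00.000Z","eventType":"user.account.reset_factor","actor":{"alternateId":"okta.admin@example.com"},"target":[{"type":"User","alternateId":"it.support@example.com"}],"outcome":{"result":"SUCCESS"}}
{"published":"2023-08-30T14:07:30.000Z","eventType":"user.account.privilege.grant","actor":{"alternateId":"okta.admin@example.com"},"target":[{"type":"User","alternateId":"contractor@example.com"}],"outcome":{"result":"SUCCESS"}}
{"published":"2023-08-30T14:09:00.000Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"okta.admin@example.com"},"target":[{"type":"IdentityProvider","displayName":"Org2Org Inbound"}],"outcome":{"result":"SUCCESS"}}
{"published":"2023-08-30T16:30:00.000Z","eventType":"user.account.reset_factor","actor":{"alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"jane.doe@example.com"}],"outcome":{"result":"SUCCESS"}}
"""


def parse_log(text):
    """Parse newline-delimited JSON System Log events into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _ts(ev):
    # Okta publishes UTC timestamps with a trailing 'Z'; fromisoformat wants an offset.
    return datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))


def _targets(ev, kind):
    """Names of the event's targets of a given type (User, IdentityProvider, ...)."""
    return [t.get("alternateId") or t.get("displayName")
            for t in ev.get("target", []) if t.get("type") == kind]


def detect(events, window=timedelta(hours=1)):
    """Return (severity, rule, detail) findings for successful suspicious events,
    plus a correlation finding when one actor both tampers with MFA/privileges
    and creates an IdP within `window`."""
    findings = []
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        actor = ev["actor"]["alternateId"]
        et = ev["eventType"]
        by_actor[actor].append(ev)
        if et == IDP_CREATED:
            findings.append(("high", "idp_created",
                             f"{actor} created IdP {_targets(ev, 'IdentityProvider')}"))
        elif et in FACTOR_RESET:
            victims = _targets(ev, "User")
            # Resets on privileged accounts are the campaign's entry point; rank them higher.
            sev = "high" if set(victims) & PRIVILEGED_USERS else "medium"
            findings.append((sev, "factor_reset", f"{actor} reset MFA for {victims}"))
        elif et == PRIV_GRANT:
            findings.append(("high", "privilege_grant",
                             f"{actor} granted privileges to {_targets(ev, 'User')}"))
        elif et == IMPERSONATION:
            findings.append(("high", "impersonation",
                             f"{actor} started an impersonation session"))

    # Chain rule: same actor, MFA/privilege change and IdP creation close together.
    for actor, evs in by_actor.items():
        idp_times = [_ts(e) for e in evs if e["eventType"] == IDP_CREATED]
        prep_times = [_ts(e) for e in evs
                      if e["eventType"] in FACTOR_RESET or e["eventType"] == PRIV_GRANT]
        if idp_times and prep_times and any(abs(a - b) <= window
                                            for a in idp_times for b in prep_times):
            findings.append(("critical", "superadmin_hijack_chain",
                             f"{actor}: MFA/privilege changes and a new IdP within {window}"))
    return findings


if __name__ == "__main__":
    for sev, rule, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"[{sev}] {rule}: {detail}")
```

In practice the events would come from the System Log API (`/api/v1/logs`) or a SIEM export rather than the inline sample; the point is that individual resets by a help desk are normal, while a Super Administrator resetting a privileged user's factors and then adding an Identity Provider within the same hour is the exact sequence the alert describes and should page someone.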
Here are Okta’s recommendations:
- Enforce phishing-resistant authentication using Okta FastPass and FIDO2
- Require re-authentication for privileged app access, including Admin
- Use strong authenticators for self-service recovery and limit to trusted
- Streamline Remote Management and Monitoring (RMM) tools and block unauthorized
- Enhance help desk verification with visual checks, MFA challenges, and manager
- Activate and test alerts for new devices and suspicious
- Limit Super Administrator roles, implement privileged access management, and delegate high-risk tasks.
- Require admins to sign in from managed devices with phishing-resistant MFA and limit access to trusted zones.