Okta Environments Seeing Increased Targeted Threat Activity

Share :

In the last few weeks, Arctic Wolf Labs has noted an increase in threat activity targeting Okta as an attack vector. The relevant Techniques, Tools, and Procedures (TTPs) span across several different types of attacks. This bulletin will review several key aspects of these attacks. 

Inbound Identity Provider Abuse 

Okta’s Defensive Cyber Operations published a blog detailing an uptick in social engineering attempts where multiple US-based Okta customers were reporting consistent patterns of attacks against their help desk teams. The main goal of the attacks was to convince help desk personnel to reset all Multi-Factor Authentication (MFA) factors for highly privileged users, the role Okta calls Super Administrator. 

After the MFA factors were reset, Okta Security identified a cluster of threat actor activity involving anonymous proxies for accessing compromised accounts. These compromised accounts were used to assign high privileges to other accounts and reset additional MFA factors for other users, as well as configuring a secondary Identity Provider (IdP). The threat actors then linked the IdP in an inbound federated relationship with the victim. This allowed the threat actors to impersonate users and access applications and resources for the targeted organisation. The threat actors in this activity were not identified by Okta. 

MGM Resorts International Incident 

On 11 September 2023, MGM Resorts International reported via social media network X that a “cybersecurity incident” was affecting some of their systems. Reuters later reported that Scattered Spider (also known as Scatter Swine, 0ktapus, and UNC3944), an affiliate known to be associated with the ALPHV/BlackCat ransomware-as-a-service variant, was responsible for the attacks. 

In a post to their leak site on 14 September 2023, ALPHV/BlackCat claimed responsibility for the attacks against MGM, stating that they were able to access the company’s Okta Agent servers. They claimed that they were able to “sniff passwords” of user accounts that couldn’t be cracked via dumped hashes from the domain controller. Additionally, the leak site posting mentioned that Okta Sync and Okta Agent components were in use by MGM, suggesting they were delegating authentication for Okta to their Active Directory domain controllers. 

Detections 

Arctic Wolf has multiple detections in place via our Okta integration for Managed Detection and Response that detect many of the TTPs currently being used by the threat actors, such as administrative privileges granted, MFA factor resets and deactivations, authentication events nearing/exceeding threshold, account lockouts, and impersonations granted.  

With regard to the MGM breach, Arctic Wolf has agent-based detections in place for relevant tooling across several TTPs including credential access, discovery, and reconnaissance that are associated with the Scattered Spider threat actor. 

Recommendations 

Recommendation #1: Review and Implement Best Practices Outlined by Okta 

Okta outlines a set of configuration best practices and processes in the Prevention section of their recently-published blog article. 

Note: Please follow your organisation’s testing guidelines to avoid operational impact. 

Recommendation #2: Implement Security Awareness Training 

Due to the heavy use of social engineering tactics by the threat actors outlined in this bulletin, Arctic Wolf recommends using security awareness training campaigns so that users are better able to recognise and report suspicious activities associated with sophisticated phishing campaigns. 

References 

  1. Okta DCO Blog
  2. Scattered Spider attack on MGM resorts
  3. Scattered Spider 
  4. MGM Casino Hack explained
  5. Okta Phishing Resistant Authentication Blog
  6. Okta Agent Involved in MGM Resorts Breach, Attackers Claim
  7. ALPHV statement
Andres Ramos

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security and holds a bachelor’s degree in Cybersecurity Engineering.
Share :
Table of Contents
Categories