In the last few weeks, Arctic Wolf Labs has noted an increase in threat activity targeting Okta as an attack vector. The relevant Techniques, Tools, and Procedures (TTPs) span across several different types of attacks. This bulletin will review several key aspects of these attacks.
Inbound Identity Provider Abuse
Okta’s Defensive Cyber Operations published a blog detailing an uptick in social engineering attempts where multiple US-based Okta customers were reporting consistent patterns of attacks against their help desk teams. The main goal of the attacks was to convince help desk personnel to reset all Multi-Factor Authentication (MFA) factors for highly privileged users, the role Okta calls Super Administrator.
After the MFA factors were reset, Okta Security identified a cluster of threat actor activity in which anonymizing proxies were used to access the compromised accounts. These compromised accounts were then used to assign high privileges to other accounts, reset additional MFA factors for other users, and configure a secondary Identity Provider (IdP). The threat actors then linked that IdP to the victim in an inbound federated relationship, which allowed them to impersonate users and access the targeted organization's applications and resources. Okta did not attribute this activity to a named threat actor.
MGM Resorts International Incident
On September 11, 2023, MGM Resorts International reported via social media network X that a “cybersecurity incident” was affecting some of their systems. Reuters later reported that Scattered Spider (also known as Scatter Swine, 0ktapus, and UNC3944), an affiliate known to be associated with the ALPHV/BlackCat ransomware-as-a-service variant, was responsible for the attacks.
In a post to their leak site on September 14, 2023, ALPHV/BlackCat claimed responsibility for the attacks against MGM, stating that they were able to access the company’s Okta Agent servers. They claimed that they were able to “sniff passwords” of user accounts that couldn’t be cracked via dumped hashes from the domain controller. Additionally, the leak site posting mentioned that Okta Sync and Okta Agent components were in use by MGM, suggesting they were delegating authentication for Okta to their Active Directory domain controllers.
Arctic Wolf has multiple detections in place via our Okta integration for Managed Detection and Response that cover many of the TTPs currently used by these threat actors, including administrative privileges granted, MFA factor resets and deactivations, authentication events nearing or exceeding thresholds, account lockouts, and impersonation grants.
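To show how the chain above surfaces in Okta's System Log, here is an added triage script that is not Arctic Wolf's or Okta's code. It assumes the standard Okta eventType names listed in WATCHED and the securityContext.isProxy field; the log lines are constructed, not real tenant data.

```python
import json
from collections import defaultdict

# Okta System Log eventType values matching the TTPs the bulletin lists (assumed standard names; confirm against your tenant).
WATCHED = {
    "user.mfa.factor.reset_all": "MFA factors reset",
    "user.mfa.factor.deactivate": "MFA factor deactivated",
    "user.account.privilege.grant": "admin privilege granted",
    "system.idp.lifecycle.create": "inbound IdP created",
    "user.session.impersonation.grant": "impersonation granted",
    "user.account.lock": "account locked",
}

# Constructed sample export (JSON lines, not real tenant data), trimmed to the fields used.
SAMPLE_LOG = """
{"eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"alternateId":"superadmin@example.com"}],"securityContext":{"isProxy":false}}
{"eventType":"user.session.start","actor":{"alternateId":"superadmin@example.com"},"target":[],"securityContext":{"isProxy":true}}
{"eventType":"user.account.privilege.grant","actor":{"alternateId":"superadmin@example.com"},"target":[{"alternateId":"bob@example.com"}],"securityContext":{"isProxy":true}}
{"eventType":"system.idp.lifecycle.create","actor":{"alternateId":"superadmin@example.com"},"target":[{"displayName":"attacker-idp"}],"securityContext":{"isProxy":true}}
"""

def parse_log(text):
    """Parse a JSON-lines System Log export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage(events):
    """Group watched events by actor and count those made through an anonymizing proxy (securityContext.isProxy)."""
    by_actor = defaultdict(lambda: {"events": [], "via_proxy": 0})
    for ev in events:
        label = WATCHED.get(ev.get("eventType"))
        if label is None:
            continue  # not one of the watched TTPs
        actor = ev.get("actor", {}).get("alternateId", "<unknown>")
        by_actor[actor]["events"].append(label)
        if ev.get("securityContext", {}).get("isProxy"):
            by_actor[actor]["via_proxy"] += 1
    return dict(by_actor)

def inbound_federation_chain(findings, actor):
    """True when one actor both granted admin privileges and created an IdP: the steps that precede linking a rogue inbound federation."""
    seen = set(findings.get(actor, {}).get("events", []))
    return {"admin privilege granted", "inbound IdP created"} <= seen

if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG))
    for actor, info in found.items():
        flag = " CHAIN" if inbound_federation_chain(found, actor) else ""
        print(f"{actor}: {info['events']} via_proxy={info['via_proxy']}{flag}")
```

A proxy-sourced privilege grant followed by IdP creation from the same account is the combination worth paging on; the help desk reset on its own is routine and only gains meaning in that context.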
With regard to the MGM breach, Arctic Wolf has agent-based detections in place for relevant tooling across several TTPs including credential access, discovery, and reconnaissance that are associated with the Scattered Spider threat actor.
Recommendation #1: Review and Implement Best Practices Outlined by Okta
Okta outlines a set of configuration best practices and processes in the Prevention section of their recently published blog article.
Note: Please follow your organization’s testing guidelines to avoid operational impact.
Recommendation #2: Implement Security Awareness Training
Due to the heavy use of social engineering tactics by the threat actors outlined in this bulletin, Arctic Wolf recommends using security awareness training campaigns so that users are better able to recognize and report suspicious activities associated with sophisticated phishing campaigns.