More Okta customers trapped in Scattered Spider's web


Customers of cloud identity vendor Okta are reporting social engineering attacks targeting their IT service desks in attempts to compromise user accounts with administrator permissions.

"Multiple US-based Okta customers" have reported these phishing attempts, "in which the caller's strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users," according to a security alert published on Thursday.

"The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization," the alert continued.

According to Okta chief security officer David Bradbury, the company spotted the campaign beginning July 29, and it continued until August 19.

"We don't have visibility into which customers were targeted, but we know that 4 customers were affected within the three-week period since we've begun tracking these activities," he told The Register.

When asked if Okta attributed the attacks to a particular group, Bradbury said "other cyber security companies have linked this behavior to threat actors known as Scattered Spider."

Scattered Spider, also tracked as UNC3944, Scatter Swine, and Muddled Libra, has been around since May 2022, according to security researchers.

The crew favors SIM swapping, email and SMS phishing attacks, and sometimes they'll attempt to phish other people within an organization once they've broken into employee databases, Mandiant noted in May. "Once persistence has been established, UNC3944 has been observed modifying and stealing data from within the victim organization's environment," the Google-owned threat intel firm said.

The gang's targets are usually telecom and business process outsourcing (BPO) companies, however "recent activity indicates that this group has started targeting other sectors, including critical infrastructure organizations," Trellix researchers said in a report earlier this month.


Trellix also linked Scattered Spider to the August 2022 Oktapus phishing campaign, during which the criminals gained unauthorized access to 163 Twilio customers, including Okta.

In its latest campaign, the miscreants either had passwords to privileged user accounts or were "able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk at a targeted org, requesting a reset of all MFA factors in the target account," according to the Okta alert.

Similar to last year's attacks, after gaining access to admin accounts, Scattered Spider then assigned higher privileges to other accounts and also removed second-factor authentication requirements tied to some users.

Okta says its security team also observed the crew using this access to authenticate themselves as a "source" identity provider, thus gaining single sign-on access to applications. Here's how the criminals did that:
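The chain described above (service desk resets every MFA factor on a Super Administrator, then that account grants privileges to other users or adds an identity provider for inbound federation) leaves a recognisable footprint in the Okta System Log. The following is an added detection example, not code from Okta or from the article: it correlates a successful factor reset on a privileged account with follow-on administrative actions by that same account within a 24-hour window. The event type names are Okta System Log names as I understand them and should be verified against your own tenant's logs; the sample events, user names and IP addresses are constructed for illustration.

```python
"""Correlate Okta System Log events for the MFA-reset-then-privilege-abuse pattern.

Added example (not Okta's code). Field layout follows the System Log schema
(eventType, published, actor, target, outcome, client); the events below are constructed.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta
from typing import Iterable

# Event types to correlate. Names as documented for the Okta System Log; verify in your tenant.
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
FOLLOW_ON_EVENTS = {
    "system.idp.lifecycle.create",   # new identity provider: candidate inbound-federation abuse
    "user.account.privilege.grant",  # admin role handed to another account
    "group.privilege.grant",
}
WINDOW = timedelta(hours=24)

# Accounts holding Super Administrator. Constructed here; in production derive this
# from the tenant's admin role assignments rather than a hard-coded set.
PRIVILEGED_USERS = {"admin.alice@example.com"}


def parse_ts(value: str) -> datetime:
    """Okta publishes RFC 3339 timestamps with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def targets_of(event: dict, type_name: str) -> list[str]:
    return [t["alternateId"] for t in event.get("target", []) if t.get("type") == type_name]


def correlate(events: Iterable[dict]) -> list[dict]:
    """Return one alert per follow-on action taken by a privileged user whose
    MFA factors were successfully reset within WINDOW beforehand."""
    ordered = sorted(events, key=lambda e: e["published"])
    resets: dict[str, tuple[datetime, str]] = {}  # user -> (reset time, who performed it)
    alerts: list[dict] = []
    for ev in ordered:
        ts = parse_ts(ev["published"])
        etype = ev["eventType"]
        if etype in MFA_RESET_EVENTS and ev["outcome"]["result"] == "SUCCESS":
            for user in targets_of(ev, "User"):
                if user in PRIVILEGED_USERS:
                    resets[user] = (ts, ev["actor"]["alternateId"])
        elif etype in FOLLOW_ON_EVENTS:
            actor = ev["actor"]["alternateId"]
            if actor in resets and ts - resets[actor][0] <= WINDOW:
                reset_at, reset_by = resets[actor]
                alerts.append({
                    "user": actor,
                    "reset_by": reset_by,
                    "reset_at": reset_at.isoformat(),
                    "follow_on": etype,
                    "follow_on_at": ts.isoformat(),
                    "from_ip": ev.get("client", {}).get("ipAddress"),
                })
    return alerts


# Constructed sample log: a help-desk reset of the super admin's factors, then two
# admin actions by that account from an address (TEST-NET) the admin never used before,
# plus an unrelated reset on a non-privileged user that must not alert.
SAMPLE_LOG = json.loads("""[
 {"eventType": "user.mfa.factor.reset_all", "published": "2023-08-01T14:02:11.000Z",
  "actor": {"alternateId": "helpdesk.bob@example.com"},
  "target": [{"type": "User", "alternateId": "admin.alice@example.com"}],
  "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "198.51.100.20"}},
 {"eventType": "system.idp.lifecycle.create", "published": "2023-08-01T15:20:45.000Z",
  "actor": {"alternateId": "admin.alice@example.com"},
  "target": [{"type": "IdentityProvider", "alternateId": "constructed-idp"}],
  "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.7"}},
 {"eventType": "user.account.privilege.grant", "published": "2023-08-01T15:31:00.000Z",
  "actor": {"alternateId": "admin.alice@example.com"},
  "target": [{"type": "User", "alternateId": "carol@example.com"}],
  "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.7"}},
 {"eventType": "user.mfa.factor.reset_all", "published": "2023-08-01T16:00:00.000Z",
  "actor": {"alternateId": "helpdesk.bob@example.com"},
  "target": [{"type": "User", "alternateId": "dave@example.com"}],
  "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "198.51.100.20"}}
]""")


def detect_sample() -> list[dict]:
    return correlate(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in detect_sample():
        print(json.dumps(alert))
```

Each alert carries both the actor who performed the reset and the source address of the follow-on action, which is what a responder needs to ask the service desk about the call and to compare the address against the admin's usual devices. Tuning the window and adding `user.session.impersonation.grant` or policy-rule changes to the follow-on set are natural extensions once the pattern is confirmed in your own logs.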

Okta suggests several measures customers can take to protect themselves against this and similar phishing campaigns, including phishing-resistant authentication, and requiring re-authentication at every sign-in for privileged applications.

It's also a good idea to review and limit use of admin roles, and require admins to sign in from managed devices using multi-factor authentication.

It's also recommended that admins turn on new device and suspicious activity end-user notifications to receive alerts about any phishy behavior that could be originating from Scattered Spider. ®