More Okta customers trapped in Scattered Spider's web

Trending 2 weeks ago
  1. Home
  2. Security
  3. More Okta customers trapped in Scattered Spider's web

Customers of cloudy recognition vendor Okta are reporting societal engineering attacks targeting their IT work desks successful attempts to discuss personification accounts pinch administrator permissions.

"Multiple US-based Okta customers" person reported these phishing attempts, "in which nan caller's strategy was to person work table unit to reset each Multi-factor Authentication (MFA) factors enrolled by highly privileged users," according to a security alert published connected Thursday.

"The attackers past leveraged their compromise of highly privileged Okta Super Administrator accounts to maltreatment morganatic personality federation features that enabled them to impersonate users wrong nan compromised organization," nan alert continued.

According to Okta main information serviceman David Bradbury, nan institution spotted nan run opening July 29, and it continued until August 19.

"We don't person visibility into which customers were targeted, but we cognize that 4 customers were affected wrong nan three-week play since we've begun search these activities," he told The Register.

When asked if Okta attributed nan attacks to a peculiar group, Bradbury said "other cyber information companies person linked this behaviour to threat actors known arsenic Scattered Spider."

Scattered Spider, besides tracked arsenic UNC3944, Scatter Swine, and Muddled Libra, has been astir since May 2022, according to information researchers.

The unit favors SIM swapping, email and SMS phishing attacks, and sometimes  they'll effort to phish different group wrong an statement erstwhile they've surgery into worker databases, Mandiant noted successful May. "Once persistence has been established, UNC3944 has been observed modifying and stealing information from wrong nan unfortunate organization's environment," nan Google-owned threat intel patient said.

The gang's targets are usually telecom and business process outsourcing (BPO) companies, nevertheless "recent activity indicates that this group has started targeting different sectors, including captious infrastructure organizations," Trellix researchers said successful a report earlier this month.

  • Twilio, Cloudflare conscionable 2 of 135 orgs targeted by Oktapus phishing campaign
  • Crooks transcript root codification from Okta's GitHub repository
  • INTERPOL shutters '16shop' phishing-as-a-service outfit
  • Barracuda gateway attacks: How Chinese snoops support a grip connected victims' networks

Trellix besides linked Scattered Spider to nan August 2022 Oktapus phishing campaign during which nan criminals gained unauthorized entree to 163 Twilio customers, including Okta.

In its latest campaign, nan miscreants either had passwords to privileged personification accounts aliases were "able to manipulate nan delegated authentication travel via Active Directory (AD) anterior to calling nan IT work table astatine a targeted org, requesting a reset of each MFA factors successful nan target account," according to nan Okta alert.

Similar to past year's attacks, aft gaining entree to admin accounts, Scattered Spider past assigned higher privileges to different accounts and besides removed second-factor authentication requirements tied to immoderate users.

Okta says its information squad besides observed nan unit utilizing this entree to authenticate themselves arsenic a "source" personality provider, frankincense gaining azygous sign-on entree to applications. Here's really nan criminals did that:

Okta suggests respective measures customers tin return to protect themselves against this and akin phishing campaigns, including phishing-resistant authentication, and requiring re-authentication astatine each sign-in for privileged applications.

It's besides a bully thought to reappraisal and limit usage of admin roles, and require admins to motion successful from managed devices utilizing multi-factor authentication. 

It's besides recommended that admins move connected caller instrumentality and suspicious activity end-user notifications to person alerts astir immoderate phishy behaviour that could beryllium originating from Scattered Spider. ®

Related Article

Save the Children feared hit by ransomware, 7TB stolen

Save the Children feared hit by ransomware, 7TB stolen

1 week ago
MGM Resorts shuts down website, computer systems after 'cybersecurity incident'

MGM Resorts shuts down website, computer systems after 'cybersecurity incident'

1 week ago
Huge DDoS attack against US financial institution thwarted

Huge DDoS attack against US financial institution thwarted

1 week ago
Malice in the mail

Malice in the mail

1 week ago
Google warns infoseccers: Beware of North Korean spies sliding into your DMs

Google warns infoseccers: Beware of North Korean spies sliding into your DMs

1 week ago
Safe delivery

Safe delivery

1 week ago

Trending

1. Angus Cloud
2. Splunk
3. Rupert Murdoch
4. Europa League
5. Joe Jonas
6. Justin Fields
7. American Horror Story
8. Kim Jong Un
9. Cam Akers
10. Inter Miami

Popular Article

OpenAI boss Sam Altman receives Indonesia's first golden visa

OpenAI boss Sam Altman receives Indonesia's first golden visa

1 week ago
Morgan Stanley values Tesla's super-hyped supercomputer at up to $500B

Morgan Stanley values Tesla's super-hyped supercomputer at up to $500B

1 week ago
3 sci-fi movies on Prime Video you need to watch in September

3 sci-fi movies on Prime Video you need to watch in September

1 week ago
Square: Last week’s outage was caused by DNS issue, not a cyberattack

Square: Last week’s outage was caused by DNS issue, not a cyberattack

1 week ago
Iranian hackers backdoor 34 orgs with new Sponsor malware

Iranian hackers backdoor 34 orgs with new Sponsor malware

1 week ago
Billions of 'custobots' are coming online. Marketers may need to learn SEO for AI

Billions of 'custobots' are coming online. Marketers may need to learn SEO for AI

1 week ago
English (US) English (US) · Indonesian (ID) Indonesian (ID) ·
About Us · Contact Us · Terms & Conditions · Disclaimer ·

©2023 PAK MEDIA BLOG.
All Rights Reserved.