Multiple Okta customers compromised in a phishing campaign

Multiple US-based customers of identity and access management company Okta have been compromised in a series of phishing attacks aiming to obtain elevated administrator permissions.

“In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users,” Okta said in an advisory.

The attackers then used compromised Okta Super Administrator accounts to impersonate users within targeted organizations.

Okta says it observed intrusions between July 29 and August 19 but did not say how many customers were impacted.

The attacks are believed to have been orchestrated by a financially motivated threat actor tracked under the names Scattered Spider, UNC3944, Scatter Swine, and Muddled Libra, which has been active since May 2022.

The group’s tactics often include SIM-swapping attacks followed by the establishment of persistence using compromised accounts. Once persistence has been established, UNC3944 has been observed modifying and stealing data from within the victim organization’s environment. Scattered Spider relies on email and SMS phishing attacks and has also been observed attempting to phish other users within an organization once it has gained access to employee databases.

To prevent future attacks, Okta recommends that customers enforce phishing-resistant methods for enrollment, authentication, and recovery; restrict the use of highly privileged accounts; apply dedicated access policies for administrative users; and monitor and investigate anomalous use of functions reserved for privileged users.
