Okta has warned its U.S. customers about attacks aimed at their IT help desks. The attackers are targeting Okta Super Administrator accounts, and taking one over seriously compromises a company.
Specifically, the attackers try to persuade IT help desk staff to reset MFA (multi-factor authentication) for highly privileged accounts. Once the MFA has been reset, these accounts can be taken over, after which it is possible to impersonate the users in question within an organization. Okta discovered occurrences of these cyber-incidents between July 29 and Aug. 19.
How it works
For Okta customers, such an incident does not start with the call to the help desk. Before that, the attacker has already gotten hold of passwords to privileged accounts or exploited an authentication vulnerability in Azure Active Directory.
A phone call to the help desk then leads to the compromise of a Super Admin account. After that, the attacker uses proxy services, a new IP address and a new device to remain undetected.
Anyone in control of a Super Admin account can change which authenticator solutions are accepted or remove 2FA protection from some accounts.
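The sequence described above (an MFA reset on a privileged account, followed by a sign-in from a new IP address and a new device) can be checked for in sign-in logs. The following is an added example, not code from Okta: the event type names are Okta System Log event types, while the flat record layout, the account names, the 24-hour window and all sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, NOT real Okta output. The flat field layout is an
# assumption; for reset events "user" is the account whose factors were reset.
EVENTS = [
    {"time": "2024-01-10T09:00:00", "type": "user.session.start", "user": "admin@example.com", "ip": "198.51.100.10", "device": "dev-A", "proxy": False},
    {"time": "2024-01-10T09:05:00", "type": "user.session.start", "user": "ops@example.com", "ip": "198.51.100.20", "device": "dev-B", "proxy": False},
    {"time": "2024-01-11T14:00:00", "type": "user.mfa.factor.reset_all", "user": "admin@example.com"},
    {"time": "2024-01-11T14:20:00", "type": "user.session.start", "user": "admin@example.com", "ip": "203.0.113.77", "device": "dev-X", "proxy": True},
    {"time": "2024-01-12T10:00:00", "type": "user.mfa.factor.reset_all", "user": "ops@example.com"},
    {"time": "2024-01-12T10:05:00", "type": "user.session.start", "user": "ops@example.com", "ip": "198.51.100.20", "device": "dev-B", "proxy": False},
]
PRIVILEGED = {"admin@example.com", "ops@example.com"}  # hypothetical Super Admins
RESET_TYPES = {"user.mfa.factor.reset_all"}
WINDOW = timedelta(hours=24)  # assumed correlation window


def suspicious_logins(events, privileged, window=WINDOW):
    """Flag privileged sign-ins that follow an MFA reset within `window` and
    come from an IP address and device not seen before for that account."""
    seen = {}        # user -> (known IPs, known devices)
    last_reset = {}  # user -> time of the most recent MFA reset
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, when = ev["user"], datetime.fromisoformat(ev["time"])
        if user not in privileged:
            continue
        if ev["type"] in RESET_TYPES:
            last_reset[user] = when
        elif ev["type"] == "user.session.start":
            ips, devices = seen.setdefault(user, (set(), set()))
            new_origin = ev["ip"] not in ips and ev["device"] not in devices
            reset = last_reset.get(user)
            if reset and when - reset <= window and new_origin:
                alerts.append({"user": user, "time": ev["time"], "ip": ev["ip"],
                               "proxy": ev["proxy"], "reset_at": reset.isoformat()})
            else:
                ips.add(ev["ip"])          # only unflagged sign-ins extend
                devices.add(ev["device"])  # the account's baseline
    return alerts


if __name__ == "__main__":
    for alert in suspicious_logins(EVENTS, PRIVILEGED):
        print(alert)
```

A reset followed by a sign-in from an already known IP address and device, as for the second account in the sample, is not flagged.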
Okta has so far only mentioned attacks in the U.S., but of course, deception of this kind could occur elsewhere. To prevent damage, Okta recommends deploying Okta FastPass and FIDO2 WebAuthn. The company characterizes these login methods as “phishing-resistant.” In addition, organizations should deploy authentication policies that require re-authentication with each sign-in.
Recovery options should also be limited to Okta Verify and Google Authenticator, while recovery attempts should only be allowed on trusted networks. Organizations should restrict RMM (Remote Management & Monitoring) tools as much as possible, with only trusted applications allowed to run.
Ultimately, limiting Super Administrator roles as much as possible is the most obvious measure. After all, a fooled IT help desk employee cannot inadvertently cause additional damage if they don’t have the required privileges.