Criminals have been targeting Okta’s clients in an attempt to gain access to accounts with administrator privileges.
“In recent weeks, multiple U.S.-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all multi-factor authentication (MFA) factors enrolled by highly privileged users,” the company confirmed in a blog post.
The campaign was active between July 29 and August 19 2023, it was added.
Apparently, the attackers (whom Okta did not want to name) have already obtained the target accounts’ username and password combination. However, as these accounts were protected by MFA, the threat actors had no other choice but to try and trick their way into resetting the tool.
If the attackers had succeeded, they would be granted the ability to assign higher privileges to other accounts, reset authenticators for other people, and even remove two-factor authentication if needed.
While Okta did not say who was behind the campaign, the media came to its own conclusion, based on the information provided. Thus, The Hacker News argues that this could be the work of Muddled Libra, an activity cluster partly overlapping with the likes of Scattered Spider and Scatter Swine. Google’s Mandiant tracks the group as UNC3944. They’re basing their conclusion on the fact that the group uses a commercial phishing kit called 0ktapus. Unit 42, on the other hand, argues that multiple groups are using 0ktapus, which means it’s not 100% certain Muddled Libra was behind the campaign.
Muddled Libra is a threat actor known to target organizations in software automation, BPO, telecommunications, and technology industries. Between mid-2022 and early 2023, Unit 42’s researchers investigated “more than half a dozen” incidents related to this threat actor.
Via: The Hacker News