Criminals Target Okta Clients in Elaborate MFA Reset Scam to Gain Administrator Privileges

In a recent security revelation, cybercriminals have set their sights on Okta’s clients in a sophisticated attempt to gain access to accounts with administrator privileges. Okta, a leading identity and access management provider, confirmed this concerning trend in a blog post, highlighting a pattern of social engineering attacks against IT service desk personnel employed by several U.S.-based Okta customers.

The modus operandi of the attackers involved convincing service desk personnel to reset all multi-factor authentication (MFA) factors for highly privileged users. This campaign unfolded during a specific timeframe, running from July 29 to August 19, 2023, posing a significant threat to the security of affected organizations.

It is worth noting that the threat actors had already acquired the username and password combinations for the target accounts. However, these accounts were fortified with MFA, leaving the attackers with no alternative but to resort to social engineering tactics to manipulate service desk personnel into resetting this critical security tool.

Had the attackers succeeded, they would have gained the ability to assign elevated privileges to other accounts, manipulate authenticators for different individuals, and potentially disable two-factor authentication at will.
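A defender-side check for the pattern described above, added here as an example and not code from Okta or from this article: it scans Okta System Log-style events for "reset all factors" or "deactivate factor" actions whose target holds a privileged role, which is the step the service desk was talked into performing. The sample events and the privileged-user set are constructed, and the event type names are assumed to match Okta's System Log naming; verify them against your own tenant's logs.

```python
import json

# Constructed sample of Okta System Log-style events (not real log data).
# The event type names are an assumption about Okta's naming; confirm against real logs.
SAMPLE_EVENTS = [
    {"eventType": "user.mfa.factor.reset_all", "published": "2023-08-01T14:02:11Z",
     "actor": {"alternateId": "helpdesk.agent@example.com"},
     "target": [{"type": "User", "alternateId": "alice.admin@example.com"}],
     "client": {"ipAddress": "198.51.100.7"}},
    {"eventType": "user.session.start", "published": "2023-08-01T14:05:00Z",
     "actor": {"alternateId": "bob@example.com"},
     "target": [{"type": "User", "alternateId": "bob@example.com"}],
     "client": {"ipAddress": "203.0.113.9"}},
    {"eventType": "user.mfa.factor.reset_all", "published": "2023-08-01T15:10:00Z",
     "actor": {"alternateId": "helpdesk.agent@example.com"},
     "target": [{"type": "User", "alternateId": "carol@example.com"}],
     "client": {"ipAddress": "198.51.100.7"}},
]

# Constructed: identities holding Super Administrator or comparable roles.
PRIVILEGED_USERS = {"alice.admin@example.com", "dave.admin@example.com"}

# Events that weaken a user's MFA posture and therefore deserve review
# when the target is a privileged account.
MFA_WEAKENING_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}


def flag_privileged_mfa_resets(events, privileged_users):
    """Return a record for every MFA reset/deactivation aimed at a privileged user."""
    hits = []
    for ev in events:
        if ev.get("eventType") not in MFA_WEAKENING_EVENTS:
            continue
        for tgt in ev.get("target", []):
            if tgt.get("type") == "User" and tgt.get("alternateId") in privileged_users:
                hits.append({
                    "when": ev.get("published"),
                    "actor": ev.get("actor", {}).get("alternateId"),
                    "target": tgt["alternateId"],
                    "event": ev["eventType"],
                    "source_ip": ev.get("client", {}).get("ipAddress"),
                })
    return hits


if __name__ == "__main__":
    for hit in flag_privileged_mfa_resets(SAMPLE_EVENTS, PRIVILEGED_USERS):
        print(json.dumps(hit))
```

Each flagged record names the service desk actor and source address so the reset can be cross-checked against a ticket before the account is trusted again.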

While Okta refrained from explicitly naming the culprits behind this campaign, industry experts have begun drawing connections. Some have speculated that this operation could be attributed to Muddled Libra, an activity cluster with partial overlaps with groups like Scattered Spider and Scatter Swine, known as UNC3944 in Google’s Mandiant tracking. The reasoning behind this attribution stems from the group’s use of a commercial phishing kit called 0ktapus.

However, it’s important to note that Unit 42, another cybersecurity research entity, has suggested that multiple threat groups might be employing the 0ktapus phishing kit. This ambiguity underscores the need for a thorough investigation to conclusively determine the identity of the perpetrators.

Muddled Libra has a track record of targeting organizations in sectors such as software automation, business process outsourcing (BPO), telecommunications, and technology. Between mid-2022 and early 2023, researchers at Unit 42 investigated over half a dozen incidents associated with this particular threat actor, shedding light on the group's persistent and evolving tradecraft.