Criminals Target Okta Clients in Elaborate MFA Reset Scam to Gain Administrator Privileges

While Okta refrained from explicitly naming the culprits behind this campaign, industry experts have begun drawing connections. Some have speculated that this operation could be attributed to Muddled Libra, an activity cluster with partial overlaps with groups like Scattered Spider and Scatter Swine, known as UNC3944 in Google’s Mandiant tracking. This attribution rests on the group’s use of a commercial phishing kit called 0ktapus.

However, it’s important to note that Unit 42, another cybersecurity research entity, has suggested that multiple threat groups might be employing the 0ktapus phishing kit. This ambiguity underscores the need for a thorough investigation to conclusively determine the identity of the perpetrators.