Four Okta customers fell victim to social engineering attacks this summer when threat actors convinced IT service desk personnel to reset all multifactor authentication factors of highly privileged users, according to the identity and access management provider.
The attacks demonstrated novel methods of lateral movement and defense evasion, Okta said in an Aug. 31 filing with the Securities and Exchange Commission.
“Four customers were affected within the three-week period since we’ve begun tracking these activities” on July 29, Okta CSO David Bradbury said via email.
The campaign targeted multiple U.S.-based companies and followed a consistent pattern involving calls to IT service desk staff that resulted in compromised Okta super administrator accounts. This access was used to impersonate highly privileged users within compromised organizations, according to Okta.
Before calling the IT service desk at the targeted organization, the threat actor appeared either to hold valid passwords for the privileged accounts or to be able to manipulate the delegated authentication flow via Active Directory, the company said in the filing. In other words, the social engineering step was aimed at the remaining control, the MFA factors, rather than at the password.
Okta did not specify potential damages, such as data theft, extortion or encryption, that may have resulted from these attacks.
“We’ve worked with customers hand-in-hand to assist during these attacks and we’ve been sharing preventative measures and remediations with customers both directly and via our blog, so we feel our relationship with our customers remains stronger than ever,” Bradbury said in response to questions.
Okta’s own systems were not compromised in these attacks, but the single sign-on provider is no stranger to such threats: last year it was hit by a phishing attack, suffered a breach and had its GitHub source code stolen.
“This is definitely a pattern of continued risk that customers of IAM and SSO solutions need to seriously take into account,” Michela Menting, senior research director at ABI Research, said via email.
“These types of supply chain attacks are very lucrative for threat actors because they can be deployed consistently in many different companies across verticals and regions,” Menting said.
Identity tools aren’t necessarily failing to protect enterprises, according to Zane Bond, head of product at Keeper Security. The risk lies in how organizations use and manage these services.
“Advanced social engineering attacks are what cybercriminals use when an organization is sufficiently secure and they cannot breach it using simpler methods such as basic phishing emails or compromising weak credentials,” Bond said via email.
Cloud and identity providers confront novel methods of attempted exploitation every day, Bradbury said.
“As security teams and the tools they use continue to improve, attackers must seek out new and novel ways to subvert these countermeasures,” Bradbury said. “We will continue to monitor the changing tactics of attackers and ensure we take every step to protect our customers from harm.”
Okta encouraged its customers to implement phishing-resistant authentication, restrict the use of highly privileged accounts and investigate anomalous use of these functions.
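The last of those recommendations, investigating anomalous use of the functions the campaign abused, is something a detection team can put into a log query. The script below is an added example, not code from Okta or from this article: it scans Okta System Log records for successful factor-reset events aimed at super administrators, flags those performed by a different account (the help desk pattern described above), and then pairs each reset with any sign-in by the affected administrator in the following half hour, which is where the impersonation would surface. The event type names are Okta System Log event types; the privileged-user list and the log lines themselves are constructed for the example and would come from your own tenant in practice.

```python
"""Flag MFA factor resets against highly privileged Okta users.

Added example, not Okta's or the article's code. The sample log lines are
constructed in the System Log's JSON shape (fields trimmed), and
PRIVILEGED_USERS is an assumption standing in for an export of the
accounts that hold the Super Administrator role in your tenant.
"""
import json
from datetime import datetime, timedelta, timezone

# Okta System Log event types that remove a user's MFA factors. A reset of
# all factors at once is the action the reported campaign relied on.
FACTOR_RESET_EVENTS = {
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
}

# Assumption: the logins of your super administrators.
PRIVILEGED_USERS = {"superadmin@example.com", "iam-break-glass@example.com"}

# Constructed sample: a help desk account resets all factors for a super
# admin and for an ordinary user, then the super admin signs in from a new
# IP and deactivates a factor on their own account.
SAMPLE_LOG = """
{"published":"2023-08-15T14:02:11.000Z","eventType":"user.mfa.factor.reset_all","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"helpdesk1@example.com"},"target":[{"type":"User","alternateId":"superadmin@example.com"}],"client":{"ipAddress":"203.0.113.7"}}
{"published":"2023-08-15T14:05:40.000Z","eventType":"user.mfa.factor.reset_all","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"helpdesk1@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}],"client":{"ipAddress":"203.0.113.7"}}
{"published":"2023-08-15T14:09:02.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"superadmin@example.com"},"target":[],"client":{"ipAddress":"198.51.100.23"}}
{"published":"2023-08-15T14:11:30.000Z","eventType":"user.mfa.factor.deactivate","outcome":{"result":"SUCCESS"},"actor":{"type":"User","alternateId":"superadmin@example.com"},"target":[{"type":"User","alternateId":"superadmin@example.com"}],"client":{"ipAddress":"198.51.100.23"}}
"""


def parse_events(log_text):
    """Parse newline-delimited System Log JSON, ignoring blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def _ts(published):
    """System Log timestamps are UTC with millisecond precision."""
    return datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ").replace(
        tzinfo=timezone.utc)


def audit_factor_resets(log_text, privileged_users=PRIVILEGED_USERS):
    """Return one alert per successful factor reset aimed at a privileged user.

    by_another_account is True when someone other than the affected user,
    such as a help desk operator, performed the reset.
    """
    privileged = {u.lower() for u in privileged_users}
    alerts = []
    for ev in parse_events(log_text):
        if ev.get("eventType") not in FACTOR_RESET_EVENTS:
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        actor = ev.get("actor", {}).get("alternateId", "")
        for target in ev.get("target", []):
            # Factor events can also list non-user targets; only users matter here.
            if target.get("type") != "User":
                continue
            victim = target.get("alternateId", "")
            if victim.lower() not in privileged:
                continue
            alerts.append({
                "published": ev["published"],
                "event_type": ev["eventType"],
                "actor": actor,
                "target": victim,
                "source_ip": ev.get("client", {}).get("ipAddress"),
                "by_another_account": actor.lower() != victim.lower(),
            })
    return alerts


def sessions_after_reset(log_text, alerts, window_minutes=30):
    """Pair each reset alert with sign-ins by the affected user that follow
    it within the window; a fresh session right after a reset is where an
    attacker who enrolled their own factor would first appear."""
    window = timedelta(minutes=window_minutes)
    events = parse_events(log_text)
    pairs = []
    for alert in alerts:
        reset_at = _ts(alert["published"])
        for ev in events:
            if ev.get("eventType") != "user.session.start":
                continue
            who = ev.get("actor", {}).get("alternateId", "")
            if who.lower() != alert["target"].lower():
                continue
            if reset_at <= _ts(ev["published"]) <= reset_at + window:
                pairs.append({
                    "target": alert["target"],
                    "reset_at": alert["published"],
                    "login_at": ev["published"],
                    "login_ip": ev.get("client", {}).get("ipAddress"),
                })
    return pairs


if __name__ == "__main__":
    found = audit_factor_resets(SAMPLE_LOG)
    for a in found:
        print(a)
    for p in sessions_after_reset(SAMPLE_LOG, found):
        print("follow-on sign-in:", p)
```

Run against a real export, the reset events are rare enough that every hit against a super administrator deserves a ticket; the pairing with a subsequent sign-in from an address the reset itself did not come from is what separates a legitimate help desk call from the pattern Okta described.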
“Social engineering, especially highly-targeted calls, can go a long way in opening up the doors to threat actors,” Menting said. “No need to use complex and expensive methods to brute force your way into IT systems — it’s easier to get the gatekeepers to simply open the door. This type of fraud is as old as mankind.”