Threat actors, especially Scattered Spider (UNC3944), have been using voice phishing techniques (vishing) to reset users’ passwords, including single sign-on MFA factors. According to VX Underground, Scattered Spider used this technique recently to compromise MGM Resorts. The threat actors contact organizations’ help desks with phone numbers potentially listed on public-facing sign-in help pages. Furthermore, they likely researched social media profiles, like LinkedIn and X (Twitter), of target companies to identify strategic users who likely have a privileged account. By contacting the IT help desk, the threat actors can manipulate help desk personnel into resetting accounts with access to sensitive applications with higher privileges. The threat actors could then log in to single sign-on portals from the internet, giving them access to sensitive applications and systems.
The Adversary Tactics and Intelligence team recently published a threat intelligence report finding that threat actors used these social engineering techniques to compromise highly privileged roles within organizations’ Okta tenants. The actors manipulated IT service desk personnel into resetting Multi-Factor Authentication (MFA) for Super Administrator accounts, thereby gaining unauthorized access to sensitive systems and data. Before calling the IT service desk, the threat actors either had the passwords to the accounts or were able to manipulate the delegated authentication flow via Active Directory (AD). They further abused inbound federation features to impersonate users within the compromised organization.
Based on our analysis, the threat actor demonstrates a high level of sophistication in their approach to compromising Okta tenants. Recently, Mandiant stated that, in the majority of cases, Scattered Spider (UNC3944) obtained credentials through SMS phishing attacks (smishing). Once they obtain the credentials, the threat actors may impersonate employees on calls to the organization’s service desk in an attempt to obtain multi-factor authentication (MFA) codes and/or reset passwords. During these calls, the threat actor provided the verification information requested, including usernames, employee IDs, and other types of personally identifiable information (PII).
Once MFA was reset, the threat actor accessed the compromised accounts using commercial residential proxy services from the same local area to evade security monitoring tools. However, the threat actor used an IP and device not previously associated with the user account.
The threat actor then used the compromised Super Administrator accounts for lateral movement within the organization. The actors assigned higher privileges to other accounts and, in some instances, removed second-factor requirements from authentication policies, weakening the organization’s security posture.
A particularly alarming technique involved the configuration of a second Identity Provider (IdP) to act as an “impersonation app.” This second IdP, controlled by the actor, served as a “source” in an inbound federation relationship with the target organization. The threat actor manipulated the username parameter for targeted users in this second “source” IdP to match a real user in the compromised “target” IdP, thereby gaining the ability to Single Sign-On (SSO) into applications as the targeted user.
Inbound Federation is a critical feature in identity management that allows a user authenticated by a source IdP to access applications in a target IdP. This feature is helpful in scenarios such as mergers, acquisitions, and divestitures and in large organizations requiring centralized control while allowing divisions some policy autonomy. Given the power and flexibility that Inbound Federation offers, access to create or modify an IdP is restricted to users with the highest permissions within an Okta organization—namely, Super Administrators or Org Administrators.
Threat Actor Intentions, Objectives, and Capabilities
The threat actors aim to gain unauthorized access to sensitive data and systems within targeted organizations for financial gain. Focusing on compromising highly privileged Okta accounts, particularly Super Administrators, the threat actors sought to undermine the organization’s identity management system to impersonate any user. Their capabilities include advanced social engineering, identity and access management knowledge, evasion techniques, and using anonymizing proxy services.
The recent publicity around the success of these techniques is likely to prompt other threat actors to adopt similar TTPs. The success rate and impact of these intrusions make them an attractive option for other actors looking for efficient ways to compromise high-value targets. Therefore, we can expect an uptick in similar incidents, potentially against other identity management platforms.
Threat actors currently using these techniques will likely adapt their Tactics, Techniques, and Procedures (TTPs) in the short term. Given their demonstrated sophistication, it is reasonable to anticipate that they will refine their social engineering tactics and possibly diversify their attack vectors. The use of anonymizing proxy services suggests that these actors are already well-versed in evasion techniques, and they may further refine these methods to bypass new detection measures. The threat actors may target other identity management systems or organizations that they perceive as lacking robust identity verification processes. These organizations would likely be smaller with less sophisticated security practices and policies.
To withstand, recover from, and adapt to threat actors using social engineering to gain access to highly privileged roles in an organization’s single sign-on tenant, customers should implement the following actions, which mitigate these tactics, techniques, and procedures and improve the organization’s cyber resilience:
- Strengthen identity verification processes, especially for help desks. Verification could involve visual verification (like Zoom) or calling the user back at a number maintained by HR and emailing a code or password to verify the user’s identity.
- If using self-service recovery, initiate recovery with the strongest available authenticator and limit recovery flows to trusted networks (by IP, ASN, or geolocation).
- For organizations that use Entra ID (formerly Microsoft Azure Active Directory), Mandiant provides detailed proven recommendations to mitigate common TTPs such as MFA abuse and unauthorized use of privileged accounts within the Microsoft cloud environment.
- Enforce dedicated admin policies – Require admins to sign in from managed devices via phishing-resistant MFA. Restrict this access to trusted Network Zones and deny access from anonymizing proxies.
- Review the business risks of posting help desk phone numbers for corporate assistance on publicly accessible websites.
- Review which of your organization’s accounts could be targeted by conducting simple web searches to see what is publicly exposed that the threat actors could target.
  - Example searches:
    - <My Organization> LinkedIn IAM
    - <My Organization> LinkedIn admin
    - <My Organization> LinkedIn okta admin
- Encourage users with Privileged Access to use secure LinkedIn and other social-media profile settings.
- Configure security solutions to block known IOCs associated with this threat.
The following recommendations are specific to Okta:
- Enable and test Okta’s New Device and Suspicious Activity end-user notifications.
- Review and limit Okta’s Super Administrator Roles – Implement privileged access management (PAM) for Super Administrator access, use Custom Admin Roles for maintenance tasks, and delegate the ability to perform high-risk tasks.
- All Administrative roles in Okta can be constrained to a specific group. Okta recommends using Custom Admin Roles to create help desk roles with the least privileges required and to limit these roles to groups that exclude highly privileged administrators.
Threat Hunting Guidance
Deepwatch recommends that all organizations retrospectively hunt for malicious activity that would likely indicate compromise, using the following threat hunting guidance and the observables listed here.
- Unexpected/anomalous password/MFA factor resets for privileged Okta users, including rare source geography, device type, browser, etc.
- Modifications to Okta policy allowing single-factor authentication for easier access by malicious actors.
- Okta has provided System Log events and Workflow templates that organizations can adapt to detect several of the threat actor’s tactics, techniques, and procedures.
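The hunts above can be run retrospectively over an Okta System Log export. The following is an added example, not Deepwatch's or Okta's code: it correlates a factor or password reset on a privileged account with a later sign-in from an unseen or proxied source and with identity provider, policy, or privilege changes by that account. The event types and field names are Okta System Log names; the privileged-account set, the 24-hour window, the rule names, and every sample event are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Okta System Log event types for the hunts listed above.
RESET = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate",
         "user.account.reset_password"}
ADMIN_CHANGE = {"policy.rule.update", "system.idp.lifecycle.create",
                "system.idp.lifecycle.update", "user.account.privilege.grant"}

def ts(ev):
    return datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))

def hunt(events, privileged, window=timedelta(hours=24)):
    """Return (rule, user, uuid) findings for accounts in `privileged`."""
    known_ips, last_reset, findings = {}, {}, []
    for ev in sorted(events, key=ts):
        kind, actor = ev["eventType"], ev["actor"]["alternateId"]
        if kind in RESET:  # actor is the help desk; the account is in target[]
            for tgt in ev.get("target", []):
                user = tgt.get("alternateId")
                if tgt.get("type") == "User" and user in privileged:
                    last_reset[user] = ts(ev)
                    findings.append(("privileged_factor_reset", user, ev["uuid"]))
        elif actor in privileged:
            recent = actor in last_reset and ts(ev) - last_reset[actor] <= window
            if kind == "user.session.start":
                ip = ev.get("client", {}).get("ipAddress")
                proxy = ev.get("securityContext", {}).get("isProxy") is True
                if recent and (proxy or ip not in known_ips.get(actor, set())):
                    findings.append(("new_source_after_reset", actor, ev["uuid"]))
                else:  # only unflagged sign-ins extend the baseline
                    known_ips.setdefault(actor, set()).add(ip)
            elif kind in ADMIN_CHANGE and recent:
                findings.append(("admin_change_after_reset", actor, ev["uuid"]))
    return findings

def sample(uuid, when, kind, actor, ip=None, target=None, proxy=False):
    return {"uuid": uuid, "published": when, "eventType": kind,
            "actor": {"alternateId": actor}, "client": {"ipAddress": ip},
            "securityContext": {"isProxy": proxy},
            "target": [{"type": "User", "alternateId": target}] if target else []}

ADMIN, DESK = "admin@example.com", "helpdesk@example.com"  # constructed accounts
SAMPLE_EVENTS = [  # constructed events, not real log data
    sample("e1", "2023-08-20T09:00:00.000Z", "user.session.start", ADMIN, "198.51.100.10"),
    sample("e2", "2023-09-01T14:00:00.000Z", "user.mfa.factor.reset_all", DESK, target=ADMIN),
    sample("e3", "2023-09-01T14:20:00.000Z", "user.session.start", ADMIN, "203.0.113.77", proxy=True),
    sample("e4", "2023-09-01T15:00:00.000Z", "system.idp.lifecycle.create", ADMIN, "203.0.113.77"),
    sample("e5", "2023-09-01T15:05:00.000Z", "policy.rule.update", ADMIN, "203.0.113.77"),
]
```

Calling `hunt(SAMPLE_EVENTS, {ADMIN})` flags the reset, the proxied sign-in that follows it, and both administrative changes; a sign-in from the account's known address after the same reset is not flagged.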