Criminals have targeted Okta customers in an attempt to gain access to accounts with administrator privileges.
“Over the past few weeks, several US-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, where the caller’s strategy was to get the service desk personnel to reset all multi-factor authentication (MFA) factors registered by highly privileged users,” the company confirmed in a blog post.
The campaign was active between July 29 and August 19, 2023, it adds.
Apparently the attackers (whom Okta declined to name) had already obtained the username and password combinations for the targeted accounts. However, since these accounts were protected by MFA, the threat actors had no choice but to try to trick service desk personnel into resetting it.
Had the attackers been successful, they would have had the ability to elevate privileges to other accounts, reset authenticators for other people, and even remove two-factor authentication if necessary.
While Okta did not say who was behind the campaign, the media drew their own conclusions based on the information provided. The Hacker News argues that this could be the work of Muddled Libra, an activity cluster that partly overlaps with Scattered Spider and Scatter Swine. Google’s Mandiant tracks the group as UNC3944. The conclusion is based on the fact that the group uses a commercial phishing kit called 0ktapus. Unit 42, on the other hand, says that more groups are using 0ktapus, which means it is not 100% certain that Muddled Libra was behind the campaign.
Muddled Libra is a threat actor known for targeting organizations in the software automation, BPO, telecommunications, and technology industries. Between mid-2022 and early 2023, Unit 42 researchers investigated “more than half a dozen” incidents related to this threat actor.
Via: The Hacker News