Criminals are targeting Okta customers in an attempt to gain access to administrative accounts.
“In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against IT service desk personnel, where the caller’s strategy was to convince service desk personnel to remove all multi-factor authentication (MFA) factors. registered by the caller. very privileged users,” the company confirmed in a blog post.
The campaign was active between July 29 and August 19, 2023, it added.
Confused Libra
Apparently, the attackers (whom Okta declined to name) have already obtained the username and password of the target accounts. However, since these accounts were protected by MFA, the threat actors had no choice but to try to reset the tool.
If successful, the attackers would gain the ability to assign higher privileges to other accounts, reset authenticators for other people, and even remove two-factor authentication if necessary.
While Okta did not say who was behind the campaign, the media came to their own conclusion based on the information provided. So The Hacker News argues that this could be the work of Muddled Libra, an activity cluster that partially overlaps with the likes of Scattered Spider and Scatter Swine. Google’s Mandiant follows the group as UNC3944. They base their conclusion on the fact that the group uses a commercial phishing kit called 0ktapus. Unit 42, on the other hand, claims that multiple groups use 0ktapus, meaning it’s not 100% certain that Muddled Libra was behind the campaign.
Muddled Libra is a threat actor known to target organizations in the software automation, BPO, telecommunications and technology industries. Between mid-2022 and early 2023, Unit 42 investigators investigated “more than half a dozen” incidents related to this threat actor.
Through: The hacker news