惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
美团技术团队
T
Tenable Blog
大猫的无限游戏
大猫的无限游戏
Schneier on Security
Schneier on Security
S
Schneier on Security
博客园_首页
C
Cyber Attacks, Cyber Crime and Cyber Security
I
Intezer
T
Tailwind CSS Blog
GbyAI
GbyAI
C
CERT Recently Published Vulnerability Notes
博客园 - 【当耐特】
IT之家
IT之家
G
Google Developers Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
P
Privacy International News Feed
Vercel News
Vercel News
Cyberwarzone
Cyberwarzone
N
News and Events Feed by Topic
Application and Cybersecurity Blog
Application and Cybersecurity Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
The Register - Security
The Register - Security
人人都是产品经理
人人都是产品经理
Cisco Talos Blog
Cisco Talos Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Project Zero
Project Zero
V
V2EX
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
月光博客
月光博客
Hacker News - Newest:
Hacker News - Newest: "LLM"
WordPress大学
WordPress大学
L
LangChain Blog
阮一峰的网络日志
阮一峰的网络日志
MongoDB | Blog
MongoDB | Blog
F
Full Disclosure
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
N
News and Events Feed by Topic
G
GRAHAM CLULEY
H
Hacker News: Front Page
Forbes - Security
Forbes - Security
H
Heimdal Security Blog
L
LINUX DO - 最新话题
L
Lohrmann on Cybersecurity
Apple Machine Learning Research
Apple Machine Learning Research
Help Net Security
Help Net Security
C
Cybersecurity and Infrastructure Security Agency CISA
Recent Announcements
Recent Announcements
C
Cisco Blogs
L
LINUX DO - 热门话题

Okta Security RSS Feed

OpenSSL HollowByte: A DoS Hiding in 11 Bytes Datadog and Okta Combine for New Customer Detections Detecting OpenClaw at Sign-In Okta Hardening Guide Updated to Secure Non-Human Identities Okta Pooled Security Audits: a One-Year Retrospective Account Recovery, without Password Resets Okta’s Response to React2Shell Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework Attackers Target Hotelier Accounts in Malvertising and Phishing Campaign Using Auth0 Logs for Proactive Threat Detection Controlling Cross-App Data Sprawl in Google Workspace How this ClickFix campaign leads to Redline Stealer Paving the Path: Pooled Audits with Okta Security Building Confidence in Support Comms with Caller Verify at Okta Enabling ISO/IEC 27001:2022 Compliance with Okta Okta’s Secure by Design Pledge - One Year On Leveraging Okta System Logs for Proactive Threat Detection Enhancing Customer Trust Through a Comprehensive Audit Program Okta's new Security Technical Implementation Guide (STIG) A Guide to DORA Compliance with Okta How AI services power the DPRK’s IT contracting scams Detect and Prevent Cross Device Authentication How Responsible Disclosures are Shaping a Safer Cyberspace Cybersecurity’s Next Gen Next.js CVE-2025-29927 CSO Conversations: Matthew Hansen, Regional CSO of Americas West Empowering Security with Customer Trust Solutions Putting Security First with Secure Development One trick finds the root of any Okta troubles CSO Conversations: Stephen McDermid, Regional CSO of EMEA Content-Security-Policy in a Complex Environment CSO Conversations: Keiko Itakura, Regional CSO of Japan How Okta Embraces Identity Verification Using Persona CSO Conversations: Matt Immler, Regional CSO of Americas East Raising the Bar for our Industry with IPSIE Cyber-Safety over the Holidays Okta Social Engineering Impersonation Report - Response and Recommendation Five Reasons to Upgrade your Org to Okta Identity Engine Okta’s Ongoing Commitment to Secure By Design Unveiling the Essence of the Security Customer Trust Function Security Education Through the Art of Storytelling Seven Ways to Reduce Super Admins in Okta The Case for Zero Standing Privileges FastPass: The battle-hardened authenticator Detecting Cross-Origin Authentication Credential Stuffing Attacks How to Block Anonymizing Services using Okta Why Cyber-heroes need a Zero Trust CAEP! Okta Verify Vulnerability Disclosure Report - Response and Remediation Defensive Domain Registration is a Mug’s Game Protecting Administrative Sessions in Okta How to Secure the SaaS Apps of the Future Okta October 2023 Security Incident Investigation Closure October Customer Support Security Incident - Update and Recommended Actions Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation Tracking Unauthorized Access to Okta's Support System Go “Secure by Default” With Custom Admin Roles for IT support staff BYO Telephony and the future of SMS at Okta Saying “No Thanks” to nOAuth Telling More Okta Detection Stories with Google Chronicle An Unexpected Endorsement for WebAuthn Social Engineering is Getting More Extreme, but the Fixes Can Be Simple Study up on Okta Logs for Splunk’s Boss of the SOC! Keeping Phishing Adversaries Out of the Middle Using Workflows to Respond to Anomalous Push Requests Okta and Splunk Combine to Detect Common Attacks Setting the Right Levels of Assurance for Zero Trust Catch-All's and Canary Rules User Sign-in and Recovery Events in the Okta System Log Okta Code Repositories Detecting Real-Time Phishing Attacks Detecting Real-Time Phishing Attacks Okta’s Response to OpenSSL Security Update Monitoring for Abuse of Administrative Privileges System Log: a Window into Supporting the Okta Cloud The Human Factor in Phishing Resistance Auth0 Code Repository Archives From 2020 and Earlier Phishing Resistance and Why it Matters Detecting Scatter Swine: Insights into a Relentless Phishing Campaign Defending against Session Hijacking Unlocking the Mystery of 700+ Okta System Log Events Official Okta Statement on LAPSUS$ Claims Protection, without perimeters We (still) need to talk about RDP Just How Risky is Legacy Authentication?
Cross-Tenant Impersonation: Prevention and Detection
Defensive Cyber Operations · 2023-08-31 · via Okta Security RSS Feed

Summary

  • Okta has observed attacks in which a threat actor used social engineering to attain a highly privileged role in an Okta customer Organization (tenant).

  • When successful, the threat actor demonstrated novel methods of lateral movement and defense evasion.

  • These methods are preventable and present several detection opportunities for defenders.

In recent weeks, multiple US-based Okta customers have reported a consistent pattern of social engineering attacks against their IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users.

The attackers then leveraged their compromise of highly privileged Okta Super Administrator accounts to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization.

Tactics, Techniques and Procedures

Okta Security has identified a cluster of activity in which:

  • Threat actors appeared to either have a) passwords to privileged user accounts or b) be able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk at a targeted org, requesting a reset of all MFA factors in the target account. In the case of Okta customers, the threat actor targeted users assigned with Super Administrator permissions.

  • The threat actor would access the compromised account using anonymizing proxy services and an IP and device not previously associated with the user account.

  • The compromised Super Administrator accounts were used to assign higher privileges to other accounts, and/or reset enrolled authenticators in existing administrator accounts. In some cases, the threat actor removed second factor requirements from authentication policies.

  • The threat actor was observed configuring a second Identity Provider to act as an "impersonation app" to access applications within the compromised Org on behalf of other users. This second Identity Provider, also controlled by the attacker, would act as a “source” IdP in an inbound federation relationship (sometimes called “Org2Org”) with the target.

  • From this “source” IdP, the threat actor manipulated the username parameter for targeted users in the second “source” Identity Provider to match a real user in the compromised “target” Identity Provider. This provided the ability to Single sign-on (SSO) into applications in the target IdP as the targeted user.

What is Inbound Federation?

Inbound Federation allows access to applications in a target Identity Provider (IdP) if the user has successfully authenticated to a source IdP. The feature can also be used for Just-in-time (JIT) provisioning of users. It’s a feature that is used to save months off mergers, acquisitions and divestitures. It is also popular with large organizations (such as global parent companies) that require central controls or globally provision one set of applications (while also empowering divisions to have some level of autonomy for their own policies and apps).

Given how powerful this is, access to create or modify an Identity Provider is limited to users with the highest permissions in an Okta organization - Super Administrator or Org Administrator. It can also be delegated to a Custom Admin Role to reduce the number of Super Administrator’s required in large, complex environments.

These recent attacks highlight why protecting access to highly privileged accounts is so essential.

Prevention

Based on our analysis of this intrusion, we recommend Okta customers implement our industry-leading, phishing-resistant methods for enrollment, authentication and recovery; restrict the use of highly privileged accounts, and apply dedicated access policies for administrative users and monitor and investigate anomalous use of functions reserved for privileged users.

A more detailed set of recommendations is listed below:

  • Protect sign-in flows by enforcing phishing-resistant authentication with Okta FastPass and FIDO2 WebAuthn.

  • Enable Protected Actions (under Settings > Features) to force re-authentication whenever an administrative user attempts to perform sensitive actions.

  • Configure Authentication Policies (Application Sign-on Policies) for access to privileged applications, including the Admin Console, to require re-authentication “at every sign-in”.

  • If using self-service recovery, initiate recovery with the strongest available authenticator, and limit recovery flows to trusted networks (by IP, ASN or geolocation).

  • Review and consolidate the use of Remote Management and Monitoring (RMM) tools by help desk personnel, and block execution of all other RMM tools.

  • Strengthen help desk identity verification processes using visual verification.

  • Turn on and test New Device and Suspicious Activity end-user notifications.

  • Take a "Zero Standing Privileges" approach to administrative access. Assign administrators Custom Admin Roles with the least permissions required for daily tasks, and require dual authorization for JIT (just-in-time) access to more privileged roles.

  • Constrain custom help desk roles with resource sets that exclude groups of highly privileged administrators.

  • Enforce dedicated admin policies - Assign all administrators to groups. Require users in these groups to sign-in from managed devices and via phishing resistant MFA (Okta FastPass, FIDO2 WebAuthn). Restrict this access to trusted Network Zones and deny access from anonymizing proxies.

  • Apply ASN and IP Session Binding (from Settings > Features) to all administrative apps to prevent the replay of stolen administrative sessions.

Detection and Response

The following System Log events and Workflows templates can be adapted to detect several of the TTPs listed above.

Stage of Attack

System Log Query

Workflows Templates/Further Advice

Detect AiTM phishing using FastPass

eventType eq "user.authentication.auth_via_mfa" AND result eq "FAILURE" AND outcome.reason eq "FastPass declined phishing attempt"

Monitor Unsuccessful Phishing Attempts

User Denied Access due to ASN/IP Session Binding

eventType eq "security.session.detect_client_roaming"

Support article

Alert on Factor Resets

eventType eq "user.mfa.factor.reset_all"

Trigger Notifications when All MFA Factors are Reset

Alert on Factor Downgrades

There is no System Log event for a Factor downgrade. To monitor all activation and deactivation events, use the following query: eventType sw

"system.mfa.factor"

Tracking and Alerting for Possible Account Takeover Events

Alert on User Suspicious Activity Reports

eventType eq "user.account.report_suspicious_activity_by_enduser"

Suspicious Activity Reported

Alert on New Behaviors during Access to Okta Admin Console

eventType eq "policy.evaluate_sign_on" and target.displayName eq "Okta Admin Console" and debugContext.debugData.behaviors co "POSITIVE"

and

eventType eq "policy.evaluate_sign_on" and target.displayName eq "Okta Admin Console" and debugContext.debugData.LogOnlySecurityData co "POSITIVE"

We recommend administrators use Expression Language to alert on access to the Admin Console from users that meet the following conditions:

security.behaviors.contains('New IP') && security.behaviors.contains('New Device')

Alert on Sign-In Attempts via Anonymizing Proxies

eventType eq "user.session.start"

and

securityContext.isProxy eq "true"

We recommend administrators deny sign-ins from these services in policy using a Dynamic Network Zone.

Alert on Creation of an Identity Provider by a Super Administrator or Org Administrator

eventType eq "system.idp.lifecycle.create" Alternative that includes all creation and modification events:

eventType sw "system.idp.lifecycle"

We recommend delegating access to this feature to a Custom Admin Role with the minimum required permissions.

Alert on Sign-In Events via a Third-Party Identity Provider

eventType eq "user.authentication.auth_via_IDP"

We recommend alerting on these events if the organization does not currently use the Inbound Federation feature.

Indicators of Compromise

For the period 2023-07-29 to 2023-08-19

IP addresses:

IP

24.189.245.79

74.105.157.5

174.199.192.95

98.113.77.43

108.21.89.22

75.252.4.33

73.205.234.246

99.25.84.9

185.56.83.225

96.244.225.43

Change Log

1.2 - Mar 8, 2024

  • Updated recommendations to include new features released as part of Okta Secure Identity Commitment: Protected Actions, ASN/IP Session Binding.

  • Updated detections section to include System Log event for for an authentication failure arising from session binding.

1.1 - Sep 9, 2023

  • Updated Prevention section to include advice on constraining help desk administrators to specific user groups.

  • Updated Detection section. While defenders can alert on IdP creation (eventType eq "system.idp.lifecycle.create"), an alternative approach is to alert on any creation or modification using the "starts with" qualifier (eventType sw "system.idp.lifecycle")

1.0 - Sep 1, 2023

  • Original Version Published

The Defensive Cyber Operations (DCO) team is responsible for detecting and responding to cyber threats that impact Okta or our customers via the Okta platform. Our intelligence-driven capability identifies the adversaries most likely to impact Okta and our customers, and prioritises our defensive capabilities based on the threats most likely to be realised.