Just over a week ago, Okta made known that their customers have been targeted by a coordinated social engineering attack with the goal of gaining access to highly privileged admin accounts in the customer’s Okta tenants. These Super Administrator accounts are then used to gain access to other applications and data. Several Okta customers have already been compromised by this attack.
How the attack occurs
The group of tactics in this phishing and social engineering attack are collectively called an “Org2Org” attack with the end goal of gaining access to an Okta customers’ Super Administrator accounts which then opens up access to other downstream applications and data:
- Attackers either have harvested passwords of privileged user accounts or manipulate the delegated authentication flow via Microsoft Active Directory (AD).
- The attacker then calls the target organization’s IT service desk and requests a reset of all MFA factors for users assigned Super Administrator permissions.
- The compromised Super Administrator accounts are used to assign higher privileges to other accounts, reset enrolled authenticators in existing administrator accounts and sometimes remove the 2FA requirement from authentication policies.
- The threat actor then configures a new Identity Provider (IdP) controlled by the attacker to act as an “impersonation app” to access applications within the compromised organization on behalf of other users: the new IdP acts as a “source” in an inbound federation relationship with the target.
- From this “source” IdP, the threat actor manipulates the username parameter for targeted users in the second “source” IdP to match a real user in the compromised “target” Identity Provider. This enables the attacker to masquerade as the targeted user and use Single sign-on (SSO) to access applications in the target IdP.
Okta Security provides more context about the tactics, techniques and procedures that security practitioners and stakeholders should be aware of in their own blog.
Why it matters: Okta Super Admin accounts provide full access to critical apps and data
Companies use Okta and other identity providers to manage authentication for human users. Using MFA, SSO, and complex password management, Okta provides a necessary layer of authentication security for organizations.
While Okta is a premier authentication platform it’s important to note that organizations gain a defensive advantage when authentication and authorization are separated.
Because authentication and authorization are often bound together, it results in accounts with standing elevated privileges—this significantly increases the attack surface for targeted organizations: in Okta, Super Admins can manage all Okta identities, including corporate admins, third-party contractors, and various workloads and tokens.
When threat actors compromise a Super Admin account, they have full access to the Okta environment that allows them to:
- Create new users such as new Super Admin shadow accounts
- Delete logs so they can cover up their attack and thus gain persistence in the target’s environment
- Modify policies including access controls
- Turn off security controls like 2FA
As the hack demonstrates, the ability to stop malicious hackers before they gain admin privileges is critical both for the IAM vendor and its customers. As part of their overall security and cloud operations, organizations should add an extra layer of security implementing Just-In-Time (JIT) access to critical cloud infrastructure and applications, both of which can make sensitive data available with unauthorized access.
What this attack pattern makes clear is that threat actors will continue to use identity tooling—in this case Okta—for their own objectives.
Britive’s automated JIT privileged access and approvals can thwart attackers
The Britive Identity Security Platform augments Okta’s authentication management platform by providing access only for the amount of time necessary for an identity—human or machine-based—to complete a task. With Britive, privileges are delivered Just-In-Time (JIT): this includes Super Admin account privileges.
These temporary access privileges fit seamlessly into the approval workflow processes, which empowers users with pre-authorized access privileges that expire automatically after use.
Britive’s approval workflows can provide multiple levels of approvals which in turn can block third-parties—including those who appear to be legitimate identities—requesting Super Admin level privileges.
Britive also manages the authorization process separately, giving organizations a critical extra layer of defense by separating authentication from authorization, the later of which ultimately determines what cloud-based resources (such as database, app, service, compute or storage instance) an identity can access and what level of permission they have to use that resource (e.g., create, read, update, or delete).
JIT privileges remove the 24/7 risk exposure that results from standing privileges. Moreover, Britive lets you monitor privileged user activity, including when, where and how privileges were invoked and used: having this critical capability enables security and operations teams to recognize questionable activities by identities that are not within scope or expected for a user’s role.
This valuable privileged activity data can also be fed into a SIEM for further analysis and correlation with telemetry your other security tooling provides for a clearer picture of how identity access is being used in your organization: this is key to effectively securing cloud environments and apps as part of an overall unified access model.
Watch the JIT Access Demo for Okta Super Admin Accounts:
The attack targeting Okta Super Admin accounts is concerning because it increases risk to customers with serious outcomes of an identity-related breach. But as the attack surface evolves, organizations can leverage JIT privileged access to thwart subsequent attacks.
Unlike other cloud security monitoring tools, Britive can effectively mitigate the risk of privilege account compromise (e.g. compromising Okta Super Admin accounts) by eliminating standing privileges while also providing in-depth activity logging and analysis. Other security benefits of implementing a JIT authorization solution like Britive include:
- Effective just-in-time access management that works across IaaS, PaaS, DaaS, Kubernetes clusters and hybrid environments
- 100% API-driven implementation means a direct connection to any cloud platform or app—without exposure to additional security risks
- Eliminating standing privileges for both business users and cloud app developers
- Granting elevated privileges to cloud app developers and platform engineers only when needed
To learn more about protecting access to your cloud environment with effective JIT access request a demo today.