Okta observed social engineering to elevate privileges within customer tenants and obtain a highly privileged role. Attackers leveraged Inbound Federation and cross-tenant impersonation to access apps and impersonate users, revealing novel lateral movement and defense-evasion methods. #Okta #InboundFederation #Org2Org #CrossTenantImpersonation #FIDO2 #FastPass
Key points
- Pattern of social engineering against IT service desks to reset MFA factors for highly privileged users, enabling unauthorized access.
- Attackers leveraged compromised Okta Super Administrator accounts to escalate privileges and reset authenticators or remove second-factor requirements.
- Threat actors used anonymizing proxies and devices/IPs not associated with the target user to access compromised accounts.
- Attackers configured a second Identity Provider to act as an impersonation app in inbound federation (Org2Org) to access apps in the compromised Org as other users.
- Inbound Federation enables cross-organization access and Just-in-Time (JIT) provisioning, but requires strong access controls; only the highest admin roles are permitted to create or modify IdPs.
- Prevention and detection recommendations include phishing-resistant enrollment and authentication (Okta FastPass, FIDO2 WebAuthn), Protected Actions, least-privilege admin roles with dual authorization for JIT, monitoring for anomalous use of privileged accounts, and binding sessions to ASN/IP.
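The detection recommendations above (MFA resets on privileged users, sign-ins from IPs the user has never used, IdP creation or modification) can be expressed as a small rule set over Okta System Log events. The following is an added example, not code from Okta or the original article; the event type names, the sample log lines and the IP baseline are assumed/constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of Okta System Log events, trimmed to the fields used here.
# Event type names are assumed to follow Okta's System Log naming.
SAMPLE_LOG = """\
{"eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"superadmin@example.com"}],"client":{"ipAddress":"198.51.100.7"},"published":"2023-08-01T10:00:00.000Z"}
{"eventType":"user.session.start","actor":{"alternateId":"superadmin@example.com"},"target":[],"client":{"ipAddress":"203.0.113.9"},"published":"2023-08-01T10:05:00.000Z"}
{"eventType":"system.idp.lifecycle.create","actor":{"alternateId":"superadmin@example.com"},"target":[{"type":"IdentityProvider","displayName":"Org2Org-impersonation"}],"client":{"ipAddress":"203.0.113.9"},"published":"2023-08-01T10:20:00.000Z"}
{"eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"target":[],"client":{"ipAddress":"192.0.2.10"},"published":"2023-08-01T11:00:00.000Z"}
"""

# Constructed baseline: IPs each user has historically signed in from.
# In practice this would be built from weeks of prior session.start events.
KNOWN_IPS = {"superadmin@example.com": {"192.0.2.5"}, "alice@example.com": {"192.0.2.10"}}
SUPER_ADMINS = {"superadmin@example.com"}   # users holding the Super Administrator role
RESET_WINDOW = timedelta(hours=24)          # how long after an MFA reset a new-IP login is suspicious

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")

def detect(log_text):
    """Return (event_index, rule, subject) tuples for each suspicious event."""
    alerts, last_reset = [], {}
    for i, line in enumerate(filter(None, log_text.splitlines())):
        ev = json.loads(line)
        etype, when = ev["eventType"], parse_time(ev["published"])
        actor, ip = ev["actor"]["alternateId"], ev["client"]["ipAddress"]
        if etype == "user.mfa.factor.reset_all":
            # Remember the reset; alert immediately if the target is a Super Admin.
            for t in ev["target"]:
                if t.get("type") == "User":
                    last_reset[t["alternateId"]] = when
                    if t["alternateId"] in SUPER_ADMINS:
                        alerts.append((i, "mfa_reset_of_super_admin", t["alternateId"]))
        elif etype == "user.session.start":
            # A fresh session from an unfamiliar IP shortly after a reset is the key sequence.
            reset_at = last_reset.get(actor)
            if reset_at and when - reset_at <= RESET_WINDOW and ip not in KNOWN_IPS.get(actor, set()):
                alerts.append((i, "new_ip_login_after_mfa_reset", actor))
        elif etype.startswith("system.idp.lifecycle."):
            # IdP changes are rare and should match a change ticket; flag every one.
            names = [t.get("displayName", "?") for t in ev["target"]]
            alerts.append((i, "idp_lifecycle_change", ",".join(names)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```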
MITRE Techniques
- [T1566.003] Phishing – The attacker used social engineering to persuade the service desk to reset MFA factors for highly privileged users. ‘the caller’s strategy was to convince service desk personnel to reset all Multi-factor Authentication (MFA) factors enrolled by highly privileged users.’
- [T1078] Valid Accounts – Compromised Super Administrator accounts were used to assign higher privileges to other accounts or to reset their authenticators. ‘The threat actor targeted users assigned with Super Administrator permissions.’
- [T1199] Trusted Relationship – The attackers configured a second Identity Provider to impersonate a user and access apps within the compromised Org on behalf of other users. ‘second Identity Provider to act as an “impersonation app” to access applications within the compromised Org on behalf of other users.’
Indicators of Compromise
- [IP] Inbound intrusion activity – 24.189.245.79, 74.105.157.5, and 8 more addresses (period 2023-07-29 to 2023-08-19)
Read more: https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection