Cyber criminal gangs are telling their targets to stop authenticating with Okta services in what the company’s threat management team is describing as a ringing endorsement of its technology and a lesson in why phishing-resistant authentication methods are now not merely a nice-to-have, but a must-have.
Due to its position as a first line of defence in many organisations, Okta’s identity management systems are frequently targeted by threat actors as they attempt to work their way into their victims’ systems.
Perhaps most famously, its services were exploited by the gang known as Scattered Spider in a series of 2023 cyber heists on Las Vegas casino operators.
This week, Okta’s vice-president of threat intelligence, Brett Winterford, revealed how the firm had stumbled across a new social engineering campaign by an undisclosed threat actor in which the cyber criminals told their targets: “Please sign in normally, do not use the Okta FastPass feature.”
FastPass is a feature in Okta’s Verify service that offers passwordless authentication – such as biometrics or device-based security – to access secured resources.
“This unusual instruction, delivered to targets of a recent social engineering campaign observed by Okta Threat Intelligence, offers a look into how cyber criminals are evolving their tactics in response to higher adoption of advanced, high-assurance sign-in methods,” said Winterford in a blog post.
“During the observed phishing attacks, attackers … tried to convince targeted users to evade security measures the company had in place. The campaign abused trusted instant messaging communications channels – in this case, Slack – to deliver lures to targeted users.”
In the message, headlined “Happy Thursday & Congratulations”, the threat actor posed as a company CEO and messaged the target to invite them to an “exclusive new Slack workspace”.
The message was, of course, a phish, because the threat actor then asked the target to complete the setup by connecting their Okta account via a link.
However, the cyber criminals claimed that they were seeing “some issues” with how Okta FastPass worked with a new Slack integration and told the target not to use FastPass, implying that they should enter their password directly at the link.
The link in question, said Winterford, directed users to visit phishing pages running an adversary-in-the-middle (AiTM) transparent proxy known as Evilginx. This phishing kit would then have passed the password-based authentication request through the threat actor-controlled infrastructure, allowing them to steal passwords and any one-time passcode (OTP) needed to access the resource.
Winterford said attackers well understand that the choice of sign-in methods organisations offer their users is hugely important, noting that AiTM kits aren’t effective in circumstances where there are strong phishing-resistant authentication methods, or phishing resistance was enforced in policy.
“When administrators enforce phishing resistance in an authentication policy rule, a user can only access the protected resource using Okta FastPass, FIDO2-based authentication or PIV [Personal Identity Verification] Smart Cards,” he wrote.
“These sign-in methods will not allow access if the request is routed through a transparent proxy. Users can’t be tricked into selecting any other sign-in method. If all your users are enrolled in phishing-resistant authenticators, you’ve done most of the work,” added Winterford.
