Identity services provider Okta has issued a warning regarding a series of social engineering attacks that have recently targeted multiple U.S.-based Okta customers. These attacks aim to obtain elevated administrator permissions by manipulating IT service desk personnel into resetting all multi-factor authentication (MFA) factors associated with highly privileged users.
Once successful, the threat actors abuse Okta Super Administrator accounts to impersonate users within compromised organizations. The campaign occurred between July 29 and August 19, 2023, and is attributed to an activity cluster known as Muddled Libra, which shares characteristics with Scattered Spider and Scatter Swine.
Central to these attacks is the use of a commercial phishing kit called “0ktapus,” which provides ready-made templates for creating convincing fake authentication portals. These portals are used to harvest user credentials and multi-factor authentication (MFA) codes, and the kit also includes a built-in command-and-control (C2) channel via Telegram.
Although Okta has not revealed the identity of the threat actor, it noted that the tactics align with those associated with Muddled Libra. However, use of the 0ktapus phishing kit alone does not necessarily classify a threat actor as Muddled Libra.
To counter such threats, Okta recommends several measures, including enforcing phishing-resistant authentication, enhancing identity verification processes for help desk personnel, enabling end-user notifications for new devices and suspicious activity, and conducting a review to limit the use of Super Administrator roles.
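The sequence described above (a reset of all MFA factors on a highly privileged account, followed by activity from that account) can be hunted for in identity logs. The following is an added example, not Okta's code: the event type strings and the flattened `actor`/`target` fields are assumptions modeled on Okta System Log entries and should be checked against your tenant's export, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Event type strings are assumptions modeled on Okta System Log names.
RESET_ALL = "user.mfa.factor.reset_all"
FOLLOW_UPS = {
    "user.session.impersonation.initiate",  # admin impersonating a user
    "user.mfa.factor.activate",             # new factor enrolled after the reset
}

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_reset_abuse(events, privileged, window=timedelta(hours=24)):
    """Return (user, reset_time, follow_up_types) for each reset-all on a
    privileged account that was performed by someone else and is followed,
    within `window`, by sensitive activity from that same account."""
    ordered = sorted(events, key=lambda e: parse_ts(e["published"]))
    findings = []
    for i, ev in enumerate(ordered):
        if ev["eventType"] != RESET_ALL:
            continue
        user = ev["target"]
        if user not in privileged or ev["actor"] == user:
            continue  # ignore non-privileged targets and self-service resets
        start = parse_ts(ev["published"])
        follow = [
            later["eventType"]
            for later in ordered[i + 1:]
            if later["actor"] == user
            and later["eventType"] in FOLLOW_UPS
            and parse_ts(later["published"]) - start <= window
        ]
        if follow:
            findings.append((user, ev["published"], follow))
    return findings

# Constructed sample data (hypothetical accounts, not real log entries).
PRIVILEGED = {"superadmin@example.com"}
def _event(ts, etype, actor, target):
    return {"published": ts, "eventType": etype, "actor": actor, "target": target}
SAMPLE_EVENTS = [
    _event("2023-08-01T10:00:00Z", RESET_ALL, "helpdesk@example.com", "superadmin@example.com"),
    _event("2023-08-01T10:05:00Z", "user.mfa.factor.activate", "superadmin@example.com", "superadmin@example.com"),
    _event("2023-08-01T10:20:00Z", "user.session.impersonation.initiate", "superadmin@example.com", "alice@example.com"),
    _event("2023-08-02T09:00:00Z", RESET_ALL, "helpdesk@example.com", "bob@example.com"),
    _event("2023-08-05T09:00:00Z", RESET_ALL, "helpdesk@example.com", "superadmin@example.com"),
]

if __name__ == "__main__":
    for finding in find_reset_abuse(SAMPLE_EVENTS, PRIVILEGED):
        print(finding)
```

A reset with no follow-up activity inside the window is not reported here; depending on help desk volume, a reset-all on any Super Administrator account may be worth alerting on by itself.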