{"id":16846,"date":"2023-09-06T13:30:57","date_gmt":"2023-09-06T13:30:57","guid":{"rendered":"http:\/\/www.namorgy.com\/blog\/?p=16846"},"modified":"2023-09-06T13:31:00","modified_gmt":"2023-09-06T13:31:00","slug":"hackers-target-high-privileged-okta-accounts-via-help-desk","status":"publish","type":"post","link":"http:\/\/www.namorgy.com\/blog\/2023\/09\/06\/hackers-target-high-privileged-okta-accounts-via-help-desk\/","title":{"rendered":"Hackers Target High-Privileged Okta Accounts via Help Desk"},"content":{"rendered":"\n<p>By <a href=\"https:\/\/www.darkreading.com\/author\/elizabeth-montalbano\">Elizabeth Montalbano<\/a><\/p>\n\n\n\n<p>Threat actors convince employees to reset MFA for Super Admin accounts in the IAM service to leverage compromised accounts, impersonating users and moving laterally within an organization.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/blt7d4766887a1b0233\/634f0b0fd8465a0f34a1fdfc\/identityverification_2fa-jirsak-adobe.jpg?quality=80&amp;format=webply&amp;width=690\" alt=\"\"\/><\/figure>\n\n\n\n<p>Threat actors are using social engineering to convince IT desk personnel to reset multifactor authentication (MFA) for highly privileged Okta enterprise accounts, gaining access to the cloud-based identity access management (IAM) service and moving laterally through targeted networks from there.<\/p>\n\n\n\n<p>Okta is a&nbsp;<a href=\"https:\/\/www.darkreading.com\/dr-tech\/okta-launches-new-workforce-identity-cloud\" target=\"_blank\" rel=\"noreferrer noopener\">cloud-based, enterprise-grade IAM service<\/a>&nbsp;that connects enterprise users across applications and devices, and it&#8217;s used by more than 17,000 customers globally. 
While it was built for&nbsp;<a href=\"https:\/\/www.darkreading.com\/endpoint\/okta-post-exploit-method-exposes-user-passwords\" target=\"_blank\" rel=\"noreferrer noopener\">cloud-based systems<\/a>, it also is compatible with many on-premises applications.<\/p>\n\n\n\n<p>US-based customers of&nbsp;<a href=\"https:\/\/www.darkreading.com\/dr-tech\/okta-launches-new-workforce-identity-cloud\" target=\"_blank\" rel=\"noreferrer noopener\">Okta<\/a>&nbsp;have reported a &#8220;consistent pattern&#8221; of &#8220;cross-tenant impersonation&#8221; attacks in recent weeks, with the actors targeting users assigned with &#8220;Super Administrator&#8221; permissions, the company&nbsp;<a href=\"https:\/\/sec.okta.com\/articles\/2023\/08\/cross-tenant-impersonation-prevention-and-detection\" target=\"_blank\" rel=\"noreferrer noopener\">revealed in a recent blog post.<\/a><\/p>\n\n\n\n<p>&#8220;Threat actors appeared to either have a) passwords to privileged user accounts or b) be able to manipulate the delegated authentication flow via Active Directory (AD) prior to calling the IT service desk at a targeted org, requesting a reset of all MFA factors in the target account,&#8221; according to the post, attributed to Okta&#8217;s Defensive Cyber Operations.<\/p>\n\n\n\n<p>The hackers then access compromised accounts using anonymizing proxy services and an IP and device not previously associated with the user account &#8220;to abuse legitimate identity federation features that enabled them to impersonate users within the compromised organization,&#8221; according to the post.<\/p>\n\n\n\n<p>Read more at: <a href=\"https:\/\/www.darkreading.com\/cloud\/hackers-target-high-privileged-okta-accounts-via-help-desk\">https:\/\/www.darkreading.com\/cloud\/hackers-target-high-privileged-okta-accounts-via-help-desk<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>By Elizabeth Montalbano Threat actors convince employees to reset MFA for Super Admin accounts in the IAM service 
to leverage compromised accounts, impersonating users and moving laterally within an organization. &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"sfsi_plus_gutenberg_text_before_share":"","sfsi_plus_gutenberg_show_text_before_share":"","sfsi_plus_gutenberg_icon_type":"","sfsi_plus_gutenberg_icon_alignemt":"","sfsi_plus_gutenburg_max_per_row":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-16846","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.namorgy.com\/blog\/wp-json\/wp\/v2\/posts\/16846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.namorgy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.namorgy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.namorgy.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.namorgy.com\/blog\/wp-json\/wp\/v2\/comments?post=16846"}],"version-history":[{"count":1,"href":"http:\/\/www.namorgy.com\/blog\/wp-json\/wp\/v2\/posts\/16846\/revisions"}],"predecessor-version":[{"id":16847,"href":"http:\/\/www.namorgy.com\/blog\/wp-json\/wp\/v2\/posts\/16846\/revisions\/16847"}],"wp:attachment":[{"href":"http:\/\/www.namorgy.com\/blog\/wp-json\/wp\/v2\/media?parent=168
46"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.namorgy.com\/blog\/wp-json\/wp\/v2\/categories?post=16846"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.namorgy.com\/blog\/wp-json\/wp\/v2\/tags?post=16846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}