How the Okta Cross-Tenant Impersonation Attacks Succeeded

Sophisticated attacks on MGM and Caesars underscore the reality that even robust identity and access management may not be enough to protect you.

Nigel Douglas, Senior Technical Manager, Detection & Response, Sysdig

September 27, 2023

4 Min Read
Okta logo
Source: Ahmed Zaggoudi via Alamy Stock Photo

A series of highly sophisticated attacks have sparked significant concerns among organizations that rely on multifactor authentication (MFA), particularly those using vendors like Okta. These attacks have notably targeted hospitality groups and casinos, raising alarm bells across the industry. One particularly concerning method is the cross-tenant impersonation attack, which has impacted multiple Okta customers in the United States. These attacks have garnered global attention due to their severe repercussions on major organizations.

MGM Resorts, one of the affected entities, has not yet fully disclosed the extent of the attack. Therefore, our understanding is primarily based on information provided by the ALPHV hackers, also known as BlackCat, regarding its potential breach of MGM. (There is debate regarding if they are responsible for the attack.) While official details remain undisclosed, BusinessNews reports MGM incurred staggering daily losses of $8.4 million as a result of these attacks. There is also damage stemming from ransomware incidents. The Wall Street Journal reports that Caesars, a fellow gaming and hospitality services provider, recently paid a substantial $15 million ransom to ALPHV.

Identity Attacks on the Rise

Identity attacks, which often involve impersonation and privilege escalation, are a growing persistent threat to organizations worldwide. To truly understand the gravity, it's essential to delve into the history of impersonation-type attacks and recognize the urgency they present.

Impersonation attacks have a long and troubling history. Cybercriminals have been exploiting identity misconfigurations (weak password policies, inadequate MFA, lack of rate limiting, stale user accounts handling, and so on) for decades, but the methods and sophistication of these attacks have evolved dramatically. In the Internet's early days, simple tactics like phishing emails were used to steal login credentials. However, as technology advanced, so did attackers. Today, we face a formidable array of threats, such as impersonation attacks that specifically target an organization's identity and access management (IAM) systems.

Configuring Okta Correctly May Not Be Enough

Many organizations have adopted Okta, a robust IAM platform, to enhance their security posture. Okta offers a comprehensive set of tools to manage user identities, control access to applications, and enforce security policies. However, even when Okta is configured correctly, MFA is turned on, and permissions are meticulously managed, absolute security is not guaranteed. The reason? Account takeovers and privilege escalation are persistent threats that can evade even the most well-architected systems.

Account takeovers occur when malicious actors gain access to a legitimate user's credentials, often through phishing or credential stuffing attacks. Once inside, they can exploit these credentials to impersonate the user, potentially gaining access to sensitive data or elevating their privileges within the organization. Privilege escalation involves exploiting vulnerabilities or misconfigurations in the IAM system itself to gain unauthorized access to higher-level accounts or resources.

MFA, often hailed as a security silver bullet, is not a cure-all for these threats. While MFA provides an additional layer of security by requiring multiple forms of authentication, determined attackers can still find ways to bypass it. For instance, they may target the second factor, such as a mobile device, or use social engineering tactics to trick users into approving access.

Impersonation Attack Tactics

In recent security incidents involving Okta, hacking groups like ALPHV and Scattered Spider targeted multiple organizations, including MGM and Caesars. These threat actors employed a series of five tactics, techniques, and procedures (TTPs):

  1. Privileged user account access: Attackers gained access to privileged user accounts or manipulated authentication flows to reset MFA factors.

  2. Anonymizing proxy services: They used anonymizing proxies to obscure their identity and location.

  3. Privilege escalation: They leveraged compromised "super administrator" accounts to assign higher privileges, reset authenticators, and alter authentication policies.

  4. Impersonation via second identity provider: Threat actors configured a second identity provider to impersonate users and access applications within the compromised organizations.

  5. Username manipulation: They manipulated usernames to perform single sign-on (SSO) into applications, effectively impersonating targeted users.

These TTPs highlight the evolving sophistication of identity attacks and the need for organizations, including Okta clients, to bolster identity threat detection and response measures to safeguard their systems. Best practices within IAM include:

  • Least privilege: Ensure users have the minimum necessary permissions to perform their roles.

  • Regular auditing: Continuously monitor and audit permissions and access logs.

  • Conditional access policies: Restrict access based on specific conditions, such as device location.

  • Identity threat detection and response (ITDR): If the above best practices are not sufficient, the last line of defense is a real-time ITDR solution to detect suspicious activity within the identity accounts by analyzing IAM logs.

No Solution Can Guarantee Absolute Security

Identity attacks, particularly impersonation attacks, represent a significant and growing threat to organizations. Despite implementing robust IAM solutions like Okta, no system can guarantee absolute security. Account takeovers, privilege escalation, and other identity-related threats evolve.

To address this challenge, organizations must prioritize ITDR strategies, bolstered by comprehensive user education and best practices. Identity attacks are a top priority for chief information security officers (CISOs) because compromising access control can lead to catastrophic data breaches and significant financial and reputational damage. Recognizing the urgency of this issue and taking proactive measures is essential to safeguarding your organization's sensitive data and assets in an era where identity is the new battleground for cybercriminals.

About the Author

Nigel Douglas

Senior Technical Manager, Detection & Response, Sysdig

Nigel Douglas plays a key role in driving education for the detection and response segment for cloud and container security at Sysdig. He spends his time drafting articles, blogs, and taking the stage to help bring awareness to how security needs to change in the cloud. Prior to his current role at Sysdig, he held similar positions in product, alliance, and technical marketing at Tigera, Malwarebytes, Solarwinds, and Google. He is currently working on a Master of Science in Cybersecurity, Privacy, and Trust at South East Technological University in Ireland.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights