How the Okta Cross-Tenant Impersonation Attacks Succeeded

We Keep you Connected

How the Okta Cross-Tenant Impersonation Attacks Succeeded

A series of highly sophisticated attacks have sparked significant concerns among organizations that rely on multifactor authentication (MFA), particularly those using vendors like Okta. These attacks have notably targeted hospitality groups and casinos, raising alarm bells across the industry. One particularly concerning method is the cross-tenant impersonation attack, which has impacted multiple Okta customers in the United States. These attacks have garnered global attention due to their severe repercussions on major organizations.
MGM Resorts, one of the affected entities, has not yet fully disclosed the extent of the attack. Therefore, our understanding is primarily based on information provided by the ALPHV hackers, also known as BlackCat, regarding its potential breach of MGM. (There is debate regarding if they are responsible for the attack.) While official details remain undisclosed, BusinessNews reports MGM incurred staggering daily losses of $8.4 million as a result of these attacks. There is also damage stemming from ransomware incidents. The Wall Street Journal reports that Caesars, a fellow gaming and hospitality services provider, recently paid a substantial $15 million ransom to ALPHV.
Identity attacks, which often involve impersonation and privilege escalation, are a growing persistent threat to organizations worldwide. To truly understand the gravity, it’s essential to delve into the history of impersonation-type attacks and recognize the urgency they present.
Impersonation attacks have a long and troubling history. Cybercriminals have been exploiting identity misconfigurations (weak password policies, inadequate MFA, lack of rate limiting, stale user accounts handling, and so on) for decades, but the methods and sophistication of these attacks have evolved dramatically. In the Internet’s early days, simple tactics like phishing emails were used to steal login credentials. However, as technology advanced, so did attackers. Today, we face a formidable array of threats, such as impersonation attacks that specifically target an organization’s identity and access management (IAM) systems.
Many organizations have adopted Okta, a robust IAM platform, to enhance their security posture. Okta offers a comprehensive set of tools to manage user identities, control access to applications, and enforce security policies. However, even when Okta is configured correctly, MFA is turned on, and permissions are meticulously managed, absolute security is not guaranteed. The reason? Account takeovers and privilege escalation are persistent threats that can evade even the most well-architected systems.
Account takeovers occur when malicious actors gain access to a legitimate user’s credentials, often through phishing or credential stuffing attacks. Once inside, they can exploit these credentials to impersonate the user, potentially gaining access to sensitive data or elevating their privileges within the organization. Privilege escalation involves exploiting vulnerabilities or misconfigurations in the IAM system itself to gain unauthorized access to higher-level accounts or resources.
MFA, often hailed as a security silver bullet, is not a cure-all for these threats. While MFA provides an additional layer of security by requiring multiple forms of authentication, determined attackers can still find ways to bypass it. For instance, they may target the second factor, such as a mobile device, or use social engineering tactics to trick users into approving access.
In recent security incidents involving Okta, hacking groups like ALPHV and Scattered Spider targeted multiple organizations, including MGM and Caesars. These threat actors employed a series of five tactics, techniques, and procedures (TTPs):
These TTPs highlight the evolving sophistication of identity attacks and the need for organizations, including Okta clients, to bolster identity threat detection and response measures to safeguard their systems. Best practices within IAM include:

  • Least privilege: Ensure users have the minimum necessary permissions to perform their roles.
  • Regular auditing: Continuously monitor and audit permissions and access logs.
  • Conditional access policies: Restrict access based on specific conditions, such as device location.
  • Identity threat detection and response (ITDR): If the above best practices are not sufficient, the last line of defense is a real-time ITDR solution to detect suspicious activity within the identity accounts by analyzing IAM logs.

No Solution Can Guarantee Absolute Security

Identity attacks, particularly impersonation attacks, represent a significant and growing threat to organizations. Despite implementing robust IAM solutions like Okta, no system can guarantee absolute security. Account takeovers, privilege escalation, and other identity-related threats evolve.
To address this challenge, organizations must prioritize ITDR strategies, bolstered by comprehensive user education and best practices. Identity attacks are a top priority for chief information security officers (CISOs) because compromising access control can lead to catastrophic data breaches and significant financial and reputational damage. Recognizing the urgency of this issue and taking proactive measures is essential to safeguarding your organization’s sensitive data and assets in an era where identity is the new battleground for cybercriminals.
Copyright © 2023 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.