Okta has a standard process that can be abused for nefarious purposes. The legitimate method for changing credential details within Okta (for example, if a person gets married and changes her last name and adopts a new email address) can be misused by an attacker to impersonate another existing user.
The potential has been explored by cloud identity firm Permiso. The initial incentive came from a Permiso customer who could see the possibility, but wished to know how a nefarious action could be detected.
The process itself is not simple to abuse, but not impossible. It requires the credentials of either an Okta super administrator or application administrator, and – if necessary – the ability to bypass any MFA deployd. Credentials can be phished or possibly bought off the web. MFA is often urged as a way of making life more difficult for attackers, but is sometimes bypassed by advanced attackers.
The SolarWinds attackers bypassed MFA to gain access to a US think tank’s emails. Until a fix in 2021, Box was vulnerable to an MFA bypass. Varonis commented at the time, “MFA implementations are prone to bugs, just like any other code. MFA can provide a false sense of security.” In March 2022, the FBI warned that Russian state-sponsored threat actors had gained access to networks and systems by exploiting default MFA protocols.
A method for Okta identity impersonation is outlined in a new Permiso report. “When legitimately changing the details of an existing user account, the administrator will simply change the user assignment field to the new credentials,” explains Permiso’s Ian Ahl, VP of P0 Labs. This avoids having to delete the account, create a new one, and fix access to all associated applications.
The malicious process differs from the legitimate process in one detail only: the attacker does not change an identity to a new user, but to an existing user. Ultimately, as described in the Permiso report, this can provide access to the existing user’s account with that user’s privileges.
Ahl describes the attraction of this approach as twofold. “Firstly, attackers want to evade detection. They don’t want to do things under their initial method of access. They want to maintain persistence, and the way they do that is by using other accounts that are less suspicious. Secondly, just because you’re an Okta admin doesn’t mean you will be an admin in other applications that Okta redirects to – for instance, AWS or Gmail. If you want to see the CEO’s mailbox, you must be able to authenticate as that CEO – there’s no other way to do it.”
Permiso’s investigations have discovered numerous examples of the nefarious use of this process. “We’ve seen attackers using the method to gain access, for example, to a CEO’s mailbox. Others have used it for privilege escalation to gain access into AWS. Less maliciously, we’ve seen organizations use the technique to get around license requirements.”
The primary method of detection Is simple but beyond the scope of most organizations without help from technology. If the Okta logs contain an administrator’s name-change using an existing user rather than a new user, Permiso takes it as a clear indication of malicious intent. But these logs can contain tens of millions of sessions every day. Detecting a malicious change is the proverbial needle in the haystack – and, of course, once inside the system a malicious actor can edit the Okta logs to minimize the likelihood of detection.
The irony of using MFA to make such an attack more difficult is that it limits potential attackers to the more advanced groups that would specifically target an enterprise’s cloud accounts. Such attackers would be more capable of hiding their presence and avoiding detection once access has been achieved.
Permiso reported its findings to Okta on July 29, 2022. “Okta informed us that this is expected behavior for the edit user assignments functionality, and recommended ensuring Okta Administrators have MFA required, be tightly controlled, and heavily monitored,” notes the report.
SecurityWeek approached Okta to see if the firm had any further comment. We were told that this is not a problem from Okta’s perspective, and the technique being predicated on administrator access is critical to its use.
“The technique Permiso highlighted is not a vulnerability but an illustration of a typical administrator-level function for troubleshooting other users’ applications and yet another example of why implementing strong multi-factor authentication and regular access reviews is critical for all organizations today,” said Okta. “We appreciate Permiso’s partnership and encourage Okta customers to implement security best-practices outlined here.”
Related: Okta Says Customer Data Compromised in Twilio Hack
Related: Permiso Emerges From Stealth With $10M in Funding
Related: Okta Closes Lapsus$ Breach Probe, Adds New Security Controls
Related: Reality Check on the Demise of Multi-Factor Authentication
