0ktapus for humans

On August 7th this year an attack called #oktapus started to get uncovered by Group-IB. The attack was targeting Okta customers, but how does the sentence “9,931 accounts at more than 130 organizations were compromised by a phishing attack on Twilio and Cloudflare employees” make sense? These are just two companies and only one of them reported the attack to be successful. So how does that data make sense? Let me start with an old joke: A man is flying in a hot air balloon and realizes that he is lost. He reduces height and spots a man down below. He lowers the balloon further and shouts, “Excuse me. Can you help me? I promised a friend I would meet him half an hour ago, but I don’t know where I am.” The man below says, “Yes. You are in a hot air balloon, hovering approximately 30 feet above this field. You are between 40 and 42 degrees north latitude, and between 58 and 60 degrees west longitude.” “You must be an engineer,” says the balloonist. “I am”, replies the man. “How did you know?” “Well…” says the balloonist. “Everything you told me was technically correct, but I have no idea what to make of your information and the fact is I am still lost.”

I am going to skip the retort about the balloonist being a manager, but we get the point. #management and #engineering have a communication gap and in #security it’s even worse, as we #engineers talk jargon and details, trying to impress our peers rather than explaining what we are seeing. I am going to do what Richard Feynman did to the Challenger report, oversimplify it. I am going to make hypotheses without complete data and skip details, but give a big picture that is #ciso readable and action-oriented to help address the following:

1. If you are an Okta customer, should you be worried and what should you do?

2. What does the recent attack mean in terms of security threats and the direction it is taking. (and why you should care about #itdr)

What do we know so far?

Around August 4th a #phishing attack targeting the texting infrastructure company Twilio was launched. The attack targeted its Okta infrastructure, while trying to dig deeper at attacking Okta customers. There was also a failed attack targeting Cloudflare. We know the attackers also gained access to Signal Messenger. The attack was first reported by Group-IB and each of the companies attacked, including DoorDash, all acted in a very responsible and transparent way. They reported timelines and #iocs , provided screenshots and reversing reporting. But no one has said what it means for customers and users. So here are a few points, in order of importance to you, an Okta or #AzureAD customer.

1. The attack was very well planned, but not very technologically sophisticated. They used a known toolkit that emulates the Okta login page, mainly for desktop, but they also targeted mobile. Meaning this was a smart attacker making the most of the tools they have. Why target Okta now? Well because, like RSA 13 years ago, they hold the keys to the kingdom in many organizations. For you, the customer that thinks that MFA (often based on weak factors like SMS) solves all your Identity threats, well, this is not the case. We passed the stage where outrunning the slowest of the group was enough. Now you do need to outrun the bear, or at least a big enough part of the pack. Later in this article I will give you tips on how to outrun the pack.

2. Most text messages over the internet go through companies like Twilio, so if someone wants to attack users using SMS, you would go after such companies. If I were to attack such companies, intending to hijack authentication sessions, capturing SMS traffic for authenticators would be my move. I am not sure if either Okta or Twilio commented on what role Twilio plays in Okta SMS traffic, but I would not be surprised if the former was used to carry authentication messages. It is interesting that they have a dependency on one another.

3. Also, I would guess Okta leverages Cloudflare, because this is not the first attack relating to both. Someone is trying to host and hijack Okta-hosted login pages. Okta allows you to pick one of three options: (i) Okta hosted domain and application, (ii) Okta hosted application, but not domain (custom domain names) and (iii) you host everything.

4. Right now the most valuable assets are credentials. The attack goal was to steal as many of them as possible, partial or full. Specifically, targeting organizations that are part of the global software supply chain. These credentials in turn can be used to attack the next step. This is not the last time it will happen. You need to be able to address an attack on your identity infrastructure provider.

Recommendations

Many customers still have SMS or phone calls as an authentication factor. This needs to go away, even as a recovery factor, unless you keep a close eye on using it for recovery. What factor should I use if my install base refuses to use anything on their personal phones? Are they willing to only access from company devices? If the answer is yes, just install Okta fastpass or Duo Security on their endpoint and use a biometric as a factor. If the answer is no, still consider pressure, mainly due to overall data security. It’s a bit complicated to want access to company data without company oversight. TOTP is not fun, but can also work. Most solutions these days support phone built-in solutions and do not mandate the client.Last solution should be a Yubico security keys, not because they are bad, but rather as the person that dealt with provisioning RSA tokens, physical tokens take forever to get to where they are going, while they are the most effective measure, just ask the person that had his kid flush one down the drain, what they can do then.

To effectively get rid of SMS, you will need to get a sense of who has SMS registered as a second factor, and who is actively using it. Also you need to know if SMS was used as a factor while accessing sensitive applications like the Okta admin console. If you have not migrated to OIE (Okta Identity Engine) yet, you might want to have a stronger policy on specific applications allowing SMS only on the lower-important ones. If you do have OIE, there is a way to allow SMS only for recovery purposes.