{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/lapsus/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Lapsus$","APT29","Cozy Bear","NOBELIUM","UNC2452","Midnight Blizzard","The Dukes"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Okta"],"_cs_severities":["high"],"_cs_tags":["okta","mfa","credential-access","mfa-bypass"],"_cs_type":"threat","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThis brief addresses the threat of adversaries attempting to bypass multi-factor authentication (MFA) in Okta environments. Attackers, such as the Lapsus$ group and APT29, may employ techniques involving repeated MFA requests to overwhelm a user, hoping they will eventually approve a request either accidentally or out of frustration. This analytic focuses on identifying anomalous activity characterized by a high number of failed MFA attempts for a single user within a short timeframe. Specifically, the detection triggers when more than 10 failed MFA attempts are observed within a 5-minute window, based on Okta event logs. A successful MFA bypass can grant unauthorized access to sensitive resources, potentially leading to data breaches and further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker obtains valid credentials for an Okta user, potentially through phishing or credential stuffing.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to Okta using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eOkta prompts the user for MFA.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a rapid series of authentication attempts, triggering multiple MFA requests to the user's device.\u003c/li\u003e\n\u003cli\u003eThe user experiences a barrage of MFA push notifications or phone calls.\u003c/li\u003e\n\u003cli\u003eThe attacker hopes the user approves one of the MFA requests either accidentally or due to fatigue.\u003c/li\u003e\n\u003cli\u003eIf the user approves an MFA request, the attacker gains access to the Okta account.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised Okta account to access applications and resources protected by Okta, potentially leading to data exfiltration or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful MFA bypass can lead to unauthorized access to critical systems and data. This can result in data breaches, financial losses, and reputational damage. The Okta Account Takeover analytic story highlights the potential impact. Given that Okta is often used as a central identity provider, a compromise can have wide-ranging consequences across an organization's entire infrastructure. Identifying and mitigating these attacks is crucial to maintaining a strong security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious patterns of failed MFA requests in Okta logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, paying close attention to the source IP addresses (\u003ccode\u003esrc_ip\u003c/code\u003e) associated with the failed attempts.\u003c/li\u003e\n\u003cli\u003eImplement user training to educate employees about the risks of MFA fatigue and how to recognize and report suspicious MFA requests.\u003c/li\u003e\n\u003cli\u003eConfigure Okta to limit the number of MFA requests that can be initiated within a specific timeframe to mitigate MFA fatigue attacks.\u003c/li\u003e\n\u003cli\u003eUse Okta Risk Engine to detect and block suspicious login attempts based on factors such as location, device, and behavior.\u003c/li\u003e\n\u003cli\u003eReview Okta event logs for \u003ccode\u003euser.authentication.auth_via_mfa\u003c/code\u003e events with \u003ccode\u003eoutcome.result=FAILURE\u003c/code\u003e to identify potential MFA bypass attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-okta-mfa-bypass/","summary":"An adversary may attempt to bypass MFA by bombarding a user with repeated authentication requests, potentially leading to unauthorized access and system compromise.","title":"Okta Multiple Failed MFA Requests Indicate Potential MFA Bypass Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-mfa-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Lapsus$","version":"https://jsonfeed.org/version/1.1"}