<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Lapsus$ - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/actors/lapsus/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/actors/lapsus/feed.xml" rel="self" type="application/rss+xml"/><item><title>Okta Multiple Failed MFA Requests Indicate Potential MFA Bypass Attempt</title><link>https://feed.craftedsignal.io/briefs/2024-01-okta-mfa-bypass/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-okta-mfa-bypass/</guid><description>An adversary may attempt to bypass MFA by bombarding a user with repeated authentication requests, potentially leading to unauthorized access and system compromise.</description><content:encoded><![CDATA[<p>This brief addresses the threat of adversaries attempting to bypass multi-factor authentication (MFA) in Okta environments. Attackers, such as the Lapsus$ group and APT29, may employ techniques involving repeated MFA requests to overwhelm a user, hoping they will eventually approve a request either accidentally or out of frustration. This analytic focuses on identifying anomalous activity characterized by a high number of failed MFA attempts for a single user within a short timeframe. Specifically, the detection triggers when more than 10 failed MFA attempts are observed within a 5-minute window, based on Okta event logs. A successful MFA bypass can grant unauthorized access to sensitive resources, potentially leading to data breaches and further compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker obtains valid credentials for an Okta user, potentially through phishing or credential stuffing.</li>
<li>The attacker attempts to authenticate to Okta using the compromised credentials.</li>
<li>Okta prompts the user for MFA.</li>
<li>The attacker initiates a rapid series of authentication attempts, triggering multiple MFA requests to the user's device.</li>
<li>The user experiences a barrage of MFA push notifications or phone calls.</li>
<li>The attacker hopes the user approves one of the MFA requests either accidentally or due to fatigue.</li>
<li>If the user approves an MFA request, the attacker gains access to the Okta account.</li>
<li>The attacker leverages the compromised Okta account to access applications and resources protected by Okta, potentially leading to data exfiltration or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful MFA bypass can lead to unauthorized access to critical systems and data. This can result in data breaches, financial losses, and reputational damage. The Okta Account Takeover analytic story highlights the potential impact. Given that Okta is often used as a central identity provider, a compromise can have wide-ranging consequences across an organization's entire infrastructure. Identifying and mitigating these attacks is crucial to maintaining a strong security posture.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rules to your SIEM to detect suspicious patterns of failed MFA requests in Okta logs.</li>
<li>Investigate any alerts generated by these rules, paying close attention to the source IP addresses (<code>src_ip</code>) associated with the failed attempts.</li>
<li>Implement user training to educate employees about the risks of MFA fatigue and how to recognize and report suspicious MFA requests.</li>
<li>Configure Okta to limit the number of MFA requests that can be initiated within a specific timeframe to mitigate MFA fatigue attacks.</li>
<li>Use Okta Risk Engine to detect and block suspicious login attempts based on factors such as location, device, and behavior.</li>
<li>Review Okta event logs for <code>user.authentication.auth_via_mfa</code> events with <code>outcome.result=FAILURE</code> to identify potential MFA bypass attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>okta</category><category>mfa</category><category>credential-access</category><category>mfa-bypass</category></item></channel></rss>