Threat Feed
medium advisory

Okta Admin Role Assignment Creation

Detection of new admin role assignments in Okta, potentially indicating privilege escalation or persistence attempts by malicious actors.

Okta is a widely used identity and access management (IAM) platform, which makes it a prime target for attackers seeking unauthorized access to the applications behind it. This threat covers the creation of new admin role assignments within Okta. An attacker who compromises an Okta account that already holds sufficient privileges, or who bypasses a security control, may escalate privileges or establish persistence by assigning admin roles to accounts they control. Because a role assignment is a single configuration change rather than an ongoing session, it is easy to miss without active monitoring, and it grants the attacker lasting control over the Okta tenant and every connected application. Monitoring for anomalous admin role assignments is therefore crucial for early detection.

Attack Chain

  1. Initial Access: Attacker gains unauthorized access to an Okta account, possibly through credential phishing, brute-force attacks, or exploitation of vulnerabilities.
  2. Privilege Check: The attacker verifies the privileges of the compromised account to determine if it has sufficient permissions to create new admin role assignments.
  3. Admin Console Access: The attacker signs in with the compromised account and opens the Okta Admin Console.
  4. Role Assignment Creation: The attacker navigates to the role assignment section and initiates the creation of a new admin role assignment.
  5. Configuration: The attacker specifies the target user or group for the new admin role assignment.
  6. Audit Logging: Okta records the change in the System Log. Binding a custom admin role through a resource set produces the event type 'iam.resourceset.bindings.add'; granting one of the standard admin roles to a user is logged as 'user.account.privilege.grant'. Either entry captures the acting account (actor), the client IP address, and the role and account granted (target), which is what the detection keys on.
  7. Persistence: The attacker uses the newly created admin role assignment to maintain persistent access to the Okta environment even if the initial compromised account is detected and remediated.

Impact

Successful exploitation could lead to complete control over the Okta environment, affecting all connected applications and services. An attacker with admin privileges can modify user accounts, reset passwords, access sensitive data, and potentially compromise the entire organization. The number of affected users and systems depends on the scope of the Okta deployment, but the impact can be significant, potentially affecting thousands of users and critical business operations.

Recommendation

  • Deploy the Sigma rule Okta Admin Role Assignment Created to your SIEM and tune it for your environment, for example by allowlisting the service accounts and source addresses your change-management process uses, so that the remaining alerts reflect unexpected admin role grants.
  • Investigate any alert generated by the Okta Admin Role Assignment Created rule: confirm the actor, client IP address and target account against an approved change request before treating the assignment as legitimate, and revoke the role if it cannot be accounted for.
  • Implement multi-factor authentication (MFA) for all Okta accounts, especially those with administrative privileges, to mitigate the risk of credential compromise.
  • Regularly review and audit Okta admin role assignments to identify and remove any unnecessary or unauthorized privileges.

Detection coverage (2 rules)

Okta Admin Role Assignment Created

medium

Detects when a new admin role assignment is created in Okta, potentially indicating privilege escalation or persistence attempts.

sigma | tactics: persistence | sources: okta
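The following is an added example, not code from the original advisory or from Okta: it applies the logic the Okta Admin Role Assignment Created rule describes (match on the event type named in the attack chain, plus the standard-role grant event) to Okta System Log records, and suppresses actors on a change-management allowlist. The three log records are constructed for illustration; their field names (eventType, actor, client, target, outcome, published) follow the Okta System Log schema, and the allowlisted account name is hypothetical.

```python
"""Flag new Okta admin role assignments in System Log events.

Added example, not code from the original advisory or from Okta. The sample
records below are constructed; the field names follow the Okta System Log
schema.
"""
import json
from dataclasses import dataclass

# Event types that represent an admin role being granted. The advisory's
# attack chain names the custom-role/resource-set binding event; standard
# admin role grants to a user are logged as 'user.account.privilege.grant'.
ADMIN_GRANT_EVENT_TYPES = {
    "iam.resourceset.bindings.add",
    "user.account.privilege.grant",
}


@dataclass(frozen=True)
class Alert:
    published: str
    event_type: str
    actor: str
    client_ip: str
    targets: tuple
    outcome: str


def _target_names(event):
    """Return 'Type:name' for each target so the analyst sees who got what."""
    return tuple(
        f"{t.get('type', '?')}:{t.get('alternateId') or t.get('displayName') or t.get('id', '?')}"
        for t in event.get("target") or []
    )


def detect_admin_role_grants(events, allowed_actors=frozenset()):
    """Return an Alert for each admin role grant not performed by an allowlisted actor.

    Failed attempts are kept on purpose: a FAILURE outcome on a privilege
    grant still shows an actor trying to expand access.
    """
    alerts = []
    for ev in events:
        if ev.get("eventType") not in ADMIN_GRANT_EVENT_TYPES:
            continue
        actor = (ev.get("actor") or {}).get("alternateId", "unknown")
        if actor in allowed_actors:
            continue
        alerts.append(Alert(
            published=ev.get("published", ""),
            event_type=ev["eventType"],
            actor=actor,
            client_ip=(ev.get("client") or {}).get("ipAddress", "unknown"),
            targets=_target_names(ev),
            outcome=(ev.get("outcome") or {}).get("result", "UNKNOWN"),
        ))
    return alerts


# Constructed sample System Log records (not real Okta output): a routine
# login, a standard-role grant by the change-management service account, and
# a custom admin role bound to a second account by an ordinary admin late at
# night from an unfamiliar address.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"published":"2024-05-01T09:00:00.000Z","eventType":"user.session.start","actor":{"type":"User","alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.5"},"outcome":{"result":"SUCCESS"},"target":[]}
{"published":"2024-05-01T09:05:00.000Z","eventType":"user.account.privilege.grant","actor":{"type":"User","alternateId":"iam-automation@example.com"},"client":{"ipAddress":"198.51.100.9"},"outcome":{"result":"SUCCESS"},"target":[{"type":"User","alternateId":"bob@example.com"},{"type":"ROLE","displayName":"Help Desk Administrator"}]}
{"published":"2024-05-01T23:41:00.000Z","eventType":"iam.resourceset.bindings.add","actor":{"type":"User","alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.77"},"outcome":{"result":"SUCCESS"},"target":[{"type":"ResourceSet","displayName":"All Apps"},{"type":"Role","displayName":"App Admin (custom)"},{"type":"User","alternateId":"svc-backup@example.com"}]}
""".strip().splitlines()]

# Hypothetical change-management account whose grants are expected.
ALLOWED_ACTORS = frozenset({"iam-automation@example.com"})

if __name__ == "__main__":
    for a in detect_admin_role_grants(SAMPLE_EVENTS, ALLOWED_ACTORS):
        print(f"{a.published} {a.event_type} actor={a.actor} ip={a.client_ip} "
              f"outcome={a.outcome} targets={', '.join(a.targets)}")
```

Run as-is it reports only the late-night binding by alice@example.com to svc-backup@example.com; without the allowlist the automation account's Help Desk Administrator grant is reported too. In a SIEM the same logic is a Sigma selection on eventType with a filter on actor.alternateId, and the actor, client IP and target fields carried in the alert are what the investigation step above needs to check against a change request.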

Okta Admin Role Assignment Modified

low

Detects when an existing admin role assignment is modified, potentially indicating unauthorized changes to permissions.

sigma | tactics: persistence | sources: okta
