{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/okta-identity-cloud/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta Identity Cloud"],"_cs_severities":["low"],"_cs_tags":["identity","okta","policy","attack.impact"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThis alert identifies modifications or deletions of Okta policies, which govern authentication, authorization, and access control within the Okta Identity Cloud platform. While legitimate administrators routinely update policies, unauthorized changes can weaken security postures and grant malicious actors elevated privileges or bypass security controls. The source event indicates a potential compromise or insider threat activity within the Okta environment. Because Okta serves as a critical identity provider for many organizations, any unauthorized change to its policies can have far-reaching consequences. Detecting policy changes is crucial for maintaining the integrity and security of the Okta environment and preventing potential breaches. 
The targeted scope includes all Okta-managed applications and resources protected by the modified or deleted policy.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains access to an Okta administrator account, either through compromised credentials (e.g., phishing, credential stuffing) or insider access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication:\u003c/strong\u003e The attacker authenticates to the Okta admin console using the compromised or legitimate administrator account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Enumeration:\u003c/strong\u003e The attacker identifies target Okta policies to modify or delete using the Okta admin console or API.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Modification/Deletion:\u003c/strong\u003e The attacker modifies or deletes the targeted Okta policy through the Okta admin console or API. 
This generates a \u003ccode\u003epolicy.lifecycle.update\u003c/code\u003e or \u003ccode\u003epolicy.lifecycle.delete\u003c/code\u003e event.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Potential):\u003c/strong\u003e By modifying policies, the attacker may escalate privileges, granting themselves or other unauthorized users access to sensitive applications and resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Potential):\u003c/strong\u003e With escalated privileges, the attacker moves laterally within the Okta environment, accessing other applications and resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Damage (Potential):\u003c/strong\u003e The attacker leverages the compromised Okta environment to exfiltrate sensitive data or cause damage to connected systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Okta policy modification or deletion can have significant consequences. Unauthorized policy changes can weaken security controls, allowing attackers to bypass authentication mechanisms, escalate privileges, and gain unauthorized access to sensitive applications and data. This could lead to data breaches, financial loss, and reputational damage. The impact depends on the scope of the affected policy and the applications it protects. 
The number of victims could range from a few individuals to the entire organization, depending on the scope of the compromised policy.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect Okta policy modifications or deletions (\u003ccode\u003epolicy.lifecycle.update\u003c/code\u003e, \u003ccode\u003epolicy.lifecycle.delete\u003c/code\u003e event types).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected policy changes to verify their legitimacy and identify the user responsible.\u003c/li\u003e\n\u003cli\u003eReview Okta administrator account activity for any signs of compromise or unauthorized access.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Okta administrator accounts to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Okta policies to ensure they are configured securely and in accordance with security best practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-okta-policy-change/","summary":"An Okta policy was modified or deleted, potentially indicating unauthorized changes to security configurations within the Okta identity management platform by a malicious actor or insider.","title":"Okta Policy Modification or Deletion Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-policy-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta Identity Cloud"],"_cs_severities":["medium"],"_cs_tags":["okta","mfa","credential-access","persistence"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eAttackers may attempt to disable or reset MFA to bypass security controls and gain unauthorized access to user accounts. This activity is often part of a broader attack campaign, such as credential stuffing or account takeover. 
The Okta platform provides detailed logs of user authentication events, including MFA resets and deactivations. Monitoring these events is crucial for detecting and responding to potential account compromise attempts. These attempts can originate from various sources, including compromised administrator accounts or direct attacks on user accounts. The impact of successful MFA bypass can be significant, potentially leading to data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a user\u0026rsquo;s Okta account, possibly through phishing or credential compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Okta tenant using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a request to reset or deactivate one or more of the user\u0026rsquo;s MFA factors through the Okta API or web interface.\u003c/li\u003e\n\u003cli\u003eOkta generates a system log event of type \u003ccode\u003euser.mfa.factor.deactivate\u003c/code\u003e or \u003ccode\u003euser.mfa.factor.reset_all\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker can then authenticate without providing the MFA factor, bypassing a critical security control.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised account to access sensitive applications and data within the Okta environment.\u003c/li\u003e\n\u003cli\u003eThe attacker may perform lateral movement to access other user accounts or systems.\u003c/li\u003e\n\u003cli\u003eThe final objective may include data exfiltration, financial fraud, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful MFA deactivation or reset can lead to complete account takeover. 
Depending on the compromised user\u0026rsquo;s role and access permissions, this could result in significant data breaches, unauthorized access to sensitive systems, and financial losses. The impact scales with the number of compromised accounts and the sensitivity of the data they can access. This activity targets all sectors relying on Okta for identity and access management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect suspicious MFA reset or deactivation attempts in Okta logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts for \u003ccode\u003euser.mfa.factor.deactivate\u003c/code\u003e or \u003ccode\u003euser.mfa.factor.reset_all\u003c/code\u003e events, as described in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview Okta system logs for unusual authentication patterns, focusing on users with recently deactivated MFA factors, as detailed in the Okta API documentation.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring for Okta administrator accounts to prevent unauthorized MFA modifications.\u003c/li\u003e\n\u003cli\u003eEducate users about phishing and credential security to reduce the risk of initial access compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-okta-mfa-reset/","summary":"An attacker attempts to disable or reset multi-factor authentication (MFA) for a user account in Okta, potentially leading to unauthorized access and account compromise.","title":"Okta MFA Reset or Deactivation Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-mfa-reset/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta Identity Cloud"],"_cs_severities":["medium"],"_cs_tags":["persistence","okta"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThe 
creation of Okta API tokens is a legitimate administrative function, but can also be abused by malicious actors to establish persistence within an Okta environment. Monitoring for the creation of these tokens, especially when performed by unexpected users or under unusual circumstances, is crucial for identifying potential security breaches. Okta API tokens allow for programmatic access to Okta resources, making them a valuable asset for attackers seeking to maintain access or perform unauthorized actions. Defenders should prioritize monitoring for these events to quickly identify and respond to potentially malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an Okta account with sufficient privileges (e.g., Super Administrator).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Okta Admin Console.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Security \u0026gt; API \u0026gt; Tokens section of the Okta Admin Console.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new API token with broad or specific permissions.\u003c/li\u003e\n\u003cli\u003eOkta logs the \u003ccode\u003esystem.api_token.create\u003c/code\u003e event.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly created API token to programmatically access Okta resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage the API token for various malicious activities, such as user enumeration, group manipulation, or application access.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the Okta environment even if their initial access is revoked.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, modification of user accounts and permissions, and potentially complete control over the Okta environment. 
The impact can range from data breaches and service disruptions to complete compromise of identity management. The number of victims and sectors targeted depends on the scope of the compromised Okta environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Okta API Token Created\u0026rdquo; to your SIEM to detect API token creation events (logsource: okta, service: okta).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected \u003ccode\u003esystem.api_token.create\u003c/code\u003e events to verify the legitimacy of the token creation.\u003c/li\u003e\n\u003cli\u003eReview Okta system logs for unusual administrative activity preceding the API token creation event (logsource: okta, service: okta).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Okta administrator accounts to reduce the risk of unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-okta-api-token-creation/","summary":"Detection of Okta API token creation events which can indicate malicious persistence activity.","title":"Okta API Token Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-api-token-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Okta Identity Cloud","version":"https://jsonfeed.org/version/1.1"}