{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/identityprovider/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Okta"],"_cs_severities":["medium"],"_cs_tags":["identityprovider","okta","persistence"],"_cs_type":"advisory","_cs_vendors":["Okta"],"content_html":"\u003cp\u003eThe creation of a new identity provider (IdP) in Okta is a sensitive action that should be closely monitored. While legitimate administrators may create IdPs for federation purposes, adversaries can abuse this functionality to establish persistence or escalate privileges within an Okta environment. This involves creating a malicious IdP that they control and configuring it to authenticate users, potentially bypassing existing security controls such as multi-factor authentication (MFA) or implementing cross-tenant impersonation. The creation of a rogue IdP within Okta can be an indicator of compromise, potentially leading to unauthorized access to applications and data protected by Okta. Defenders should monitor Okta system logs for the creation of new identity providers and validate their legitimacy.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Okta tenant with sufficient administrative privileges, either through compromised credentials or by exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the Okta admin console.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new identity provider (IdP) within the Okta tenant (system.idp.lifecycle.create).\u003c/li\u003e\n\u003cli\u003eThe attacker configures the rogue IdP with attacker-controlled settings, such as SAML endpoints or OIDC configurations, potentially pointing to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker configures routing rules within Okta to direct specific users or groups to authenticate through the newly created, malicious IdP.\u003c/li\u003e\n\u003cli\u003eUsers attempting to access Okta-protected applications are redirected to the attacker-controlled IdP for authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s IdP captures user credentials or issues fraudulent authentication tokens, allowing the attacker to impersonate legitimate users.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the stolen credentials or fraudulent tokens to access sensitive applications and data protected by Okta, achieving their objective of data theft or service disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack involving the creation of a rogue Okta identity provider can lead to significant consequences. Attackers can gain persistent access to the Okta environment, bypass multi-factor authentication, and impersonate legitimate users. This can result in unauthorized access to sensitive applications and data, data breaches, financial loss, and reputational damage. The scope of the impact depends on the privileges of the compromised accounts and the sensitivity of the data accessed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Okta Identity Provider Created\u0026rdquo; to your SIEM to detect the creation of new identity providers and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eRegularly review and validate all configured identity providers within your Okta tenant to ensure their legitimacy.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and multi-factor authentication for all Okta administrative accounts to prevent unauthorized creation of identity providers.\u003c/li\u003e\n\u003cli\u003eMonitor Okta system logs for suspicious activity related to identity provider configuration and authentication.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the \u0026ldquo;Okta Identity Provider Created\u0026rdquo; Sigma rule to determine the legitimacy of the IdP creation event.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"/briefs/2024-01-okta-idp-created/","summary":"An adversary may create a rogue identity provider within Okta to establish persistence and potentially escalate privileges by impersonating legitimate users or bypassing multi-factor authentication.","title":"Okta Identity Provider Creation Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-idp-created/"}],"language":"en","title":"CraftedSignal Threat Feed — Identityprovider","version":"https://jsonfeed.org/version/1.1"}