With two high-profile breaches this year, Okta, a leader in identity and access management (IAM), made the kind of headlines that security vendors would rather avoid. After seeing headlines like these, some executives and customers lose faith that multifactor authentication (MFA) technology, particularly Okta’s, will protect their organizations, but should they?
The tech world defines breaches as unintended releases of information, and usually the implication is that a technology failure somewhere caused the breach. In both of the Okta cases, the unfortunate cause came from humans, but few people would bother to read an article with the title “Bad Clicks by Tired People Bypass Security – Again.”
As tech professionals it is important to understand MFA’s limitations and to communicate to executives that identity and access management still provides powerful protection against attackers. By examining these Okta breaches in detail, we can work out which countermeasures need to be in place to strengthen MFA and IAM deployments.
Okta ‘Breach’ #1: User Clicked ‘Accept’ on Push Notification
In January 2022, Lapsus$ hackers tricked an engineer from Sitel, Okta’s third-party customer support services provider, into pressing ‘accept’ on an MFA push notification. Combined with a set of stolen credentials, that approval let the attacker onto the engineer’s thin-client desktop over the remote desktop protocol (RDP).
While embarrassing and highly publicized by Lapsus$, Okta’s initial estimates of damage and access were rather modest. Early reports indicated that the attack might affect as much as 2.5% of Okta’s customers and the attacker could, at most, reset customer passwords.
Ultimately, Okta determined that within a five-day window the attacker was actually on the machine for a total of 25 minutes. During that time, the attacker accessed Okta’s customer support panel, data for two of Okta’s 15,000 customers, and local applications such as Slack and Jira.
Sitel suffered the most lasting consequence of the breach: Okta terminated its outsourcing contract. Sitel attributes the access to legacy technology issues still in place at Sykes, a company Sitel had just acquired.
Despite the headlines, this was not a breach of Okta’s technology; after all, MFA push notification was delivered according to Sitel’s intended setup.
How MFA Was Bypassed
Okta refrained from releasing the full details of the breach, but we can read between the lines. The breach required three specific conditions:
- The RDP endpoint for the engineer’s thin client could be reached by Lapsus$
- The credentials for the Okta portal were readily available on the thin client:
  - The user had clicked “remember me” to bypass future login prompts
  - The portal session remained open and active
- The engineer approved the MFA push request
To reach the thin client, the Lapsus$ attacker most likely did one of the following:
- Successfully phished the engineer to obtain the RDP address and credentials
- Reused credentials the engineer had exposed elsewhere and social-engineered the RDP details
- Discovered a vulnerable RDP service exposed to the internet
The contract termination suggests that Sitel possibly:
- Did not check existing credentials for compromise
- Did not adequately protect the employee against phishing
- Did not fully patch their RDP software
However, these potential oversights only grant access to the thin client. To access the Okta customer service portal, the engineer had to enable access through MFA.
There are many types of MFA, but only a few allow for ‘push to authorize’ MFA. The latter also happens to be a specialty of the Lapsus$ attackers.
MFA Fatigue Attacks
Screenshots of internal Lapsus$ communication show one member explaining: “Signin with smartcard doesn’t have any MFA. Signin with password will issue MFA through a phone call or authentication app. However, no limit is placed on the amount of calls that can be made. Call the employee 100 times at 1am while he is trying to sleep and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”
This hacking method earned the name MFA Fatigue and seeks to pester exhausted employees into intentionally or accidentally accepting the MFA prompt to enable access. This method contributed to other prominent breaches this year including Cisco, Microsoft, and Uber.
Okta ‘Breach’ #2: SMS MFA Theft
As early as March of this year, malicious hackers, now tracked by Okta as Scatter Swine, executed a campaign, dubbed 0ktapus, to steal authentication codes and company data. Experts estimate close to 1,000 credentials across more than 130 companies have been stolen, either directly from those companies or through subsequent breaches.
The most prominent victims of this attack include Twilio, Mailchimp and Klaviyo. Attempted attacks against Cloudflare, T-Mobile, MetroPCS, Verizon, Slack, Twitter, Coinbase, Microsoft, Epic Games, Evernote and Best Buy were noted, but no successful attack against these organizations has been publicized.
How MFA Was Bypassed
Analysis of the attack reveals that the Scatter Swine team first created curated lists of employees, employer names, and phone numbers. The attackers then created phishing pages to appear to be legitimate Okta authentication pages of the victim’s company.
The attackers then sent SMS phishing (smishing) messages to trick employees into clicking on the link, entering their credentials into the phishing site, and then entering their one-time MFA code into the same page impersonating the Okta login. A Telegram bot behind the phishing kit forwarded the captured credentials and code to the attackers instantly, who submitted them in real time to the site the victim was actually trying to reach, before the code expired.
Note, however, that the Okta MFA codes were not intercepted in transit. Although this was originally publicized as an Okta breach, the Okta technology did not fail; again, the cause was human error.
The Okta technology delivered the MFA code to the victim as designed. It was the victim who then typed that code into the phishing website and hand-delivered both their credentials and their MFA proof to the attacker. Unfortunately, this isn’t even a new type of attack; it is a new version of the classic Man-in-the-Middle (MitM) attack, sometimes called a real-time or adversary-in-the-middle phishing proxy.
In Man-in-the-Middle (MitM) attacks, malicious actors insert themselves between a user and a resource and intercept the credentials. In classic MitM attacks, the attacker inserted themselves between an endpoint and a server, but today we often see this attack between a remote user and a network or between endpoints and web pages.
In the past, this MitM attack may only have been prepared to intercept the users’ credentials, but the increasing adoption of MFA has led to more sophistication from the attackers. These attackers had to know the following information in advance to successfully phish the victims:
- Victim’s phone number and company (perhaps from public LinkedIn resumes, Facebook posts, or other compromised victims)
- The company’s use of Okta MFA
- A credible message to motivate victims to click, such as:
  - Click here to log in and perform a mandatory password reset
  - Click here to learn about a schedule change
After investigating the attack, Okta noted that the attackers impersonated IT support staff and made numerous phone calls to employees and their family members to learn about security procedures. It is not yet known for sure how the attacker obtained the initial phone numbers.
How to Prevent Similar Breaches
In both attacks the Okta technology itself did not fail. To avoid similar breaches, security managers must prepare internal defenses against MFA fatigue or MitM attacks. As with most other attack methods, the defense starts with executing on the basics of IT security and adding a few specific measures to counter specific attacks.
MFA fatigue attacks only work if:
- Attackers already have access to credentials or devices
- The MFA method can be spammed
- The victim is fatigued or stressed enough to click
MitM attacks only work if:
- The user receives the initial bait (phish, fake website, fake file, etc.)
- The user falls for the bait and enters in their credentials, MFA code, etc.
- The IT resource cannot tell there is a Man-in-the-Middle between the resource and the legitimate user
We will briefly list technically simple controls as examples of measures to defend against these attacks. IT and cybersecurity managers will surely think of many other tools and technologies that could also act as preventative measures.
None of these controls or technologies are new or even particularly novel. Organizations don’t typically implement these additional controls because they cost extra time or money.
Of course, a third factor is that users always complain about change. Especially in large enterprise environments with ingrained habits, the loud complaints of executives or sales teams often lead to rollbacks of security measures. Human behavior remains the most challenging risk to control and modify.
Fundamental Controls: Password Management
Okta notes that 34% of all login attempts in the first quarter of 2022 came from credential stuffing attacks. In other words, roughly one of every three attempts to log into Okta used stolen credentials, because users keep reusing passwords that have already leaked.
Organizations need to audit their own users’ passwords, cracking their own directory hashes offline, to eliminate reused and easily cracked passwords from their environments. At the very least, companies, and even individual users, should check whether their user IDs and passwords have already been leaked using the publicly available Have I Been Pwned breach database (haveibeenpwned.com).
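A concrete way to run that leaked-password check without sending passwords to anyone is the Pwned Passwords range API, which only ever sees the first five hex characters of a SHA-1 hash (k-anonymity). The following is an added example written for this article, not code from Okta, Sitel or Have I Been Pwned. The API response embedded below is constructed: only the first suffix (the real SHA-1 remainder of "password") is genuine, and all counts and the other two suffixes are made up; the `live_fetch_range` helper shows the real call for readers who want to run it against the service.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Iterable

# Constructed stand-in for the body returned by
#   GET https://api.pwnedpasswords.com/range/5BAA6
# "5BAA6" is the SHA-1 prefix of "password". The first suffix is the genuine
# remainder of that hash; the other two suffixes and all three counts are
# invented for this example.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
    ]),
}


def offline_fetch_range(prefix: str) -> str:
    """Offline substitute for the API so the example runs without network."""
    return SAMPLE_RANGE_RESPONSES.get(prefix.upper(), "")


def live_fetch_range(prefix: str) -> str:
    """The real call. Add-Padding makes every response roughly the same size,
    so an observer on the wire cannot infer the prefix from the body length."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """k-anonymity lookup: only the 5-char prefix leaves this host; the
    35-char suffix is matched locally against the returned candidates.
    Returns how many times the password appears in the breach corpus (0 = clean)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            # Padded filler lines carry a count of 0 and must not count as a hit.
            return int(count) if count.isdigit() else 0
    return 0


def audit(passwords: Iterable[str],
          fetch_range: Callable[[str], str] = offline_fetch_range) -> Dict[str, int]:
    """Map each breached password to its breach count; clean ones are omitted."""
    findings: Dict[str, int] = {}
    for pw in passwords:
        hits = pwned_count(pw, fetch_range)
        if hits:
            findings[pw] = hits
    return findings


if __name__ == "__main__":
    print(audit(["password", "Xq9!vR2#plm7Wz"]))
```

For a directory-wide audit you would feed this the hashes you already hold rather than plaintext; the same endpoint accepts NTLM prefixes (`?mode=ntlm`), which is what an Active Directory password audit would use. Treat a non-zero count as a forced reset, not a warning.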
Ideally, organizations should provide their users with corporate password managers that use strong, complex password requirements and also remove the burden of password management from the employees. Password managers have the additional benefit that they cannot be fooled by close-but-not-exact website addresses in a phishing attack.
Companies can also monitor credentials usage and implement login alerts for anomalous user logins, logins from new IP addresses, new devices, and other anomalous behavior. While that single point of information may not be meaningful, combinations can be powerful. For example, an alert for a new device registration, a new IP address, and numerous MFA requests should prompt an investigation.
Fundamental Controls: MFA
Many organizations rely upon MFA to make up for their password weaknesses. Unfortunately, too many organizations stop at two factors, typically a password plus a push notification or one-time code, which gives attackers exactly the combination both of these attacks were built to defeat.
Additionally, how MFA is implemented affects how likely an attacker is to bypass the control. Security professionals therefore need to consider two areas to eliminate MFA fatigue or defend against MitM attacks:
- MFA setup
- More than 2FA MFA
MFA applications should be set up to send alerts on repeated requests, requests from unusual locations, or requests at unusual times. The IT team can also take preventative measures during setup to prevent MFA Fatigue attacks, such as limiting or disabling MFA Push requests.
IT security can also deny self-registration of additional devices for MFA. Stolen MFA becomes less useful when attackers cannot add their own devices to the user’s profile.
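The alerting rule described above for the password section (new device registration plus a new IP address plus a burst of MFA requests should prompt an investigation) and the MFA setup alerts on repeated requests can be expressed as one small correlation job over the identity provider’s log. The code below is an added example written for this article, not an Okta feature or Okta code. The events are constructed, and their field names (`ts`, `user`, `event`, `ip`, `device`) and event names (`push.sent`, `push.accepted`, `factor.enrolled`) are a simplified assumption rather than Okta’s real System Log schema; mapping them onto real event types is left to the reader.

```python
from collections import deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumed baselines, as an asset inventory or prior logins would supply them.
KNOWN_IPS = {"jdoe": {"192.0.2.5"}, "asmith": {"198.51.100.10"}}
KNOWN_DEVICES = {"jdoe": {"iphone-jdoe"}, "asmith": {"pixel-asmith"}}


def make_sample_events() -> List[dict]:
    """Constructed log: jdoe is push-bombed at 1am from an unfamiliar address,
    eventually accepts, and a new factor is enrolled; asmith logs in normally."""
    base = datetime(2022, 3, 20, 1, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(8):  # eight pushes in under four minutes
        events.append({"ts": base + timedelta(seconds=30 * i), "user": "jdoe",
                       "event": "push.sent", "ip": "203.0.113.7", "device": None})
    events.append({"ts": base + timedelta(minutes=4, seconds=10), "user": "jdoe",
                   "event": "push.accepted", "ip": "203.0.113.7", "device": None})
    events.append({"ts": base + timedelta(minutes=5), "user": "jdoe",
                   "event": "factor.enrolled", "ip": "203.0.113.7", "device": "android-unknown-01"})
    events.append({"ts": base + timedelta(hours=8), "user": "asmith",
                   "event": "push.sent", "ip": "198.51.100.10", "device": None})
    events.append({"ts": base + timedelta(hours=8, seconds=20), "user": "asmith",
                   "event": "push.accepted", "ip": "198.51.100.10", "device": None})
    return events


def analyze(events: List[dict], push_threshold: int = 5,
            window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Per-user correlation. A push burst (or an accept after one) is a strong
    signal; a new IP or newly enrolled device is context. Both together
    mean 'investigate', either alone means 'watch'."""
    findings: Dict[str, dict] = {}
    recent_pushes: Dict[str, deque] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        f = findings.setdefault(user, {"flags": set(), "pushes_in_window": 0})
        if ev["ip"] not in KNOWN_IPS.get(user, set()):
            f["flags"].add("new_ip")
        if ev["event"] == "push.sent":
            q = recent_pushes.setdefault(user, deque())
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window
                q.popleft()
            f["pushes_in_window"] = max(f["pushes_in_window"], len(q))
            if len(q) >= push_threshold:
                f["flags"].add("push_spam")
        elif ev["event"] == "push.accepted" and "push_spam" in f["flags"]:
            f["flags"].add("accepted_after_spam")   # the fatigue attack succeeded
        elif ev["event"] == "factor.enrolled":
            if ev["device"] not in KNOWN_DEVICES.get(user, set()):
                f["flags"].add("new_device")        # attacker adding their own factor
    for f in findings.values():
        strong = {"push_spam", "accepted_after_spam"} & f["flags"]
        context = {"new_ip", "new_device"} & f["flags"]
        f["verdict"] = "investigate" if strong and context else "watch" if strong or context else "ok"
        f["flags"] = sorted(f["flags"])
    return findings


if __name__ == "__main__":
    for user, finding in analyze(make_sample_events()).items():
        print(user, finding)
```

The threshold of five pushes in ten minutes is a starting point, not a standard; tune it to the tenant’s real push rate, and treat `accepted_after_spam` together with `new_device` as the signature of the Lapsus$ playbook quoted earlier: accept once, then enrol another device.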
More than 2FA MFA
Beyond simple 2FA push notices or one-time passwords, security teams can implement additional factors such as: biometrics (fingerprint, typing pattern, etc.), physical controls (cards, FIDO-compliant USB security keys, etc.), device-specific controls (certificates, device registration, etc.), or location-specific controls (IP address filtering, geofencing, etc.). FIDO2/WebAuthn security keys deserve special mention against the 0ktapus style of attack: the credential is bound to the web origin, so there is no code for a victim to type into a look-alike page and nothing for a phishing proxy to relay.
Cloudflare’s use of security keys (physical control) and its Cloudflare One SASE network (network access controls similar to IP address filtering) proved effective in blocking attempts to circumvent its MFA controls.
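To show why an origin-bound factor defeats the MitM attack where an SMS code does not, here is an added example written for this article, not Cloudflare’s, Okta’s or any FIDO vendor’s code. It models the relying-party checks from the WebAuthn specification that provide the phishing resistance: the browser itself writes the page origin into clientDataJSON, the authenticator hashes the RP ID it was asked to sign for, and the server rejects anything that does not match. The RP ID `example.com`, the origin `https://login.example.com` and the phishing origin `https://login-example.com` are made-up values. The signature over `authData || SHA-256(clientDataJSON)` is deliberately not verified here, since that needs the stored public key and a crypto library; in production it is mandatory and is what stops an attacker from editing the fields checked below.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Tuple

# Assumed relying-party configuration (made up for the example).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    """clientDataJSON as the browser builds it. The origin comes from the page
    that called navigator.credentials.get(); a phishing page cannot choose it,
    and the authenticator's signature covers SHA-256 of this blob."""
    return json.dumps({"type": "webauthn.get", "challenge": _b64url(challenge),
                       "origin": page_origin}).encode("utf-8")


def authenticator_data(rp_id: str, user_present: bool = True, counter: int = 1) -> bytes:
    """Minimal authenticatorData: rpIdHash (32) || flags (1) || signCount (4)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     expected_origin: str, rp_id: str) -> Tuple[bool, str]:
    """Relying-party checks. Signature verification is omitted (see lead-in)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if not hmac.compare_digest(_b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed or stale)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode("utf-8")).digest()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def simulate_login(page_origin: str, rp_id_requested: str = RP_ID) -> Tuple[bool, str]:
    """One ceremony end to end: the RP issues a fresh challenge, the browser on
    `page_origin` asks the key to sign for `rp_id_requested`, the RP verifies."""
    challenge = secrets.token_bytes(32)
    client_data = browser_client_data(challenge, page_origin)
    auth_data = authenticator_data(rp_id_requested)
    return verify_assertion(client_data, auth_data, challenge, EXPECTED_ORIGIN, RP_ID)


if __name__ == "__main__":
    print(simulate_login("https://login.example.com"))   # genuine page
    print(simulate_login("https://login-example.com"))   # 0ktapus-style look-alike
```

In a real browser the look-alike page could not even ask the key for `example.com`, because the RP ID must be a registrable suffix of the page’s own domain; the `rpIdHash` check covers the case where a proxy presents an assertion made for the wrong RP ID. Contrast this with an SMS or authenticator-app code, which carries no origin at all and is valid wherever the victim pastes it.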
Fundamental Controls: Application and Network Controls
The details to control access to networks and applications will be very different, but the underlying concepts will be the same:
- Control data flows: Force traffic to flow through monitored and controlled access points using network gateways, VPN networks, IP whitelisting, etc.
- Segment resource access: Use the principle of least privilege, or zero trust, to set up network zones of access for different classes or types of users. For example: the database backend is only available to the application and human users must use the query interface.
- Verify users and devices: Restrict access to registered device/user pairs, or devices that contain specific software (secure browsers, endpoint management tools, etc.)
Fundamental Controls: Anti-Phishing Security
Phishing attacks don’t work if they never reach the user. Implementing email filtering and email security technologies such as email gateways and DMARC can dramatically reduce the number of phishing emails seen by the users.
SMS phishing is much harder to filter, but companies can limit its effectiveness by requiring their MFA prompts to be delivered through specific apps, from specific phone numbers, or through other channels more easily controlled and monitored by the organization, so that any login message arriving another way is recognizably suspect.
Fundamental Controls: User Training
Users can be trained against phishing attacks and to note the common signs of MFA bypass attempts such as:
- Unexpected MFA requests
- Unsolicited calls, texts, or emails from unknown numbers, email addresses, or people claiming to be from the company (especially the IT team or Help Desk)
- A large number of MFA requests
- Emails or texts attempting to create a sense of urgency
While even the best anti-phishing training cannot guarantee 100% success, training can reduce the odds and help the organization defend against attacks.
Fundamental Controls: Personnel Expectations
Managers and HR may not like this idea, but MFA fatigue works primarily because employees feel they must keep their ringer active to receive alerts. Anyone who can silence their phone or turn it off outside working hours is largely immune to such attacks.
Similarly, phishing attacks work best on stressed and exhausted employees that feel rushed. Employees with the time to carefully examine phishing attacks will ignore most of them.
However, adjusting work expectations, employee habits, and workloads remains incredibly difficult. Still, organizations can create formal processes to reduce off-hour workload demands such as on-call designations or shifting work to overseas offices to alleviate pressure.
Minimizing interruptions outside of standard business hours provides an environment that will reduce personnel fatigue and make any MFA fatigue attempts even more obvious and less likely to work.
Minimizing Human Error
The Okta breaches highlight how human error can undermine security controls for any organization. Okta’s technology worked as designed, but the intent was sabotaged by attackers that learned to take advantage of weaknesses in processes or incomplete security stacks.
All too often, the weakness is a stressed human who may not be 100% rational or aware due to fatigue. To limit this risk, personnel expectations can be modified and fundamental technical controls can be implemented that reduce the risk of human failures.