
Submission: Vishing attacks on Okta identity systems on the rise (scworld.com)

spatwei writes: Vishing attacks on Okta identity systems, in which attackers simply call the victim or an IT help desk and convince them to weaken or reset multi-factor authentication (MFA), have increased.

In an April 13 blog post, LevelBlue researchers said once Okta is compromised via vishing, the attackers gain access to an enterprise’s SaaS systems via single sign-on (SSO), which leads to the exfiltration of SharePoint, OneDrive, Salesforce, and Google Workspace data.

The LevelBlue researchers explained that as part of the attack, the threat actors aim to get the victim or help desk to reset MFA, enroll a new authenticator device, provide one-time passcodes, disclose passwords, or reset Okta credentials.

“The initial attack vector here is still classic social engineering, however, the strategy has matured,” said Mika Aalto, co-founder and CEO at Hoxhunt. “Instead of targeting individual users, attackers are moving upstream to bypass MFA at the identity provider level, manipulating in this case Okta's IT help desk to unlock access across the targeted organization.”
