Announcing YetiHunter: An open-source tool to detect and hunt for suspicious activity in Snowflake

Illustration Cloud

Password spray enters the Okta-gon

Identity Providers (IDPs), like Okta have always been a juicy target for threat actors of all skill levels. Attackers often still find success with low sophistication techniques like password spraying. Permiso identified a large Okta password spraying campaign that took place in late August.

💡 All Permiso clients affected by this campaign have already been notified.

From August 27 - 31, a threat actor from the IP Address with a user-agent of python-requests/2.28.1 attempted password spraying against about 50% of Okta clients that Permiso monitors. In this campaign, the threat actor successfully guessed passwords in multiple organizations, and in at least one case even passed an MFA check. Permiso did not observe any post-exploitation activity associated with this campaign.

While password spraying is not a new technique, the scale and success of this campaign makes it unique. Permiso recommends organizations that leverage Okta, to review all user.session.start events with a client.ipAddress of . If the outcome.result is SUCCESS the threat actor successfully authenticated to the environment. Searching for the IP on its own will show all the attempts.

In order for the attacker to run this campaign, they needed to have usernames to attempt. Often times these are enumerated by LinkedIn scraping, but there are various ways this can be done. In this campaign the attacker did not bother to disguise their user-agent. While it can be somewhat noisy in some environments, reviewing for python-requests and python-urllib can be a decent signal.

Compromised credentials are involved in almost every breach. Monitoring your IDP is an important step to staying protected.

Illustration Cloud

Related Articles

Introducing YetiHunter: An open-source tool to detect and hunt for suspicious activity in Snowflake

Summary On May 30, 2024 Snowflake confirmed many clients were affected by an attacker leveraging compromised NHI credentials to perform data theft. In their notice, Snowflake included some indicators and suggested hunts. Our good friends at Mandiant

Extending Cloud Console Cartographer With New Mappings

Last month Permiso’s P0 Labs released the Cloud Console Cartographer open-source framework and corresponding research presentation at Black Hat Asia in Singapore. Recently we released our full suite of unit tests. Now let’s talk about how to extend

Unmasking Adversary Cloud Defense Evasion Strategies: Modify Cloud Compute Infrastructure Part 2

Detection and Mitigation The 'Create Snapshot', ‘Create Cloud Instance’, ‘Delete Cloud Instance’, ‘Revert Cloud Instance’ and ‘Modify Cloud Compute Configurations’ features are widely available across major cloud platforms such as AWS, Azure, and

View more posts