Cloud Detection and Response Survey Report

GET THE REPORT
Illustration Cloud

Password spray enters the Okta-gon

Identity Providers (IDPs), like Okta have always been a juicy target for threat actors of all skill levels. Attackers often still find success with low sophistication techniques like password spraying. Permiso identified a large Okta password spraying campaign that took place in late August.

💡 All Permiso clients affected by this campaign have already been notified.

From August 27 - 31, a threat actor from the IP Address 185.241.208.110 with a user-agent of python-requests/2.28.1 attempted password spraying against about 50% of Okta clients that Permiso monitors. In this campaign, the threat actor successfully guessed passwords in multiple organizations, and in at least one case even passed an MFA check. Permiso did not observe any post-exploitation activity associated with this campaign.

While password spraying is not a new technique, the scale and success of this campaign makes it unique. Permiso recommends organizations that leverage Okta, to review all user.session.start events with a client.ipAddress of 185.241.208.110 . If the outcome.result is SUCCESS the threat actor successfully authenticated to the environment. Searching for the IP on its own will show all the attempts.

In order for the attacker to run this campaign, they needed to have usernames to attempt. Often times these are enumerated by LinkedIn scraping, but there are various ways this can be done. In this campaign the attacker did not bother to disguise their user-agent. While it can be somewhat noisy in some environments, reviewing for python-requests and python-urllib can be a decent signal.

Compromised credentials are involved in almost every breach. Monitoring your IDP is an important step to staying protected.

Illustration Cloud

Related Articles

LUCR-3: Scattered Spider Getting SaaS-y in the Cloud

Summary LUCR-3 overlaps with groups such as Scattered Spider, Oktapus, UNC3944, and STORM-0875 and is a financially motivated attacker that leverages the Identity Provider (IDP) as initial access into an environment with the goal of stealing

Intern Showcase: Anonymizing Logs Made Easy with LogLicker

LogLicker On GitHub: https://github.com/Permiso-io-tools/LogLicker Introduction Logs play a crucial role in monitoring and analyzing system activity, but handling sensitive information within them can be a daunting task. Whether you're sharing

Agile Approach to mass cloud credential harvesting and crypto mining sprints ahead

Summary Developers are not the only people who have adopted the agile methodology for their development processes. From 2023-06-15 to 2023-07-11, Permiso Security’s p0 Labs team identified and tracked an attacker developing and deploying eight (8)

View more posts