Massive identity theft campaign targeting Okta single sign-on at over 100 top businesses - make sure your firm stays safe

News
By published

Scattered LAPSUS$ Hunters are targeting major firms once again

Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
(Image credit: Shutterstock)
  • SLH targets ~100 enterprises with vishing attacks on Okta SSO credentials
  • Live Phishing Panel intercepts credentials and MFA tokens in real-time
  • No confirmed breaches yet, but hijacked Okta sessions pose severe risks

The notorious Scattered LAPSUS$ Hunters (SLH) threat actors are currently engaged in a massive identity theft campaign targeting Okta single sign-on (SSO) credentials at around 100 large enterprises.

Security researchers Silent Push found the hackers were currently running a sophisticated vishing (voice phishing) campaign, aimed at obtaining access to corporate infrastructure in order to exfiltrate sensitive data and then extort the victims for money.

The researchers said that SLH uses a new ‘Live Phishing Panel’, which allows their operators to “sit in the middle of a login session, intercepting credentials and MFA tokens in real-time”. In other words, the attackers would call the victims on the phone and get them to log into a service, while sitting “in the middle” and intercepting the secrets passing through.

Results unknown

Silent Push says that roughly 100 organizations from different verticals are being targeted. The entire list can be found here, and includes high-profile targets such as Atlassian, Morningstar, American Water, GameStop, and Telstra.

Being targeted, and being compromised are two entirely different things, though. There is no confirmation that any of the companies from the list were actually broken into, and at press time, there was no evidence of that being the case.

Silent Push told The Register it has “no intel to share” about potential victims, and SLH are yet to add anyone to their data leak website. The hackers did confirm that the number of targets was “close”.

The researchers said the risk of the campaign is great, because once an Okta session is hijacked, the attacker has a “skeleton key” to every app in the corporate environment. This allows them to extort sensitive data, move laterally, and even encrypt the data if needed.

“Standard security awareness training often fails to stop this specific threat. SLH operators are highly persuasive, frequently calling help desks and employees while simultaneously manipulating a live phishing page to match the victim’s specific login prompts,” the researchers explained.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.