Okta: Hackers target IT help desks to gain Super Admin, disable MFA (Security News, September 2023)
The attackers' goal was to hijack highly-privileged Okta Super Administrator accounts to access and abuse identity federation features that allowed impersonating users from the compromised organization.
After compromising a Super Admin account, the threat actor operated through anonymizing proxy services, from a previously unseen IP address and a new device.
The hackers used the admin access to elevate privileges for other accounts, reset enrolled authenticators, and remove two-factor authentication protection from some accounts.
In the source IdP of the federation relationship, the hackers changed usernames so they matched real users in the compromised target IdP. Inbound federation then let them impersonate those users and reach applications through Single Sign-On.
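Detection logic for the pattern described above, as an added example (this is not code from the article or from Okta): it reads Okta System Log-shaped records and raises an alert when a Super Admin performs one of the privileged actions the attackers are described as taking (privilege grant, authenticator reset, MFA removal, identity-provider change) either through an anonymizing proxy or from an IP/device pair that admin never used in a recent history window. The eventType names, the field paths (actor.id, client.ipAddress, client.device, securityContext.isProxy, outcome.result) and every sample record are my assumptions and constructed data; verify the names against your own tenant's logs before relying on them.

```python
from collections import defaultdict

# Admin actions the article describes the attackers taking after the Super
# Admin takeover: privilege grants, authenticator resets, MFA removal and
# changes to identity-provider federation. The eventType strings are my
# assumption of Okta's System Log names; verify them against your tenant.
PRIVILEGED_EVENTS = {
    "user.account.privilege.grant",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "system.idp.lifecycle.create",
    "system.idp.lifecycle.update",
}


def _get(record, path, default=None):
    """Read a dotted path such as 'client.ipAddress' from a nested dict."""
    for key in path.split("."):
        if not isinstance(record, dict):
            return default
        record = record.get(key)
    return default if record is None else record


def build_baseline(history, admin_ids):
    """Known (ip, device) pairs per admin, taken from a window that precedes
    the one under review so the attacker's own events do not poison it."""
    seen = defaultdict(set)
    for rec in history:
        actor = _get(rec, "actor.id")
        if actor in admin_ids:
            seen[actor].add((_get(rec, "client.ipAddress"), _get(rec, "client.device")))
    return seen


def detect(history, window, admin_ids):
    """One alert per successful privileged admin action that came through an
    anonymizing proxy or from an (ip, device) pair absent from the baseline."""
    baseline = build_baseline(history, admin_ids)
    alerts = []
    for rec in window:
        actor = _get(rec, "actor.id")
        if rec.get("eventType") not in PRIVILEGED_EVENTS or actor not in admin_ids:
            continue
        if _get(rec, "outcome.result") != "SUCCESS":
            continue  # failed attempts are worth a separate, lower-priority rule
        origin = (_get(rec, "client.ipAddress"), _get(rec, "client.device"))
        reasons = []
        if _get(rec, "securityContext.isProxy", False):
            reasons.append("anonymizing proxy")
        if origin not in baseline.get(actor, set()):
            reasons.append("unfamiliar ip/device")
        if reasons:
            alerts.append({
                "event": rec["eventType"],
                "actor": _get(rec, "actor.alternateId"),
                "target": [t.get("alternateId") for t in rec.get("target", [])],
                "ip": origin[0],
                "reasons": reasons,
            })
    return alerts


def _rec(event_type, actor, ip, device, proxy, targets=(), result="SUCCESS"):
    """Build a minimal System Log-shaped record (constructed sample data)."""
    return {
        "eventType": event_type,
        "actor": {"id": actor[0], "alternateId": actor[1]},
        "client": {"ipAddress": ip, "device": device},
        "securityContext": {"isProxy": proxy},
        "outcome": {"result": result},
        "target": [{"id": t[0], "alternateId": t[1]} for t in targets],
    }


# Constructed identities (hypothetical, not from the article).
ADMIN = ("00u1admin", "it.admin@example.com")
BOB = ("00u2bob", "bob@example.com")
CAROL = ("00u3carol", "carol@example.com")
ADMIN_IDS = {ADMIN[0]}

# Constructed history: routine admin activity from the office address.
HISTORY = [
    _rec("user.session.start", ADMIN, "203.0.113.10", "Computer", False),
    _rec("user.account.privilege.grant", ADMIN, "203.0.113.10", "Computer", False, [BOB]),
]

# Constructed review window: the same admin identity now acting through a
# proxy from a never-seen address, resetting MFA and adding an IdP.
WINDOW = [
    _rec("user.mfa.factor.reset_all", ADMIN, "198.51.100.77", "Computer", True, [BOB]),
    _rec("user.account.privilege.grant", ADMIN, "203.0.113.10", "Computer", False, [CAROL]),
    _rec("user.session.start", CAROL, "198.51.100.77", "Computer", True),
    _rec("system.idp.lifecycle.create", ADMIN, "198.51.100.77", "Computer", True, [("0oa9idp", "Inbound IdP")]),
    _rec("user.mfa.factor.deactivate", ADMIN, "198.51.100.77", "Computer", True, [CAROL], result="FAILURE"),
]

if __name__ == "__main__":
    for alert in detect(HISTORY, WINDOW, ADMIN_IDS):
        print(alert)
```

Against the constructed window, the privilege grant from the office address is left alone, the non-admin session is ignored, the failed factor deactivation is skipped, and only the proxied MFA reset and the IdP creation are raised, each tagged with both reasons. In a real deployment the baseline would come from a longer lookback than one day and the rule would be one input to triage, not a blocking control.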
Require re-authentication for access to privileged applications, including the Admin Console.
Require admins to sign in from managed devices with phishing-resistant MFA, and restrict admin access to trusted network zones.