Massive identity theft campaign targeting Okta single sign-on at over 100 top businesses – make sure your firm stays safe

  • SLH targets ~100 enterprises with vishing attacks on Okta SSO credentials
  • Live Phishing Panel intercepts credentials and MFA tokens in real-time
  • No confirmed breaches yet, but hijacked Okta sessions pose severe risks

The notorious Scattered LAPSUS$ Hunters (SLH) threat actors are currently engaged in a massive identity theft campaign targeting Okta single sign-on (SSO) credentials at around 100 large enterprises.

Security researchers at Silent Push found the hackers were running a sophisticated vishing (voice phishing) campaign, aimed at obtaining access to corporate infrastructure in order to exfiltrate sensitive data and then extort the victims for money.

The researchers said that SLH uses a new ‘Live Phishing Panel’, which allows their operators to “sit in the middle of a login session, intercepting credentials and MFA tokens in real-time”. In other words, the attackers would call the victims on the phone and get them to log into a service, while sitting “in the middle” and intercepting the secrets passing through.

Results unknown

Silent Push says that roughly 100 organizations from different verticals are being targeted. The entire list can be found here, and includes high-profile targets such as Atlassian, Morningstar, American Water, GameStop, and Telstra.

Being targeted and being compromised are two entirely different things, though. There is no confirmation that any of the companies on the list were actually broken into, and at press time there was no evidence of that being the case.

Silent Push told The Register it has “no intel to share” about potential victims, and SLH are yet to add anyone to their data leak website. The hackers did confirm that the number of targets was “close”.

The researchers said the risk of the campaign is great, because once an Okta session is hijacked, the attacker has a “skeleton key” to every app in the corporate environment. This allows them to exfiltrate sensitive data, move laterally, and even encrypt the data if needed.
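Because the victim completes the real login (including MFA) themselves, the authentication events for a hijacked session look legitimate; what a defender can look for is the resulting session token being used from a network the victim was never on. The following is an added example, not code from the article, Silent Push or Okta: it runs a simple session-reuse check over constructed, simplified events whose field names (externalSessionId, client.ipAddress, client.geographicalContext) are assumptions modelled on the Okta System Log and should be checked against a real export before use.

```python
"""Flag an SSO session that is reused from a different network shortly after it started.

Added example. The event shape is a constructed, simplified imitation of
Okta System Log records; the field names used here are assumptions and
are not guaranteed to match a given tenant's export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Alice logs in and passes MFA from the office
# network; seven minutes later the same session id is used from another
# country, which is the pattern an adversary-in-the-middle phish leaves
# behind. Bob's session stays on one network and should not be flagged.
SAMPLE_EVENTS = [
    {"published": "2025-10-01T09:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "geographicalContext": {"country": "Australia"}},
     "authenticationContext": {"externalSessionId": "sess-A1"}},
    {"published": "2025-10-01T09:00:20Z", "eventType": "user.authentication.auth_via_mfa",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "geographicalContext": {"country": "Australia"}},
     "authenticationContext": {"externalSessionId": "sess-A1"}},
    {"published": "2025-10-01T09:07:00Z", "eventType": "app.oauth2.token.grant",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.77",
                "geographicalContext": {"country": "Germany"}},
     "authenticationContext": {"externalSessionId": "sess-A1"}},
    {"published": "2025-10-01T09:02:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.11",
                "geographicalContext": {"country": "Australia"}},
     "authenticationContext": {"externalSessionId": "sess-B1"}},
    {"published": "2025-10-01T09:15:00Z", "eventType": "app.oauth2.token.grant",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.11",
                "geographicalContext": {"country": "Australia"}},
     "authenticationContext": {"externalSessionId": "sess-B1"}},
]


def _parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_session_hijack_candidates(events, window=timedelta(hours=1)):
    """Return one alert per session id that is used from a second source IP
    within `window` of the session's first event.

    The alert carries both networks and whether the country changed; a bare
    IP change is noisy for mobile users, so a country change is the stronger
    signal and callers may choose to page only on that.
    """
    by_session = defaultdict(list)
    for event in events:
        session_id = event.get("authenticationContext", {}).get("externalSessionId")
        if session_id:
            by_session[session_id].append(event)

    alerts = []
    for session_id, session_events in by_session.items():
        session_events.sort(key=lambda e: _parse_ts(e["published"]))
        first = session_events[0]
        first_ip = first["client"]["ipAddress"]
        first_country = first["client"]["geographicalContext"]["country"]
        started = _parse_ts(first["published"])
        for event in session_events[1:]:
            ip = event["client"]["ipAddress"]
            seen_at = _parse_ts(event["published"])
            if ip != first_ip and seen_at - started <= window:
                country = event["client"]["geographicalContext"]["country"]
                alerts.append({
                    "user": event["actor"]["alternateId"],
                    "session": session_id,
                    "first_ip": first_ip,
                    "first_country": first_country,
                    "new_ip": ip,
                    "new_country": country,
                    "country_changed": country != first_country,
                    "minutes_after_start": int((seen_at - started).total_seconds() // 60),
                    "event": event["eventType"],
                })
                break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_session_hijack_candidates(SAMPLE_EVENTS):
        print(alert)
```

The check deliberately keys on the session identifier rather than on the login itself: the login passed MFA and was genuine, so authentication-failure rules never fire. When such an alert is raised, revoking the session server-side invalidates the token the attacker holds, whatever app it was about to be replayed against.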

“Standard security awareness training often fails to stop this specific threat. SLH operators are highly persuasive, frequently calling help desks and employees while simultaneously manipulating a live phishing page to match the victim’s specific login prompts,” the researchers explained.


Read more @ TechRadar
