- SLH targets around 100 companies with vishing attacks on Okta SSO credentials
- Live Phishing Panel intercepts MFA credentials and tokens in real time
- No confirmed breaches yet, but hijacked Okta sessions pose serious risks
The notorious threat actors Scattered LAPSUS$ Hunters (SLH) are currently engaged in a massive spoofing campaign targeting Okta single sign-on (SSO) credentials at around 100 large enterprises.
Security researchers at Silent Push discovered that the hackers are conducting a sophisticated vishing (voice phishing) campaign, aiming to gain access to company infrastructure, exfiltrate sensitive data and then extort money from victims.
Researchers said SLH uses a new “Live Phishing Panel,” which allows its operators to “sit in the middle of a login session, intercepting MFA credentials and tokens in real time.” In other words, the attackers call victims on the phone and get them to log in to a service, while sitting “in the middle” and intercepting the secrets that pass through.
Unknown results
Silent Push says around 100 organizations across different verticals are being targeted. It has published the full list, which includes high-profile targets such as Atlassian, Morningstar, American Water, GameStop and Telstra.
Being targeted and being compromised, however, are two entirely different things. There is no confirmation that any of the companies on the list were actually compromised, and at press time there was no evidence that this was the case.
Silent Push told The Register it has “no information to share” about potential victims, and SLH has yet to add anyone to its data leak website. The hackers confirmed that the number of targets was “close”.
Researchers said the risk posed by the campaign is high because once an Okta session is hijacked, the attacker has a “skeleton key” for every application in the company’s environment. This allows them to exfiltrate sensitive data, move laterally, and even encrypt data if necessary.
“Standard security awareness training often fails to stop this specific threat. SLH operators are highly persuasive, frequently calling help desks and employees while simultaneously manipulating a live phishing page to match the victim’s specific login prompts,” the researchers explained.