- SLH targets ~100 companies with vishing attacks on Okta SSO credentials
- Live Phishing Panel intercepts credentials and MFA tokens in real time
- No confirmed breach yet, but hijacked Okta sessions pose serious risks
The notorious Scattered LAPSUS$ Hunters (SLH) threat actors are currently engaged in a massive identity theft campaign targeting the Okta single sign-on (SSO) credentials of around 100 large enterprises.
Security researchers at Silent Push found that the hackers are running a sophisticated vishing (voice phishing) campaign aimed at gaining access to the companies’ infrastructure to wipe out sensitive data and then extort money from the victims.
The researchers said SLH uses a new ‘Live Phishing Panel’ that allows its operators to “sit in the middle of a login session and intercept credentials and MFA tokens in real-time”. In other words, the attackers call victims on the phone and have them log into a service while sitting “in the middle” and intercepting the secrets that pass through.
Results unknown
Silent Push says around 100 organizations from various verticals are being targeted. The full list includes high-profile targets such as Atlassian, Morningstar, American Water, GameStop and Telstra.
However, being targeted and being compromised are two completely different things. There is no confirmation that any of the companies from the list were actually hacked, and at press time there was no evidence that this was the case.
Silent Push told The Register it has “no information to share” about potential victims, and SLH has yet to add anyone to their data breach website. The hackers confirmed that the number of targets was “close”.
The researchers said the risk of the campaign is high because once an Okta session is hijacked, the attacker has a “skeleton key” for every app in the enterprise environment. This allows them to extort sensitive data, move laterally and even encrypt the data if necessary.
“Standard security awareness training often fails to stop this specific threat. SLH operators are very persuasive, often calling help desks and employees while simultaneously manipulating a live phishing page to match the victim’s specific login prompts,” the researchers explained.
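For defenders, the “skeleton key” risk described above can be turned into a detection: a session that starts from a network the user has never used and then fans out to several apps within minutes. The following is an added example, not code from Silent Push or Okta; the event type strings are Okta System Log event types, while the flattened tuple layout, the ASN baseline, the thresholds and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

START, SSO = "user.session.start", "user.authentication.sso"

# Constructed sample events: (published, eventType, user, ASN, session id, app).
# ASNs come from the range reserved for documentation; nothing here is real data.
EVENTS = [
    ("2026-01-20T14:00:05Z", START, "alice@example.com", 64500, "sess-A", None),
    ("2026-01-20T14:00:40Z", SSO, "alice@example.com", 64500, "sess-A", "Mail"),
    ("2026-01-20T14:01:10Z", SSO, "alice@example.com", 64500, "sess-A", "Wiki"),
    ("2026-01-20T14:01:30Z", SSO, "alice@example.com", 64500, "sess-A", "Chat"),
    ("2026-01-20T14:02:00Z", START, "bob@example.com", 64510, "sess-B", None),
    ("2026-01-20T14:02:30Z", SSO, "bob@example.com", 64510, "sess-B", "Wiki"),
    ("2026-01-20T14:03:10Z", SSO, "bob@example.com", 64510, "sess-B", "Payroll"),
    ("2026-01-20T14:04:00Z", SSO, "bob@example.com", 64510, "sess-B", "CRM"),
    ("2026-01-20T14:05:00Z", START, "carol@example.com", 64511, "sess-C", None),
    ("2026-01-20T14:06:00Z", SSO, "carol@example.com", 64511, "sess-C", "Mail"),
]
# Assumed baseline: networks each user has signed in from before.
KNOWN_ASNS = {"alice@example.com": {64500}, "bob@example.com": {64501},
              "carol@example.com": {64502}}

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_suspicious_sessions(events, known_asns,
                             window=timedelta(minutes=10), min_apps=3):
    """Flag sessions started from an unfamiliar ASN that then fan out
    to min_apps or more distinct apps within the window."""
    started = {}              # session id -> (user, asn, start time)
    apps = defaultdict(set)   # session id -> distinct apps reached
    for published, etype, user, asn, session, app in sorted(
            events, key=lambda e: e[0]):
        ts = parse_ts(published)
        if etype == START and asn not in known_asns.get(user, set()):
            started[session] = (user, asn, ts)
        elif etype == SSO and session in started:
            if ts - started[session][2] <= window:
                apps[session].add(app)
    return [{"session": s, "user": u, "asn": a, "apps": sorted(apps[s])}
            for s, (u, a, _) in started.items() if len(apps[s]) >= min_apps]

if __name__ == "__main__":
    for hit in find_suspicious_sessions(EVENTS, KNOWN_ASNS):
        print(hit)
```

On the sample data only `sess-B` is flagged: the known-network session and the single-app session from a new network both stay below the rule.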



