Phishing is Evolving Quickly

Phishing kits are Evolving 

SaaS Attacks 

SAML Jacking 

    It’s not just application-level lateral movement and persistence to worry about, though. It’s possible the attacker can start moving laterally across other user accounts. If they have selected their targets well, they might even find they have admin access to some downstream SaaS application that has been configured for SAML logins using Okta. 

    For example, maybe they compromise a finance employee who has admin access to their business expenses SaaS application. Then the attacker might be able to use a new technique like SAMLjacking to start attacking other users in a watering hole attack to achieve lateral movement. 

    There are many options for lateral movement and persistence after an account compromise, so simple containment actions like password resets for SSO credentials are not nearly enough to contain a knowledgeable attacker. 

    Update IR playbooks to deal with SSO account compromise, factoring in lateral movement and persistence across cloud apps. This really necessitates that you understand what business apps your organization is using, how they are accessed (e.g. SSO or username and password) and what functionality exists that could be abused by an attacker. 
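One way to turn that playbook advice into a containment checklist, as an added example that is not part of the quoted article. The inventory fields, hostnames and user names are constructed, and it assumes SAMLjacking shows up as a tenant's SAML sign-in URL pointing somewhere other than the organization's IdP.

```python
from urllib.parse import urlsplit

# Constructed sample data: the organization's IdP host and a small app inventory.
EXPECTED_IDP_HOSTS = {"idp.example.com"}
APPS = [
    {"app": "expenses", "login": "saml", "users": {"fin.user", "bob"}, "admins": {"fin.user"},
     "sso_url": "https://idp.example.com.sso-login.example.net/saml"},  # drifted (constructed)
    {"app": "wiki", "login": "saml", "users": {"fin.user"}, "admins": {"carol"},
     "sso_url": "https://idp.example.com/app/wiki/sso/saml"},
    {"app": "legacy-crm", "login": "password", "users": {"fin.user"}, "admins": set(),
     "sso_url": None},
    {"app": "hr", "login": "saml", "users": {"dave"}, "admins": {"dave"},
     "sso_url": "https://idp.example.com/app/hr/sso/saml"},
]

def sso_url_drift(app, expected_hosts):
    """True when a SAML app's sign-in URL is not https on an expected IdP host."""
    if app["login"] != "saml":
        return False
    parts = urlsplit(app.get("sso_url") or "")
    # Exact hostname match: a prefix or substring test would accept look-alike hosts.
    return parts.scheme != "https" or (parts.hostname or "").lower() not in expected_hosts

def scope_compromise(user, apps, expected_hosts):
    """List per-app containment actions for one compromised SSO account."""
    actions = []
    for app in apps:
        if user not in app["users"]:
            continue
        name = app["app"]
        # An SSO password reset does not end sessions already held in the app.
        actions.append((name, "revoke active sessions and API tokens"))
        if app["login"] == "password":
            actions.append((name, "reset app-local password"))
        if user in app["admins"]:
            actions.append((name, "review admin audit log for settings changes"))
            if sso_url_drift(app, expected_hosts):
                actions.append((name, "restore SAML sign-in URL and notify app users"))
    return actions

if __name__ == "__main__":
    for app_name, action in scope_compromise("fin.user", APPS, EXPECTED_IDP_HOSTS):
        print(f"{app_name}: {action}")
```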

https://www.lab539.com/aitm 

Tools :: noVNC :: EvilnoVNC :: Modlishka 
