T1133 – External Remote Services (Okta Detection)

by

Okta Alert Details

Alert ID: OKTA-EXTERNAL-REMOTE-7842
Alert Time: 2024-02-11 07:30:45 EST
Severity: HIGH (88/100)
Source: Okta Identity Cloud
Rule: “Suspicious VPN Login – New Location + Impossible Travel”
MITRE ATT&CK: T1133 – External Remote Services

Alert Details:

User: awilson@company.com (Alex Wilson, IT Administrator)

Application: Palo Alto GlobalProtect VPN

Time: 07:28 EST

Risk Signals:

1. New Location:

   – City: Moscow, Russia

   – IP: 89.248.165[.]23

   – ISP: Digital Energy LLC

   – First time this user has logged in from Russia

2. Impossible Travel:

   – Previous login: 07:00 EST from New York, USA

   – Current login: 07:28 EST from Moscow, Russia

   – Travel time required: 10+ hours

   – Actual time elapsed: 28 minutes

   – Score: 99/100 (impossible)

3. Device Profile:

   – Device: Windows 10 (unrecognized)

   – Browser: Chrome 121

   – User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

   – No previous authentication from this device

4. Authentication Method:

   – Username/Password + Okta Verify (MFA)

   – MFA push accepted from Moscow location

   – User’s registered device is in New York

Additional Context:

– User has privileged access (IT Administrator)

– Can access critical systems via VPN

– No travel plans to Russia

– MFA push suggests attacker may have compromised device or SIM-swapped?

SOC Investigation Process

StepActionTools UsedFindings
1. Alert ValidationVerify Okta risk signalsOkta Admin ConsoleConfirmed impossible travel + new location
2. User ContactReach user immediatelyPhone, Teams, In-personUser confirmed in New York; did not approve MFA
3. Immediate ContainmentDisable user accountOkta, Active DirectoryAccount disabled within 5 minutes
4. Session TerminationRevoke all active sessionsOkta, VPNAll sessions terminated
5. InvestigationDetermine MFA bypass methodOkta Logs, Mobile DeviceUser’s Okta Verify push was accepted; likely MFA fatigue attack
6. Credential ResetForce password resetOkta, ADPassword reset; MFA re-enrolled

Jira Incident Report

Ticket: SOC-2024-059
Summary: T1133 – External Remote Services – Compromised VPN Access via MFA Fatigue
Status: RESOLVED
Resolution: MALICIOUS – Account Takeover Attempt
Priority: P1 – CRITICAL
Labels: T1133, external-remote-services, vpn, okta, mfa-fatigue, privileged-account
Components: Identity-Management, Remote-Access

INCIDENT ANALYSIS REPORT

1. Initial Context:

  • Detection Source: Okta Identity Cloud.
  • Alert: “Suspicious VPN Login – New Location + Impossible Travel”.
  • User: awilson@company.com (IT Administrator).
  • Time: 2024-02-11 07:30 EST.
  • Technique: MITRE ATT&CK T1133 – External Remote Services.

2. Technical Analysis:

  • Attack Details:
  • Initial Access: Attacker obtained user credentials (likely via phishing).
  • MFA Bypass: MFA fatigue attack – user received repeated push notifications until they accidentally accepted.
  • Source IP: 89.248.165[.]23 (Moscow, Russia)
  • Target: Palo Alto GlobalProtect VPN
  • Timeline:

07:00 – Legitimate login from New York (user starts work)

07:25 – Attacker attempts login from Moscow

07:25-07:27 – 12 MFA push notifications sent to user’s phone

07:28 – User finally accepts push (MFA fatigue)

07:28 – Attacker gains VPN access

07:30 – Okta impossible travel alert triggers

07:31 – SOC begins investigation

07:32 – User contacted; confirms no travel

07:33 – Account disabled; sessions terminated

  • Attacker Activity During Access (2 minutes):
  • Connected to VPN
  • Attempted RDP to IT jump box (blocked by firewall)
  • No other actions logged (account disabled quickly)
  • Privileges:
  • IT Administrator access to servers, network devices
  • No access to financial systems

3. Investigation Findings:

  • User Interview:
  • User reported receiving multiple Okta Verify push notifications.
  • Thought it was a glitch; accidentally approved one.
  • Confirmed no travel; phone still in possession.
  • MFA Fatigue Attack:
  • Attacker bombarded user with pushes until approval.
  • No SIM swap; user’s device secure.
  • Indicators of Compromise (IoCs):

Network:

– Attacker IP: 89.248.165[.]23 (Russia)

– VPN session logs (terminated)

Account:

– User: awilson@company.com

4. Containment Actions:

  • Immediate Actions (07:31-07:35 EST):
  • Disabled user account in Okta and Active Directory.
  • Revoked all active VPN sessions.
  • Blocked attacker IP at firewall.
  • Remediation (07:35-08:30 EST):
  • Forced password reset for user.
  • Re-enrolled MFA (Okta Verify only, no SMS).
  • Reviewed account activity logs for any changes (none).
  • User Communication:
  • User briefed on MFA fatigue attacks.
  • Reinforced never to approve unexpected pushes.

5. Root Cause Analysis:

  • Primary Cause: MFA fatigue attack – user overwhelmed and approved malicious push.
  • Contributing Factors:
  1. Credentials compromised via prior phishing.
  2. No number matching in Okta Verify (pushed approval only).
  3. User not trained on MFA fatigue attacks.

6. Business Impact:

  • Operational Impact: IT admin offline for 1 hour.
  • Data Exposure: None (account disabled quickly).
  • Financial Impact: None.

7. Remediation & Prevention:

Completed Actions:

  • checkedAccount secured.
  • checkedMFA re-enrolled.
  • checkedUser educated.

Technical Controls Enhanced:

  • checkedEnabled number matching in Okta Verify (user must enter number from screen).
  • checkedImplemented conditional access policy blocking impossible travel logins.
  • checkedReduced MFA push timeout and maximum attempts.
  • checkedAdded alerting for excessive MFA push rejections.

8. Conclusion:

This incident involved an MFA fatigue attack leading to VPN access by an attacker. Rapid detection via Okta’s impossible travel rule and immediate containment prevented any malicious activity. Enhanced MFA controls will prevent similar attacks.

Closure Rationale: Account secured; attacker blocked; enhanced MFA controls implemented.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-11 09:00 EST

Leave a Comment