Okta Says Its Support System Was Breached Using Stolen Credentials

Okta said attackers accessed files containing cookies and session tokens that customers uploaded to its support management system after compromising it using stolen credentials.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” said Okta Chief Security Officer David Bradbury. “It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted.”

Okta’s CSO added that the incident did not impact the Auth0/CIC case management system. Okta notified all customers whose Okta environments or support tickets were affected by this incident. BeyondTrust, Cloudflare, and password manager company 1Password are currently known to be affected; customers who have not received an alert are not affected.

Okta’s stock price fell over the nearly three days after it admitted to the support system intrusion

Session token and cookie exposure

While the company has not provided details about what customer information was compromised or accessed by the attackers, the support case management system compromised in the attack was also used to store HTTP Archive (HAR) files. Support engineers use these files to replicate user or administrator errors and resolve reported issues, but they can also contain sensitive data, such as cookies and session tokens, which threat actors could use to hijack customer accounts.

“HAR files represent a record of browser activity and may contain sensitive data, including the content of pages visited, headers, cookies, and other data,” Okta explains on its support portal. “While this allows Okta staff to replicate browser activity and resolve issues, malicious actors could use these files to impersonate you.”


The company is working with affected customers during the investigation of the incident and has revoked the session tokens embedded in the shared HAR files. It now recommends that all customers sanitize their HAR files before sharing them to ensure they do not contain credentials, cookies, or session tokens. Okta also shared a list of indicators of compromise (IoCs) observed during the investigation, including IP addresses and web browser user agent strings associated with the attackers.
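Okta’s recommendation to sanitize HAR files before uploading them can be automated. The script below is an added example, not Okta’s own tool: it redacts cookies, Authorization headers and request/response bodies from a parsed HAR document while keeping URLs, methods and status codes so the call sequence can still be replayed, and checks whether a known secret still appears anywhere in the result. The sample HAR, the hostname and the token value `abc123` are constructed.

```python
import copy
import json

# Header names whose values carry credentials or session material
# (HTTP header names are case-insensitive, so compare in lowercase).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def sanitize_har(har):
    """Return a deep copy of a parsed HAR with credentials and session material removed."""
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for header in part.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in part.get("cookies", []):
                cookie["value"] = REDACTED
        # Bodies can embed tokens too (login forms, JSON responses with tokens).
        post = entry.get("request", {}).get("postData", {})
        if "text" in post:
            post["text"] = REDACTED
        content = entry.get("response", {}).get("content", {})
        if "text" in content:
            content["text"] = REDACTED
    return clean


def contains_secret(har, secret):
    """True if the literal secret string still appears anywhere in the serialised HAR."""
    return secret in json.dumps(har)


# Constructed sample HAR (not a real capture): one request carrying a session cookie.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://tenant.example.com/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=abc123; DT=xyz"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "abc123"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=abc123; Secure; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "abc123"}],
                 "content": {"mimeType": "application/json", "text": "{\"token\": \"abc123\"}"}},
}]}}

if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print(json.dumps(clean, indent=2))
    print("secret still present:", contains_secret(clean, "abc123"))
```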

When contacted by BleepingComputer, an Okta spokesperson did not answer questions about the date of the breach or how many customers were affected.

Instead, the spokesperson said the support system “is separate from the production Okta service, which is fully operational and unaffected. We have notified affected customers and are taking steps to protect all customers.”

The first intrusion attempt was discovered by BeyondTrust

Identity management company BeyondTrust said it was one of the affected customers and released additional insights into the incident.

BeyondTrust’s security team detected and blocked an attempt to log into an internal Okta administrator account on October 2, 2023, using a cookie stolen from Okta’s support system.

While BeyondTrust contacted Okta and provided forensic data showing that its support organization had been compromised, it took more than two weeks for Okta to confirm the breach.

BeyondTrust stated: “We raised concerns about the breach to Okta on October 2. Since we did not receive confirmation from Okta of the possible breach, we believed that Okta escalated it internally, and it was not until October 19 that Okta security leadership notified us that a breach did occur and that we were one of the customers affected.”


BeyondTrust said the attack was blocked by “custom policy controls,” but the malicious actors were able to perform “some limited actions” due to “limitations of Okta’s security model.” Still, the company said the attackers did not access any of its systems and its customers were not affected.
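BeyondTrust caught the attack because an Okta admin session turned up from a client it had never belonged to. The script below is an added example, not BeyondTrust’s or Okta’s code: it groups authentication events by session identifier and flags any session used from more than one client IP or user agent, which is what a cookie lifted from a HAR file and replayed elsewhere looks like. The events are constructed; their field names (`actor.alternateId`, `client.ipAddress`, `client.userAgent.rawUserAgent`, `authenticationContext.externalSessionId`) follow the layout of Okta System Log records, and the addresses and user agents are placeholders, not the IoCs Okta published.

```python
from collections import defaultdict


def session_reuse(events):
    """Map each session id seen from more than one client to the user and clients involved.

    A legitimate browser session normally stays on one IP / user-agent pair; the same
    externalSessionId arriving from a second, unrelated client is the replay signature.
    """
    clients = defaultdict(set)   # session id -> {(ip, user agent)}
    owner = {}                   # session id -> user the session belongs to
    for ev in events:
        sid = ev.get("authenticationContext", {}).get("externalSessionId")
        if not sid:
            continue
        client = ev.get("client", {})
        clients[sid].add((client.get("ipAddress"),
                          client.get("userAgent", {}).get("rawUserAgent")))
        owner.setdefault(sid, ev.get("actor", {}).get("alternateId"))
    return {sid: {"user": owner[sid], "clients": sorted(c, key=str)}
            for sid, c in clients.items() if len(c) > 1}


def _event(published, user, ip, ua, sid):
    """Build a minimal System-Log-shaped event (constructed helper for the sample data)."""
    return {"published": published, "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
            "authenticationContext": {"externalSessionId": sid}}


# Constructed sample: the admin's own browser twice, then the same session id replayed
# from an unrelated address and browser, plus a healthy session for another user.
CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/117"
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/118"
SAMPLE_EVENTS = [
    _event("2023-10-02T09:00:00Z", "admin@corp.example", "203.0.113.10", CHROME_WIN, "sess-A"),
    _event("2023-10-02T09:05:00Z", "admin@corp.example", "203.0.113.10", CHROME_WIN, "sess-A"),
    _event("2023-10-02T09:07:00Z", "admin@corp.example", "198.51.100.7", FIREFOX_LINUX, "sess-A"),
    _event("2023-10-02T09:10:00Z", "dev@corp.example", "203.0.113.22", CHROME_WIN, "sess-B"),
]

if __name__ == "__main__":
    for sid, info in session_reuse(SAMPLE_EVENTS).items():
        print(f"session {sid} of {info['user']} seen from {len(info['clients'])} clients:")
        for ip, ua in info["clients"]:
            print(f"  {ip}  {ua}")
```

In production the same check runs over System Log exports and is paired with the IoC list Okta shared, matching `client.ipAddress` and the raw user agent against it.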

Attack timeline:

– October 2, 2023 – An identity-centric attack targeting an internal Okta admin account was detected and fixed, and Okta was alerted.

– October 3, 2023 – Okta Support is asked to escalate the issue to the Okta Security Team after preliminary forensics indicate a compromise within the Okta Support organization.

– October 11 and October 13, 2023 – Zoom meetings with the Okta security team to explain why we believe they may have been compromised.

– October 19, 2023 – Okta security leadership confirms

Cloudflare is also affected

Cloudflare also discovered malicious activity on its systems on October 18, 2023, related to the Okta breach. Cloudflare said: “While this was a troubling security incident, the real-time detection and prompt response of our Security Incident Response Team (SIRT) achieved containment and minimized the impact on Cloudflare systems and data. We have also verified that no Cloudflare customer information or systems were affected by this incident.”

The attacker leveraged an authentication token stolen from Okta’s support system to gain entry into Cloudflare’s Okta instance through an open session that carried administrative privileges. Cloudflare contacted Okta about the incident 24 hours before Okta alerted it to the compromise of Okta’s systems.

“In our case, the threat actor appears to have been able to hijack session tokens from support tickets created by Cloudflare employees. The threat actor gained access to Cloudflare systems on October 18 using tokens extracted from Okta,” Cloudflare said.

“During this sophisticated attack, we observed the threat actor compromise two separate Cloudflare employee accounts within the Okta platform.”

1Password detected suspicious activity

1Password, a popular password management platform used by more than 100,000 businesses, suffered a security incident after hackers gained access to its Okta ID management tenant.

In a very brief security incident notification, 1Password CTO Pedro Canahuati wrote: “We detected suspicious activity on an Okta instance related to the incident in Okta’s support system. After a thorough investigation, we concluded that 1Password user data was not accessed.”

“On September 29, we detected suspicious activity on an Okta instance used to manage employee-facing applications. We immediately terminated the activity, conducted an investigation, and found that no user data or other sensitive systems (whether employee-facing or user-facing) were compromised.”

Multiple security incidents in two years

In January 2022, Okta disclosed that some of its customer data was compromised after data extortion group Lapsus$ gained access to its management console.

In August 2022, one-time passwords (OTPs) sent to Okta customers via text message were stolen by the Scatter Swine threat group, which had breached cloud communications company Twilio.

In September 2022, Okta-owned authentication service provider Auth0 revealed that some older source code repositories had been stolen from its environment using unknown methods.

In December 2022, Okta disclosed its own source code theft after its private GitHub repository was hacked.
