What You Need to Know About the October OKTA Breach

Okta, a provider of identity and authentication management services, reported that threat actors were able to access private customer data by obtaining credentials to its customer support management system.

According to Okta’s Chief Security Officer, David Bradbury, the threat actor had the capability to view files uploaded by specific Okta customers in recent support cases. These files primarily contained HTTP archive (HAR) files, which are used by the company’s support personnel to replicate customer browser activity during troubleshooting sessions.

These HAR files may include sensitive information, such as cookies and session tokens, which could be exploited by malicious actors for impersonation and unauthorized access. Okta has responded by working closely with affected customers, conducting investigations, and taking steps to protect its clientele. One of these measures involved revoking embedded session tokens. In general, Okta recommends the sanitization of all credentials, cookies, and session tokens within a HAR file before sharing it.

Bradbury did not disclose the method the threat actors used to acquire the credentials for Okta’s support system. Furthermore, he did not confirm whether the access to the compromised support system was protected by two-factor authentication, a security best practice.

The cybersecurity company BeyondTrust is among the recipients of Okta’s security alert issued on Thursday. According to Marc Maiffret, Chief Technology Officer of BeyondTrust, this alert was delivered over two weeks after BeyondTrust had initially notified Okta about a possible issue.

That said, BeyondTrust and Cloudflare are among the two customers who have confirmed they were targeted in the latest support system attack. “The threat-actor was able to hijack a session token from a support ticket which was created by a Cloudflare employee,” Cloudflare said. “Using the token extracted from Okta, the threat-actor accessed Cloudflare systems on October 18.”

BeyondTrust had earlier notified Okta about suspicious activities, detecting an attacker who was trying to access one of BeyondTrust’s internal Okta administrator accounts using a valid authentication cookie. While BeyondTrust’s access policies initially thwarted the threat actor’s activities, Okta’s security model limitations allowed some confined actions. Ultimately, BeyondTrust managed to block all access.

Latest Okta Breaches

• In January 2022, Lapsus$ hackers employed a deception to manipulate an engineer associated with Sitel, the third-party provider of customer support services for Okta. They succeeded in convincing the engineer to press ‘accept’ on a Multi-Factor Authentication (MFA) push notification. This acceptance provided a means for a collection of pilfered credentials to gain entry to the engineer’s thin client desktop through the remote desktop protocol (RDP).
• Starting as early as March of 2022, a group of malicious hackers, now identified as Scatter Swine, launched a campaign referred to as “0ktapus” with the aim of pilfering authentication codes and corporate data. Experts believe that nearly 1,000 credentials from over 130 companies have been compromised, either directly from these companies or as a result of subsequent breaches. Among the notable victims of this attack are Twillio, MailChimp, and Klavioyo. While attempted attacks against entities like Cloudflare, T-Mobile, MetroPCS, Verizon, Slack, Twitter, CoinBase, Microsoft, Epic Games, Evernote, and Best Buy were observed, it’s important to note that no successful breach of these organizations has been publicly reported.
• Okta-owned authentication service provider Auth0 also disclosed in September that some older source code repositories were stolen from its environment using an unknown method.
• Okta revealed its own source code theft incident in December after the company’s private GitHub repositories were hacked.

Insights & conclusions

The consistent data breaches experienced by widely-used companies like Okta, known for their sensitive capabilities, have elevated their attractiveness as prime targets for threat actors. Consequently, Okta’s customers also become targets, as they are susceptible through this third-party supply chain.

Ensure your security products (MDR/EDR/XDR/etc.) are managed to detect and follow suspicious activity in your Okta environment. The following are detections and recommendations from the last Okta breach:

1. Okta Session Compromise: Threat actors pilfer Okta session cookies, granting them access to Okta via their controlled infrastructure. This method enables them to circumvent most Multi-Factor Authentication (MFA) and security checks related to authentication. This detection is designed to identify suspicious sessions that emerge without an authentication event, aligning with session compromise.
2. Proxy-Based Administrative Actions in Okta: Perpetrators, including groups like Scattered Spider, commonly employ proxies to log in as privileged users and carry out sensitive administrative tasks within Okta. Such actions are infrequent among legitimate users.
3. Okta Admin Privilege Assignment: Attackers often seek to elevate or grant privileges to concealed accounts. This information-level detection brings attention to all instances of Okta admin assignments, which are typically uncommon and typically follow an established process.
4. Okta Admin MFA Vulnerability to SIM Swapping: Make sure your incident response procedures benefit significantly when an admin user with some level of administrative access utilizes FIDO2 for MFA. This choice allows the IR team to exclude attacker-in-the-middle phishing as the means for token theft. Posture recommendations for privileged users offer incremental improvements that can enhance the safeguarding of these vital accounts.

Recommendations

Okta has recently made updates to their knowledge base articles concerning the generation and cleansing of HAR files. We suggest you take the time to examine these revised articles.

1. Implement policy controls within Okta to confine access to the administrative console.
2. Consider adapting the Okta global session policy to enforce Multi-Factor Authentication (MFA) challenges with each sign-on. This measure will deter unauthorized access by attackers possessing pilfered cookies from reaching the main dashboard.
3. Restrict the duration of Okta sessions and implement additional measures to narrow the window during which a stolen cookie can be exploited.
4. Keep in mind that actions conducted through the admin API and authenticated via session cookies fall under the jurisdiction of the Global Session Policy. This policy is typically less stringent than other policies.
5. Recognize that session hijacking enables attackers to bypass Multi-Factor Authentication.
6. Enforce robust hardware-based Multi-Factor Authentication for all Okta administrators to safeguard against token hijacking facilitated by attacker-in-the-middle phishing.

Cyberint’s Supply Chain Intelligence Module

Cyberint’s Supply Chain Intelligence module continuously discovers your vendors and technologies, monitors and evaluates their exposures, and issues alerts on major risks and breaches. Learn more about our Supply Chain Intelligence module here or get a demo.