Update October 20, 16:15 EDT: Added BeyondTrust incident details.
Update October 20, 18:59 EDT: Added Cloudflare incident details.
Okta says attackers accessed files containing cookies and session tokens uploaded by customers to its support management system after breaching it using stolen credentials.
“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” said Okta’s Chief Security Officer David Bradbury.
“It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted.”
Okta’s CSO added that this incident did not impact the Auth0/CIC case management system. Okta notified all customers whose Okta environment or support tickets were impacted by the incident. Those who have not received an alert are not affected.
Session tokens and cookies exposed
While the company has yet to provide details on what customer information was exposed or accessed in the breach, the support case management system breached in this attack was also used to store HTTP Archive (HAR) files used to replicate user or administrator errors to troubleshoot various issues reported by users.
They also contain sensitive data, such as cookies and session tokens, which threat actors could use to hijack customer accounts.
“HAR files represent a recording of browser activity and possibly contain sensitive data, including the content of the pages visited, headers, cookies, and other data,” Okta explains on its support portal.
“While this allows Okta staff to replicate browser activity and troubleshoot issues, malicious actors could use these files to impersonate you.”
The company worked with affected customers during the incident investigation and revoked session tokens embedded in shared HAR files. It now advises all customers to sanitize their HAR files before sharing to ensure they do not include credentials and cookies/session tokens.
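As an added example (not Okta's own sanitizer tool and not code from this article), the Python below redacts the material Okta warns about from a HAR file before it is attached to a support case: Cookie/Set-Cookie and Authorization headers, the parsed cookies array, token-bearing query parameters, and JWT-shaped strings in request or response bodies. The header and parameter name lists and the sample capture are constructed assumptions, not values from the article.

```python
import json
import re

REDACTED = "[REDACTED]"
# Constructed lists for this example; extend them for your own apps.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
SENSITIVE_PARAMS = {"sessiontoken", "token", "code", "id_token", "access_token"}
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")  # JWT shape


def _scrub_pairs(pairs: list, names: set) -> int:
    """Redact the value of each HAR {name, value} pair whose name is sensitive."""
    hits = 0
    for pair in pairs:
        if str(pair.get("name", "")).lower() in names:
            pair["value"] = REDACTED
            hits += 1
    return hits


def sanitize_har(har: dict) -> int:
    """Redact cookies, auth headers, token params and JWT-shaped body text in place."""
    hits = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            hits += _scrub_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            for cookie in msg.get("cookies", []):  # HAR also keeps parsed cookies
                cookie["value"] = REDACTED
                hits += 1
            hits += _scrub_pairs(msg.get("queryString", []), SENSITIVE_PARAMS)
            for body in (msg.get("postData", {}), msg.get("content", {})):
                if isinstance(body.get("text"), str):  # bodies may echo tokens
                    body["text"], n = JWT_RE.subn(REDACTED, body["text"])
                    hits += n
    return hits


def sanitize_har_text(har_text: str) -> tuple:
    """Parse a HAR document, sanitize it and return (clean_json, hit_count)."""
    har = json.loads(har_text)
    hits = sanitize_har(har)
    return json.dumps(har), hits


# Constructed sample capture (not a real HAR): a login with a session cookie and an ID token.
SAMPLE_HAR = json.dumps({"log": {"entries": [{
    "request": {"headers": [{"name": "Cookie", "value": "sid=102abc"}], "cookies": [{"name": "sid", "value": "102abc"}],
                "queryString": [{"name": "sessionToken", "value": "20111abc"}], "postData": {"text": "{}"}},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=102abc; Secure; HttpOnly"}], "cookies": [{"name": "sid", "value": "102abc"}],
                 "content": {"text": '{"id_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln"}'}}}]}})
```

Run `sanitize_har_text` over the file your browser exported and attach only the returned JSON; the hit count is a quick sanity check that the capture actually contained something worth scrubbing.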
Okta also shared a list of indicators of compromise observed during the investigation, including IP addresses and web browser User-Agent information linked to the attackers.
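The pattern behind this incident (a session token lifted from a support ticket and replayed from the attacker's own client) leaves a trace in Okta System Log data: the same session ID suddenly appearing from a new IP address and User-Agent. As an added example that is not part of the article or of Okta's tooling, the Python below flags any event whose `externalSessionId` reappears from a client other than the one that started the session, and any event matching an indicator list; the IoC values and sample events are constructed placeholders, not Okta's published indicators.

```python
from typing import Optional

# Indicator sets would be filled from Okta's published IoCs; these are constructed placeholders.
IOC_IPS = {"203.0.113.7"}
IOC_USER_AGENTS = {"Mozilla/5.0 (constructed attacker UA)"}


def _session_id(event: dict) -> Optional[str]:
    return event.get("authenticationContext", {}).get("externalSessionId")


def _client(event: dict) -> tuple:
    """(source IP, raw User-Agent) of the client that produced the event."""
    c = event.get("client", {})
    return c.get("ipAddress", ""), c.get("userAgent", {}).get("rawUserAgent", "")


def find_session_reuse(events: list) -> list:
    """Flag events matching an IoC, or reusing an established session from a new client."""
    findings, baseline = [], {}
    for ev in sorted(events, key=lambda e: e.get("published", "")):
        sid, (ip, ua) = _session_id(ev), _client(ev)
        actor = ev.get("actor", {}).get("alternateId", "?")
        if ip in IOC_IPS or ua in IOC_USER_AGENTS:
            findings.append({"reason": "ioc-match", "actor": actor, "ip": ip, "session": sid})
        if not sid:
            continue
        if sid not in baseline:
            baseline[sid] = (ip, ua)  # first sighting defines the legitimate client
        elif baseline[sid] != (ip, ua):
            findings.append({"reason": "session-reuse-from-new-client", "actor": actor, "ip": ip, "session": sid})
    return findings


# Constructed sample events (not real logs), shaped like Okta System Log entries.
UA_ADMIN = "Mozilla/5.0 (Macintosh) Chrome/118.0"
SAMPLE_EVENTS = [
    {"published": "2023-10-02T13:00:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "admin@example.com"}, "outcome": {"result": "SUCCESS"},
     "client": {"ipAddress": "198.51.100.10", "userAgent": {"rawUserAgent": UA_ADMIN}},
     "authenticationContext": {"externalSessionId": "trs-constructed-1"}},
    {"published": "2023-10-02T13:05:00Z", "eventType": "user.session.access_admin_app",
     "actor": {"alternateId": "admin@example.com"}, "outcome": {"result": "SUCCESS"},
     "client": {"ipAddress": "198.51.100.10", "userAgent": {"rawUserAgent": UA_ADMIN}},
     "authenticationContext": {"externalSessionId": "trs-constructed-1"}},
    {"published": "2023-10-02T13:40:00Z", "eventType": "user.session.access_admin_app",
     "actor": {"alternateId": "admin@example.com"}, "outcome": {"result": "SUCCESS"},
     "client": {"ipAddress": "203.0.113.7", "userAgent": {"rawUserAgent": "curl/8.0"}},
     "authenticationContext": {"externalSessionId": "trs-constructed-1"}},
]
```

Feeding a day of exported System Log events through `find_session_reuse` gives a short list to triage; a legitimate IP change mid-session (VPN, mobile network) will also fire, so treat the User-Agent change plus an admin-app event as the stronger signal.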
An Okta spokesperson did not reply to questions regarding the date of the breach and how many customers were affected when BleepingComputer reached out earlier today.
Instead, the spokesperson said the support system “is separate from the production Okta service, which is fully operational and has not been impacted. We have notified impacted customers and taken measures to protect all our customers.”
Breach discovered by BeyondTrust after breach attempt
Identity management company BeyondTrust says it was one of the affected customers and provided additional insight into the incident.
BeyondTrust’s security team detected and blocked an attempt to log into an in-house Okta administrator account on October 2 using a cookie stolen from Okta’s support system.
While BeyondTrust contacted Okta and provided them with forensics data showing that their support team was compromised, it took Okta over two weeks to confirm the breach.
“We raised our concerns of a breach to Okta on October 2nd. Having received no acknowledgement from Okta of a possible breach, we persisted with escalations within Okta until October 19th when Okta security leadership notified us that they had indeed experienced a breach and we were one of their affected customers,” BeyondTrust said.
BeyondTrust says the attack was thwarted by “custom policy controls,” but due to “limitations in Okta’s security model,” the malicious actor was able to perform “a few confined actions.”
Despite this, the company says the attacker did not gain access to any of its systems, and its customers were not impacted.
BeyondTrust also shared the following attack timeline:
October 2, 2023 – Detected and remediated identity-centric attack on an in-house Okta administrator account and alerted Okta
October 3, 2023 – Asked Okta support to escalate to Okta security team given initial forensics pointing to a compromise within Okta support organization
October 11, 2023 and October 13, 2023 – Held Zoom sessions with Okta security team to explain why we believed they might be compromised
October 19, 2023 – Okta security leadership confirmed they had an internal breach, and BeyondTrust was one of their affected customers.
Cloudflare also affected
Cloudflare also discovered malicious activity linked to Okta’s breach on its servers on Wednesday, October 18, 2023.
“While this was a troubling security incident, our Security Incident Response Team’s (SIRT) real-time detection and prompt response enabled containment and minimized the impact to Cloudflare systems and data,” the company said.
“We have verified that no Cloudflare customer information or systems were impacted by this event.”
The attackers leveraged an authentication token stolen from Okta’s support system to pivot into Cloudflare’s Okta instance using an open session with Administrative privileges.
Cloudflare contacted Okta regarding the incident 24 hours before they were alerted of the breach impacting Okta’s systems.
“It appears that in our case, the threat-actor was able to hijack a session token from a support ticket which was created by a Cloudflare employee. Using the token extracted from Okta, the threat-actor accessed Cloudflare systems on October 18,” Cloudflare said.
“In this sophisticated attack, we observed that threat-actors compromised two separate Cloudflare employee accounts within the Okta platform.”
Multiple security incidents in less than 2 years
Last year, Okta disclosed that some of its customers’ data was exposed after the Lapsus$ data extortion group gained access to its administrative consoles in January 2022.
One-time passwords (OTPs) delivered to Okta customers over SMS were also stolen by the Scatter Swine threat group (aka 0ktapus), which breached cloud communications company Twilio in August 2022.
Okta-owned authentication service provider Auth0 also disclosed in September that some older source code repositories were stolen from its environment using an unknown method.
Okta revealed its own source code theft incident in December after the company’s private GitHub repositories were hacked.