Hackers Stole Access Tokens from Okta’s Support Unit – Krebs on Security

Created on November 12, 2023 at 11:17 am

Okta, a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit, KrebsOnSecurity has learned. Okta says the incident affected a “very small number” of customers, however it appears the hackers responsible had access to Okta’s support platform for at least two weeks before the company fully contained the intrusion.

In an advisory sent to an undisclosed number of customers on Oct. 19, Okta said it “has identified adversarial activity that leveraged access to a stolen credential to access Okta’s support case management system. The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.”

Okta explained that when it is troubleshooting issues with customers it will often ask for a recording of a Web browser session (a.k.a. an HTTP Archive or HAR file). These are sensitive files because they can include the customer’s cookies and session tokens, which intruders can then use to impersonate valid users.

“Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens,” their notice continued. “In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”
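The sanitization Okta recommends can be done mechanically before a HAR file leaves the company. The following is an added example, not code from Okta, BeyondTrust or the article; it assumes the standard HAR 1.2 JSON layout (`log.entries[].request/response` with `headers`, `cookies`, `queryString`, `postData` and `content`) and runs on a constructed sample entry.

```python
import copy
import re

REDACTED = "[REDACTED]"
# Header names whose values carry credentials or session material.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
# Parameter/header name fragments that commonly carry tokens or secrets (over-redaction is fine).
SENSITIVE_PARAM = re.compile(r"token|session|password|secret|code|sid|key", re.I)

def _scrub(pairs, every=False):
    """Redact the value of each {"name": .., "value": ..} pair whose name looks sensitive."""
    for p in pairs or []:
        name = p.get("name", "")
        if every or name.lower() in SENSITIVE_HEADERS or SENSITIVE_PARAM.search(name):
            p["value"] = REDACTED

def sanitize_har(har):
    """Return a copy of a parsed HAR dict with cookies, auth headers and bodies redacted."""
    har = copy.deepcopy(har)                        # never mutate the caller's capture
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        _scrub(req.get("cookies"), every=True)      # every cookie value, request and response
        _scrub(resp.get("cookies"), every=True)
        _scrub(req.get("headers"))                  # Cookie / Authorization headers
        _scrub(resp.get("headers"))                 # Set-Cookie headers
        _scrub(req.get("queryString"))
        # Tokens also ride in the URL itself; redact values of sensitive query params in place.
        if "url" in req:
            req["url"] = re.sub(r"([?&][^=&]*(?:token|session|code|sid)[^=&]*=)[^&#]*",
                                r"\g<1>" + REDACTED, req["url"], flags=re.I)
        post = req.get("postData", {})
        _scrub(post.get("params"))
        if "text" in post:                          # raw login bodies hold passwords/tokens
            post["text"] = REDACTED
        if "text" in resp.get("content", {}):       # responses often echo session ids or JWTs
            resp["content"]["text"] = REDACTED
    return har

# Constructed sample HAR (not a real capture) showing where session material hides.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {"method": "GET", "url": "https://example.okta.com/api/v1/sessions/me?sessionToken=abc123",
                "headers": [{"name": "Accept", "value": "application/json"},
                            {"name": "Cookie", "value": "sid=102sEXAMPLE"}],
                "queryString": [{"name": "sessionToken", "value": "abc123"}],
                "cookies": [{"name": "sid", "value": "102sEXAMPLE"}]},
    "response": {"status": 200, "headers": [{"name": "Set-Cookie", "value": "sid=NEW; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "NEW"}],
                 "content": {"mimeType": "application/json", "text": "{\"id\":\"102sEXAMPLE\"}"}}}]}}
```

Response bodies are dropped wholesale because a session-creation response typically echoes the session id; if a support engineer needs a body, restore it by hand after checking it.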

The security firm BeyondTrust is among the Okta customers who received Thursday’s alert from Okta. BeyondTrust Chief Technology Officer Marc Maiffret said that alert came more than two weeks after his company alerted Okta to a potential problem.

Maiffret emphasized that BeyondTrust caught the attack earlier this month as it was happening, and that none of its own customers were affected. He said that on Oct. 2, BeyondTrust’s security team detected that someone was trying to use an Okta account assigned to one of their engineers to create an all-powerful administrator account within their Okta environment.

When BeyondTrust reviewed the activity of the employee account that tried to create the new administrative profile, they found that — just 30 minutes prior to the unauthorized activity — one of their support engineers shared with Okta one of these HAR files that contained a valid Okta session token, Maiffret said.

“Our admin sent that [HAR file] over at Okta’s request, and 30 minutes after that the attacker started doing session hijacking, tried to replay the browser session and leverage the cookie in that browser recording to act on behalf of that user,” he said.

Maiffret said BeyondTrust followed up with Okta on Oct. 3 and said they were fairly confident Okta had suffered an intrusion, and that he reiterated that conclusion in a phone call with Okta on October 11 and again on Oct. 13.

In an interview with KrebsOnSecurity, Okta’s Deputy Chief Information Security Officer Charlotte Wylie said Okta initially believed that BeyondTrust’s alert on Oct. 2 was not a result of a breach in its systems. But she said that by Oct. 17, the company had identified and contained the incident — disabling the compromised customer case management account, and invalidating Okta access tokens associated with that account.

Wylie declined to say exactly how many customers received alerts of a potential security issue, but characterized it as a “very, very small subset” of its more than 18,000 customers.

The disclosure from Okta comes just weeks after casino giants Caesar’s Entertainment and MGM Resorts were hacked. In both cases, the attackers managed to social engineer employees into resetting the multi-factor login requirements for Okta administrator accounts.

In March 2022, Okta disclosed a breach from the hacking group LAPSUS$, which specialized in social-engineering employees at targeted companies. An after-action report from Okta on that incident found that LAPSUS$ had social engineered its way onto the workstation of a support engineer at Sitel, a third-party outsourcing company that had access to Okta resources.

Okta’s Wylie declined to answer questions about how long the intruder may have had access to the company’s case management account, or who might have been responsible for the attack. However, she did say the company believes this is an adversary they have seen before.

“This is a known threat actor that we believe has targeted us and Okta-specific customers,” Wylie said.

Update, 2:57 p.m. ET: Okta has published a blog post about this incident that includes some “indicators of compromise” that customers can use to see if they were affected. But the company stressed that “all customers who were impacted by this have been notified. If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.”

Update, 3:36 p.m. ET: BeyondTrust has published a blog post about their findings.

Update, Oct. 24, 10:20 a.m. ET: 1Password and Cloudflare have disclosed compromises of their Okta authentication platforms as a result of the Okta breach. Both companies say an investigation has determined no customer information or systems were affected. Meanwhile, an Okta spokesperson told TechCrunch that the company notified about 1 percent of its customer base (~170 customers), so we are likely to see more such disclosures in the days and weeks ahead.