Original Release Date: 10/27/2023
Last week, Okta, an identity and access management (IAM) service, identified adversarial activity in which a stolen credential was used to access its support case management system. The threat actor was able to view sensitive HTTP Archive (HAR) files uploaded by a limited number of Okta customers as part of recent support cases. HAR files record the traffic exchanged between a web client and a web server and can therefore contain sensitive information such as authentication tokens, API keys, and session cookies. Okta’s support team typically asks customers to share these files when submitting a support ticket so that an Okta technician can replicate and troubleshoot the browser activity. Okta stated that all impacted customers were notified, including BeyondTrust, Cloudflare, and 1Password. These organizations successfully terminated or blocked the malicious activity using a defense-in-depth approach.
Multi-factor authentication (MFA) continues to be targeted by threat actors. Last month, Okta revealed social engineering campaigns targeting the IT service desk personnel of US-based Okta customer organizations in attempts to reset MFA for highly privileged users. The threat actor then leveraged the compromised Okta Super Admin accounts to abuse legitimate identity features and impersonate users within the compromised organization. Impacted organizations include MGM and Caesar’s Palace, ultimately affecting millions of patrons worldwide due to subsequent ransomware attacks.
The NJCCIC reminds organizations to implement a defense-in-depth approach, using multiple layered security and identity management controls so that no single point of failure can result in a successful cyberattack. Additionally, users are advised to review and sanitize HAR files prior to sharing them or adding them to a repository. Further details and indicators of compromise (IOCs) can be found in the Okta article, the BeyondSecurity blog post, and the KrebsOnSecurity blog post.
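As an added illustration of the HAR sanitization advised above (example code, not from the advisory or from Okta), the Python below redacts the fields of a HAR 1.2 file most likely to carry credentials: Authorization, Cookie and Set-Cookie headers, every cookie entry, token-like query parameters (both in the URL and in the `queryString` table), and response bodies. The sample HAR, the `example.invalid` host and the header and parameter name lists are constructed assumptions; adjust the lists to your own application.

```python
import copy, json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode
# Constructed sample HAR (not from the advisory): one exchange carrying a bearer
# token, a session cookie and an API token in the URL, all marked "SECRET".
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "url": "https://example.invalid/api/v1/users?limit=5&token=SECRET-TOKEN",
        "headers": [{"name": "Authorization", "value": "Bearer SECRET-JWT"},
                    {"name": "Cookie", "value": "sid=SECRET-SID"}],
        "cookies": [{"name": "sid", "value": "SECRET-SID"}],
        "queryString": [{"name": "limit", "value": "5"},
                        {"name": "token", "value": "SECRET-TOKEN"}]},
    "response": {
        "headers": [{"name": "Set-Cookie", "value": "sid=SECRET-NEW; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "SECRET-NEW"}],
        "content": {"mimeType": "application/json", "text": '{"sessionToken": "SECRET-BODY"}'}}}]}}

REDACTED = "[REDACTED]"
# Assumed header and query-parameter names that commonly carry credentials.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"token", "sessiontoken", "apikey", "api_key", "code", "access_token"}

def _scrub(pairs, names=None):
    """Redact HAR name/value pairs in place; with names=None every value goes."""
    for p in pairs:
        if names is None or p.get("name", "").lower() in names:
            p["value"] = REDACTED

def _scrub_url(url):
    # Redact sensitive query parameters while keeping the URL's shape intact.
    parts = urlsplit(url)
    q = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
         for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(q)))

def sanitize_har(har):
    """Return a deep copy of the HAR with credential-bearing fields redacted."""
    out = copy.deepcopy(har)
    for entry in out["log"]["entries"]:
        req, resp = entry.get("request", {}), entry.get("response", {})
        req["url"] = _scrub_url(req.get("url", ""))
        _scrub(req.get("queryString", []), SENSITIVE_PARAMS)
        for msg in (req, resp):
            _scrub(msg.get("headers", []), SENSITIVE_HEADERS)
            _scrub(msg.get("cookies", []))  # every cookie value is treated as a secret
        # Response bodies often echo tokens; drop them unless reviewed by hand.
        if "text" in resp.get("content", {}):
            resp["content"]["text"] = REDACTED
    return out

def secret_count(har, marker="SECRET"):
    # Count a known marker in the serialised HAR, to verify nothing leaked.
    return json.dumps(har).count(marker)
```

Running `secret_count` before and after `sanitize_har` on a HAR seeded with a known marker is a quick regression check that the redaction lists still cover every place the marker appears.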