Hackers Stole Entry Tokens from Okta’s Assist Unit – Krebs on Safety

Okta, an organization that gives id instruments like multi-factor authentication and single sign-on to hundreds of companies, has suffered a safety breach involving a compromise of its buyer help unit, KrebsOnSecurity has discovered. Okta says the incident affected a “very small quantity” of shoppers, nevertheless it seems the hackers accountable had entry to Okta’s help platform for at the least two weeks earlier than the corporate totally contained the intrusion.
In an advisory despatched to an undisclosed variety of prospects on Oct. 19, Okta stated it “has recognized adversarial exercise that leveraged entry to a stolen credential to entry Okta’s help case administration system. The menace actor was capable of view information uploaded by sure Okta prospects as a part of current help circumstances.”
Okta defined that when it’s troubleshooting points with prospects it is going to usually ask for a recording of a Net browser session (a.okay.a. an HTTP Archive or HAR file). These are delicate information as a result of on this case they embody the shopper’s cookies and session tokens, which intruders can then use to impersonate legitimate customers.
“Okta has labored with impacted prospects to research, and has taken measures to guard our prospects, together with the revocation of embedded session tokens,” their discover continued. “Basically, Okta recommends sanitizing all credentials and cookies/session tokens inside a HAR file earlier than sharing it.”
The safety agency BeyondTrust is among the many Okta prospects who acquired Thursday’s alert from Okta. BeyondTrust Chief Know-how Officer Marc Maiffret stated that alert got here greater than two weeks after his firm alerted Okta to a possible drawback.
Maiffret emphasised that BeyondTrust caught the assault earlier this month because it was taking place, and that none of its personal prospects have been affected. He stated that on Oct 2., BeyondTrust’s safety group detected that somebody was making an attempt to make use of an Okta account assigned to certainly one of their engineers to create an omnipotent administrator account inside their Okta atmosphere.
When BeyondTrust reviewed the exercise of the worker account that attempted to create the brand new administrative profile, they discovered that — simply half-hour previous to the unauthorized exercise — certainly one of their help engineers shared with Okta certainly one of these HAR information that contained a sound Okta session token, Maiffret stated.
“Our admin despatched that [HAR file] over at Okta’s request, and half-hour after that the attacker began doing session hijacking, tried to replay the browser session and leverage the cookie in that browser recording to behave on behalf of that person,” he stated.
Maiffret stated BeyondTrust adopted up with Okta on Oct. 3 and stated they have been pretty assured Okta had suffered an intrusion, and that he reiterated that conclusion in a telephone name with Okta on October 11 and once more on Oct. 13.
In an interview with KrebsOnSecurity, Okta’s Deputy Chief Data Safety Officer Charlotte Wylie stated Okta initially believed that BeyondTrust’s alert on Oct. 2 was not a results of a breach in its methods. However she stated that by Oct. 17, the corporate had recognized and contained the incident — disabling the compromised buyer case administration account, and invalidating Okta entry tokens related to that account.
Wylie declined to say precisely what number of prospects acquired alerts of a possible safety concern, however characterised it as a “very, very small subset” of its greater than 18,000 prospects.
The disclosure from Okta comes simply weeks after on line casino giants Caesar’s Leisure and MGM Resorts have been hacked. In each circumstances, the attackers managed to social engineer workers into resetting the multi-factor login requirements for Okta administrator accounts.
In March 2022, Okta disclosed a breach from the hacking group LAPSUS$, a felony hacking group that specialised in social-engineering workers at focused firms. An after-action report from Okta on that incident discovered that LAPSUS$ had social engineered its approach onto the workstation of a help engineer at Sitel, a third-party outsourcing firm that had entry to Okta assets.
Okta’s Wylie declined to reply questions on how lengthy the intruder might have had entry to the corporate’s case administration account, or who might need been liable for the assault. Nevertheless, she did say the corporate believes that is an adversary they’ve seen earlier than.
“It is a recognized menace actor that we consider has focused us and Okta-specific prospects,” Wylie stated.
Replace, 2:57 p.m. ET: Okta has printed a blog post about this incident that features some “indicators of compromise” that prospects can use to see in the event that they have been affected. However the firm careworn that “all prospects who have been impacted by this have been notified. If you happen to’re an Okta buyer and you haven’t been contacted with one other message or technique, there isn’t any affect to your Okta atmosphere or your help tickets.”
Replace, 3:36 p.m. ET: BeyondTrust has published a blog post about their findings.